House of Lords - Constitution Committee

Surveillance: Citizens and the State - Constitution Committee Contents

Memorandum by the Ministry of Justice

INTRODUCTION

1. The Ministry of Justice (MOJ) is responsible for the Government's domestic policy on data protection and data sharing, and also represents the UK at European and International level.

2. There have been massive social and technological advancements in recent years which give citizens greater opportunities than they could have ever imagined. There is a need to gather and access personal information to: support the delivery of personalised and better public services; fight crime and protect public security; reduce the burden on business and the citizen, and tackle social exclusion through early intervention. This processing of personal information is demanded in greater quantity and in quicker time than ever before and this presents a variety of challenges to public service providers.

3. This Memorandum covers the issues relating to the collection and sharing of personal information and the safeguards provided by the Data Protection Act 1998 (DPA) and other legislation. It also covers the duties and powers of the Information Commissioner.

4. The Home Office has also contributed to this Memorandum in respect of its policies, which engage the legal framework that governs information sharing. The Home Office's evidence on these policies can be found at paragraphs 33 to 78.

THE LEGAL FRAMEWORK

5. The current legal framework around information sharing is in our view responsive and robust enough to meet both current and future needs. There is no single source of law that regulates the powers that a public body has to use and share personal information. The collection, use and disclosure of personal information are governed by a number of different areas of law. In domestic law, these include:

— the law that governs the actions of public bodies (administrative law);

— the Human Rights Act 1998 (HRA) and the European Convention on Human Rights (ECHR);

— the common law tort of breach of confidence; and

— the DPA

6. The DPA regulates the processing of personal data and processing includes collection, use, and distribution. It is underpinned by the framework of the ECHR, particularly the right to a private and family life under Article 8, which is now part of domestic law by virtue of the HRA. Neither the HRA nor the ECHR prevents the lawful and proportionate sharing of data. Confidentiality is also not an absolute bar to disclosure. At common law, or where there is a statutory discretion to disclose, it is possible to share confidential information where it is in the public interest to do so.

7. Statutory bodies have to rely on express or implied powers to share information while Ministers of the Crown may also be able to rely on common law or prerogative powers. However, where there is a relevant statutory provision occupying the same ground, this may operate so as to exclude these common law or prerogative powers.

8. Under the DPA, organisations and individuals must comply with the data protection principles in order to process personal data unless an exemption applies.[1] These principles include ensuring that data processing is fair and lawful, that data are processed only for specified and lawful purposes and that data are accurate.[2] Additionally the processing has to meet certain statutory conditions. In many of these conditions it is a requirement that processing be "necessary" for a particular function or purpose, eg for the performance of a contract or to protect the vital interests of the subject.[3]

9. Where sensitive personal data is involved, such as data related to political opinions or health, the processing must also meet a further set of conditions, eg that the processing is necessary for the administration of justice or for medical purposes.[4]

10. Under the DPA, the Information Commissioner is the UK's independent regulator.

THE ROLE OF THE COMMISSIONER

11. The Commissioner promotes compliance and good practice; manages the notification scheme and enforces the DPA and other legislation that he has powers to act upon.

12. The mechanisms which regulate and protect the use of personal information are always under review to ensure that they continue to protect the citizen and help achieve the balance between sharing and protecting. The MOJ and other Government Departments work closely with and consult the Commissioner's Office, and have due regard for his views when developing policy and legislative proposals.

13. The Commissioner has statutory powers to ensure compliance with the DPA. These enable him to serve enforcement, information and special information notices, and obtain warrants to enter premises to inspect, operate and test equipment used for processing personal information. He can also seize and inspect evidence of offences.

14. Under the DPA, the Commissioner presents Parliament with an Annual Report on the exercise of his functions under this Act. The powers of the Commissioner are kept under continuous review and the Government will consider legislative change where the case for additional regulatory control is established.

15. The Commissioner has other specific or general powers that he can use under other legislation. For example, in some circumstances he can use the stop now powers under the Enterprise Act 2002.

THE COLLECTION AND SHARING OF PERSONAL INFORMATION

16. There is a general recognition across the public sector of the potential to deliver more efficient and effective public services, and bring benefits to society as a whole, through better use and sharing of information, within appropriate legal constraints. It is also becoming increasingly obvious that the challenges for information sharing in the future may well shift away from sharing within the public sector into a more complex environment of sharing between organisations that fall outside the traditional boundaries of the public sector but still deliver public functions.

17. Information sharing is already happening occurring to deliver personalised, better public services, fight crime and protect public security, reduce the burden on business and the citizen, and tackle social exclusion through early intervention.

18. Changes in technology are beginning to transform the public sector and enable better use of information. In the past, information was generally held on discrete databases or in paper files. These were effectively isolated from other sources of information, and had a limited capacity for storing data. New technologies, and the Internet in particular, now mean that databases hold more data and that it is easier than ever before to link information held in different databases and to transfer information from one place to another.

19. These advances in technology have been taken up by the private sector to change the way that commercial services are delivered. As a result, citizens also expect public services to be better tailored to their needs, more joined up, and for their personal information to be better protected. Innovations such as biometric passports; road congestion charging; and the development of the Police National Database have all been made possible by new technologies and are being used to collect a greater range and quantity of personal data than ever before. Proper use of these will build public confidence and security.

20. In Sir David Varney's report[5] on service transformation, he identified that citizens currently have to report a single change of circumstances to Government many times over. In one instance, bereavement, he identified some 44 different public sector agencies that had to be informed. Sir David Varney recommended the development of a service that would enable members of the public to report changes of circumstances—such as births, changes of address and bereavements—to Government just once.

21. This information would then be shared across Government securely. Individual projects using shared data are designed to ensure that they are secure—with security measures ranging from the design of the system; physical access and technological controls to training and security checks for staff access.

22. Responsible information sharing ensures that citizens have a say in how their personal information is shared among service providers. Efficient use of this information will avoid citizens having to give repeatedly the same information to a range of service providers.

23. Research[6] suggests that the public is willing to give out personal information to Government and allow it to be shared if there is a clear benefit to be gained by this information sharing. Improved services are seen as providing a clear benefit, but public concerns still remain about the way that information can and should be shared across Government, the wider public sector and with private organisations.

24. Society is rightly concerned that these new developments are being used appropriately and within a legal framework, with due regard for individual privacy and rights. The challenge is to achieve the balance between increased information sharing and protecting the privacy of the citizen from unnecessary intrusion.

25. The Government is therefore committed to ensuring that information sharing is undertaken in a transparent and controlled manner, with legal and process controls in place to ensure that information is not shared inappropriately or disproportionately. Once information has been collected, the Government is very careful in ensuring that sharing can only take place when it is not incompatible with the original purpose of collection an important protection in the DPA and the Directive which the DPA implements. The public needs to be satisfied that a proper balance is maintained between the benefits of sharing information and the right to privacy.

26. As a rule, the Government consults widely on its policy and legislative proposals, affording the public and key stakeholders the opportunity to voice their opinions and concerns in response. The Government also ensures that frontline practitioners and the public are aware of legislative effects through guidance, public awareness campaigns, and official website postings.

A CASE BY CASE APPROACH

27. Sharing is not an end in itself. It is one of the foundations for improving services across the whole of the public sector and increasing public safety. Responsibility for developing and delivering individual policies across the whole spectrum of Government activity rests with lead departments. The Ministry has a central role in providing advice on policy and legislative proposals which engage on data protection and data sharing, and ensuring that all parts of Government apply the legal framework in a consistent manner.

28. The Government considers and introduces new data sharing provisions on a case-by-case basis. The data sharing arrangements, including safeguards to protect the privacy of individuals and their personal information, are designed specifically around the policy itself, taking into account technological and social issues relevant to that policy.

29. An example of this is the Digital Switchover (Disclosure of Information) Act 2007,[7] which received Royal Assent on 18 June 2007. The legislation allows the Department for Work and Pensions to pass the names and addresses of people eligible for financial help with the switch to digital television to the BBC (or a BBC controlled company). The measures are supported by organisations who represent vulnerable groups and we estimate 7m households will benefit from the digital help scheme. The Act also provides for custodial sentences for unlawful disclosure.

30. In July 2006, in response to concerns raised, the Secretary of State for the then Department for Constitutional Affairs (now the MOJ) made an Order under the DPA[8] to facilitate payment card issuers to process sensitive personal data (provided by law enforcement agencies) about customers who have received convictions or cautions for crimes relating to child abuse images, where their payment card was used to commit the offence.

31. This enables credit card companies to exercise their contractual rights and decide whether to close the account and/or remove the card. The MOJ consulted the Information Commissioner before making the order, as required by the DPA. In Parliamentary debate, the Government assured the House of Lords that the action was fair; balanced; the order was justified and that there would be no prejudice to the innocent party in the case of joint accounts.

32. The Select Committee on the Merits of Statutory Instruments had described the Order as "a good example of an appropriate balance between the rights of the state and the rights of the individual".

33. Following the Commissioner's special report What Price Privacy?,[9] the Government is seeking to use the Criminal Justice and Immigration Bill, which was introduced in the House of Commons on 26 June, to amend the DPA to allow custodial sentences where access to personal information has been wilfully or deliberately misused.

CURRENT POSITION ON SURVEILLANCE RELATED POLICIES

CLOSED CIRCUIT TELEVISION (CCTV)

34. There is a Code of Practice covering the users of CCTV. The code deals with surveillance in areas to which the public have largely free and unrestricted access. The Information Commissioner has a role in taking into account the extent to which users have complied with the CCTV Code of Practice when determining whether they have met their legal obligations on data protection.

35. Since February 2006, the Home Office, with the Association of Chief Police Officers (ACPO), has been conducting a review to develop a strategy for the future development of public space CCTV. The report of the review will be published shortly, together with proposals for implementing the strategy.

THE NATIONAL IDENTITY SCHEME

36. This scheme, which includes the introduction of identity cards, has been the subject of considerable public consultation and parliamentary scrutiny over the past five years. At every stage there has been a clear understanding of the need to balance the benefits from additional public protection with the need to safeguard civil liberties. Indeed the British Social Attitudes Survey, published in January 2007, found that 71% of those polled thought that the introduction of ID cards was a price worth paying to combat terrorism.

37. Public consultation started in July 2002 with publication of "Entitlement Cards and Identity Fraud" (Cm 5557) which included a chapter on data protection and privacy issues, including human rights. Draft legislation was also published for consultation in April 2004 (Cm 6178). Consultation involved reviewing comments from members of the public as well as from specialists such as the Information Commissioner; also during 2004 there was an inquiry by the Home Affairs Select Committee which took written and oral evidence from Ministers as well as external experts and interest groups.[10]

38. Interdepartmental consultations took place at official and ministerial level before the first Identity Cards Bill was introduced in 2004 (including preparation, though not for publication, of a formal ECHR memorandum on the Identity Cards Bill for the LP Cabinet committee).

39. A second Identity Cards Bill introduced in May 2005 became the Identity Cards Act 2006. During the passage of the Bill the then Home Secretary, Charles Clarke, wrote to the Joint Committee Human Rights (JCHR) setting out how the proposals were compatible with the HRA and with our obligations under the ECHR.

40. The Identity Cards Act 2006 establishes a new post of National Identity Scheme Commissioner who will make regular reports on the scheme's operation and the uses to which ID cards are put. The Commissioner's reports to the Home Secretary will be published and laid before Parliament.

NATIONAL DNA DATABASE (NDNAD)

41. Human Rights: The Criminal Justice and Police Act 2001 allows for the retention of all fingerprints and DNA samples taken on suspicion of involvement in a criminal offence. These may be used only for the purposes of prevention and detection of crime, the investigation of an offence or the conduct of a prosecution. The legislation has been challenged in the courts under the ECHR. On 12 September 2002 the legislation was ruled in the Court of Appeal not to have contravened the Convention.

42. ACPO and the Home Office have been looking at how the police can best use the opportunities provided by the Criminal Justice and Police Act 2001. A revision of the rules governing the weeding of records from the Police National Computer is being examined in parallel with consideration of the best way to retain data on fingerprints and DNA from individuals who have been acquitted. The Information Commissioner's Office is being fully consulted on this exercise.

43. The DNA profiles of individuals who have had samples taken lawfully under the Police and Criminal Evidence Act 1984, but against whom the prosecution was not proceeded with or who were subsequently acquitted by the courts, can be identified on the NDNAD. DNA samples are retained and used solely for the purposes of prevention and detection of crime; the investigation of an offence or the conduct of a prosecution and such use does not contravene data protection legislation.

44. Currently the fingerprints of persons who are acquitted or against whom charges have not been proceeded with are weeded from the National Automated Fingerprint Identification System (NAFIS) system. Once the acquittal/not proceeded with information is put on the Police National Computer a message is sent to NAFIS and the fingerprint record deleted. In light of the changes in the Criminal Justice and Police Act 2001, further proposals are under consideration in relation to the system to allow for the retention of fingerprints on NAFIS in such cases.

45. Existing safeguards for data use: Fundamentally the interests of law enforcement and data protection are identical in that information needs to be accurate, lawfully obtained, processed and protected securely. Safeguards are provided by the restrictions imposed by the Police and Criminal Evidence Act (PACE) and the DPA, and the oversight provided by the NDNAD Strategy Board and the Custodian. Further safeguards are to be provided by an Ethics Group to be responsible for reviewing the appropriateness of policy, decision making and practice.

ELECTRONIC MONITORING (EM)

46. EM is used predominantly to monitor a curfew condition imposed as a requirement of bail; a community sentence; a suspended custodial sentence or release on licence from prison. Contract staff responsible for the service are subject to Criminal Record Bureau (CRB) checks. EM schemes used for monitoring curfew conditions imposed by a court or Prison Governor derive from primary legislation.

47. Information on a subject's curfew record can be provided to the police or other agencies involved in the investigation or prevention of crime, in line with the requirements of the DPA. The release of such information must be approved by the Ministry of Justice unless the subject is a Multi-Agency Public Protection Arrangements (MAPPA), or Prolific or other Priority Offender (POPO), case.

48. In developing the policy and legislation a wide number of criminal justice stakeholders are involved in the consultation process, with human rights and data protection issues key considerations in the operation of the schemes. The Criminal Justice Act 2003 was preceded by two consultation documents, "Making Punishments Work" published in July 2001 and "Justice for All" in July 2002. The current contracts and protocols relating to electronic monitoring were developed to ensure that those subject to electronic tagging are treated decently, and subject only to the minimum personal intrusion required to manage their curfew.

REGULATION OF THE INVESTIGATORY POWERS ACT 2000

49. The conduct by public authorities of what might be described as "traditional surveillance" which interferes with individuals' human right to respect for private and family life is permitted by the Intelligence Service Act 1994, Part III of the Police Act 1997 and Parts I and II of the Regulation of Investigatory Powers Act 2000 (RIPA).

50. Article 8 of the ECHR establishes both the right of individuals to have their privacy respected and that public authorities may interfere with that right where that is in accordance with law and is necessary in a democratic society in the interests of national security, public safety or for the prevention of crime and disorder.

51. RIPA provides for the authorisation, in accordance with law, of necessary and proportionate conduct that will, or is likely to, interfere with an individual's rights and where private information about a person(s) is obtained. It is not legislation that authorises covert conduct. Rather, it authorises interference with individuals' rights.

52. RIPA and the 1994 and 1997 Acts are used by a wide range of public authorities—the security and intelligence agencies, the police service, local authorities and government departments and agencies—which have necessary and proportionate requirements to engage in conduct that can interfere with individuals' rights for legitimate purposes whether, for example, to safeguard national security or to prevent and detect crime.

53. Subject to various statutory safeguards and oversight, this conduct includes:

— interception of communications ("phone tapping")

— acquisition and disclosure of communications data (eg. details of telephone subscribers and their call records);

— covert observation and eavesdropping on conversations in private spaces, both premises or vehicles ("intrusive surveillance")

— covert observation and eavesdropping on conversations in public spaces and vehicle location tracking ("directed surveillance")

— covert entry on and interference with private property and interference with wireless telegraphy.

54. This conduct may be undertaken only when necessary for a legitimate aim and proportionate to that aim and is subject to strict independent oversight by the Chief Surveillance Commissioner, by the Interception of Communications Commissioner and the Intelligence Services Commissioner - all of whom report to the Prime Minister and to Parliament.

55. RIPA also provides access for complainants to an independent tribunal—the Investigatory Powers Tribunal, set up under RIPA to consider complaints and human rights claims arising from conduct involving regulated investigatory powers.

CRIMINAL RECORDS

56. The Criminal Records Bureau, established under Part V of the Police Act 1997, provides wider access to criminal record information through its Disclosure Service. It was launched on 11 March 2002. This service enables organisations in the public, private and voluntary sectors to make safer recruitment decisions by identifying candidates who may be unsuitable for certain work, especially that involve children or vulnerable adults.

57. A Home Office Circular 047/2003 made it clear that except where specific statutory provision is in place (including Part V of the Police Act 1997, under which the CRB operates), the governing principle must be that the police must safeguard sensitive personal information, and must not disclose such information to a third party unless there is good justification in the particular case.

58. The Police Information Access Panel (PIAP) chaired by ACPO now determines access to the Police National Computer (PNC). This group decides who will get access in the future, determined by business need in accordance with an Information Tribunal Judgement.[11]

59. ACPO also produced Retention Guidelines for Nominal Records on the Police National Computer. These guidelines became effective on 31 March 2006 and replaced the ACPO Weeding Rules. The Guidelines are based on the format of restricting access to PNC data rather than deletion of data.

60. Sir Rhys Davies QC was appointed in September 2003 as the Independent Monitor of local police information disclosed under the Criminal Records Bureau's Enhanced Disclosure process.[12] The Monitor's primary role is to review intelligence information released from local police records under sections 113B (4) and 113B (5) of the Police Act 1997, and, for the purposes of Article 8 of the ECHR, to ensure that the individuals' rights to a private life has not been infringed arbitrarily or unnecessarily.

Information Sharing Between Police Forces (IMPACT)

61. The IMPACT Programme is introducing new IT enabled business change that will ultimately deliver a national police database, which will provide a single source of operational information linking data currently held on local systems with that held on national systems such as the Police National Computer (PNC). It is also helping the Police Service to implement the requirements of the statutory Code of Practice on the Management of Police Information (MoPI) and the accompanying guidance.

62. Forces and other agencies remain under a strict duty to abide by the requirements of legislation and other regulations including on data protection, human rights, policing, criminal procedures, evidence and equality and diversity. The Programme is addressing these legal and policy issues in close partnership with the Police Service, the Home Office, the Ministry of Justice and the Information Commissioner. Regular contact with these stakeholders is maintained to obtain their views and to keep abreast of developments.

63. Initial consultations have confirmed that there is nothing to preclude the widespread sharing of police information between policing agencies for policing purposes, and that this can be achieved by holding information on IT systems that other forces can access directly. The powers to share information are either vested in specific legislation or common law.

64. The Programme is now developing an Information Management and Assurance Policy that will consider in greater detail not just the minimum requirements of the regulatory framework, but also how the potential impact on individual privacy can be minimised (whilst recognising that some invasion of privacy is necessary in the wider public interest). Once agreed with key stakeholders it will be used to help shape the design and implementation of the national database, including the associated business change.

DATA SHARING—MULTI-AGENCY

65. Multi-Agency Risk Assessment Conferences (MARACs) will provide a standardised approach to public protection for victims of domestic violence. A protocol for the information sharing process is in the final stages of reaching agreement with the Information Commissioner. Consideration is also being given to ways in which multi-agency risk assessment, information-sharing, management and interventions processes to prevent serious violence in circumstances where MAPPA and MARACs would not apply, could be improved. Any proposals which are developed will take full account of DPA and HRA legislation.

FRAUD AND THE SERIOUS CRIME BILL

66. The Home Office has worked closely with Ministry of Justice officials and the Information Commissioner throughout the development of the policy on the Serious Crime Bill and its passage through Parliament.

67. Both the data sharing and data matching provisions of the Bill are premised on the basis that the processing of data under those clauses must comply with the DPA and the ECHR. The Bill also requires the Secretary of State to produce a code of practice to which public authorities sharing information through a specified anti-fraud organisation must adhere. The Secretary of State must consult the Information Commissioner and others when producing or altering the code.

68. The data matching provisions included from the outset a duty on the Audit Commission to produce a code of practice with respect to data matching exercises. The Audit Commission must consult the Information Commissioner and others when producing or altering the code.

IMMIGRATION

69. Border and immigration policy is developed, using standard best practice guidance, consulting and collaborating with partners, in a transparent and open way, based on the best possible analysis and use of evidence, and consistent with international obligations, data protection and human rights.

70. Policy proposals are scrutinised to ensure, among other things, that they comply with data protection and human rights legislation. The Ministry of Justice is also consulted as proposals are developed. Collective agreement from across Government is secured before policy is decided, or legislation introduced.

Examples

SIMPLIFICATION PROJECT

71. A Simplification Project, seeking radically to simplify the legal framework of the Border and Immigration Agency, was launched on 6 June with an initial consultation paper. Subject to the Parliamentary timetable, the aim is to introduce comprehensive new primary legislation in 2008. The initial paper sets out principles for simplification and invites views, making clear the intention to consult extensively with staff, external stakeholders and the wider public in taking this work forward. Regulatory impact and equality impact assessments will be produced to support the later stages of the consultation process and compliance with data protection and human rights legislation will be ensured.

ENFORCEMENT STRATEGY

72. The enforcement strategy was required from the outset to be a cross-government strategy so engagement with other departments in the process of development was critical.

73. This engagement came in various forms:

— Early dialogue with key government departments and agencies to understand their issues and requirements for the strategy

— A series of collective seminars to drive a common understanding of the issues and a collective approach to finding solutions

— Focused bilateral negotiations to refine the terms of specific proposals involving other departments.

— Discussions were held in respect of specific issues relating to human rights and data protection with DCA (as was) and devolution (with Scotland Office)

— Collective agreement to the proposed strategy via the relevant cabinet committees (AMWG and AM).

74. In relation to human rights and data protection, the discussions centred on the potential breach of rules governing information sharing as an aid to enforcement. The strategy contains commitments to work within the legal framework.

75. The seminars with other departments focussed on the interactions between users (migrants) and service providers (government and intermediaries) to get a more refined understanding of:

— the type of interactions required to deliver the desired outcome

— the motivations and capacities that would shape those interactions

— the levers that exist to influence those motivations and capacities.

76. Engagement with a number of key stakeholders included the Association of Chief Police Officers, the Audit Commission, and the Confederation of British Industry, to test emerging analysis and proposals. A consultation event was held with a wider range of stakeholders to explore ideas.

77. To ensure that the strategy was grounded in analysis of the evidence, information was analysed from the following sources:

— operational data held by the Border and Immigration Agency

— relevant operational data held by other departments and agencies

— Home Office research

— wider academic research

— international experience using the FCO network.

POINTS BASED SYSTEM

78. The Border and Immigration Agency operates three taskforces which meet industry stakeholders from three key areas: General Employers, the Arts & Entertainment industry and members of the Education community. The representatives actively engage with the Agency to contribute to policy decisions and the implementation process. Engagement with other key stakeholders is equally maintained and includes the Immigration Law Practitioners Association, CBI and TUC.

79. Implementation of the Points Based System for Managed Migration followed an extensive public consultation exercise and the publication, in March 2006, of a Command Paper "A Points-Based System: Making Migration work for Britain". A key learning point for the transitional and implementation arrangements was issuing a Statement of Intent for each element of the system prior to launch; this will inform external stakeholders and the public and allow for an opportunity to raise potential problems. Ensuring consistency with human rights and data protection legislation are key considerations, likewise early engagement is made with the Department for Business, Enterprise and Regulatory Reform to ensure international commitments are not compromised.

July 2007