Setting the surveillance scene
It is without doubt that the perpetrators of the failed terrorist attacks in July were traced by using personal data stored on surveillance systems – most notably from data stored on CCTV, Automated Number Plate Recognition systems and from communications data stored by the telephone companies. This success will only deepen the resolve of all Western governments to retain these kinds of personal data for longer periods, and it is my view that the vast majority of individuals have no problem with this. We all want to help the authorities capture terrorists.
However, mass retention of personal data combined with wide-ranging legal powers has its dangers. This mix will inevitably facilitate function creep beyond the "find the terrorist" purpose because a valid reason can always be found for processing personal data for different purposes. Since mass surveillance systems cost millions of pounds, such reasons will also arise from the need to obtain value for money.
Function creep is very easy for Government to justify. For example, what is the justification to limit access to surveillance data only for anti-terrorism purposes? Why should serious crimes that are not terrorist related – a brutal murder or rape, for instance – be excluded? If other serious crime becomes an acceptable reason for using these retained data, why not all violent crime? After all, surely we want to find the perpetrator who attacked and mugged a pensioner and stole the £10 in her purse?
And if the authorities use these retained data for a £10 theft, why not use access to the personal data to trace a £400 Council Tax arrears, or an £80 fine for dropping litter? Then, if the retained data are used in tracing £100 of debt, why not use the personal data to improve efficiency of service delivery and save £100? It is this kind of reasoning which explains why function creep is inevitable and why the Government chose, contrary to all its public consultation documents and without Parliamentary debate on the subject, to allow the ID Card database to be used for a general administration purpose by all public authorities.
Mass data retention also facilitates new forms of surveillance and the emergence of new data mining or profiling techniques – mainly because it is known that the personal data exist and have been retained. For example, the fact that the DNA database covers about 5% of the population has resulted in techniques to use the retained DNA to identify individuals whose DNA can be linked to the DNA data on the database.
In future, the linking of retained personal data associated with surveillance databases will give the authorities a picture of where you live and work, where you drive, who you call, where you spend your money, and what public and private services you use. In fact, all the authorities need to do is link divergent databases and develop a profile of every member of the population.
Ten trust standards to safeguard the individual
The legislation that Government has enacted to facilitate data retention, surveillance and its subsequent sharing has the effect of negating much of the protection afforded by the eight Data Protection Principles. For example, if legislation states that certain items of personal data can be retained for purpose X, for Y years, and disclosed to anybody for purpose Z, then it is going to be very difficult to argue that for these purposes and items of personal data, the First Principle (process data fairly and lawfully), Second Principle (obtain data only for specified and lawful purposes), Third Principle (avoid using excessive data) and Fifth Principle (don't keep data longer than necessary) have been breached. As the disclosure for purpose Z is likely to be also subject to the exemption from the non-disclosure provisions, the Fourth (keep data accurate and up to date) and parts of the Sixth Principle (the rights of the data subject to object to disclosure) are also negated with respect to any disclosure. As any transfer, for example to the USA, is likely to be in the "substantial public interest", then the Eighth Principle (don't transfer data to a country with inadequate data protection) is also negated. In summary, Principle Seven (keep the data secure) is the last man standing.
It is my belief that additional safeguards are needed and these safeguards have to meet ten "standards of trust". These will demonstrate to the public that their privacy interests are safeguarded and that they can trust the complete process, from law-making to dealing with law-breaking.
The standards are:
- Any processing / surveillance / interference is limited to lawful purposes that have been fully scrutinised by a Parliament that can obtain all the necessary information to deliver effective scrutiny.
- There are constraints that ensure that widely-drafted powers or laws are not used by a future Government to legitimise function creep without detailed scrutiny by Parliament.
- Procedures which authorise processing / surveillance / interference are followed scrupulously.
- Procedures which authorise processing / surveillance / interference are separate from procedures related to the processing / surveillance / interference itself.
- A complete record of the processing / surveillance / interference and its authorisation is retained to ensure transparency and accountability to the system of supervision.
- Staff involved in the processing / surveillance / interference activity are fully trained to follow the rules.
- Any malfeasance can be identified and individuals concerned suitably punished.
- The system of supervision is independent of Government, well financed, and has effective powers of investigation and can delve into operational matters.
- The regulator in charge of the supervision reports to Parliament and can refer matters to Parliament and determines the degree of transparency that is required.
- Individuals should obtain the right to information privacy and full compensation for aggrieved individuals when things have clearly gone awry with the processing / surveillance / interference activity.
These 10 trust standards have to be met in a transparent way that can publicly demonstrate that safeguards are in place; mere reliance on data protection and human rights law is insufficient. Meeting these standards in turn requires changes to Parliamentary procedure, to the Commissioner's powers and to the individual's level of protection. These additional safeguards are outlined below.
Safeguards involving Parliamentary procedure
Parliament has traditionally balanced the public interest by scrutinising the executive. To assist this:
- Parliament should have a mechanism which allows it to demand any information that relates to the processing of personal data / surveillance / interference. For example, publication of details or legal advice that explains: why there is no breach of Article 8 of the Human Rights Act which guarantees the right to respect for private and family life; and why the European Commission considers the UK's Data Protection Act to be defective – and why the UK Government says it is not.
- Parliament should become involved in the details of the processing of personal data / surveillance / interference when matters are referred to it. For example, there are several Codes of Practice (or parts of Codes) that concern these issues that the Secretary of State currently lays before Parliament. These could be subject to consultation with a Commissioner. If consultation results in agreement the Code can come into effect without Parliamentary involvement. If agreement is not forthcoming, Parliament should have to approve the Secretary of State's Code by positive affirmation. This means that Parliament can explore the reasons for the disagreement.
- Parliament should separate privacy and security responsibilities. All warrants that concern surveillance or interference, currently signed by a Secretary of State, should seek judicial approval. This step would automatically separate the power to authorise interference from the mechanisms that protect an individual from unnecessary interference.
- Parliament should permit a Select Committee to take privacy under its remit. Currently such issues have only been discussed in the narrow context of a Committee's specialist remit (e.g. child protection and privacy, science and privacy in relation to the DNA database; Home Affairs and privacy, etc) with the result that the big picture of how all Government initiatives impact on privacy has yet to be reviewed.
- Select Committees of Parliament should allow, if they decide, experts in the field to ask questions. In cases which relate to the scrutiny of public policy towards privacy, often the devil is in the complex detail of how surveillance occurs and not on the broad principle of whether surveillance should occur.
- Parliament should insist that the various Commissioners who have a role to ensure that any processing of personal data / surveillance / interference is proportionate should report to Parliament and not to the Government Minister that is responsible for the interference. The Commissioners should also be able to employ security cleared experts to investigate operational matters where this is needed and a single Commissioner should deal with all national security issues.
Safeguards involving the powers of a Commissioner
- A Commissioner should be able to insert into any relevant Code of Practice that relates to an activity concerning the processing of personal data or surveillance or interference:
a) any procedure that establishes proportionality before any activity is commenced;
b) the criteria that measure the success of the activity; the compilation of records that show that the activity was properly authorised including the statistical data which can be used to demonstrate transparency or that the interference was justifiable in terms of outcomes from performing the activity; or
c) require a Privacy Impact Assessment or audit or both to be undertaken.
- A Commissioner should be able to test Article 8 in the Courts (e.g. he could be provided an "Article 8 (Incompatibility) Notice" which can test whether a particular Statutory Instrument or primary legislation is compatible with Article 8 of the Human Rights Act).
- A Commissioner should have effective powers of investigation, intervention, audit and prosecution that can extend into operational matters.
- A Commissioner should have the duty to ask for changes to Codes of Practice or Ministerial powers that, in his view, would rectify a pressing privacy problem. Such a mechanism could provide, in cases where the Minister disputed the Commissioner's view, for Parliament to refresh its approval of Ministerial powers or Code of Practice by an affirmative Statutory Instrument procedure.
Safeguards improving the individual's level of protection
- Individuals should be granted a right to privacy of personal data, via the Sixth Data Protection Principle, which can be enforced by the Information Commissioner.
- Individuals should be informed when their personal data have been lost by an organisation in circumstances where the data could be used for ID theft. This obligation could arise by the introduction of a variety of USA security breach legislation where individuals are informed when unencrypted personal data are lost. Alternatively the legislation could specify that when a certain kind of security breach arises, the organisation has to notify the Commissioner of a security breach, and then the Commissioner decides whether individuals should be notified that their personal data have been compromised.
- Individuals should have a much simpler right to object to the processing of personal data in appropriate circumstances.
Dr Chris Pounder is the editor of the Pinsent Masons publication Data Protection Quarterly and runs data protection training for organisations across the UK. In June 2006 he gave oral evidence to the Home Affairs Select Committee on the 'Surveillance Society'.