Governments should have to justify privacy-affecting laws, says ICO

Out-Law News | 18 Nov 2010 | 1:33 pm | 3 min. read

Governments should be forced to report on the impact of laws which affect citizens' privacy after they have come into force, telling Parliament whether those laws have worked and what privacy rights have been infringed, the UK's privacy watchdog has said.

The Information Commissioner's Office (ICO) has told a Parliamentary committee that there should be formal post-legislative scrutiny to make sure that a Government's claims about the privacy impact of proposed laws are consistent with how the law is actually used.

The ICO's recommendation is one of a number contained in a report for Parliament's Home Affairs Select Committee on the state of surveillance in the UK.

"Legislation engaging significant privacy concerns should include on the face of it a requirement on the Government to report back to Parliament on how the measures have been deployed including evidence of the extent to which the expected benefits and possible risks have been realised in practice and the continued need for the measures in question," said the report (50-page / 501KB PDF).

The ICO said that though there were existing structures designed to scrutinise the operation of legislation, they may not work as effectively as privacy-specific reporting.

"Parliamentary Committees already play an invaluable role in holding the Government and others to account for the use of powers granted to them. However this process is inevitably inconsistent as Parliamentary committees struggle under the weight of business and the range of matters which they must address. The Commissioner proposes a more formal and consistent approach to ensuring post legislative scrutiny," the report said.

A 2008 Home Affairs Committee report, A Surveillance Society?, recommended that the ICO publish a report to Parliament on the state of surveillance. The ICO's latest report is a response to that request.

It said that even if there is increased scrutiny of privacy-affecting laws after they take effect, some should have clauses which limit their operation to a fixed period so that full Parliamentary review can take place.

"In certain cases consideration should be given to the inclusion of ‘sunset clauses’ which would cause legislation to lapse unless renewed on the basis of evidence of continuing value," it said.

The ICO also had advice for private organisations, which it said should take notice of privacy issues right from the start of the building of any service.

"The Commissioner recommends increased adoption of a ‘privacy by design’ approach through greater use of privacy impact assessments and adoption of privacy enhancing technologies across public and private sectors aimed at ensuring reductions in information risks [as well as] inclusion of robust privacy safeguards as the default setting when new on line services are offered to individuals," said the report.

“Many of the new laws that come into force every year in the UK have implications for privacy at their heart," said Information Commissioner Christopher Graham. "My concern is that after they are enacted there is no one looking back to see whether they are being used as intended, or whether the new powers were indeed justified in practice."

"One example of this is the use of covert CCTV surveillance by local councils to monitor parents in school catchment area disputes under powers designed to assist in crime prevention and detection," he said. "The report I’ve presented to Parliament today clearly makes the case for government departments to build post-legislative scrutiny into their work as a key way of ensuring the successful delivery of the new transparency and privacy agenda."

The ICO's report included the results of research into the state of surveillance since the watchdog last commissioned a report in 2006.

"There has been a better level of public, media and political debate since the previous report with surveillance becoming an election issue and being one of the first matters to be addressed by the incoming government," said the ICO's report. "However, there are still many areas where surveillance continues to intensify and expand. Technologies that used to be the subject of speculation have moved into mainstream use."

"The linking and sharing of data from different databases, development of facial recognition, the increased rollout of automatic number plate recognition (ANPR), private sector data gathering and analysis and increased information sharing are of particular note," it said. "In the longer term the continued development of ‘ubiquitous computing’, the deployment of sensing devices and the use of analytical tools to predict human behaviours will continue to challenge the existing regulatory repertoire and traditional assumptions."

"It concludes that important questions are whether current legal instruments on data protection and human rights at both domestic and European level are robust enough to limit surveillance and excessive collection of data and whether legal reform and better integration of the legal and other regulatory instruments will be the linchpin on which much else depends," said the ICO's report.