UK Fails Data Protection Principles

May 31st, 2008 • Category: Lead Story, UK Liberties: Privacy

CCTVThe EU Human Rights Commissioner, Thomas Hammarberg, has written an interesting article in which he argues for strong data protection rules to prevent the emergence of a surveillance society. Some might say he’s too late, but his intervention is still welcome.

Hammarberg outlines seven basic principles he finds “particularly relevant”. I thought it would be interesting to informally compare them with the UK government’s position.

Principle 1: All processing of personal data for law enforcement and anti-terrorist purposes must be based on clear and specific binding and published legal rules
UK rules are binding and published, however the issue of “clear and specific” is problematic. The government increasingly enacts fuzzy laws that leave detail unclear and up to ministers to decide by regulation. For example some local councils have used the Regulation of Investigatory Powers Act (RIPA) to chase council tax dodgers. This was authorised by a regulatory change made after the Act had become law. It was definitely not a clear and specific intent on the face of the original Act which was sold to parliament as essential for the fight against terrorism and organised crime. As for ID Cards, the 2006 Identity Cards Act gives the Home Secretary sweeping non-specific powers to authorise who can see what information.
UK Result: FAIL

Principle 2: The collection of data on individuals solely on the basis of ethnic origin, religious conviction, sexual behaviour or political opinions or belonging to particular movements or organisations which are not proscribed by law should be prohibited
This is complex. Such targetted surveillance isn’t specifically authorised by UK law but isn’t specifically forbidden either. Hazel Blears infamously stated “some of our counter-terrorism powers will be disproportionately experienced by the Muslim community”. With ID Cards and the huge, intrusive National Identity Register (NIR) the government plans to circumvent this principle by collecting everything about everyone. Data mining could later be used to target particular groups.
UK Result: Needs to Improve

Principle 3: The collection of data on persons not suspected on involvement in a specific crime or not posing a threat must be subject of to a particularly strict “necessity” and “proportionality” test. The concerned individual should be provided with an effective legal remedy to challenge the information, its storage and use
Well RIPA blew this one out of the water, that’s why it’s known as a snoopers’ charter. And the NIR is about as far from this principle as can be imagined.
UK Result: FAIL

Principle 4: Access to police and secret service files should only be allowed on a case-by-case basis, for specified purposes and subject to judicial control
Well, the government gets round this principle by not making the RIPA and NIR “police and secret service files”. They’re Home Office files and hence not covered. Actual police and secret service files are restricted, but this hardly matters when so much important personal information is held outwith them
UK Result: Needs to Improve

Principle 5: There must be limits to the length of time for which once collected information can be retained
RIPA specifies minimum retention periods but no maximum. The NIR will hold information forever, even after death.
UK Result: FAIL

Principle 6: There must be strong safeguards established by law which ensure appropriate and effective supervision over the activities of the police and the secret services – also in the fight against terrorism. This supervision should be carried out by the judiciary and/or through parliamentary scrutiny
For now the UK passes this test. Over the last ten years the judiciary has ben one of the few restraining influences on the government.
UK Result: PASS

Principle 7: All personal data processing operations should be subject to close and effective supervision by independent and impartial data protection authorities. National authorities have an obligation to ensure that these standards are fully respected by the recipients before any personal data are shared with another country
The supervision of the proposed NIR will be via a special commissioner whose role is so limited as to be meaningless. As for international data sharing the UK has already signed up to an EU data sharing pact and has a long history of sharing “intelligence” data with the US.
UK Result: FAIL

So, of seven principles the UK fails four and passes only one. When Hammarberg comes to the UK stable door he’ll find the horse long gone.

Image copyright © Stefan Witas / iStockphoto

Share This:
  • Digg
  • del.icio.us
  • Facebook
  • Google
  • Live
  • Reddit
  • StumbleUpon
  • Technorati
  • YahooMyWeb

Related posts:
Police Want Compulsory Pub CCTV

2 Responses »

  1. Dave on June 1st, 2008 at 12:37 am:

    These are interesting articles (both his and yours).

    It seems to me that in some cases Hammarberg is phrasing his points to cover the targetted collection of information about specific individuals or groups of individuals, as opposed to data that is collected about everybody. As you say, if information about everyone is available, it can be used for many purposes. However, it seems to me that the UK passes point 2, because it doesn’t collect information about people’s religion, political opinions etc as a matter of course and therefore can’t mine the data over these attributes. (It does collect some of this data in the census but that isn’t integrated into, e.g. data about phone and internet traffic). It might be better if data mining on the grounds of these attributes was specifically outlawed (except for research); even so, I think the UK passes this point.

    On the RIPA, I am convinced you are wrong when you say “RIPA blew that out of the water”. I am fairly certain that the police and security services were already using records of phone calls in their investigations long before this act was enacted. The government claimed that RIPA regularised this situation and that has some credence. Of course, if you disagree with the principle, the fact that this practice was already established won’t make you feel any better;-). The main problem with RIPA seems to be the wide range of bodies and people that are allowed access to this data. (I’m also not sure how much this access is audited). So I think that Hammarberg’s principles4 and 5 need to be combined; if data is to be collected, the proportionality depends in part on who has access to that data and when. It may be reasonable to store data on phone calls and e-mails for a year, provided that it can only be accessed by limited parties (e.g. the police) in particular circumstances (e.g. a person is already a suspect in a crime). My own analysis of point 3 would be that the UK fails, not because of RIPA (which I would give a “Needs to improve), but because of the national DNA database.

    Principle 5 is a good point.

    On principle 7, the request by the information commissioner for investigative powers seems highly relevant here., within the UK. Regarding the EU data sharing convention, presumably the countries of the EU have some faith in each others’ ability to protect personal data? A

  2. trevor on June 1st, 2008 at 3:16 pm:

    Regarding point 2 the problem is the NIR audit trail. If ID Cards become as ubiquitous as the government hopes then it wil contain a huge amount of information about our movements and behaviour, from which it will be possible to make deductions. A trivial example would be someone who makes frequent purchases from Gay Muslims R Us. With the amount of data the NIR audit trail will contain it will be possible for data mining techniques to spot far more subtle patterns than simple spending habits. Of course such profiling wouldn’t be infallible but that’s not exactly reassuring.

Leave a Reply