Feeds

Freedoms Bill good for CCTV, not for privacy

Code of practice in surveillance leaves little to protect privacy

SANS - Survey on application security programs

The Protection of Freedoms Bill promotes efficient CCTV surveillance, but not effective privacy. The hype surrounding the CCTV/ANPR provisions in the Protection of Freedoms Bill is misplaced. In fact, I would argue the bill’s provision for a Statutory Code of Practice in the CCTV area represents little change on the privacy front, but a huge change in the potential for enhanced surveillance.

A statutory code of practice covering CCTV/ANPR is to be produced by the Home Secretary and regulated by a new “Surveillance Camera Commissioner”. The code’s application is limited to policing bodies and local authorities; it does not cover the CCTV systems that are installed by Government Departments, the Security Service, other public bodies, or used in large shops or shopping malls. If the measure was intended to limit CCTV surveillance, then one would expect that some of these missing areas would be covered in its provisions.

Also not covered in the code is the use of CCTV in the domestic circumstance; although I have to admit that this is a very difficult area to get right. However, having said what is not covered, I should point out that the Home Secretary is seeking powers that could extend the bodies that are subject to the code.

Conflicting codes

There is no penalty if the code is breached, although a breach of the code may be raised in any legal proceedings. There are no new individuals rights created – for instance, for the Surveillance Camera Commissioner to investigate complaints about the operation of the code.

So, if a Surveillance Camera Commissioner regulates the CCTV Statutory Code of Practice and the Information Commissioner presumably maintains his own voluntary CCTV Code of Practice, then local authorities and police have the pleasure of dealing with two codes. If these codes diverge, there will be confusion as to what set of rules take precedent. The bill does not set out a mechanism to resolve any conflict between these codes.

There is also a possibility of at least two regulators with apparently overlapping responsibilities; this does not seem to be a useful proposal if privacy protection is an objective. The Surveillance Commissioner could be a third regulator if CCTV is used in combination with covert directional microphones.

The bill’s current text ensures that conflict between the two codes is a distinct possibility. For example: the installation or positioning of cameras overlaps with the use, collection and relevance of personal data (first and third principles); access to and disclosure of images overlaps with subject access, security, and incompatible disclosure purposes (first, second, sixth and seventh principles); the system use by staff and management overlaps with organisational measures (seventh principle); and the transparency arrangements overlap with the fair processing notice (first principle).

There is no provision in the code with respect of retention of CCTV images, but retention provisions can be included in the code at any time (overlaps with the fifth principle; see the use of the word “include” in section 29(3) of the bill). Individuals could also complain to two commissioners about the same CCTV image; one commissioner has an obligation to do an assessment, the other doesn’t.

Although the consultation about the code’s content is supposed to avoid these areas of conflict, it is the secretary of state who has the last word. A Statutory Instrument brings the code into effect; this means that Parliament’s involvement in the code’s content is minimal.

Which code is likely to be more balanced in relation to "privacy versus surveillance"? The code produced by the home secretary (who has political responsibility for policing and a vested interest in the success of CCTV policy) or the one produced by the Information Commissioner? Let’s be honest, that was a loaded question – but the answer explains why the statutory code is unlikely to protect privacy.

This is because the person who is politically responsible for the interference is also identifying the protection from such interference. This is an impossible conflict of interest that cannot be resolved; it is a structural faultline in the system of privacy protection in the UK.

I have said this before: it is like having a Code of Practice regulated by Count Dracula, who sets standards as to how his brides should use bottles of blood from a transfusion centre.

To break ANY potential for conflict in this area is simple. The legislation could have easily have said something like: “Where a code makes a provision that relates to the processing of personal data, that provision must be approved by the Information Commissioner”. The bill doesn’t include such a simple provision – so what conclusion is one supposed to draw?

High performance access to file storage

More from The Register

next story
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.