ICO evidence raises Freedoms Bill data worries
Where are the weak spots?
The Information Commissioner (ICO) has just published a critique of the Home Office’s Freedoms Bill, which is being sold to the public as reining in New Labour’s surveillance state.
Although there is general applause for the fact that the Government has recognised that there has been excessive intrusion into privacy, the ICO’s analysis points to a number of serious deficiencies.
I report most of these difficulties mainly in the Commissioner’s own words; they need little in the way of further explanation.
The Information Commissioner notes that the Freedoms Bill creates two further Commissioners in relation to CCTV and DNA with the result that “there is potential for confusion between some the provisions of this Bill and legislation within the Information Commissioner’s regulatory competence”. This is because “there is potential for overlap between the roles and functions of the Information Commissioner and others set out in the in the Bill”.
The ICO adds: “On other points, there is a lack of detail and potential for confusion over the substance of the Bill itself”, noting wryly that “some of these provisions may have benefited from more detailed consultation with the Information Commissioner during their development to ensure greater clarity from the outset”.
Not consulting with the ICO when planning new legislation (e.g. over ID Cards, data retention) was standard Home Office practice in the New Labour era. Nothing new here then!
The DNA changes
The Commissioner “is concerned that although there is provision to delete fingerprints and DNA profiles there does not appear to be a provision to delete the allied biographical information, as in the arrest record, contained on either Police National Computer (PNC) or Police National Database (PND)”.
This is because “the very existence of a PNC identity record created as a result of a biometric sample being taken on arrest could prejudice the interests of the individual to whom it relates by creating inaccurate assumptions about his or her criminal past when that record is accessed”.
“The Information Commissioner believes that there is no justification for the police to continue to retain a PNC identity record which is linked to other biometric records that the police are required to delete having served their purpose”.
The Commissioner is also concerned “that there is no facility available for individuals to request deletion of their DNA and fingerprints”.
In relation to the National DNA Database Strategy Board that governs the use of DNA, the ICO notes that “there are other interests (to be) reflected in the composition of the Board rather than just comprising of representatives of the law enforcement community”. This is a stark warning that DNA governance could well be dictated by the needs of the law-enforcement community under the supervision of the Home Office.
All I add is a simple comment: “Well this is exactly what one would expect the Home Office to do!”
The CCTV changes
In relation to the regulation of CCTV and other surveillance camera technology, the Information Commissioner “is keen to ensure the provisions of the code are consistent with and complement existing data protection safeguards and do not lead to any confusion over what regulatory requirements apply in practice”.
The Information Commissioner is concerned that “only the police and local government will be obliged to follow the proposed (CCTV statutory) code, at least initially. This could cause problems in practice given the many partnership arrangements between the public and private sectors for town centre monitoring” (i.e. these joint systems could be beyond the reach of the statutory Code).
He notes “There is also widespread use of CCTV and ANPR systems across all sectors including government agencies and increasing deployment of ANPR in the private sector such as with car park operation, where sometimes details of people’s vehicle movements are stored indefinitely and insufficient safeguards are in place regarding security, access and further use”.
He adds for good measure that “There is no mechanism in the Bill for direct enforcement of the code or for dealing with individual complaints about non compliance with the code”.
His general conclusion is “there is a risk that regulation becomes fragmentary, confusing and contradictory, especially if commissioners take different approaches”.
In summary, the ICO’s critique confirms much of what I said in my blog of 16/02/2011 (“Protection of Freedoms Bill promotes efficient CCTV surveillance not effective privacy”).
The criminal record changes
In relation to criminal conviction data used in vetting, the Commissioner is concerned about “the increased flow of personal data that will undoubtedly result from the provisions in this Bill” and that “increased data flows generally mean increased data protection risks”.
In particular the Commissioner states that “there does not appear to be any specific provisions to:
• filter to remove old and minor conviction information from criminal records checks;
• ensure penalties and sanctions for employers knowingly making unlawful criminal records checks are rigorously enforced; or
• to introduce basic level criminal record checks in England and Wales”.
In general, the Commissioner believes that “The onus should not be on the individual to disclose old or minor conviction information to a potential employer where it is irrelevant and excessive in relation to the job role”. He adds that “the introduction of basic disclosures would provide a more privacy friendly and proportionate way of providing prospective employers with unspent conviction information, or confirmation that there is no such information, with important safeguards in place”.
The “Basic Disclosure” (or more accurately, the disclosure of a “criminal conviction certificate”) forms part of the Police Act 1997 is supposed to be the procedure where organisations can look at an individual’s convictions that are unspent in terms of Rehabilitation of Offenders legislation. It is supposed to work by allowing an individual to obtain his own Certificate which then can be shown to anybody via that individual’s consent.
After 13 years of trying, the Criminal Record Bureau has not been able to deliver the Basic Disclosure of criminal data to individuals. For all of this time, the operation of the Criminal Records Bureau was (and still is) a Home Office responsibility. No explanation has been given as to the difficulties of commencing a Basic Disclosure.
The Commission warns that if the Basic Disclosure is not implemented “the scaling back of the Vetting and Barring Scheme could lead to an increase in ‘enforced subject access’” where “bodies who will have been able to undertake criminal records checks may not be able to now and these bodies could potentially require the individual to make a subject access request to obtain that conviction information”.
I should add that many Embassies currently use Enforced Subject Access in their emigration or visa application processes. The Home Office is fully aware that the commencement of the offence the Commissioner wants could interfere with the practices now endemically employed by these Embassies. That is a major reason as to why it hasn’t happened.
The Commission concludes that “Without the introduction of sanctions to deal with enforced subject access the criminal record disclosure regime will continue to be undermined”. My own conclusion is not so generous: this undermining is precisely what the Home Office has tolerated since 1997.
Sponsored: DevOps and continuous delivery