
ICO evidence raises Freedoms Bill data worries

Where are the weak spots?


The Information Commissioner (ICO) has just published a critique of the Home Office’s Freedoms Bill, which is being sold to the public as reining in New Labour’s surveillance state.

Although there is general applause for the fact that the Government has recognised that there has been excessive intrusion into privacy, the ICO’s analysis points to a number of serious deficiencies.

I report most of these difficulties mainly in the Commissioner’s own words; they need little in the way of further explanation.

The Information Commissioner notes that the Freedoms Bill creates two further Commissioners in relation to CCTV and DNA with the result that “there is potential for confusion between some of the provisions of this Bill and legislation within the Information Commissioner’s regulatory competence”. This is because “there is potential for overlap between the roles and functions of the Information Commissioner and others set out in the Bill”.

The ICO adds: “On other points, there is a lack of detail and potential for confusion over the substance of the Bill itself”, noting wryly that “some of these provisions may have benefited from more detailed consultation with the Information Commissioner during their development to ensure greater clarity from the outset”.

Not consulting with the ICO when planning new legislation (e.g. over ID Cards, data retention) was standard Home Office practice in the New Labour era. Nothing new here then!

The DNA changes

The Commissioner “is concerned that although there is provision to delete fingerprints and DNA profiles there does not appear to be a provision to delete the allied biographical information, as in the arrest record, contained on either Police National Computer (PNC) or Police National Database (PND)”.

This is because “the very existence of a PNC identity record created as a result of a biometric sample being taken on arrest could prejudice the interests of the individual to whom it relates by creating inaccurate assumptions about his or her criminal past when that record is accessed”.

“The Information Commissioner believes that there is no justification for the police to continue to retain a PNC identity record which is linked to other biometric records that the police are required to delete having served their purpose”.

The Commissioner is also concerned “that there is no facility available for individuals to request deletion of their DNA and fingerprints”.

In relation to the National DNA Database Strategy Board that governs the use of DNA, the ICO notes that “there are other interests (to be) reflected in the composition of the Board rather than just comprising of representatives of the law enforcement community”. This is a stark warning that DNA governance could well be dictated by the needs of the law-enforcement community under the supervision of the Home Office.

All I add is a simple comment: “Well this is exactly what one would expect the Home Office to do!”

The CCTV changes

In relation to the regulation of CCTV and other surveillance camera technology, the Information Commissioner “is keen to ensure the provisions of the code are consistent with and complement existing data protection safeguards and do not lead to any confusion over what regulatory requirements apply in practice”.

The Information Commissioner is concerned that “only the police and local government will be obliged to follow the proposed (CCTV statutory) code, at least initially. This could cause problems in practice given the many partnership arrangements between the public and private sectors for town centre monitoring” (i.e. these joint systems could be beyond the reach of the statutory Code).

He notes “There is also widespread use of CCTV and ANPR systems across all sectors including government agencies and increasing deployment of ANPR in the private sector such as with car park operation, where sometimes details of people’s vehicle movements are stored indefinitely and insufficient safeguards are in place regarding security, access and further use”.

He adds for good measure that “There is no mechanism in the Bill for direct enforcement of the code or for dealing with individual complaints about non compliance with the code”.

His general conclusion is “there is a risk that regulation becomes fragmentary, confusing and contradictory, especially if commissioners take different approaches”.

In summary, the ICO’s critique confirms much of what I said in my blog of 16/02/2011 (“Protection of Freedoms Bill promotes efficient CCTV surveillance not effective privacy”).

The criminal record changes

In relation to criminal conviction data used in vetting, the Commissioner is concerned about “the increased flow of personal data that will undoubtedly result from the provisions in this Bill” and that “increased data flows generally mean increased data protection risks”.

In particular the Commissioner states that “there does not appear to be any specific provisions to:

• filter to remove old and minor conviction information from criminal records checks;

• ensure penalties and sanctions for employers knowingly making unlawful criminal records checks are rigorously enforced; or

• to introduce basic level criminal record checks in England and Wales”.

In general, the Commissioner believes that “The onus should not be on the individual to disclose old or minor conviction information to a potential employer where it is irrelevant and excessive in relation to the job role”. He adds that “the introduction of basic disclosures would provide a more privacy friendly and proportionate way of providing prospective employers with unspent conviction information, or confirmation that there is no such information, with important safeguards in place”.

The “Basic Disclosure” (or more accurately, the disclosure of a “criminal conviction certificate”) forms part of the Police Act 1997 and is supposed to be the procedure by which organisations can look at an individual’s convictions that are unspent in terms of Rehabilitation of Offenders legislation. It is supposed to work by allowing an individual to obtain his own Certificate, which can then be shown to anybody with that individual’s consent.

After 13 years of trying, the Criminal Records Bureau has not been able to deliver the Basic Disclosure of criminal data to individuals. For all of this time, the operation of the Criminal Records Bureau was (and still is) a Home Office responsibility. No explanation has been given as to the difficulties of commencing a Basic Disclosure.

The Commissioner warns that if the Basic Disclosure is not implemented “the scaling back of the Vetting and Barring Scheme could lead to an increase in ‘enforced subject access’” where “bodies who will have been able to undertake criminal records checks may not be able to now and these bodies could potentially require the individual to make a subject access request to obtain that conviction information”.

I should add that many Embassies currently use Enforced Subject Access in their emigration or visa application processes. The Home Office is fully aware that the commencement of the offence the Commissioner wants could interfere with the practices now endemically employed by these Embassies. That is a major reason as to why it hasn’t happened.

The Commissioner concludes that “Without the introduction of sanctions to deal with enforced subject access the criminal record disclosure regime will continue to be undermined”. My own conclusion is not so generous: this undermining is precisely what the Home Office has tolerated since 1997.
