ICO evidence raises Freedoms Bill data worries

Where are the weak spots?

The Information Commissioner (ICO) has just published a critique of the Home Office’s Freedoms Bill, which is being sold to the public as reining in New Labour’s surveillance state.

Although there is general applause for the fact that the Government has recognised that there has been excessive intrusion into privacy, the ICO’s analysis points to a number of serious deficiencies.

I report most of these difficulties mainly in the Commissioner’s own words; they need little in the way of further explanation.

The Information Commissioner notes that the Freedoms Bill creates two further Commissioners in relation to CCTV and DNA with the result that “there is potential for confusion between some of the provisions of this Bill and legislation within the Information Commissioner’s regulatory competence”. This is because “there is potential for overlap between the roles and functions of the Information Commissioner and others set out in the Bill”.

The ICO adds: “On other points, there is a lack of detail and potential for confusion over the substance of the Bill itself”, noting wryly that “some of these provisions may have benefited from more detailed consultation with the Information Commissioner during their development to ensure greater clarity from the outset”.

Not consulting with the ICO when planning new legislation (e.g. over ID Cards, data retention) was standard Home Office practice in the New Labour era. Nothing new here then!

The DNA changes

The Commissioner “is concerned that although there is provision to delete fingerprints and DNA profiles there does not appear to be a provision to delete the allied biographical information, as in the arrest record, contained on either Police National Computer (PNC) or Police National Database (PND)”.

This is because “the very existence of a PNC identity record created as a result of a biometric sample being taken on arrest could prejudice the interests of the individual to whom it relates by creating inaccurate assumptions about his or her criminal past when that record is accessed”.

“The Information Commissioner believes that there is no justification for the police to continue to retain a PNC identity record which is linked to other biometric records that the police are required to delete having served their purpose”.

The Commissioner is also concerned “that there is no facility available for individuals to request deletion of their DNA and fingerprints”.

In relation to the National DNA Database Strategy Board that governs the use of DNA, the ICO notes that “there are other interests (to be) reflected in the composition of the Board rather than just comprising of representatives of the law enforcement community”. This is a stark warning that DNA governance could well be dictated by the needs of the law-enforcement community under the supervision of the Home Office.

All I add is a simple comment: “Well this is exactly what one would expect the Home Office to do!”

The CCTV changes

In relation to the regulation of CCTV and other surveillance camera technology, the Information Commissioner “is keen to ensure the provisions of the code are consistent with and complement existing data protection safeguards and do not lead to any confusion over what regulatory requirements apply in practice”.

The Information Commissioner is concerned that “only the police and local government will be obliged to follow the proposed (CCTV statutory) code, at least initially. This could cause problems in practice given the many partnership arrangements between the public and private sectors for town centre monitoring” (i.e. these joint systems could be beyond the reach of the statutory Code).

He notes “There is also widespread use of CCTV and ANPR systems across all sectors including government agencies and increasing deployment of ANPR in the private sector such as with car park operation, where sometimes details of people’s vehicle movements are stored indefinitely and insufficient safeguards are in place regarding security, access and further use”.

He adds for good measure that “There is no mechanism in the Bill for direct enforcement of the code or for dealing with individual complaints about non compliance with the code”.

His general conclusion is “there is a risk that regulation becomes fragmentary, confusing and contradictory, especially if commissioners take different approaches”.

In summary, the ICO’s critique confirms much of what I said in my blog of 16/02/2011 (“Protection of Freedoms Bill promotes efficient CCTV surveillance not effective privacy”).

The criminal record changes

In relation to criminal conviction data used in vetting, the Commissioner is concerned about “the increased flow of personal data that will undoubtedly result from the provisions in this Bill” and that “increased data flows generally mean increased data protection risks”.

In particular the Commissioner states that “there does not appear to be any specific provisions to:

• filter to remove old and minor conviction information from criminal records checks;

• ensure penalties and sanctions for employers knowingly making unlawful criminal records checks are rigorously enforced; or

• to introduce basic level criminal record checks in England and Wales”.

In general, the Commissioner believes that “The onus should not be on the individual to disclose old or minor conviction information to a potential employer where it is irrelevant and excessive in relation to the job role”. He adds that “the introduction of basic disclosures would provide a more privacy friendly and proportionate way of providing prospective employers with unspent conviction information, or confirmation that there is no such information, with important safeguards in place”.

The “Basic Disclosure” (or more accurately, the disclosure of a “criminal conviction certificate”), which forms part of the Police Act 1997, is supposed to be the procedure by which organisations can look at an individual’s convictions that are unspent in terms of Rehabilitation of Offenders legislation. It is supposed to work by allowing an individual to obtain his own Certificate, which can then be shown to anybody with that individual’s consent.

After 13 years of trying, the Criminal Records Bureau has not been able to deliver the Basic Disclosure of criminal data to individuals. For all of this time, the operation of the Criminal Records Bureau was (and still is) a Home Office responsibility. No explanation has been given as to the difficulties of commencing a Basic Disclosure.

The Commissioner warns that if the Basic Disclosure is not implemented “the scaling back of the Vetting and Barring Scheme could lead to an increase in ‘enforced subject access’” where “bodies who will have been able to undertake criminal records checks may not be able to now and these bodies could potentially require the individual to make a subject access request to obtain that conviction information”.

I should add that many Embassies currently use Enforced Subject Access in their emigration or visa application processes. The Home Office is fully aware that the commencement of the offence the Commissioner wants could interfere with the practices now endemically employed by these Embassies. That is a major reason as to why it hasn’t happened.

The Commissioner concludes that “Without the introduction of sanctions to deal with enforced subject access the criminal record disclosure regime will continue to be undermined”. My own conclusion is not so generous: this undermining is precisely what the Home Office has tolerated since 1997.
