ICO evidence raises Freedoms Bill data worries

Where are the weak spots?

SANS - Survey on application security programs

The Information Commissioner (ICO) has just published a critique of the Home Office’s Freedoms Bill, which is being sold to the public as reining in New Labour’s surveillance state.

Although there is general applause for the fact that the Government has recognised that there has been excessive intrusion into privacy, the ICO’s analysis points to a number of serious deficiencies.

I report most of these difficulties mainly in the Commissioner’s own words; they need little in the way of further explanation.

The Information Commissioner notes that the Freedoms Bill creates two further Commissioners in relation to CCTV and DNA with the result that “there is potential for confusion between some the provisions of this Bill and legislation within the Information Commissioner’s regulatory competence”. This is because “there is potential for overlap between the roles and functions of the Information Commissioner and others set out in the in the Bill”.

The ICO adds: “On other points, there is a lack of detail and potential for confusion over the substance of the Bill itself”, noting wryly that “some of these provisions may have benefited from more detailed consultation with the Information Commissioner during their development to ensure greater clarity from the outset”.

Not consulting with the ICO when planning new legislation (e.g. over ID Cards, data retention) was standard Home Office practice in the New Labour era. Nothing new here then!

The DNA changes

The Commissioner “is concerned that although there is provision to delete fingerprints and DNA profiles there does not appear to be a provision to delete the allied biographical information, as in the arrest record, contained on either Police National Computer (PNC) or Police National Database (PND)”.

This is because “the very existence of a PNC identity record created as a result of a biometric sample being taken on arrest could prejudice the interests of the individual to whom it relates by creating inaccurate assumptions about his or her criminal past when that record is accessed”.

“The Information Commissioner believes that there is no justification for the police to continue to retain a PNC identity record which is linked to other biometric records that the police are required to delete having served their purpose”.

The Commissioner is also concerned “that there is no facility available for individuals to request deletion of their DNA and fingerprints”.

In relation to the National DNA Database Strategy Board that governs the use of DNA, the ICO notes that “there are other interests (to be) reflected in the composition of the Board rather than just comprising of representatives of the law enforcement community”. This is a stark warning that DNA governance could well be dictated by the needs of the law-enforcement community under the supervision of the Home Office.

All I add is a simple comment: “Well this is exactly what one would expect the Home Office to do!”

The CCTV changes

In relation to the regulation of CCTV and other surveillance camera technology, the Information Commissioner “is keen to ensure the provisions of the code are consistent with and complement existing data protection safeguards and do not lead to any confusion over what regulatory requirements apply in practice”.

The Information Commissioner is concerned that “only the police and local government will be obliged to follow the proposed (CCTV statutory) code, at least initially. This could cause problems in practice given the many partnership arrangements between the public and private sectors for town centre monitoring” (i.e. these joint systems could be beyond the reach of the statutory Code).

He notes “There is also widespread use of CCTV and ANPR systems across all sectors including government agencies and increasing deployment of ANPR in the private sector such as with car park operation, where sometimes details of people’s vehicle movements are stored indefinitely and insufficient safeguards are in place regarding security, access and further use”.

He adds for good measure that “There is no mechanism in the Bill for direct enforcement of the code or for dealing with individual complaints about non compliance with the code”.

His general conclusion is “there is a risk that regulation becomes fragmentary, confusing and contradictory, especially if commissioners take different approaches”.

In summary, the ICO’s critique confirms much of what I said in my blog of 16/02/2011 (“Protection of Freedoms Bill promotes efficient CCTV surveillance not effective privacy”).

The criminal record changes

In relation to criminal conviction data used in vetting, the Commissioner is concerned about “the increased flow of personal data that will undoubtedly result from the provisions in this Bill” and that “increased data flows generally mean increased data protection risks”.

In particular the Commissioner states that “there does not appear to be any specific provisions to:

• filter to remove old and minor conviction information from criminal records checks;

• ensure penalties and sanctions for employers knowingly making unlawful criminal records checks are rigorously enforced; or

• to introduce basic level criminal record checks in England and Wales”.

In general, the Commissioner believes that “The onus should not be on the individual to disclose old or minor conviction information to a potential employer where it is irrelevant and excessive in relation to the job role”. He adds that “the introduction of basic disclosures would provide a more privacy friendly and proportionate way of providing prospective employers with unspent conviction information, or confirmation that there is no such information, with important safeguards in place”.

The “Basic Disclosure” (or more accurately, the disclosure of a “criminal conviction certificate”) forms part of the Police Act 1997 is supposed to be the procedure where organisations can look at an individual’s convictions that are unspent in terms of Rehabilitation of Offenders legislation. It is supposed to work by allowing an individual to obtain his own Certificate which then can be shown to anybody via that individual’s consent.

After 13 years of trying, the Criminal Record Bureau has not been able to deliver the Basic Disclosure of criminal data to individuals. For all of this time, the operation of the Criminal Records Bureau was (and still is) a Home Office responsibility. No explanation has been given as to the difficulties of commencing a Basic Disclosure.

The Commission warns that if the Basic Disclosure is not implemented “the scaling back of the Vetting and Barring Scheme could lead to an increase in ‘enforced subject access’” where “bodies who will have been able to undertake criminal records checks may not be able to now and these bodies could potentially require the individual to make a subject access request to obtain that conviction information”.

I should add that many Embassies currently use Enforced Subject Access in their emigration or visa application processes. The Home Office is fully aware that the commencement of the offence the Commissioner wants could interfere with the practices now endemically employed by these Embassies. That is a major reason as to why it hasn’t happened.

The Commission concludes that “Without the introduction of sanctions to deal with enforced subject access the criminal record disclosure regime will continue to be undermined”. My own conclusion is not so generous: this undermining is precisely what the Home Office has tolerated since 1997.

High performance access to file storage

More from The Register

next story
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
Whoever you vote for, Google gets in
Report uncovers giant octopus squid of lobbying influence
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
prev story


Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.