ICO evidence raises Freedoms Bill data worries
Where are the weak spots?
The Information Commissioner (ICO) has just published a critique of the Home Office’s Freedoms Bill, which is being sold to the public as reining in New Labour’s surveillance state.
Although there is general applause for the fact that the Government has recognised that there has been excessive intrusion into privacy, the ICO’s analysis points to a number of serious deficiencies.
I report most of these difficulties mainly in the Commissioner’s own words; they need little in the way of further explanation.
The Information Commissioner notes that the Freedoms Bill creates two further Commissioners in relation to CCTV and DNA with the result that “there is potential for confusion between some the provisions of this Bill and legislation within the Information Commissioner’s regulatory competence”. This is because “there is potential for overlap between the roles and functions of the Information Commissioner and others set out in the in the Bill”.
The ICO adds: “On other points, there is a lack of detail and potential for confusion over the substance of the Bill itself”, noting wryly that “some of these provisions may have benefited from more detailed consultation with the Information Commissioner during their development to ensure greater clarity from the outset”.
Not consulting with the ICO when planning new legislation (e.g. over ID Cards, data retention) was standard Home Office practice in the New Labour era. Nothing new here then!
The DNA changes
The Commissioner “is concerned that although there is provision to delete fingerprints and DNA profiles there does not appear to be a provision to delete the allied biographical information, as in the arrest record, contained on either Police National Computer (PNC) or Police National Database (PND)”.
This is because “the very existence of a PNC identity record created as a result of a biometric sample being taken on arrest could prejudice the interests of the individual to whom it relates by creating inaccurate assumptions about his or her criminal past when that record is accessed”.
“The Information Commissioner believes that there is no justification for the police to continue to retain a PNC identity record which is linked to other biometric records that the police are required to delete having served their purpose”.
The Commissioner is also concerned “that there is no facility available for individuals to request deletion of their DNA and fingerprints”.
In relation to the National DNA Database Strategy Board that governs the use of DNA, the ICO notes that “there are other interests (to be) reflected in the composition of the Board rather than just comprising of representatives of the law enforcement community”. This is a stark warning that DNA governance could well be dictated by the needs of the law-enforcement community under the supervision of the Home Office.
All I add is a simple comment: “Well this is exactly what one would expect the Home Office to do!”
The CCTV changes
In relation to the regulation of CCTV and other surveillance camera technology, the Information Commissioner “is keen to ensure the provisions of the code are consistent with and complement existing data protection safeguards and do not lead to any confusion over what regulatory requirements apply in practice”.
The Information Commissioner is concerned that “only the police and local government will be obliged to follow the proposed (CCTV statutory) code, at least initially. This could cause problems in practice given the many partnership arrangements between the public and private sectors for town centre monitoring” (i.e. these joint systems could be beyond the reach of the statutory Code).
He notes “There is also widespread use of CCTV and ANPR systems across all sectors including government agencies and increasing deployment of ANPR in the private sector such as with car park operation, where sometimes details of people’s vehicle movements are stored indefinitely and insufficient safeguards are in place regarding security, access and further use”.
He adds for good measure that “There is no mechanism in the Bill for direct enforcement of the code or for dealing with individual complaints about non compliance with the code”.
His general conclusion is “there is a risk that regulation becomes fragmentary, confusing and contradictory, especially if commissioners take different approaches”.
In summary, the ICO’s critique confirms much of what I said in my blog of 16/02/2011 (“Protection of Freedoms Bill promotes efficient CCTV surveillance not effective privacy”).
The criminal record changes
In relation to criminal conviction data used in vetting, the Commissioner is concerned about “the increased flow of personal data that will undoubtedly result from the provisions in this Bill” and that “increased data flows generally mean increased data protection risks”.
In particular the Commissioner states that “there does not appear to be any specific provisions to:
• filter to remove old and minor conviction information from criminal records checks;
• ensure penalties and sanctions for employers knowingly making unlawful criminal records checks are rigorously enforced; or
• to introduce basic level criminal record checks in England and Wales”.
In general, the Commissioner believes that “The onus should not be on the individual to disclose old or minor conviction information to a potential employer where it is irrelevant and excessive in relation to the job role”. He adds that “the introduction of basic disclosures would provide a more privacy friendly and proportionate way of providing prospective employers with unspent conviction information, or confirmation that there is no such information, with important safeguards in place”.
The “Basic Disclosure” (or more accurately, the disclosure of a “criminal conviction certificate”) forms part of the Police Act 1997 is supposed to be the procedure where organisations can look at an individual’s convictions that are unspent in terms of Rehabilitation of Offenders legislation. It is supposed to work by allowing an individual to obtain his own Certificate which then can be shown to anybody via that individual’s consent.
After 13 years of trying, the Criminal Record Bureau has not been able to deliver the Basic Disclosure of criminal data to individuals. For all of this time, the operation of the Criminal Records Bureau was (and still is) a Home Office responsibility. No explanation has been given as to the difficulties of commencing a Basic Disclosure.
The Commission warns that if the Basic Disclosure is not implemented “the scaling back of the Vetting and Barring Scheme could lead to an increase in ‘enforced subject access’” where “bodies who will have been able to undertake criminal records checks may not be able to now and these bodies could potentially require the individual to make a subject access request to obtain that conviction information”.
I should add that many Embassies currently use Enforced Subject Access in their emigration or visa application processes. The Home Office is fully aware that the commencement of the offence the Commissioner wants could interfere with the practices now endemically employed by these Embassies. That is a major reason as to why it hasn’t happened.
The Commission concludes that “Without the introduction of sanctions to deal with enforced subject access the criminal record disclosure regime will continue to be undermined”. My own conclusion is not so generous: this undermining is precisely what the Home Office has tolerated since 1997.
Offences related to homosexuality
The Commissioner is also concerned about the “disregarding of certain convictions for buggery” where criminal offences relating to homosexuality are to be “deleted” (don’t cheer – read what follows!).
The reason for the absence of any cheering is that the ICO complains about the Alice in Wonderland use of the word “delete”, where this word is used to mean the precise opposite. In this case a definition of “delete” which actually means “retain”.
The Commission notes that “delete” is defined in the Bill as “recording the fact the conviction or caution is disregarded and the effect of it being such a conviction or caution”. Note that the chief police officer thus does not “delete” these sensitive personal data, but rather he retains the details of all these convictions and cautions but “disregards” them as if they did not exist.
So when the Secretary of State claims that “these personal data should be deleted”, what in practice happens is that these data are retained on police records. This is classic Home Office drafting – worthy of a literary prize in my view.
The Commissioner then adds that despite the bizarre definition of deletion, “all of these convictions or cautions should be disregarded automatically rather than relying on the person who was convicted, or cautioned, to make an application to the Secretary of State”.
To do otherwise would mean “Police Forces should not be holding irrelevant or excessive personal data about individuals” and “If information relating to these offences is no longer relevant it should not be retained”. In other words, the current provisions would legitimise what in normal terms would be a breach of two Data Protection Principles (Third and Fifth).
The change to the ICO’s data protection function
Finally the Commissioner is concerned the term of his appointment is reduced to one of five years whilst “all the previous post-holders have had their initial five year terms extended to varying degrees and this has helped ensure continuity in the work of the Information Commissioner’s Office”.
I agree with this position. A five year term for a Commissioner means that by the time a new Commissioner gets into the job properly and begins to develop some long-term approach to information rights regulation, his term of office would be half way through and he would be a lame duck.
I am very confident that if certain public authorities (no names but one of them begins with “H”) do not like what one Commissioner was doing, they could easily delay matters so that the issue would become the responsibility of a new Commissioner, possibly one “more understanding”. That is why the Commissioner recommends the Canadian approach where “the federal commissioner is appointed for a seven year term”.
Although New Labour’s surveillance state is being reduced, all is not what it seems. In my view, the Commissioner’s analysis demonstrates the fundamental contradiction that arises when the Government Department responsible for the expansion of that surveillance state is tasked with designing safeguards to produce a restricted version.
In summary, the Home Office prime function is to give the law enforcement agencies what they need; it’s function is not to protect the privacy of individuals. And that is why this Bill shows all the defects the Commissioner has identified.
This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.