House of Lords Constitution Committee 2008-2009 session - Second Report: Surveillance: Citizens and the State
This report is important, bur we fear that the usual Labour Government combination of technological fantasist ignorance, together with their "nanny police state knows best" political arrogance and media spin, will try to cherry pick it, and will ignore its most important recommendations.
There is a good summary of this report published by the Open Rights Group:
The Constitution Committee recommends
* Encryption of personal data should be mandatory in some circumstances
* Fines on data controllers for deliberately or recklessly breaching the data protection principles
* Remove people who are not convicted from the National DNA Database
* Tidy up the Regulation of Investigatory Powers Act
* Oversight for surveillance carried out by public authorities
* Changes in organisational cultures, leadership, accountability, transparency, training and awareness
* Appropriate use of encryption throughout the public and private sectors
* An independent review of the proclaimed but largely unproven benefits of CCTV
The two areas missing from the report are comments on the government's current plans for a new national database containing the electronic communications data of the entire population and the powers for unrestrained information sharing granted in Clause 152 of the Coroners and Justice Bill, currently being debated in Commons Committee.
What happens next? The Government will provide a written response to the report within the next two months. After that, a debate will be scheduled in the House. The more pressure we can bring to bear on Government, the better. The subject of the report is enormously important. Privacy is essential to a free society. Without it, the state is all-powerful.
The NO2ID Campaign press release One piece missing from Lords surveillance report sums up our reaction:
Phil Booth, NO2ID's National Coordinator said:
`The report screams - Stop! Stop unwarranted surveillance. Stop abusing, misusing and losing citizens' information. Stop building the database state.
`But the government has just stamped on the accelerator. It is not listening.'
452. We regard privacy and the application of executive and legislative restraint to the use of surveillance and data collection powers as necessary conditions for the exercise of individual freedom and liberty. Privacy and executive and legislative restraint should be taken into account at all times by the executive, government agencies, and public bodies. (paragraph 144)
Recommendations relating to the commissioners
453. Before introducing any new surveillance measure, the Government should endeavour to establish its likely effect on public trust and the consequences for public compliance. This task could be undertaken by an independent review body or non-governmental organisation, possibly in conjunction with the Information Commissioner's Office. (paragraph 110)
454. The Government should consider expanding the remit of the Information Commissioner to include responsibility for monitoring the effects of government and private surveillance practices on the rights of the public at large under Article 8 of the European Convention on Human Rights. (paragraph 137)
455. We regret that the Government have often failed to consult the Information Commissioner at an early stage of policy development with privacy implications. We recommend that the Government instruct departments to consult the Information Commissioner at the earliest stages of policy development and that the Government should set out in the explanatory notes to bills how and when they consulted the Information Commissioner, and with what result. (paragraph 231)
456. We welcome the Government's decision to provide a statutory basis for the Information Commissioner to carry out inspections without consent of public sector organisations which process personal information systems, but regret the decision not to legislate for a comparable power with respect to private sector organisations. We recommend that the Government reconsider this matter. Organisations which refuse to allow the Commissioner to carry out inspections are likely to be those with something to hide. In addition, the protection of citizens' data may in the absence of legislation be vitiated given the growing exchange of personal data between the public and private sectors. (paragraph 238)
457. We welcome the new powers for the Information Commissioner to levy fines on data controllers for deliberately or recklessly breaching the data protection principles, and we recommend that the Government bring these powers into force as soon as possible. The maximum level of penalties should mirror that available to comparable regulators, and should not be disproportionate. This must be subject to an appropriate appeals procedure. (paragraph 243)
The amount of money and resources which the Information Commissioner's Office operates on, supposedly to safeguard a huge section of then national economy and the private lives of all of the people in the UK, is far, far less than that of many much more limited quangos and government agencies e.g. the Health and Safety Executive or the Financial Services Authority.
Privacy and security and data protection ,is so fundamental to our 21st century lives, that there should really be a Cabinet level ministry, with the full resources of a Government department scrutinising the rest of Government and the private sector data users and abusers.
This should not simply be full of lawyers and jobsworths, but should include plenty of technologically literate people as well i.e. not the Ministry of Justice,
458. We recommend that the Chief Surveillance Commissioner and the Interception of Communications Commissioner should introduce more flexibility to their inspection regimes, so that they can promptly investigate cases where there is widespread concern that powers under the Regulation of Investigatory Powers Act 2000 have been used disproportionately or unnecessarily, and that they seek appropriate advice from the Information Commissioner. (paragraph 257)
459. We recommend that the Investigatory Powers Tribunal publicise its role, and make its existence and powers more widely known to the general public. (paragraph 259)
How can the RIPA Commissioners and the information Tribunal really give the public any assurance that the secret state is being run properly and ethically, when they themselves are so secretive and unapproachable ?
It is only people like the regular readers of Spy Blog who even know of their exiatance, let alone how to contact them to complain about something.
See our UK Commissioners list of contact details.
460. We recommend that the Government amend the provisions of the Data Protection Act 1998 so as to make it mandatory for government departments to produce an independent, publicly available, full and detailed Privacy Impact Assessment (PIA) prior to the adoption of any new surveillance, data collection or processing scheme, including new arrangements for data sharing. The Information Commissioner, or other independent authorities, should have a role in scrutinising and approving these PIAs. We also recommend that the Government--after public consultation--consider introducing a similar system for the private sector. (paragraph 307)
461. We believe that the Information Commissioner should have a greater role in advising Parliament in respect of surveillance and data issues. We therefore recommend that the Government should be required, by statute, to consult the Information Commissioner on bills or statutory instruments which involve surveillance or data processing powers. The Information Commissioner could then report any matters of concern to Parliament. (paragraph 370)
462. We recommend that the Government, in conjunction with the Information Commissioner, undertake a review of the law governing citizens' consent to use of their personal data. (paragraph 397)
463. We share the Information Commissioner's disappointment that the Government have not made a specific commitment to working with the Information Commissioner's Office to raise public awareness. We recommend that the Government reconsider this matter and commit to a plan of action agreed with the Information Commissioner. (paragraph 436)
Recommendations relating to the National DNA Database
464. We believe that DNA profiles should only be retained on the National DNA Database (NDNAD) where it can be shown that such retention is justified or deserved. We expect the Government to comply fully, and as soon as possible, with the judgment of the European Court of Human Rights in the case of S. and Marper v. the United Kingdom, and to ensure that the DNA profiles of people arrested for, or charged with, a recordable offence but not subsequently convicted are not retained on the NDNAD for an unlimited period of time. (paragraph 197)
465. Whilst a universal National DNA Database would be more logical than the current arrangements, we think that it would be undesirable both in principle on the grounds of civil liberties, and in practice on the grounds of cost. (paragraph 200)
466. We recommend that the law enforcement authorities should improve the transparency of consent procedures and forms in respect of the National DNA Database (NDNAD). We believe that the DNA profiles of volunteers should as a matter of law be removed from the NDNAD at the close of an inquiry unless the volunteer consents to its retention. (paragraph 208)
467. We are concerned that the National DNA Database (NDNAD) is not governed by a single statute. We recommend that the Government introduce a bill to replace the existing regulatory framework, providing an opportunity to reassess the rules on the length of time for which DNA profiles are retained, and to provide regulatory oversight of the NDNAD. (paragraph 212)
There is no excuse why innocent peopl's DNA tissue samples, DNA profiles and fingerprints should boy already have been removed from the national databases, following the European Court of Human Rights Marper judgment.
However,, so far, the Government has been dithering, again, and nothing has happened.
Do not be fooled by the protestations by Government Ministers in evidence to this Committee, that they do not intend a universal DNA satanase - that skirts over the technological fact that it is already possible to do speculative Familial DNA database trawling i.e. only one identifiable member of your family needs to be on the DNA database, for you and all the rest of your relatives to become criminal suspects or intelligence agency or political repression or genocide targets.
These same politicians would , hypocritically, react with horror, if you accused them of discriminating on the basis of Racial group on the colour of someone's skin, but they are happy to classify millions of innocent people by means of their much more specific DNA information.
Recommendations relating to CCTV
468. We recommend that the Home Office commission an independent appraisal of the existing research evidence on the effectiveness of CCTV in preventing, detecting and investigating crime. (paragraph 82)
469. We recommend that the Government should propose a statutory regime for the use of CCTV by both the public and private sectors, introduce codes of practice that are legally binding on all CCTV schemes and establish a system of complaints and remedies. This system should be overseen by the Office of Surveillance Commissioners in conjunction with the Information Commissioner's Office. (paragraph 219)
Spy Blog has been calling for a level playing field of nationally applicable, legally enforceable regulations covering CCTV camera surveillance systems, for over 10 years now.
Get on with it now !
Recommendations for legislation and the legislative process
470. We welcome the UK Computing Research Committee's suggestion that the encryption of personal data should be mandatory in some circumstances. Organisations should avoid connecting to the internet computers which contain large amounts of personal information. We recommend that the Government introduce appropriate regulations. (paragraph 117)
This needs to be backed up with criminal penalties, including prison sentences, for senior civil servants and company directors etc. who fail to ensure that their underlings always encrypt sensitive personal data in transit.
471. We recommend that the Government undertake a review of the administrative procedures set out in the Regulation of Investigatory Powers Act 2000 so as to resolve the contrasting views expressed by the Association of Chief Police Officers (ACPO) and the Office of Surveillance Commissioners about the effectiveness of the current legal framework and the system of authorisations. (paragraph 159)
472. We recommend that the Government consultation on proposed changes to the Regulation of Investigatory Powers Act 2000 should consider whether local authorities, rather than the police, are the appropriate bodies to exercise such powers. If it is concluded that they are the appropriate bodies, we believe that such powers should only be available for the investigation of serious criminal offences which would attract a custodial sentence of at least two years. We recommend that the Government take steps to ensure that these powers are only exercised where strictly necessary, and in an appropriate and proportionate manner. (paragraph 177)
Electronic surveillance (phone and email tapping) and Intrusive Surveillance (planting bugging devices, using informers or infiltrators or spies or double agents) powers under RIPA should be removed from Local Authorities and from non-police or intelligence agency Government Departments, who do not have the regular experience and training to deal with these situations professionally.
If a criminal investigation has become serious enough to trigger the RIPA test of proportionality i.e. "likely to leaf to a prison sentence of at least 3 years, for a first time offender if convicted", then the Police etc. should be the ones handling that aspect of, possibly , a joint investigation, not Local Authority trading standards or environmental health officers or even the tax inspectors at HMRC.
473. We are concerned that three different offices overseeing the operation of the Regulation of Investigatory Powers Act 2000 (RIPA) may result in inefficiencies and disjointed inspection. We recommend that the Government examine the feasibility of rationalising the inspection system and the activities of the three RIPA Commissioners. (paragraph 252)
474. We are concerned that primary legislation in the fields of surveillance and data processing all too often does not contain sufficient detail and specificity to allow Parliament to scrutinise the proposed measures effectively. We support the conclusion of the Joint Committee on Human Rights that the Government's powers should be set out in primary legislation, and we urge the Government to ensure that this happens in future. We will keep this matter under close review in the course of our bill scrutiny activities. (paragraph 357)
475. We urge the Government to give high priority to post-legislative scrutiny of key statutes involving surveillance and data processing powers, including those passed more than three years ago. The statutes should be considered as part of a whole, rather than in isolation. This post-legislative role could be carried out effectively by a new Joint Committee on surveillance and data powers. (paragraph 379)
Other specific actions for the Government
476. We recommend that the Government should instruct government agencies and private organisations involved in surveillance and data use on how the rights contained in Article 8 of the European Convention on Human Rights are to be implemented. The Government should provide clear and publicly available guidance as to the legal meanings of necessity and proportionality. We recommend that a complaints procedure be established by the Government and that, where appropriate, legal aid should be made available for Article 8 claims. (paragraph 134)
477. We recommend that the Government consider introducing a system of judicial oversight for surveillance carried out by public authorities, and that individuals who have been made the subject of surveillance be informed of that surveillance, when completed, where no investigation might be prejudiced as a result. We recommend that compensation should be available to those subject to unlawful surveillance by the police, intelligence services, or other public bodies acting under the powers conferred by the Regulation of Investigatory Powers Act 2000. (paragraph 163)
478. We recommend that the Government's development of identification systems should give priority to citizen-oriented considerations. (paragraph 268)
479. We agree with the recommendation of the Joint Committee on Human Rights that the role of data protection minister should be enhanced and its profile elevated, and are disappointed that the Government's response has not grasped the main point about the need for more effective central leadership. The Government should report to the House through this Committee on the feasibility of having Ministry of Justice (MoJ) lawyers working in other departments and reporting to the MoJ on departmental policies with data protection implications, and of certification of legislative compatibility with the Human Rights Act 1998. This should be in conjunction with the current system of certification of compatibility by the Minister in charge of each bill going through Parliament. (paragraph 290)
480. We support the recommendations made in the Thomas-Walport Data Sharing Review Report for changes in organisational cultures, leadership, accountability, transparency, training and awareness, and welcome the Government's acceptance of them. We urge the Government to report on their progress to Parliament. (paragraph 292)
481. We recommend that the Government devote more resources to the training of individuals exercising statutory surveillance powers under the Regulation of Investigatory Powers Act 2000, with a view to improving the standard of practice and respect for privacy. We recommend that the principles of necessity and proportionality are publicly described and that the application of these principles to surveillance should be consistent across government. (paragraph 323)
482. We believe that encryption has a vital role to play in ensuring the security of data, and that the Government should insist upon its use as appropriate throughout the public and private sectors. (paragraph 331)
483. In the interests of strengthening the protection of personal data, we urge the Government to make the Manual of Protective Security subject to regular and rigorous peer review. (paragraph 342)
484. In the light of the potential threat to public confidence and individual privacy, we recommend that the Government should improve the safeguards and restrictions placed on surveillance and data handling. (paragraph 345)
The penalties for individuals and organisations who breach these supposed safeguards, should be at least as severe, as the criminal penalties (prison and unlimited fines), for currency counterfeiting, for exactly the same reason.
Currency counterfeiters can never hope to devalue a currency to the extent that the issuing Government monetary policy can do, but it is vitally important that public trust and confidence in the system as a whole is not undermined by fake pound notes in circulation.
Exactly the same issue of public trust and confidence applies to securing secret or personal sensitive data, and the criminal penalties should be the same.
485. We recommend that the Government review their procurement processes so as to incorporate design solutions that include privacy-enhancing technologies in new or planned data gathering and processing systems. (paragraph 349)
486. We recommend that the Government bring together relevant research councils, polling organisations and government research and statistics bodies to examine ways of improving the independent gathering of public opinion on a range of issues related to surveillance and data processing. (paragraph 400)
487. We recommend that the Government and local authorities should help citizens to understand the privacy and other implications for themselves and for society that may result from the use of surveillance and data processing. Government should involve schools, learned and other societies, and voluntary organisations in public discussion of the risks and benefits of surveillance and data processing. (paragraph 427)
488. We recommend that the Government should undertake an analysis of public consultations and their effectiveness, and should explore opportunities for applying versions of the Citizens' Inquiry technique to surveillance and data processing initiatives involving databases. (paragraph 432)
489. We recommend that the Government improve the design of the Information Charter, and report regularly to Parliament on the measures taken to publicise the Charter and on their monitoring of the public response to it. (paragraph 440)
490. We support the Government's acceptance of the Council for Science and Technology's recommendations for public dialogue and engagement in terms that commit them to the further development of techniques, governance structures, and relationships both within government and with external bodies. We recommend that the Government report to Parliament on the formal requirements which they are placing on departments and agencies to ensure that this commitment extends to policies and practices involving surveillance and data processing. (paragraph 445)
491. We believe that the Government should involve non-governmental organisations in the development and implementation of surveillance and data processing policies with significant implications for the citizen. (paragraph 451)
Recommendations relating to Parliament
492. We welcome the Government's plans for better data handling. We recommend that the Government's report on progress on data handling and security be scrutinised by parliamentary committees. (paragraph 337)
493. We encourage the Merits of Statutory Instruments Committee to apply the tests of necessity and proportionality to all secondary legislation which extends surveillance and data processing powers, and to alert the House in the normal way where there are any doubts about the appropriateness of the instruments. (paragraph 365)
494. We recommend that a Joint Committee on the surveillance and data powers of the state be established, with the ability to draw upon outside research. Any legislation or proposed legislation which would expand surveillance or data processing powers should be scrutinised by this Committee. (paragraph 376)
Recommendation relating to all public and private sector organisations
495. As surveillance is potentially a threat to privacy, we recommend that before public or private sector organisations adopt any new surveillance or personal data processing system, they should first consider the likely effect on individual privacy. (paragraph 103)
Please feel free to comment on any of the Committee's recommendations below: