The House of Lords Constitution Committee report Surveillance: Citizens and the State is out today. The Open Rights Group gave evidence to the committee and we are pleased with many of their recommendations.
The report argues that privacy and the application of executive and legislative restraint to the use of surveillance and data collection powers are necessary conditions for the exercise of individual freedom and liberty. Those with nothing to hide can still have a great deal to fear. The report is a positive step forward and this post takes you through some of the recommendations we feel the government should follow. (Assuming you don't want to read all 130 pages of it yourself.)
The Constitution Committee recommends
The two areas missing from the report are comments on the government's current plans for a new national database containing the electronic communications data of the entire population and the powers for unrestrained information sharing granted in Clause 152 of the Coroners and Justice Bill, currently being debated in Commons Committee.
What happens next? The Government will provide a written response to the report within the next two months. After that, a debate will be scheduled in the House. The more pressure we can bring to bear on Government, the better. The subject of the report is enormously important. Privacy is essential to a free society. Without it, the state is all-powerful.
We welcome the UK Computing Research Committee's suggestion that the encryption of personal data should be mandatory in some circumstances. Organisations should avoid connecting to the internet computers which contain large amounts of personal information. We recommend that the Government introduce appropriate regulations.
Surveillance: Citizens and the State paragraph 117
We believe that encryption has a vital role to play in ensuring the security of data, and that the Government should insist upon its use as appropriate throughout the public and private sectors.
Surveillance: Citizens and the State paragraph 331
We have been keeping a log of dataloss incidents in the UK. In the vast majority of these incidents there is no mention of encryption. Very simple and cheap encryption would have greatly reduced the potential impact of these losses. However, in many cases there is no real need for the data to leave the building and when it comes to large databases with thousands of people approved to access them, the most likely causes of data loss are lax human systems or corruption. Unfortunately, in a few of the known incidents, although the data was encrypted the password was attached to the storage device or, as in the case of the Department of Work and Pensions, the encryption keys themselves were lost. However, while we would like to be very clear that encryption is by no means the total solution, it is a first step.
We welcome the new powers for the Information Commissioner to levy fines on data controllers for deliberately or recklessly breaching the data protection principles, and we recommend that the Government bring these powers into force as soon as possible. The maximum level of penalties should mirror that available to comparable regulators, and should not be disproportionate. This must be subject to an appropriate appeals procedure..
Surveillance: Citizens and the State paragraph 243
One reason why the Data Protection Act is not taken seriously in business, at Board level, is its lack of sanctions. Section 55A of the Data Protection Act introduced a new fine for data controllers who recklessly or repeatedly allow significant data breaches. Now, in this report, the Committee is recommending that the maximum fine be increased.
To date, prosecutions brought under the any part of section 55 have generally resulted in low penalties. Between November 2002 and January 2006, only two out of 22 cases ended with fines above £5,000. Other investigations led to frustrating outcomes, despite the harm caused to individuals and public confidence more generally. Since 2006 there have been two further successful prosecutions and a further individual cautioned, resulting in fines ranging between £3,300 and £4,200. This is small change to many businesses and does not present a significant deterrent, so we welcome the recommendation to increase maximum fines.
It is also worth reading our overview of the Data Sharing Review, commissioned by the Prime Minister last October to look at the use and sharing of personal information in the public and private sectors, which makes an almost identical recommendation.
We believe that DNA profiles should only be retained on the National DNA Database (NDNAD) where it can be shown that such retention is justified or deserved. We expect the Government to comply fully, and as soon as possible, with the judgment of the European Court of Human Rights in the case of S. and Marper v. the United Kingdom, and to ensure that the DNA profiles of people arrested for, or charged with, a recordable offence but not subsequently convicted are not retained on the NDNAD for an unlimited period of time.The proportion of British citizens whose details are logged on a DNA database, whether or not they have been convicted of a crime, is the highest in the world.
Surveillance: Citizens and the State (paragraph 197)
The peers rightly insist that it is not acceptable for the state to hang onto the DNA of individuals never convicted of a crime, purely on the arbitrary basis that they once came under suspicion. The European Court, in Strasbourg, recently decided the same, in a ruling that the Government has yet to comply with.
The Regulation of Investigatory Powers Act (RIPA) established a framework for the use of surveillance and data collection techniques by the police, the security services, and other law enforcement agencies. In addition to criminalising the interception of communications over a public network without consent or a warrant, something Phorm seems to not understand, the Act set out the circumstances under which public authorities can legally engage in various types of surveillance activities.
Part three of RIPA grants the police the power to ask for encryption keys to be disclosed to them or to force suspects to decrypt encrypted data. A person instructed to disclose keys can also be prevented from telling anyone else about it, except an attorney.
We recommend that the Government consider introducing a system of judicial oversight for surveillance carried out by public authorities, and that individuals who have been made the subject of surveillance be informed of that surveillance, when completed, where no investigation might be prejudiced as a result. We recommend that compensation should be available to those subject to unlawful surveillance by the police, intelligence services, or other public bodies acting under the powers conferred by the Regulation of Investigatory Powers Act 2000.
Surveillance: Citizens and the State (paragraph 159)
RIPA Powers are often self-authorising, with lower-level communications data powers being authorised internally and even the highest level interception powers only requiring the authority of a government minister. This in stark contrast to the USA where independent judicial authorisation is embedded firmly at the heart of the surveillance process.
We recommend that the Government consultation on proposed changes to the Regulation of Investigatory Powers Act 2000 should consider whether local authorities, rather than the police, are the appropriate bodies to exercise such powers. If it is concluded that they are the appropriate bodies, we believe that such powers should only be available for the investigation of serious criminal offences which would attract a custodial sentence of at least two years. We recommend that the Government take steps to ensure that these powers are only exercised where strictly necessary, and in an appropriate and proportionate manner.
Surveillance: Citizens and the State (paragraph 177)
There have been several well-publicised examples of local authorities using the surveillance powers granted in RIPA to combat fly tipping, reduce dog fouling and investigate potentially fraudulent applications to schools - a direct contradiction of the assurances made by Government while the Bill was passing through Parliament, about how these powers would be used. These cases demonstrate that the regulatory controls introduced at the time are insufficient.
We support the recommendations made in the Thomas-Walport Data Sharing Review Report for changes in organisational cultures, leadership, accountability, transparency, training and awareness, and welcome the Government's acceptance of them. We urge the Government to report on their progress to Parliament.
Surveillance: Citizens and the State (paragraph 292)
We agree that in the long term these changes are needed, but think this recommendation is the least likely to be achieved. Recommendations 1 to 5 of the Thomas-Walport Data Sharing Review Report are rather woolly, advising: training for staff who handle personnel data; knowing what personnel data you hold, what you do with it and what the controls are, etc. Recommendation 5 is the closest to a nod in the right direction, but even here its worth pointing out that most organisations do not need to authenticate you, many interactions can be done anonymously.
For more detail, see our overview of the Data Sharing Review.
The UK is a world leader in terms of surveillance (use of CCTV cameras, retention of DNA) and much of this surveillance is not adequately controlled. There is a generally recognised case for some surveillance - in the interests of national security, crime detection and prevention and the like - but it needs to be proportionate and clearly justified.
"The report screams - Stop! Stop unwarranted surveillance. Stop abusing, misusing and losing citizens' information. Stop building the database state."
"But the government has just stamped on the accelerator. It is not listening."