Scottish Government to extend coverage of FOISA? Hold your breath!

With a General Election looming, the Scottish minority SNP Government has decided to put clear “Skye-Blue” water between its attitude to Freedom of Information and that of the Labour Party – the main opposition in Scotland.

Scottish Minister for Parliamentary Business Bruce Crawford has confirmed the Scottish Government will consult in spring 2010 on whether to extend the Freedom of Information (Scotland) Act 2002 [FOISA] for the first time to cover a wider range of bodies who deliver public services in Scotland.

The organisations to be consulted on extending the FOISA legislation are:

• Local authority trusts and bodies with responsibility for providing leisure, sport and cultural services.
• Private prison operators running Scottish prisons and private contractors providing prisoner escort services.
• Glasgow Housing Association (mainly because of its size and influence) but no other Housing Association.
• Private contractors who build and maintain schools and hospitals, and those who operate and maintain trunk roads across Scotland.

However there is a large “get-out” provision. The Government promises to “listen to organisations who raise concerns about being able to meet the requirements of FOI".

When the UK Government set out a similar consultation exercise with 'high-falutin' objectives it ended up "listening" very intently. The result was that Jack Straw produced a mighty mouse of an extension to FOI (see my blog of 23/07/2009; “The Freedom of Information equivalent of ‘not tonight Josephine’?”).

Something similar could still happen in Scotland. As I said, don’t get too excited – it could just be politics.

Note: we are thinking of putting together some FOI/EIR courses based on Scottish law but we are not sure of the demand. If interested, please contact us (info@amberhawk.com).

Cartoon

 
©Chris Slane 

Prime Minister speaks: more FOI, more re-use and, by inference, less ID Card

There are three consequences arising from the Prime Minister’s speech today. The first is that more information is to be made public and the publication scheme might be the vehicle for this enhancement; the second is that the reuse of public information is to be expanded considerably and reuse is likely to be free (i.e. no licence fee); the third relates to the ID Card project (which might be in trouble).

In relation to more access to information, the PM said “I can announce today that we will actively publish all public services performance data online during 2010 completing the process by 2011. Crime data, hospital costs and parts of the national pupil database will go on line in 2010. We will use this data to benchmark the best and the worst and drive better value for money".

All I would say is that the public has to know where to find such stuff – hence the publication scheme might assume increased importance for FOI practitioners. and their respective public authorities.

In relation to the re-use of public sector information, the Gordon Brown said: “Releasing data can and must unleash the innovation and entrepreneurship at which Britain excels - one of the most powerful forces of change we can harness”. He continued “All of this will be available for free commercial re-use, enabling people for the first time to take the material and easily turn it into applications, like fix my street or the postcode paper” and “we will also release public transport data hitherto inaccessible or expensive and release significant underlying data for weather forecasts for free download and re-use”. So there you have it – more reuse and for free.

In relation to the demise of the ID Card system, my observation starts from what the PM said about Transformational Government. He said that “Switching transactions to online channels also frees up staff to provide personal support and advice. ... So during the next year we will set out service by service how transactions with government will move online as rapidly as possible, starting with student loans, jobseekers allowance, working tax credits and then child benefit. In 2011 we will move to exclusive online vat returns and employer tax returns”.

He added “Our aim is - within the next five years - to shift the great majority of our large transactional services to become online only - and this has the potential to save as a first step 400 million pounds but as transaction after transaction goes on line billions more”.

Now, transformational government needs an Identity Management system and that system is NOT the centralised ID Card if the next 5 year deadline is to be realised. In any event, submitting tax returns on-line does not need to have my 10 fingerprints taken! So will the Government have two or more ID management systems? I think not. The conclusion is to divest yourself of ID Card shares quickly or expect that project to be mothballed or the passport system to take its place!

Reference: full speech on http://www.number10.gov.uk/Page21633

Indefinite retention produces a DNA database that spans the population.

Most citizens in the UK should expect to be linked to the proposed DNA database. This is the conclusion I have reached when considering a policy that permits indefinite retention of DNA data of those who have committed “recordable criminal offences” (as defined by the Home Secretary, see this week’s blogs).

To show that this prospect is inevitable let’s go back to some official statistics. The first one is: “Research recently carried out on men born in 1953 revealed that one in three had a conviction before they were 46 years old”. The second statistic is: “Across England and Wales, the rate of men aged 18 or over found guilty of offences in 2005 was four times higher than that of women aged 18 and over (55 men per 1,000 population compared with 12 for women)”. So, if one in three males has an offence, and this is four times the women offenders’ ratio, we can roughly assume that one in twelve women has a conviction.

Other statistics state that in 2008, the population in England and Wales was about 54.5 million. A statement to Parliament in November 2008, revealed that in March of that year there were “857,366 people on the NDNAD who had been sampled by England and Wales police forces did not have a current criminal record on PNC” (Hansard, 4 Nov 2008 : Column 358W). A simple division tells us that around 1.6% of a random population will have no criminal record but will be on the DNA database.

Because of the proposed six year retention period (instead of indefinite retention), this means we have to treat the 1.6% as an upper-limit. However, at least we have a number: Ministers for some reason can’t even do the calculation above. They repeatedly claim in Parliament that “It is not possible to say how many people on the NDNAD (the DNA database) have not been convicted” (Hansard, 15 Sep 2008, Column 2070W) so it is nice for Hawktalk to be of assistance.

Now imagine decades of indefinite retention of criminal records (which is the policy of all main political parties). For every group of 1000 individuals equally divided into 500 men and 500 women, there will 167 male criminals (one third of males) and 42 female criminals (one twelfth of women) and up to 16 “non criminals” (1.6% of 1000) with a DNA sample on the database. This means that between 209 and 225 individuals (or 21%- 22.5% of the population) will be on the DNA database.

The point being made is that if current criminal trends remain constant and the Government’s indefinite retention proposals are enacted into law, it reasonable to assume that the DNA database entries will eventually accumulate to around 21%–22.5% of the UK population.

Note that this estimate ignores the impact of the retention of DNA data relating to those who have died. One of the statutory functions of the DNA database is to identify deceased persons – so this means dead persons DNA are retained (indefinitely if they had a recordable criminal record).

Now ask yourself two questions:

(1) where does your DNA profile come from and who have you given your DNA to? Answer from your parents (2 of them) and to your children (2.3 of them!), so 50% your DNA is closely linked to about 4.3 individuals.

(2) Will the police aim to develop techniques that map the DNA data that they can legally keep (e.g. individuals committing recordable offences) onto those whose DNA they haven’t got? Obviously yes.

Now assume that such a technique has been developed. A DNA database that maps 21%-22.5% of the criminal population really has a multiplier of around 4.3 attached (i.e. 90%-97% of the population) and this is not taking into account of the indefinite retention of DNA data on dead criminals. The better the technique the more coverage is achieved (e.g. a technique that maps your DNA to DNA from grandparents or grandchildren would imply a multiplier of over 8).

This explains why I think that the DNA database, even though it is limited to data relating to recordable offence criminals, will eventually span most of the UK population. It is not a question of whether, it is a question of when; this prospect needs only the passage of time and a technical innovation. In other words, the policies of all political parties is for a universal DNA database to arise, by default, in the UK. 

So I conclude that the real question with respect to DNA retention policy is whether to keep DNA data on everyone for a policing purpose. If not, let us have some sensible retention criteria? If yes, why stop at DNA? Why not to keep telecommunications data, or banking records, or anything else indefinitely for the police?

Statistics references:  Men http://www.statistics.gov.uk/STATBASE/ssdataset.asp?vlnk=4480&More=Y: Women http://www.statistics.gov.uk/cci/nugget.asp?id=1968. UK population: http://www.statistics.gov.uk/cci/nugget.asp?ID=6

Information Commissioner is the regulator for the DNA database.

The Government has decided not to have a specific “DNA Commissioner”. This means that because DNA data are personal data, the Information Commissioner will become the prime regulator in relation to the Government’s DNA retention provisions. However, as will be discovered, the Commissioner will have his hands tied behind his back by the legislation as currently drafted.

For example, the intention is that DNA data will be retained for specific periods of time (e.g. those convicted of a recordable offence have indefinite retention - see yesterday’s blog). This means that the Information Commissioner cannot enforce the Fifth Data Protection Principle dealing with retention, as the law has specified the lawful retention period. Neither can the Commissioner effectively regulate DNA data that relate to individuals who have died, because those data are not personal data.

Note the Data Protection Act cannot balance the interests of the police in retention of DNA data versus the interests of the data subjects in having DNA data deleted. It is the Home Secretary who determines where that balance of interests lies, even though the Home Secretary has political responsibility for the police and a vested interest in the outcome of any DNA retention policy.

The Home Secretary argues that he is protecting individuals. In a written statement, he says under the heading “Destruction of DNA and fingerprints profiles before the end of retention period” that “Currently, Chief Officers may consider the exceptional destruction of DNA and fingerprints under the exceptional case procedure. We propose to introduce greater transparency by setting out in statute more clearly defined criteria where deletion would be appropriate. This should bring greater clarity to the public and also the police”.

This, frankly, is a load of tosh. If you look at the Crime and Security Bill, a Chief Constable must delete DNA data if its collection was unlawful. Hang on a second - this is not a protection - it is a statement of the bleeding obvious! What would you say if someone argued thus: “I know the personal data were collected unlawfully, but I will continue processing in any event”.

Then there is a condition that requires deletion of DNA if there is mistaken identity. This is also very limited: for example, if a police officer misinterprets the evidence and makes an arrest of the wrong person, then this is not a case of mistaken identity. He has arrested the right person but on false grounds.

Finally the Chief Constable can determine whether it is “appropriate” to remove the DNA data depending on the circumstances of the case. It is with this latter provision, the Government has deliberately reduced the protection afforded to data subjects by the right to object granted by Data Protection Act.

The Act’s right to object would allow a data subject to argue that although the police have processed the DNA data in accordance with its statutory needs, the processing has caused substantial unwarranted distress or substantial unwarranted damage.  Note that this right to object balances the various interests, has an independent umpire (the Commissioner) and an accessible appeal process (The Tribunal) to determine whether or not DNA should be retained or not.

By contrast the Government’s “greater clarity” procedure lets the data controller who is responsible for the processing of the DNA data in the first place (the police) decide whether the data should be deleted or not.

In short, the kind of  “balance”  that is achieved by letting Count Dracula decide whether patients or vampires should receive blood transfusions from the NHS.

Cartoon

©Chris Slane

Government proposals permit DNA database to expand with minimal scrutiny

The Home Secretary’s statement on DNA retention confidently states “we propose the indefinite retention of DNA profiles of convicted adults”. So far so good as most people, when they think of “convicted adults” think of a burglar, a bank robber or a rapist.

However, this is not what the Home Secretary means. He has in mind something far more lowly in the hierarchy of criminal acts to justify indefinite retention of DNA; it includes the actions of people who do one-off stupid things in their life (e.g. get cautioned for being drunk or reprimanded for some youthful prank).

The Government’s proposals allow the police to obtain a DNA sample (and therefore retain that sample and related personal data) if the offence is a “recordable offence”. It follows that an expansive meaning of a “recordable offence” will result in a DNA database that will be more densely populated with entries.

So what is a “recordable offence” and how does Parliament scrutinise its definition?

The answer lies in Sections 27(4&5) of the Police and Criminal Evidence Act 1984. It tells us that “The Secretary of State may by regulations make provision for recording in national police records convictions for such offences as are specified in the regulations” where “regulations under this section shall be made by statutory instrument and shall be subject to annulment in pursuance of a resolution of either House of Parliament”.

So have you got it? The Home Secretary orders “I want so and so be a recordable offence” and, hey presto, the offence is recordable and DNA samples can be collected. To reject the Home Secretary’s Order, Parliament would have to vote down his proposal – a Parliamentary event so common that it has yet to occur. In short, the Home Secretary has “Alice in Wonderland” powers over this definition: effectively “a recordable offence” is what the Home Secretary wants it to mean.

This is what happened in 2000, when the National Police Records (Recordable Offences) Regulations were enacted. With no Parliamentary debate (see reference below) cautions, reprimands and warnings became “recordable offences”; subsequently individuals arrested in relation to these minor matters (and not charged or convicted) had their DNA sample retained indefinitely.

The Explanatory Memorandum to the Bill (produced by the Home Office) fails to mention that the Home Secretary is in control of the term: it merely says that: “‘Recordable offence’ is defined in sections 118 and 27 of PACE. In practice, all offences which are punishable with imprisonment are recordable offences, as are around 60 other more minor offences which are specified in regulations made under section 27”. It only takes three words in parenthesis (“negative resolution procedures”)  after ther word "regulations" to give the complete picture. The omission of these three words is not something I would expect to see in a document purporting to be an “Explanatory Memorandum”.

So any future Home Secretary wanting to extend the DNA database, could equip transport police forces with mobile DNA sampling technology and arrest drivers who commit a certain type of motoring offence (in 2000 there were over 10 million motoring offences so there is a lot to choose from).

Oh – by the way – it doesn’t matter whether the driver is innocent or guilty. That is not relevant as an arrest should do the trick for six year’s retention at least!

Comment: It is also interesting that there are amendments to Section 27(1-3) of Police and Criminal Evidence Act 1984, but not to Sections 27(4-5) which is the subject matter of the blog. I raise this point merely to note that the Home Office did look at Section 27 and must have concluded that sections 27(4-5) did not need changing.

In “Nine principles for assessing whether privacy is protected in a surveillance society” (see www.amberhawk.com/policydoc.asp) I argue that the organisation wanting powers to undertake the surveillance should not regulate the balance that provides protection from misuse of those powers or surveillance. Section 27(4-5) provides another clear example which shows that the risk of letting that balance be determined by the organisation responsible for the surveillance (in this case, the Home Secretary).

References: The only Parliamentary scrutiny of the 2000 Regulations was made by the “Joint Committee on Statutory Instruments Nineteenth Report” (http://www.publications.parliament.uk/pa/jt199900/jtselect/jtstatin/47-xix/6503.htm); it said there was nothing to report.

Long retention of DNA personal data has little to do with detecting ordinary crime

The Human Genetics Commission Chair, Professor Jonathan Montgomery, has asked a simple question: "It is not clear how far holding DNA profiles on a central database improves police investigations?".  The HGC has just published a report containing the damaging allegation that police were arresting individuals in order to populate the DNA database.

Well I think I have found the answer to the Professor's question with an analysis of the Government’s own crime statistics. My answer undermines arguments for long DNA retention periods based on improving criminal detection in general, and suggests that the much vaunted Scottish retention period for DNA data is also questionable.
 
The first statistic I am using reads as follows “Research recently carried out on men born in 1953 revealed that one in three had a conviction before they were 46 years old. The same research shows that of the male offenders born in 1953, around half of them had been convicted on only one occasion”.
 
The second set of statistics is from a table “Time to reconviction: by gender, 1995-97”. This includes details of under-21 offenders who are released from prison; the commentary adds “Overall there was little difference in the reconviction rates for those released from prison and those who had served community sentences” (references at bottom of blog). The statistics relate to male young offenders under 21 serving custodial sentences are as follows:

16% of males re-offend within 3 months
35% of males re-offend within 6 months
50% of males re-offend within 9 months
60% of males re-offend within 12 months
67% of males re-offend within 15 months
71% of males re-offend within 18 months
74% of males re-offend within 21 months
77% of males re-offend within 24 months

The table shows that within 2 years (24 months) from release from prison, 77% of young male offenders who have been in custody will re-offend. This is a rather shocking statistic in itself (how useful is prison then?) but it appears that 60% of those who will re-offend do that re-offending within 1 year (12 months). This means 17% will re-offend in year 2. The table shows a tailing off towards the end of the two year period (months 18-24) which is significant and pronounced.
 
We can extrapolate the figures in the above table on a forward yearly basis by using the ratio (17/60=0.28) as a multiplier for each year of DNA retention (i.e. multiply the increase in offending by 0.28 for each year and add it to obtain the total of offending for the next year). We are thereby assuming that the rate of increase in re-offending in year 1 can be used to estimate the total offending in year 2 and so on to all subsequent years of the Government’s 6 year DNA retention period.
 
Such an assumption as tabulated below reproduces the tailing off displayed in the raw data and it is reassuring to note that the assumption does not permit 100% of offenders to re-offend (which of course is a nonsense). In other words, the extrapolation method does not provide rubbish and looks reasonable. The other tables in the survey (Male adults over 21; female offenders) show exactly the same.
 
Applying this to the extrapolation we make we find that:

60% re-offend in    1 year
77% re-offend in    2 years
82% re-offend in    3 years
83% re-offend in    4 years
84% re-offend in    5 years
84.5% re-offend in 6 years

So in relation to those with a criminal record, a three year retention period for DNA appears opitimal in that it would allow most reoffending (82%) to be caught (assuming that the DNA was the only means of identifying the offender). The extra three years retention add about an additional 2.5%.

However, if you factor in the first statistic that “Research recently ...  shows that of the male offenders born in 1953, around half of them had been convicted on only one occasion”, and include arguments such as “if someone has not re-offended in three years, then there is a very good prospect that they are not going to re-offend at all” then it looks as if the benefit of DNA retention is around three years and that further retention does very little with respect to ordinary crime. This is the answer to Professor Montgomery's question.

As readers know there is not three years retention but indefinite DNA data retention on criminals which is the current policy in all parts of the UK - but the police would get 97% of the benefit needs only a three year retention.
 
In other words, a 6 year retention period borders on the excessive for criminals and obviously excessive in  relation to non-criminals (i.e. those arrested but not convicted). Put simply, if a 6 year retention period is hard to justify in terms of active criminals, it won't be justified in terms of prospective criminal activity of people who have no criminal record.

It also follows that the reason why the police want to retain DNA on the maximum number of people for the maximum time has nothing to do with ordinary crime as a three year retention criteria would do that.
 
It could be that the real reason is to get assistance in relation to serious random crime (e.g. rape and violence). But if that is the case, then the Government should be honest enough to focus public policy debate on this issue.
 
References:  1953 statistic from http://www.statistics.gov.uk/STATBASE/ssdataset.asp?vlnk=4480. Raw data table of offenders from http://www.statistics.gov.uk/STATBASE/xsdataset.asp?More=Y&vlnk=405&All=Y&B2.x=16&B2.y=7.
 
More details on the extrapolation: the increase in offending in 1 year is 60%; so an additional 0.28*60% = 17% re-offend in year 2. 60%+17% = 77% gives us the number who re-offend in the second year. In the third year, there is an additional 0.28*17% = 4.76% (5%) re-offend in year 3 so at the end of year 3, 77%+5%  = 82% have re-offended.

Information Commissioner makes offers you can’t refuse

Just a few brief comments about an exchange that occurred during the data protection conference recently run by the National Association of Data Protection Officers (NADPO), which had Deputy Information Commissioner, David Smith, as a keynote speaker.

The questioning surrounded the Enforcement Notice issued to M&S in 2008 relating to a data loss following the theft of an unencrypted laptop which contained the personal information of 26,000 M&S employees. Evidently M&S was offered an undertaking which they were reluctant to sign because a contractor was at fault.

David Smith pointed out that it was now the policy of the Commissioner to issue an Enforcement Notice if a data controller refused to sign an undertaking.

The effect of this is as follows. Undertakings are only required when there has been a serious breach of any data protection principle where the issue is not so serious that an Enforcement Notice is a more appropriate sanction. Note that the Commissioner has identified the loss of unencrypted personal data on a laptop or memory stick as qualifying for consideration for a Monetary Penalty Notice – so getting an Undertaking in these circumstances can be considered to be a “let off”.

In addition, if an Enforcement Notice is served, the Notice will dictate what the Commissioner wants the data controller to do; failure to diligently follow the directions described in a Notice is a criminal offence. By contrast, with an Undertaking, there is a chance of negotiating something that at least considers some of a data controller’s specific problems when implementing new data protection requirements.

Finally, if a data controller accepts an “Undertaking”, it does not require the Commissioner to obtain the evidence that is needed to serve an Enforcement Notice. It also means that the Commissioner does not have to have one eye on an appeal against the Notice, or on the possibility of prosecuting an offence of not complying with the terms of a Notice. “Undertakings” are a quick way of getting a problem off the books so to speak.

In other words, if you are in the unhappy position of being offered an Undertaking, sign up like a man and take it on the chin. The alternatives are far worse.

Note: NADPO members qualify for a £250 discount on Amberhawk’s long DP and FOI courses leading to the ISEB qualification and £150 off our intensive DP and FOI courses. However, if you want to take advantage of this, contact info@amberhawk.com with your booking.

Data Protection Act fails to implement 50% of the Directive?

Some readers may know that in 2004, I made a FOI request to the European Commission to obtain details of possible infraction proceedings brought against the UK Government by the Commission. The Commission claimed that legal proceedings might be needed as the Data Protection Act did not properly implement the parent Data Protection Directive (95/46/EC).

The reason for my renewed interest in this subject is the Court of Appeal’s linkage between the “purpose of the processing" as used in three data protection principles and the “purpose” as notified to the Information Commissioner (see last Thursday and Friday’s blog). I have discovered that this linkage does not appear in the list of possible infractions identified by the Commission back in 2005.

Then, the Commission claimed that Articles 2, 3, 8, 10, 11, 12, 13, 22, 23, 25 and 28 of the Directive had not been implemented properly by the UK Government – just under a third of the Directive. These Articles relate to: the definitions used in the Directive; the scope of the Directive's application to manual files; the conditions when sensitive personal data can be processed; the fair processing notices give to individuals; the rights granted to data subjects; the application of exemptions from these rights; the ability of individuals to seek a remedy when there is a breach; the liability of organisations for breaches of data protection law; the transfer of personal data outside European Union; and the powers of the Information Commissioner.

Although the Commission eventually identified the Articles subject to possible proceedings, both Commission and the UK Government have consistently refused to provide any other specific information about the disputed implementation.

I now think the linkage introduced by the Court of Appeal also damages the UK implementation of Articles 6, 7, 14, 18 and 19. For example, the three Principles themselves (Article 6) and those parts of the Directive that relate to the purpose of the processing (Article 7(f)) or Article 14 (the data subject’s right to object to the purpose of the processing). In other words, half of the Directive’s Articles are now possibly defective.

It is important to stress that the notification requirements in Articles 18 and 19 of the Directive are also now improperly implemented: these Articles modify the “purpose of the processing” to permit simplified notification of the purpose to the Commissioner BUT NOT any other linkage.

In fact, thanks to the Court of Appeal, the UK Act linkage between “purpose of the processing” and the notified “purpose” has arguably allowed for the defective implementation of any Article or Principle that uses the word “purpose”.

Perhaps the last paragraph is too far. But if I am correct in my analysis, many Directive provisions that rely on the word “purpose” are compromised. It follows that certain “fractious” events might happen sooner than one thinks.

Reference: for original commentary on the infraction proceedings please look at http://www.out-law.com/default.aspx?page=8472. Durant v Financial Services Authority [2003] EWCA Civ 1746. If anyone wants a comprehensive analysis of Durant, just e-mail info@amberhawk.com with “Durant Heaven” in the subject title of the e-mail. I will then send you your Xmas reading!