April is becoming a month of resurrections. The last blog referred to the Members of an Information Rights Tribunal resurrecting the corpse of Durant which then bit them; they were thus turned into zombies and issued a Decision that I will politely call “provocative and novel”.
Last month Theresa May resurrected the data retention ambitions of GCHQ so that all contact details, dates and times of all electronic communications between all individuals in the UK are retained for a year or so and captured in real-time (the electronic communication can be in any format - email, social network, VOIP).
Now Francis Maude appears to have resurrected the data sharing ambitions of the previous Government, quoting Thomas Walport as justification. In a speech on 6th February, he said that he had established a Taskforce that “is committed to removing barriers to sharing information and it is prepared to recommend changes to legislation where there are unnecessary legal barriers”.
Somewhere down the line, Mr Maud appears to have formed a different view of Thomas Walport which concluded on page 2 (of a 200 page report) that:
“There can be no formulaic answer as to whether or not it is appropriate to share personal information. The legal context for the sharing of personal information is encompassed by the common law, the European Union Data Protection Directive, the Data Protection Act and the Human Rights Act. We have found that in the vast majority of cases, the law itself does not provide a barrier to the sharing of personal data” (my emphasis).
So I have decided that it is time to do some resurrecting of my own.
Four years ago, I became fed up of New Labour Ministers saying stuff like: “Don’t panic! Privacy is safeguarded in the ID Card system, Childrens' database etc etc as the Data Protection Act applies”.
I decided to set out formally why reliance on the current framework of data protection or human rights legislation, or on the current regulatory regime would not and could not protect privacy. This is still the case if the Government’s current plans go-ahead.
I developed a set of Principles that were to be used to assess whether individual privacy is comprehensively considered/protected whenever surveillance policy is developed by Government. These Principles can be applied to surveillance in the UK to identify the structural improvements that could create an effective balance between the citizen and the state.
These Principles have little to do with a Privacy Impact Assessment (PIA) which is focused on ensuring compliance with the existing framework of law. What I was showing was that a PIA is irrelevant as it looks at HOW to make sure that surveillance is complaint with the existing law; PIA does not really consider WHETHER some surveillance activity should be made lawful in the first place. The difference is that a PIA largely applies "post-legislation"; my Principles are definitely "pre-legislation". They are a guide to the process of scrutiny.
For completeness these Principles are:
Principle 1: THE JUSTIFICATION PRINCIPLE: Information relating to any legislation or policy that involves surveillance (or extension to an existing surveillance policy) is provided so an assessment can be made to ensure that the surveillance can be justified in terms of pressing social needs and measurable outcomes; this information is provided prior to the approval of legislation or policy.
Principle 2: THE APPROVAL PRINCIPLE: Any surveillance is limited to lawful purposes defined in legislation where such legislation has been thoroughly scrutinised by a fully informed Parliament and, where appropriate, informed public debate has taken place.
Principle 3: THE SEPARATION PRINCIPLE: Procedures which authorise or legitimise a surveillance activity are separate from procedures related to the actual surveillance itself; the more invasive the surveillance, the wider the degree of separation.
Principle 4: THE ADHERENCE PRINCIPLE: Procedures which authorise a surveillance activity are professionally managed and audited; staff involved in a surveillance activity are fully trained to follow relevant procedures and that such training is assessed if appropriate; any malfeasance in relation to a surveillance activity can be identified and individuals concerned suitably punished.
Principle 5: THE REPORTING PRINCIPLE: A Regulator shall determine what records, including statistical records, are retained and maintained concerning a surveillance activity, in order to ensure transparency and accountability to the Regulator, to the public and to Parliament.
Principle 6: THE INDEPENDENT SUPERVISION PRINCIPLE: The system of supervision for a surveillance activity is independent of Government, well financed, and has effective powers of investigation and can delve into operational matters.
Principle 7: THE PRIVACY PRINCIPLE: Individuals should be granted a right to privacy of personal data, via data protection legislation, which can be enforced by a Data Protection Commissioner, and should possess a much simpler right to object to the processing of personal data in appropriate circumstances.
Principle 8: THE COMPENSATION PRINCIPLE: An individual should obtain compensation if a surveillance activity has caused damage, distress or detriment that proves to be unjustified.
Principle 9: THE UNACCEPTABILITY PRINCIPLE :If the other Principles cannot be complied with in relation to a surveillance activity then within a reasonable time:
(a) the activity ceases; or
(b) alternative steps are taken to bring the activity into conformity with the other Principles; or
(c) Parliament or a Parliamentary Committee approves the non-compliance with the relevant Principle.
So, if for example, the Government wants to propose legislation so that personal data between Department X and Department Y are shared (or to capture more communications data), you can use these Principles to assess whether the policy or legislation and the degree of interference with privacy:
• is justified in terms of pressing social need;
• is properly scrutinised by Parliament;
• is subject to a rigorous approval process and separation of powers;
• is supported by rigorous procedures that can be independently audited by an independent regulator who can investigate fully and require certain records to be kept and require changes of procedure or even halt the processing;
• is protected by Article 8 of the Human Rights Act;
• is subject to compensation when things go wrong, and
• is subject to the above rules at all times.
In other words, these Principles provide a means of exploring possible deficiencies in information law governance when Parliament's is scrutinising the executive's proposals. They will allow you to make your own conclusion as to where the Government are leaving privacy loopholes and whether promises made by Ministers are worth the paper they are written on. They also identify where policy and legislation needs to be strengthened.
Health warning: if you apply them to some of the stuff the European Commission has agreed (e.g. USA-EU PNR) you get a migraine.
Download my analysis of why data protection cannot protect privacy when Government legislate and more details of the Principles specified above. Download Assess surveillance principles
Thomas Walport can be obtained here: Download Thomas Walport DataSharingReview2008
Francis Maude Speech promising more data sharing on http://www.cabinetoffice.gov.uk/news/francis-maude-speech-tackling-financial-loss-government-fraud-error-debt.