Is the Surveillance State being resurrected? Assessing whether privacy is protected when surveillance policy is developed

April is becoming a month of resurrections. The last blog referred to the Members of an Information Rights Tribunal resurrecting the corpse of Durant which then bit them; they were thus turned into zombies and issued a Decision that I will politely call “provocative and novel”.

Last month Theresa May resurrected the data retention ambitions of GCHQ so that all contact details, dates and times of all electronic communications between all individuals in the UK are retained for a year or so and captured in real-time (the electronic communication can be in any format - email, social network, VOIP).

Now Francis Maude appears to have resurrected the data sharing ambitions of the previous Government, quoting Thomas Walport as justification. In a speech on 6th February, he said that he had established a Taskforce that “is committed to removing barriers to sharing information and it is prepared to recommend changes to legislation where there are unnecessary legal barriers”.

Somewhere down the line, Mr Maud appears to have formed a different view of Thomas Walport which concluded on page 2 (of a 200 page report) that:

“There can be no formulaic answer as to whether or not it is appropriate to share personal information. The legal context for the sharing of personal information is encompassed by the common law, the European Union Data Protection Directive, the Data Protection Act and the Human Rights Act. We have found that in the vast majority of cases, the law itself does not provide a barrier to the sharing of personal data” (my emphasis).

So I have decided that it is time to do some resurrecting of my own.

Four years ago, I became fed up of New Labour Ministers saying stuff like: “Don’t panic! Privacy is safeguarded in the ID Card system, Childrens' database etc etc as the Data Protection Act applies”.

I decided to set out formally why reliance on the current framework of data protection or human rights legislation, or on the current regulatory regime would not and could not protect privacy. This is still the case if the Government’s current plans go-ahead.

I developed a set of Principles that were to be used to assess whether individual privacy is comprehensively considered/protected whenever surveillance policy is developed by Government. These Principles can be applied to surveillance in the UK to identify the structural improvements that could create an effective balance between the citizen and the state.

These Principles have little to do with a Privacy Impact Assessment (PIA) which is focused on ensuring compliance with the existing framework of law. What I was showing was that a PIA  is irrelevant as it looks at HOW to make sure that surveillance is complaint with the existing law; PIA does not really consider WHETHER  some surveillance activity should be made lawful in the first place. The difference is that a PIA largely applies "post-legislation"; my Principles are definitely "pre-legislation". They are a guide to the process of scrutiny.

For completeness these Principles are:

Principle 1: THE JUSTIFICATION PRINCIPLE: Information relating to any legislation or policy that involves surveillance (or extension to an existing surveillance policy) is provided so an assessment can be made to ensure that the surveillance can be justified in terms of pressing social needs and measurable outcomes; this information is provided prior to the approval of legislation or policy.

Principle 2: THE APPROVAL PRINCIPLE: Any surveillance is limited to lawful purposes defined in legislation where such legislation has been thoroughly scrutinised by a fully informed Parliament and, where appropriate, informed public debate has taken place.

Principle 3: THE SEPARATION PRINCIPLE:  Procedures which authorise or legitimise a surveillance activity are separate from procedures related to the actual surveillance itself; the more invasive the surveillance, the wider the degree of separation.

Principle 4: THE ADHERENCE PRINCIPLE:  Procedures which authorise a surveillance activity are professionally managed and audited; staff involved in a surveillance activity are fully trained to follow relevant procedures and that such training is assessed if appropriate; any malfeasance in relation to a surveillance activity can be identified and individuals concerned suitably punished.

Principle 5: THE REPORTING PRINCIPLE: A Regulator shall determine what records, including statistical records, are retained and maintained concerning a surveillance activity, in order to ensure transparency and accountability to the Regulator, to the public and to Parliament.

Principle 6: THE INDEPENDENT SUPERVISION PRINCIPLE: The system of supervision for a surveillance activity is independent of Government, well financed, and has effective powers of investigation and can delve into operational matters.

Principle 7: THE PRIVACY PRINCIPLE: Individuals should be granted a right to privacy of personal data, via data protection legislation, which can be enforced by a Data Protection Commissioner, and should possess a much simpler right to object to the processing of personal data in appropriate circumstances.

Principle 8: THE COMPENSATION PRINCIPLE: An individual should obtain compensation if a surveillance activity has caused damage, distress or detriment that proves to be unjustified.

Principle 9: THE UNACCEPTABILITY PRINCIPLE :If the  other Principles cannot be complied with in relation to a surveillance activity then within a reasonable time:

(a) the activity ceases; or
(b) alternative steps are taken to bring the activity into conformity with the other Principles; or
(c) Parliament or a Parliamentary Committee approves the non-compliance with the relevant Principle.

So, if for example, the Government wants to propose legislation so that personal data between Department X and Department Y are shared (or to capture more communications data),  you can use these Principles to assess whether the policy  or legislation and the degree of interference with privacy:

• is justified in terms of pressing social need;
• is properly scrutinised by Parliament;
• is subject to a rigorous approval process and separation of powers;
• is supported by rigorous procedures that can be independently audited by an independent regulator who can investigate fully and require certain records to be kept and require changes of procedure or even halt the processing;
• is protected by Article 8 of the Human Rights Act;
• is subject to compensation when things go wrong, and
• is subject to the above rules at all times.

In other words, these Principles provide a means of exploring possible deficiencies in information law governance when Parliament's is scrutinising the executive's proposals. They will allow you to make your own conclusion as to where the Government are leaving privacy loopholes and whether promises made by Ministers are worth the paper they are written on. They also identify where policy and legislation needs to be strengthened.

Health warning: if you apply them to some of the stuff the European Commission has agreed (e.g. USA-EU PNR)  you get a migraine.

References

Download my analysis of why data protection cannot protect privacy when Government legislate and more details of the Principles specified above. Download Assess surveillance principles

Thomas Walport can be obtained here: Download Thomas Walport DataSharingReview2008

Francis Maude Speech promising more data sharing on http://www.cabinetoffice.gov.uk/news/francis-maude-speech-tackling-financial-loss-government-fraud-error-debt.

Durant strikes again! The names of those investigating complaints are not personal data

The Information Tribunal has just adjudged that the names of three junior members of staff who had a part in an applicant’s complaint to the Financial Services Authority (FSA) can be disclosed as part of a Freedom of Information (FOI) request. The Information Rights Tribunal, following Durant, concluded that the names of these staff were not personal data.

As every data protection aficionado knows, mentioning Durant is rather like swearing in public, as its application can result in bizarre conclusions; this Tribunal determination, I think, is one of these. So this blog explains where I think the Tribunal went wrong and suggests what should happen with such FOI requests.

The Tribunal Decision

The appeal concerned a request made by an applicant to the FSA for a copy of information it held about his complaint. Paragraph 21 of the Information Commissioner’s Decision Notice confirms that the requested information included the names of “the staff in question (who) worked on the complainant’s complaint” (see references).

In its decision (see references) the Information Rights Tribunal said that these employee names were not personal data because the name did not "affect the individuals' privacy, whether in their personal or family life, business or professional capacity". This overturned the ICO’s Decision Notice which concluded that the FSA was right to withhold these details because:

“21 The Commissioner notes that while the staff in question worked on the complainant’s complaint, they did not correspond with him about it. He also notes that the public authority has confirmed that they were not in public facing roles and that these individuals were of a grade below that of manager. It is the Commissioner’s view that these members of staff would have had no expectation that their names would be released into the public domain.

22. The Commissioner is also satisfied that disclosure of their names would not add anything further to the way in which the complainant’s complaint had been dealt with. Therefore any legitimate interest in the disclosure of the names of these individuals is outweighed by the prejudice disclosure would cause to the rights and freedoms of the individuals concerned”.

By contrast, the Information Rights Tribunal said that the three names "may well be sufficient" to identify the individuals when taken together with information that they were employed by the FSA in certain positions on a given date, however it did not follow that the names themselves were personal data even if the individuals could be identified as the information must also be "such as to affect the person's privacy".

Slavishly following Durant, the Tribunal concluded that "In our view the Disputed Information (these are the names of employees) is not biographical in any significant sense" and that in this case "The information does not go beyond the recording of the data subjects' involvement in a matter that has no personal connotations. It simply concerns a transaction or matter in which the individuals in question were involved".

The Tribunal was careful to say that this would not always be the case. For instance, "there are a number of organisations, the nature of whose activities are such that information that a particular individual was employed by them, might well amount to personal data" and that disclosing the name of an individual who was employed by an organisation licensed to conduct experiments on animals "may disclose something about his likely opinion on the often contentious subject of animal rights, and could lead to harassment by so-called animal rights activists".

In such cases, the Tribunal said this information would be personal data that were exempt under FOI as the requested details were "biographical" and did indeed impact on an individual's privacy.

Where the Tribunal went wrong

We can now see what has happened? The Tribunal has asked:

a. Is the requested information “data”? Answer “yes”
b. Does it relate to a living individual? Answer “yes”
c. Does it relate to a living individual in a biographically significant way? Answer “No”
d. Is there a context that makes it biographically significant? Answer “No – we can’t see one” (despite the fact that “the staff in question worked on the complainant’s complaint”!)

The problem is at questions (c) and (d) – so the question has to be asked “How does a public authority know what is biographically significant for a data subject and what is not”?

For the Tribunal, consideration of the “two notions” put forward by Auld LJ. in Durant is suffice (e.g. “biographical significance” and “continuum”). In other words, it is the public authority who determines these matters in every instance. However, I think this is a too simplistic approach to the three possible scenarios concerning “biographical significance”.

These scenarios are:

• The public authority knows for certain the personal details are biographically significant;
• The public authority knows for certain the personal details are not biographically significant; or 
• The public authority does not know whether the details are biographically significant or not.

I think we can agree that the essential problem is with the last issue (i.e. the public authority does not know).

This issue of “not knowing” was actually resolved in the Durant judgement. In section 7(4) of the Data Protection Act, the data controller is faced with the dilemma of whether it is reasonable in all the circumstances to release (or not to release) the identity of other individuals identified in personal data that have been requested by a data subject.

In paragraph 61 of Durant, Auld LJ. states that where the data controller cannot resolve this dilemma, “The data controller ....  should also be entitled to ask what, if any, legitimate interest the data subject has in disclosure of the identity of another individual named in or identifiable from personal data to which he is otherwise entitled...”.  In other words, if in doubt, ask the requestor why he wants the name. This was not suggested by the Tribunal.

This “ask the requestor” idea is reinforced by interpreting the balance of interest tests in Schedule 2, paragraph 6 of the DPA which is used to justify release of personal data by FOI requests. This sets out the balance of interest as follows:

“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject”. (my emphasis)

So how does one know what weight to place on the “legitimate interests of the data subject” when you don’t know? Use a crystal ball? Employ Tarot Cards? Throw dice?

If you just ask “Who is in the best position to know what weight to place on the data subject’s legitimate interests?”, then I think the answer is obvious. So my conclusion: ask the requestor for why he wants the personal data and then, if needed, ask the data subject for a view? There is nothing in the FOI Act that I can see that stops this kind of approach.

Of course, the public authority after consideration of the data subject’s legitimate interests can still decide to release the personal data. In addition, there might be standard conditions when there is no need to ask the data subject for his view (these have been established by cases before the Tribunal such as those dealing with expenses of senior managers).

I should add that the Scottish Information Commissioner already asks this question of the FOISA applicant when he can’t fathom "the legitimate interests of the Third Party to whom personal data are disclosed" (see above). I raise this just to show that asking the requestor is not an alien FOI concept just made up by me for this blog (see references below).

Reverting to Durant, it is interesting to note that Mr Durant did not get the details of the individual handling his complaint at the FSA because, according to the judgment Auld LJ says “.....the name of an FSA employee which, in itself, can have been of little or no legitimate value to Mr. Durant and who had understandably withheld his or her consent because Mr. Durant had abused him or her over the telephone” (para 67 of Durant).

Note that it is this "little or no legitimate value" sentiment finds expression in the Commissioner’s Decision Notice, where he says “...The Commissioner is also satisfied that disclosure of their names would not add anything further to the way in which the complainant’s complaint had been dealt with. Therefore any legitimate interest in the disclosure of the names of these individuals is outweighed by the prejudice disclosure would cause to the rights and freedoms of the individuals concerned” (para 22 of the Decision).

So that is why I think that when a public authority receives a request on the lines outlined above and has difficulty in deciding what to do, it is perfectly proper for it to ask modest questions of the requestor AND/OR the data subject about his or her legitimate interest so that the correct balance can be struck. Indeed, I am brave enough to say that when a public authority does not know where the balance of interests lies, this is the only way for that authority to determine the correct balance of interests.

This is where the Tribunal went wrong. It has decided that the public autrhority in all instances should have a punt at arriving at the correct balance whereas it should have promoted the obvious mechanism which actually arrives at the correct balance.

Note that there is a sting in the tail for the FOI requestor who misleads the public authority as to his legitimate interest; such a requestor could be committing an offence under Section 55 of the Act if the public authority were to disclose personal data on the wrong basis.

This assures the public authority that the FOI requestor is unlikely to tell porkies.

References

Download the ICO’s Decision Notice: Download Fs_50312938_durant_names not personal data

Download the Tribunal Notice in this case:Download Fs_50312938_APPEAL_names not personal data

“Some FOI requests for personal data are not purpose blind” (this includes the SIC Decision Notice referred to above): http://amberhawk.typepad.com/amberhawk/2010/07/some-foi-requests-for-personal-data-are-not-purpose-blind.html