The Government has published an interim Code of Practice on the use of body scanners at airports. It fails to mention the fact that the Data Protection Act is engaged or that Privacy by Design (PdB) techniques should be used. However, many of the procedures identified in previous blogs (e.g. of 6th Jan and 9th Nov 2009) are included. So why I am a “whingeing Pom” with a Code that contains explicit sections entitled “Data Protection” and “Privacy”?
I am not complaining about certain provisions in the Code. For example, where the Code states that the security officer observing the scans should not be able to see or identify the individual passenger who is scanned, or the fact that a passenger who is scanned can ask for a “same sex” security officer to inspect his or her image. Images are deleted immediately after scanning and “destroyed irretrievably” and there has to be no method of “copying or transferring images” and individuals have to be informed that they “may be required to be screened using body scanning equipment” and that images “will not be saved”.
What I have concerns about are omissions such as the following:
• The Code, by failing to mention the Data Protection Act, fails to mention that there is an independent system of regulation to which passengers could complain. This link to legislation is also omitted in the fair processing statement in the Code – something that would reassure passengers that there exists an appropriate and independent regulatory mechanism.
• The Code fails to identify the types of criteria which make a passenger liable to be scanned.
• The Code fails to have a mechanism so that aggrieved data subjects can ask for the image to be retained (e.g. if there is a dispute over an image) or data subject consent for retention be asked. It is very difficult to learn from the mistakes that occur or engage the independent regulatory system if the personal data in question has been “destroyed irretrievably”.
• Although the Code requires Airport Operators to provide a mechanism so that individuals can provide “age, gender, race, ethnic origin and religion”, there is no explicit obligation in the Code for Airport Operators to retain such information in a specific form or for a specific period.
The last paragraph is especially important. In my “Nine Principles...” article (see references at end), I state that reporting mechanisms must be specified by the Regulator so that the effectiveness of the implementation of surveillance mechanism can be measured. So as far as I can see, there is no guarantee that any meaningful statistics concerning the use of these scanners will be generated because only those who want to provide this information will do so and only if the Airport retains such information. To describe this provision as “absolutely useless” would be to overstate its utility.
The Code also ignores the PdB work with airport scanners done by the Canadian Data Protection Authorities in particular Dr. Ann Cavoukian. In that document, Dr. Cavoukian states that scanners can produce images that can be processed in a form that does not reveal details of genitals or even facial features. One would hope that even in a “interim Code” an aspiration to move to these type of scanners could be signalled.
Finally, some of Dr. Cavoukian’s work related to scanners that did not use ionising radiation - unlike the UK scanners which appear to use x-rays albeit in a very small exposure timeframe. Do you think that the Code should recommend that passengers (e.g. pregnant women) be informed that ionising radiation is used?
Overall one gets the impression that the Code has been quickly cobbled together – and that is why it is called “Interim”. Let us hope the “non-Interim” version appears soon.
References: The Scanner Code of Practice on http://www.dft.gov.uk/pgr/security/aviation/airport/bodyscanners/codeofpractice. “Nine principles for assessing whether privacy is protected in a surveillance society (Part 2) – 2008” on http://www.amberhawk.com/policydoc.asp. Dr. Cavoukian’s document on Airport Scanning http://www.ipc.on.ca/images/Resources/wholebodyimaging.pdf
Chris - from a PbD perspective, I would have thought that the privacy cost of enabling *any* image retention outweighs the benefits of allowing images to be stored in certain circumstances. A scanner without any kind of storage or outputs is much more permanently privacy-protective than one where software changes could enable images to be more systematically retained.
Posted by: Ian Brown | 12/02/2010 at 09:57 AM
I see that the government has slipped out with little fanfare the consultation on the code of practice - deadline for comments is 21 June. Chris, are you intending to respond to the consultation along the lines you set out above?
http://www.dft.gov.uk/consultations/open/2010-23/consultation.pdf
Posted by: RM | 10/06/2010 at 11:35 AM
Yes I completely with you Ian at the point that "A scanner without any kind of storage or outputs is much more permanently privacy-protective than one where software changes could enable images to be more systematically retained". It is very useful thing for security.
Posted by: business card scanner | 22/09/2010 at 09:33 AM
The fact that the data are not retained improves the privacy position. It still is an invasion of privacy.
Many people are strip searched. There is no personal data processed to do a strip search. Don't fall into the trap of saying there is no privacy problem because no personal data are processed or retained
Posted by: CP | 23/09/2010 at 12:33 AM