Fixing the integrity of passport could undermine privacy.

I made a mistake in my blog “Uncomfortable questions over biometric ID Cards and national security” posted on the 18th Feb.  A couple of days after I had posted the text, the BBC carried reports that the Foreign Secretary had said that the new UK biometric passports were not used by those who assassinated a Hamas official in Dubai. I had written the blog assuming the passports were the biometric ones, so obviously my comments about how the biometric details were compromised was 100% wrong.

However, I do think that the Foreign Secretary’s claim that biometric passports would not have been exposed in this same way is misleading. The reason for saying this is that the use of biometrics raises a new set of privacy problems.

So, suppose someone tries to enter a country with a fake passport. How does one know that the passport is invalid, assuming that it is not an obvious error (e.g. incorrect design; wrong quality of paper or a serial number with an incorrect checksum)? If there is a chip embedded in passport, then the chip will no doubt be loaded with the biometric of the passport holder – the impersonator.

I think the only sure way is to check the details on the passport with the enrolment data and biometrics provided when the passport was issued. This in turn means that UK biometric data would have to be shared world-wide to most international airports – thus increasing the risk of compromising the biometric data of all travellers (as well as other passport details).

In addition, the audit trail associated with the Passport database would have to contain details of the check (i.e. where and when travellers were checked – and of course dated). The same would go for when the passport is examined by hotel reception, or traffic police, or in connection with eligibility for free health care or whatever.

This problem also pervades the ID Card, now promoted as a way for young adults to gain entrance to pubs and clubs. How is a bouncer on the door of a night club going to know whether the ID Card is a “good ‘un”? Answer, I think, by doing a check against what has been enrolled – and this updates the details on the audit trail of the National Identity Register.

In other words, fixing the problem of compromised passports could result in transfers of personal data and audit trails that could easily compromise the notion of privacy.

Uncomfortable questions over national security

(For completeness: this is the text of my revised 18th Feb blog that has not been removed)

Last week, the Foreign Secretary got up in the House of Commons to say that his legal action before the Court of Appeal was to protect intelligence vital to national security given to the UK by the USA’s national security agencies.

In relation to the intelligence issue, I accept that there are immense difficulties. However, if we start from the position that intelligence is information from which one can deduced or infer a possible action, then the position becomes clearer. For example, if “X has been in contact with Y” then it might be important to put “Y” on a watch list. 

I also do not think that “X has been water-boarded” qualifies as intelligence – it is a description of what has happened to X. It might be confidential to qualify the intelligence by explaining that “intelligence from X has been gained under torture”, but there again, it is the information that is provided that is the “intelligence” and not the means by which it was extracted from the informant.

In other words, the Foreign Secretary’s claim that “The seven paragraphs contain summaries of American intelligence relating to Mr Mohamed’s case held in UK files” cannot possibly be substantiated by the facts. One cannot possibly undermine the principle of protecting intelligence sharing if the information itself does not qualify as intelligence (in this case, it relates to inhuman or degrading treatment).

Reference: In my evidence to the Joint Committee on Human Rights published in 2006, I explore national security in the context of Parliamentary scrutiny, data protection, human rights and terrorism. I explain why the UK system of scrutiny desperately needs an overhaul (http://www.amberhawk.com/policydoc.asp)

ICO concerned that DNA retention law neuters four data protection principles

The Information Commissioner has criticised the Government’s proposals in relation to the retention of DNA personal data as removing the protection of the First, Third, Fifth and Sixth Data Protection Principles from data subjects. Although his measured memorandum to Parliament does not couch his concerns in this way, anyone how has knowledge of how data protection works will arrive at a very stark conclusion.

The Commissioner states that “he is concerned that the evidence for the 6 year retention period for 'non-convicted' adults is still unreliable” and is worried about “inconsistencies in approach” towards retention. He says “In particular the proposed 6 year retention period for 16-17 year olds arrested for but not convicted of serious crime sits oddly with the argument that the evidence does not support any such distinction between serious and minor crimes in the proposed 6 year retention period for 'non-convicted' adults”.

The Commissioner's first concern is that Home Office research is "misleading" because the policy of “comparing those who have been arrested with the general population is misleading as the police are more likely to re-arrest those who have already been arrested because they now have an arrest record and are on the Police National Computer (PNC)”. This reiterates the unfair processing claim in relation to the re-arrest of black men made by the Human Rights Commission in its evidence to Parliament.

In the Commissioner's opinion the “Home Office "estimated hazard curve" shows a significant narrowing around the 2 year mark. It is strongly arguable that this is the point where the interference no longer remains justifiable”. In other words, a two year retention period for those arrested and not convicted.

The Commissioner is also of the view that “the decision to remove a DNA record should be a pro-active one by the police not one that is triggered only by a complaint from the individual to whom the record relates”. He adds that “in the absence of any complaint from an individual, the police continue to retain DNA data in circumstances that clearly meet the defined conditions for removal, for example where the arrest was unlawful, that would be contrary to the requirements of the Data Protection Act 1998”.

He adds “Whether personal data are irrelevant, excessive or kept for longer than is necessary is not dependent on whether an application for removal of the data has been made”. In other words, the legislation is removing the protection of the Third and Fifth Data Protection Principles.

The Commissioner states that “the Bill makes no provisions for an independent appeal mechanism against a chief officer's decision under the proposed removal arrangements” adding that “the Home Secretary still appears to regard the question of whether there is a need for an appeal system as something for discussion and debate rather than as a given”. In other words, the Government’s proposals significantly diminish the ability of the data subject to exercise the right to object to the processing (and as a conseqeunce the Sixth Principle).

In his conclusion “the Commissioner welcomes the Government's efforts to put the operation of the national DNA database on a sound legal basis”. However “he remains concerned that the way this evidence is being interpreted at present does not provide an appropriate basis for the proposed retention periods” (i.e. no Schedule 2 condition as required by the First Principle) and that “The Commissioner does not consider that the evidence presented supports a general retention period of anything like six years”.

He believes that “there still need to be additional safeguards surrounding the decision to retain on acquittal, the proactive review of records subject to deletion and an appropriate appeal mechanism to protect against unwarranted decisions to retain records”.

In conclusion, can repeat the conclusion I reached in “Nine principles for assessing whether privacy is protected in a surveillance society (Part 1) – 2008” which explains why the current framework of privacy protection in the UK is so deficient. The Government’s Crime and Security Bill and its DNA retention policies is another example in a very long list of examples where there is a systemic undermining of the protection afforded by the data protection principles (and Article 8 human rights).

References: ICO’s memorandum on: http://www.publications.parliament.uk/pa/cm200910/cmpublic/crimeandsecurity/memos/uccr0502.htm. The document "Nine principles for assessing whether privacy is protected in a surveillance society – 2008" (two parts) on http://www.amberhawk.com/policydoc.asp. Human Rights Commission "Evidence to the Home Office re the DNA database" is downloadable from http://www.equalityhumanrights.com/legislative-framework/consultation-responses/response-to-consultation-on-dna-database-proposals/.

 

Uncomfortable questions over national security

Note: added by author. I have modified the text of this blog (on 28th Feb) as it became clear that biometric passports were not used in the assassination of the Hamas Officials. It follows that my text about the biometric passport was completely wrong and needs removing so that no mistake can be made. I have left the commentary on national security as this is still relevant I have put another blog (1st March) dealing with the updated passport position. Chris Pounder

Last week, the Foreign Secretary got up in the House of Commons to say that his legal action before the Court of Appeal was to protect intelligence vital to national security given to the UK by the USA’s national security agencies.

In relation to the intelligence issue, I accept that there are immense difficulties. However, if we start from the position that intelligence is information from which one can deduced or infer a possible action, then the position becomes clearer. For example, if “X has been in contact with Y” then it might be important to put “Y” on a watch list. 

However, I do not think that “X has been water-boarded” qualifies as intelligence – it is a description of what has happened to X. It might be confidential to qualify the intelligence by explaining that “intelligence from X has been gained under torture”, but there again, it is the information that is provided that is the “intelligence” and not the means by which it was extracted from the informant.

In other words, the Foreign Secretary’s claim that “The seven paragraphs contain summaries of American intelligence relating to Mr Mohamed’s case held in UK files” cannot possibly be substantiated by the facts. One cannot possibly undermine the principle of protecting intelligence sharing if the information itself does not qualify as intelligence (in this case, it relates to inhuman or degrading treatment).

Reference: In my evidence to the Joint Committee on Human Rights published in 2006, I explore national security in the context of Parliamentary scrutiny, data protection, human rights and terrorism. I explain why the UK system of scrutiny desperately needs an overhaul (http://www.amberhawk.com/policydoc.asp)

Breach of a Principle? Then expect the CEO to sign an “Undertaking”

Every week or so there is a press announcement from the ICO dealing with an errant data controller who has reported a data loss. The statement usually says that “so and so organisation” has lost a memory stick or laptop or whatever and has signed a public undertaking to improve matters and to behave properly in future.

For example, last week the Alzheimer’s Society promised to improve data security after staff details were lost. In fact, the Society is rather recidivist in relation to data loss as it reported three separate breaches involving personal data to the ICO during 2009.

The data loss (presumably the third of a series) that tipped the ICO into “asking” for an Undertaking from the Society involved the loss of several unencrypted laptops. The laptops were neither physically secured by cable locks nor locked away securely; one of the laptops contained personal details including names, addresses, national insurance numbers and salary details for about 1,000 staff across England, Wales and Northern Ireland. Staff were notified of the loss.

Signed undertakings are “requested” when there has been a serious breach of any data protection principle brought to the attention of the Commissioner where the issue is not so serious that an Enforcement Notice is a more appropriate sanction. The Commissioner’s decision between an Undertaking or an Enforcement Notice is the result of a thought experiment (or the product of paranoia if one is unkind) as it depends on what any putative data-thief could do with the lost personal data and not on what any thief actually does.

If a data controller accepts an “Undertaking”, it does not require the Commissioner to obtain the evidence that is needed to serve an Enforcement Notice. It also means that the Commissioner does not have to have to consider an appeal (as there isn’t one) and the Undertaking can be couched in general terms. A signed Undertaking (and the promise of future action to improve data protection compliance) is a quick way and non-statutory way of getting a serious problem off the Commissioner’s books so to speak.

There are rumours going around the data protection circuit that a Borough Council in the North West of England has suffered a second significant data loss, subsequent to a first Undertaking for another data loss. If that Council is judged not to have acted diligently with respect to the first Undertaking, it can expect an Enforcement Notice with respect to the second data loss. The rumour is that an Enforcement Notice is in the post,

So, it is important to understand that if you have to sign an Undertaking there is an element of “drinking at the last chance saloon”.  So if your CEO signs one, don’t stay in the pub after closing time!

Reference: to assist users I have prepared a detailed analysis of  the Commissioner’s Undertaking policy on http://www.amberhawk.com/policydoc.asp). This policy will form part of the UPDATE sessions we are holding with our Pinsent Masons colleagues in April in London, Manchester and Edinburgh (details on www.amberhawk.com).

Data Protection: custodial sentences for misuse of personal data to be delayed

The official announcement is expected next week but the bush-telegraph is beating out the message that the custodial sentences associated with the deliberate misuse of personal data are not going to commence, as promised, in May. This is not surprising, even though there was a hastily made consultation process ending in early January.

The sticking point I suspect is the application of the offence to the special purposes and in particular journalism. It has dawned on the Government that embracing legislation which could imprison journalists has very little to commend it when a General Election is looming. One can also imagine the fuss if this measure was actually passed by a Parliament full of MPs whose credibility is about zero, thanks the expenses scandal.

I should add that I am not expecting the custodial offence to be enacted after the Election as well - perhaps towards the end of the year at the earliest. Just consider. You are an incoming Government with a fresh mandate to cut back public spending and introduce whatever major reforms.

Do you enact legislation related to your political mandate or pussy-foot around with legislation that could lead to the imprisonment of journalists from newspapers that have supported your election effort? If there is a Bill of Rights, expect more delay on the grounds that freedom of expression has to be balanced properly with any privacy right (if it is expressed as a privacy right).

 

Airport scanner Code of Practice downplays data protection and Privacy by Design angles

 

The Government has published an interim Code of Practice on the use of body scanners at airports. It fails to mention the fact that the Data Protection Act is engaged or that Privacy by Design (PdB) techniques should be used. However, many of the procedures identified in previous blogs (e.g. of 6th Jan and 9th Nov 2009) are included. So why I am a “whingeing Pom” with a Code that contains explicit sections entitled “Data Protection” and “Privacy”?

I am not complaining about certain provisions in the Code. For example, where the Code states that the security officer observing the scans should not be able to see or identify the individual passenger who is scanned, or the fact that a passenger who is scanned can ask for a “same sex” security officer to inspect his or her image. Images are deleted immediately after scanning and “destroyed irretrievably” and there has to be no method of “copying or transferring images” and individuals have to be informed that they “may be required to be screened using body scanning equipment” and that images “will not be saved”.

What I have concerns about are omissions such as the following:

 

• The Code, by failing to mention the Data Protection Act, fails to mention that there is an independent system of regulation to which passengers could complain. This link to legislation is also omitted in the fair processing statement in the Code – something that would reassure passengers that there exists an appropriate and independent regulatory mechanism.

 

• The Code fails to identify the types of criteria which make a passenger liable to be scanned.

 

• The Code fails to have a mechanism so that aggrieved data subjects can ask for the image to be retained (e.g. if there is a dispute over an image) or data subject consent for retention be asked. It is very difficult to learn from the mistakes that occur or engage the independent regulatory system if the personal data in question has been “destroyed irretrievably”.

 

• Although the Code requires Airport Operators to provide a mechanism so that individuals can provide “age, gender, race, ethnic origin and religion”, there is no explicit obligation in the Code for Airport Operators to retain such information in a specific form or for a specific period.

The last paragraph is especially important. In my “Nine Principles...” article (see references at end), I state that reporting mechanisms must be specified by the Regulator so that the effectiveness of the implementation of surveillance mechanism can be measured.  So as far as I can see, there is no guarantee that any meaningful statistics concerning the use of these scanners will be generated because only those who want to provide this information will do so and only if the Airport retains such information. To describe this provision as “absolutely useless” would be to overstate its utility.

 

The Code also ignores the PdB work with airport scanners done by the Canadian Data Protection Authorities in particular Dr. Ann Cavoukian.  In that document, Dr. Cavoukian states that  scanners can produce images that can be processed in a form that does not reveal details of genitals  or even facial features. One would hope that even in a “interim Code” an aspiration to move to these type of scanners could be signalled.

 

Finally, some of Dr. Cavoukian’s work related to scanners that did not use ionising radiation - unlike the UK scanners which appear to use x-rays albeit in a very small exposure timeframe. Do you think that the Code should recommend that passengers (e.g. pregnant women) be informed that ionising radiation is used?

 

Overall one gets the impression that the Code has been quickly cobbled together – and that is why it is called “Interim”. Let us hope the “non-Interim” version appears soon.

References: The Scanner Code of Practice on http://www.dft.gov.uk/pgr/security/aviation/airport/bodyscanners/codeofpractice. “Nine principles for assessing whether privacy is protected in a surveillance society (Part 2) – 2008” on http://www.amberhawk.com/policydoc.asp. Dr. Cavoukian’s document on Airport Scanning http://www.ipc.on.ca/images/Resources/wholebodyimaging.pdf

 

 

The Answer is Yes

©Chris Slane 

John Terry: why the injunction failed to protect his privacy

I have a lot of sympathy for John Terry.  Whenever there are lurid headlines of the form “Celebrity romp with mystery hunk”, I instantly worry that I have been identified.  No doubt, this weekend will see more “revelations” and “privacy” versus “the public interest in the prurient” will be in the headlines again.

John Terry’s injunction failed because the main worry was not his privacy. In summary, this is not a case of “privacy” versus “freedom of expression”; it is a case of “can we use a privacy argument to stop damage occurring to an individual’s commercial interests”. To show this, I thought readers might want to read the “real McCoy” and to make things clear, I reproduce the two paragraphs of the judgment.

To keep his name out of the transcript, the transcript uses “LNS”  for John Terry (JT). Note that as the next letters along from LNS is JMT, so the court has not employed what is called in the trade “a strong encryption algorithm”.

One key paragraph is paragraph 95. It says:

“On the evidence available to me now, I have reached the view that it is likely that the nub of LNS's complaint in this case is the protection of reputation, and not of any other aspect of LNS's private life. I note that in the evidence the most LNS is said to have expressed is "grave concern over the possibility of intrusion into [LNS's] private life". There is no mention of any personal distress. As to personal attributes, LNS appears to have a very robust personality, as one might expect of a leading professional sportsman. It does not seem likely to me that the concern expressed on [LNS's] behalf for the private lives of the other person and the interested persons is altruistic. This claim is essentially a business matter for LNS. That is why the assembling of the evidence has been put into the hands of the business partners and not of the solicitors. My present view is that the real basis for the concern of LNS is likely to be the impact of any adverse publicity upon the business of earning sponsorship and similar income”.

At the end of the judgement, the Judge declined to make any order for the following reasons:

“i) There is a threat to publish information about the fact of the Relationship, but I am not satisfied that the applicant is likely to establish that publication should not be allowed;

ii) I think it likely that the nub of the applicant's complaint is to protect [LNS’s] reputation, in particular with sponsors...

iii) I am not satisfied that the double hearsay account I have been given of the evidence of LNS and the other person is full and frank....

iv) I am not satisfied that the applicant is likely to establish that there has been a breach of a duty of confidence owed to LNS;

v) ... I am not satisfied that the applicant is likely to succeed in defeating a defence that it would be in the public interest for there to be a publication;

vi) There is insufficient evidence of a threat to publish photographs or sensitive details about the Relationship.

vii) Notice has not been given to any newspaper when it should have been, and, as a result, I have not had the benefit of arguments in opposition to the application, which might have assisted me to be satisfied of the matters of which I am not satisfied.”

So there you have it: a case of commercial interest versus freedom of expression.

Reference: LNS v Persons Unknown [2010] EWHC 119 (QB) (29 January 2010).

A bizarre tale from the data protection/FOI interface

The complexity of interface between Data Protection (DP) and Freedom of Information (FOI) Acts never ceases to amaze; the Commissioner’s Decision Notice in relation to Lord Ashcroft has just added another bizarre twist.

As is well known Lord Ashcroft is a large contributor to Conservative Party coffers and is at the centre of the dispute about political funding. In October 2007, for example, he was accused of funding local Conservative constituency organisations in key Labour marginals. Lord Ashcroft is also a part-time ex-pat and manages several exotic financial instruments from Belize, a Caribbean paradise that doubles as a tax-haven.

When he was offered a Peerage (in controversial circumstances), Lord Ashcroft gave an undertaking to make the UK his permanent residence (a code for “pay UK taxes”). Unfortunately, years after his ennoblement, his web-site still stated that his home was in Belize; hence the inevitable FOI request for a copy of that undertaking (from Labour MP, Gordon Prentice – but as everybody knows, FOI requests are applicant blind).

Whenever I deliver FOI training courses (places still available), I used to say: “don’t worry about the Second Condition in section 40(4) of the FOI/DP interface because it is easy to understand. What it essentially says is that if the data subject cannot gain access to his own personal data because there is an exemption from the right of access under the DPA, then someone else can’t gain access to the same personal data under FOI”.

“It is plain daft”, I used to confidently continue, “to allow anybody gain access to a data subject’s personal data and at the same time exempt the data subject from access”. The provision is mainly there for consistency “so that nothing idiotic can happen”.

Ah well – time to eat a huge portion of humble pie; the Commissioner has just done what I said was “plain daft” or “idiotic”. He has decided that even though Lord Ashcroft could have been refused access to the personal data on a subject access request, it is in the public interest that his personal data are revealed to a FOI requestor – in effect published to the world.

The Decision Notice clearly states that the ICO is satisfied that Lord Ashcroft’s undertaking is personal data, and that the data are exempt under the DPA because they are processed for the purpose of “conferring by the Crown of any honour”. However, as section 40(4) is not an absolute exemption, the Public Interest Test, once applied, falls in favour of disclosure (see the Decision Notice for details) of the personal data, even though Lord Ashcroft could be refused access.

The Cabinet Office has 35 days to work out what to do, so the next question is whether the Cabinet Office will appeal to the First–tier Tribunal (Information Rights)? Well another 35 days gets us to mid March with an expected General Election within a few weeks. So, if the information is damaging to the Tories, what do you think fair-minded Ministers will decide?

Reference: Decision Notice  FS50197952, issued 28 January 2010