Amberhawk
A blog reader asked me to look at the Code of Practice on the acceptable use of body scanners to enhance security at UK airports. The consultation period associated with the Code ended four weeks ago, so I apologise for a severe case of “better late than never”.
In summary, the Code still ignores several key issues. However, to be fair to the incoming Coalition Government, the consultation had been commenced in the dying days of the previous administration. It had no choice but to finish a process that carries all the hallmarks of New Labour’s dismissive approach to most privacy concerns.
The Code gives the impression that the Data Protection Act only applies at the margins. This is illustrated by a 400 word Privacy Impact Assessment which fails to impress (see references); it is limited mainly to some security commentary – as if these were the only issues. The PIA does not consider the fairness elements of the processing of personal data, an area where the Code needs most work.
For instance, the fair processing notice implied by the Code fails to explain important elements. For instance, those who are scanned can request a same sex member of staff to see the scanned images. So how is this option going to be exercised, if this does not form part of the fair processing arrangements?
Also, I think the fair processing procedure excludes its most obvious component. Anybody selected for scanning, I am sure, will be thinking: “How does this system display my ‘bits’”? So how can a passenger be properly informed about the processing of his personal data if he has no idea what kind of images are produced (or displayed) by the specific scanning system used?
I think another major problem is an absence of a commitment to implement privacy enhanced scanning technologies as a matter of principle. Instead, the decision of “which choice of scanner” (ionising X ray or non-ionising millimetre wave) is merely “an operational decision for individual airports” (e.g. on cost grounds).
The consultation thus ignores the research published by Dr Ann Cavoukian that shows there are solutions that can protect privacy (See blog of 06/01/2010: “Privacy Commissioner states that full body scanners can avoid data protection problems”). I would have liked the Code to make a commitment to implement such non-ionising scanners as soon as their operational effectiveness is proven.
Also I think the Code is misleading when it tells passengers that they have a choice – they can either “be scanned” or “not fly”. I don’t believe this to be the relevant choice. For instance, suppose an individual tries to get on a plane and is selected for random scanning. Suppose further that the individual refuses to be scanned for whatever reason. Do you think that the refusal to be scanned would be the end of it?
To provide an extreme example: do you really think that someone who might be a terrorist who has opted-out of a scan because he might be discovered will merely be escorted away from the secure passenger side of the airport and let go?
Nope! I think any refusal to be scanned would result in close scrutiny of that individual and anybody remotely “suspicious” would be searched. And if the security people are then going to search “suspects” and find nothing, why can’t the searched individual then go on to fly?
I think the whole proposition in the Code is based on a fallacy. The option is not between “be scanned” or “don’t fly” - the only real option is between “be scanned” or “be searched”.
In other words, those who refuse to be scanned and "don't fly" are likely to be searched. And if this is the case, why can’t someone state that they would prefer to be searched at the outset? Another example. Suppose the scanner sees “something”; that passenger will then be searched. And if that is the case, why can’t people choose to be searched before the scan?
I therefore think the Code is wrong to insist that those with electronic heart pacemakers, pregnant women, external medical bags (e.g. stoma), the disabled and young children have to be scanned (e.g. by ionising radiation) if selected.
Indeed with respect to ionising radiation, the Code confidently states that analysis has shown that procedure “does not constitute any unacceptable risk to health” – almost with the same certainty of those who said the Titanic was unsinkable. But if you are that passenger with an electronic pacemaker or a young child or a patient with a certain medical condition, I do not think you will be reassured by Government statisticians. This reinforces my view that a choice between “scan” or “search” should be available.
The Code acknowledges that the Data Protection Act applies to the scanning regime, but fails to mention some of the consequences of this. For example, there is no mention of the fact that the ICO has regulatory powers over the use of scanners; instead the Code refers to inspectors from the Department of Transport taking enforcement action against those Airports.
This shows that the Code has not got its data protection analysis correct. I would expect that any complainant would prefer to contact the ICO if there was an issue with the scanners and not deal with the Department of State that has a vested interest in installing these scanners.
Offences in the Act are overlooked. I would have thought passengers would be reassured that any leering security guard could face criminal sanction under the Act.
Finally, as with all the previous Government’s surveillance activity, there is no mention in the Code about measuring outcomes. For instance, how many people are scanned? How much does it cost per scan? How many false positives? How many searches? How many passengers objected to compulsory scanning? How many choose not to fly? All these numbers allow for these scanners to be assessed. The numbers to allow assessment are simply not collected and it is simply not good enough.
In summary, there is no change of mind from me. This Code needs a total rethink.
Message: Hawktalk is migrating to sunnier climes for the summer; we are back on our perch in about 3 weeks' time.
References: The Consultation document is on http://www.dft.gov.uk/consultations/closed/2010-23/consultation.doc . The “expansive” Privacy Impact Assessment (which takes a minute to read) is on pages 12 and 13 of http://www.dft.gov.uk/consultations/closed/2010-23/ia.pdf.
Marketing: We have dates for our Data Protection Update sessions in Autumn (£95+VAT; book early as they are very popular; these include a session devoted to what FOI Decisions tell us about personal data). Also, we have a set of Data Protection courses (Edinburgh commencing in late August and in London on July 13th). Our next FOI course is in London (commencing 20th September) and in Leeds (commencing 19th October). Details on www.amberhawk.com
Posted at 12:21 AM in Data Protection, News | Permalink | Comments (0) | TrackBack (0)
After imbibing some Bavarian Lager and a number of Decision Notices (including some Scottish ones), I have come to the conclusion that FOI requests of the kind “Please provide, in electronic form, the email addresses of all members of staff” can be resisted until a public authority is certain that the balance of interest lies with disclosure. This blog explains why I think this is the case, so please argue with me if you think I am wrong.
I started down this path when I realised that the Scottish Information Commissioner (SIC) and the Sassenach equivalent (the ICO) take a different view of the balance of interest test in Schedule 2, paragraph 6 of the Data Protection Act (DPA). This is the Schedule 2 ground that is used to test whether the interests of the public in the publication of requested personal data under FOI prevails over the interests of the data subject in the non-publication of such data.
Schedule 2, paragraph 6 of the DPA sets out the balance of interest as follows:
“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject”.
First to the different approach between the ICO and SIC. In summary, the SIC considers whether the requesting “third party” has a specific legitimate interest in disclosure whilst the ICO considers whether the “third parties” in general have a collective legitimate interest. I prefer the ICO approach to this test, but this divergence of approach is not the subject of this blog.
So, for example, in a Decision Notice 018/2010 involving a “Ms Y” (see references), the SIC asks the question “Does Ms Y have a legitimate interest in being given this personal data” and if so “is disclosure necessary to achieve those legitimate aims?”. Indeed he asks this question as a matter of routine in relation to the application of the personal data exemption in FOISA (so I can reassure you that I am not picking on “Ms Y”!).
Now to the thought that occurred to me: if the SIC asks this question, why can’t it be asked by any public authority when it cannot identify the outcome of the “balance of interests” test? Note that my argument does not apply to requests where those interests are clear (e.g. “Please provide me details of the number of registered sex offenders in the same post-code area as so-and-so Junior School”) but does apply when the request is a general one (e.g. “for all email addresses”).
“Ah – but FOI is purpose blind”, I hear you say. I agree. However, I am not challenging that premise. All I am suggesting is that where the balance between conflicting interests is uncertain (i.e. the legitimate interests of the public versus the legitimate interests of the data subject), questions can be asked of the requestor to help resolve the matter.
Strange as it might seem, this issue was also raised in the Durant decision in another guise. In section 7(4) of the Data Protection Act, the data controller is faced with the dilemma of whether it is reasonable in all the circumstances to release (or not to release) the identity of other individuals identified in personal data that have been requested by a data subject.
Para 61 of Durant states that where the data controller cannot resolve this dilemma “The data controller .... should also be entitled to ask what, if any, legitimate interest the data subject has in disclosure of the identity of another individual named in or identifiable from personal data to which he is otherwise entitled...”. In other words, if in doubt, ask the requestor.
Indeed the ICO in his recent Decision Notice (FS50164940 dated 4 March 2010; see references), implies this line. He writes that Schedule 2, paragraph 6 “establishes a three part test which must be satisfied”. These three parts are:
• “there must be legitimate interests in disclosing the information”,
• “the disclosure must be necessary for a legitimate interest of the public”, and
• “even where the disclosure is necessary, it nevertheless must not cause unwarranted interference (or prejudice) to the rights, freedoms and legitimate interests of the data subject”.
Remember the premise is that in an FOI request “for an electronic copy of all staff email addresses”, the outcome of the balancing test is not clear. So, I would argue that it would be helpful to ask the applicant why the legitimate interest in disclosure should prevail, especially as the FOI requestor (if he gets the personal data following the request) would have obligations as a data controller (when he gets an electronic list of emails).
Surely, the public authority is properly balancing the conflicting interests by ensuring that any disclosure of personal data is to a FOI requestor who is aware of his obligations as data controller? Isn’t it reasonable to ask such an FOI requestor for a copy of his notification under the Act (or to identify which exemption from notification he is relying on)?
I think it is reasonable for the public authority to seek confirmation that any personal data disclosed falls within the domestic purpose exemption (S.36) of the DPA. If the answer is “yes”, then the requestor cannot use the personal data for a business purpose without taking a significant risk (see later).
In order to protect the rights of data subjects, you could ask the requestor whether the personal data are to be used for a marketing purpose and if so, how is he to meet the right to object to the marketing purpose? In fact, I suspect that the FOI requestor, as data controller, would be processing personal data in circumstances where the general right to object to the processing (S.10) would apply.
So you can ask whether it would be “helpful” to the requestor if individuals subject to his request were advised of their rights? Perhaps you can ask whether it would “help” to send data subjects the requestor’s fair processing notice and an email address where data subjects can register any objection to his processing or marketing purpose?
I think that this approach is also in accordance with the Interpretation of the Second Data Protection Principle. This states that “In determining whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, regard is to be had to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed”. How can the public authority release personal data about staff to an FOI requestor without having any regard to what the requestor’s purpose is?
And what about the Third Principle? How can a public authority know that the personal data is relevant to the legitimate purpose pursued by the requestor if that public authority cannot, with any certainty, identify what that legitimate purpose is?
If the requestor fails to assist the public authority in its decision making processes, then I would argue there are a number of Principles that could easily be breached. In such circumstances it is reasonable for a public authority to refuse such requests.
Now we come to last week's "Bavarian Lager" judgment by the European Court, following an appeal pursued by the Commission at the behest of the last UK “New Labour” Government (interesting that, isn’t it?). Paragraph 78 of that judgment (see references) determined that the names of civil servants who made decisions about guest beers in UK pubs were reasonably redacted by the Commission.
This was because “Bavarian Lager has not provided any express and legitimate justification or any convincing argument in order to demonstrate the necessity for those personal data to be transferred” and “the Commission has not been able to weigh up the various interests of the parties concerned”.
So there we have it. When the European Court cannot decide where the balance of interest lies, it wants details as to why the requestor wants the personal data. When the SIC makes a decision, he asks about the requestor’s legitimate interest. When the ICO makes a decision he asks about “the disclosure being necessary for a legitimate interest of the public”.
That is why I have concluded that when a public authority receives a request on the lines outlined above, it is perfectly proper to ask modest questions of the requestor about his legitimate interest.
I would also add a sting in the tail. If I was a public authority on the receiving end of an “everybody’s email” request, and there were to be a disclosure to the requestor, I would tell the requestor that the personal data have been seeded with email addresses whose sole function is to identify misuse of personal data which of course could be an offence under Section 55 of the Act.
After all, I would argue that public authorities are protecting the legitimate interests of data subjects by protecting them from processing purposes, which if identified prior to disclosure, could have resulted in the refusal of the request. FOI requestors should know that there are penalties for misleading public authorities into disclosing personal data under a FOI regime.
Will the above work? Well I think it would; if it doesn’t, I promise to visit on a regular basis! At the very least, you can send the requestor a copy of this blog so he is aware of the problem.
References: Decision 018/2010: Ms Y and East Ayrshire Council; http://www.itspublicknowledge.info/applicationsanddecisions/Decisions/2010/200901769.asp. Durant: [2003] EWCA Civ 1746 (8th December 2003). ICO Decision Notice FS50164940: http://www.ico.gov.uk/upload/documents/decisionnotices/2010/fs_50164940.pdf. ECJ - Bavarian Lager - Case C 28/08P concerning the DP/FOI interface specified in Regulation (EC) No 1049/200.
Marketing: We have dates for our Data Protection Update sessions in Autumn where we discuss the DP/FOI interface (£95+VAT; book early as they are very popular). Also, we have a set of Data Protection courses in Edinburgh commencing in late August and our next FOI course is in London (commencing 20th September) and in Leeds (commencing 19th October). Details on www.amberhawk.com.
Posted at 11:04 AM in Data Protection, Freedom of Information, News | Permalink | Comments (1) | TrackBack (0)
All materials on this website are the copyright of Amberhawk Training Limited, except where otherwise stated. If you want to use the information on the blog, all we ask is that you do so in an attributable manner.