Members of Parliament are concerned about last week’s resignation of the Health Secretary and this is not because Mr. Hancock breached his own COVID regulations and was caught canoodling in front of a CCTV camera. The concern arises because the CCTV images were covertly taken from inside Mr. Hancock’s Ministerial Office and disclosed, without authority, to The Sun newspaper.
If this can happen to a Cabinet Minister, MPs are wondering, what is the level of state surveillance that can be turned on other Ministers and on them?
The Department of Health and Social Care (DoHSC) has launched an internal investigation with input from the Computer Security Group of the Cabinet Office. As there has been no commitment from Government to make any aspect of the investigation public, the risk of deliberate obfuscation is considerable; this blog lists the questions that investigation needs to answer if it is to have any credibility.
I should add that the Urgent Question recording (see references) on the subject, as debated in Parliament, is very interesting; worth a watch.
FOI and IPSO Editor’s Code
First, however, to other fall-out from the Hancock resignation.
Yesterday the ICO announced she has started an investigation into the use of private emails by Mr. Hancock. The allegation is that Mr. Hancock used his private email accounts for official business (e.g. to award PPE contracts) in order to avoid releasing information as a result of requests under the Freedom of Information Act.
All I would say, that the practice of using private emails for official business has been going on for at least a decade; Mr. Gove was one of the first Government Ministers to try and avoid scrutiny via the FOI regime in 2011 (see references for early blogs on this subject). As an aside, Mr. Gove’s irritation on losing his FOI case, is one reason why Ministerial responsibility for FOI and data protection was moved from the MoJ.
Secondly The Sun newspaper appears to in breach of the IPSO Editor’s Code of Practice when it published photographs of Mr. Hancock inside a restaurant with his paramour. Paragraph 2(iii) of this Code states: “It is unacceptable to photograph individuals, without their consent, in public or private places where there is a reasonable expectation of privacy”.
Clearly, “unacceptable” restrictions do not apply to The Sun. I do not see how a photograph taken inside of a restaurant of two diners (where there is a reasonable expectation of privacy) adds much in the way of “public interest” given the ‘all embracing’ CCTV footage that was actually published by The Sun (see references).
Data protection issues
I now turn to the Data Protection questions the internal DoHSC investigation needs to cover.
Who is the controller for the CCTV personal data? Options include: the DoHSC; some other UK organisation that has a role to authorise covert surveillance, and some other person (e.g. rogue employee or contractor).
What was the purpose of installing the cameras? If the purpose is “security of a Ministerial Office” what does “security” entail in practice? What were the objectives associated with the CCTV installation?
What was the coverage of the cameras? Did the camera just cover the entrance to the Ministerial Office or could the camera cover other parts of the Office away from the entrance? If CCTV is continuously monitored by staff in real time, CCTV can enhance office security, but if CCTV is not monitored in this way, it acts to record evidence of what has happened (e.g. who was inside an office). So the purpose of “securing a Ministerial Office” without continuous monitoring by staff is contradictory.
Did the camera have an audio recording functionality? MPs appear to assume that this functionality was present but this is not confirmed. It is difficult to see how an audio recording functionality adds to the security purpose(s) normally associated with CCTV.
The irrelevance of the Wilson Doctrine. MPs in the Parliamentary exchanges raised the issue of the “Wilson Doctrine” (which I think does not apply).
This Doctrine is named after Prime Minister Harold Wilson who, in 1966, suspected that MI5 was involved in tapping his phone calls; he made a statement in the House of Commons saying that MPs phones would not be tapped. The Doctrine does not apply as the surveillance under investigation does not involve the tapping of phones (e.g. so that both sides of a conversation are recorded). In this case, any audio capacity would record what the Minister said but not what was said to the Minister by a caller.
Covert surveillance of MPs is covered by other legislation, but the Minister did confirm that the Wilson Doctrine (which is irrelevant in my view) still applied.
I should add, there is an important issue about surveillance of MPs in general other than telephone tapping (e.g. to what extent should Communications Data of MPs be made available to Ministers when the Government is trying to find who is making unauthorised leaks of official information).
Was the surveillance deliberately covert? Well if Matt Hancock knew the camera was present, he acted in a way that was truly astonishing. Remember if deliberate covert surveillance has occurred, it is subject to other legislation and data protection law is largely irrelevant. In any event, the UK’s data protection regime provides for surveillance to be exempt from transparency obligations in certain circumstances (e.g. suspected criminal activity).
To my mind, the surveillance is covert; the reason for that covertness has to be explained in a credible form. “Ooops, this was an accident” simply lacks credibility. Just imagine your work environment where a colleague says: “I have ‘accidently’ placed a secret CCTV audio-camera into the managing director’s office; do you want to look at the recordings?”. Accidents like that do not happen.
Should the processing have been transparent? Data subjects should know that cameras recording their images for security purposes are in operation and where they are located (especially if cameras are located in offices). So what effort was expended by the DoHSC to provide transparency?
If the security purpose errs on the side of a “national security” purpose then the cameras can be lawfully covert, but this raises questions of compliance with surveillance specific legislation and whether the DoHSC can undertake such surveillance.
Duration of processing? How long has the camera been recording personal data? How long are images and voice recordings (if any) are retained?
Did any official data sharing occur? (e.g. between other parts of Government). So who are the Recipients and Third Parties (if any) to whom images have been shared.
Who in the DoHSC authorised the location and functionality of the camera? Clearly, it is not Minister.
Will there an attempt to pass the blame to a processor? This “pass the parcel” does not work as the controller gives instructions to a processor who is then supervised by the controller.
Is the Ministerial Office in the DoHSC unique? It is difficult to see any official justification for placing cameras in a Ministerial Office being unique to the DoHSC, unless there are specific national security or criminality concerns.
Is there an audit trail covering who has access? I am sure that Mr Hancock can recall time and date of these images, so a list of Recipients who have had access to images should be limited. If there is no reasonable audit trail, then there has been a likely breach of the security obligations in the GDPR.
Has an offence under the Data Protection Act 2018 in the picture. Yes, it looks as if there has been a disclosure of personal data by someone to The Sun without the consent of the controller (presumably the DoHSC) contrary to Section 170(1)(a) of the DPA2018.
Concluding comment
I suspect that any official report will conclude “It’s all been an almighty cock-up” and “the installation was an error” or something like. If the explanation is on these lines, and the above questions have not been addressed satisfactorily, then take any conclusion with a shovel-load of salt.
Remember also that it is the DoHSC that is directing the collection of bulk personal data from GP surgeries and is centralising powers under the Health and Care Bill just published. If the lead Department cannot give a straight answer with its CCTV, why should the public trust the bulk medical personal data collection from GP surgeries and other NHS bodies.
Practitioner Data Protection Course (Sept)
Because of spread of the Indian variant of COVID and possible doubts concerning the justification for ending of the COVID lockdown, the following course can be attended in person or via Zoom or a mixture (it's up to you). The Data Protection Practitioner Course is in London, and starts September 7 (6 days).
Full details on www.amberhawk.com/StandardDP.asp or by emailing [email protected]
References
BBC Iplayer Parliamentary report of the above (44 mins; 4:10pm, 28 Jun 2021): https://www.bbc.co.uk/iplayer/episode/m000xvhw/house-of-commons-live-urgent-question-on-security-in-ministerial-offices
The Sun’s CCTV footage including a photo inside a restaurant: https://www.thesun.co.uk/news/15397278/matt-hancock-gina-coladangelo-date/
Parliamentary Debate Hansard (Urgent Notice Question): Commons (28 June): https://hansard.parliament.uk/commons/2021-06-28/debates/39713A34-4F3E-491B-B736-FD7F38658881/SecurityOfMinisters%E2%80%99OfficesAndCommunications
Blogs of 2011 & 2012 reporting on Ministerial use of private emails to avoid FOI requirements:
- Do all Conservative Ministers use personal emails and texts to avoid FOIA? https://amberhawk.typepad.com/amberhawk/2012/06/do-all-conservative-ministers-use-personal-emails-and-texts-to-avoid-foia.html
- Could Mr Gove’s emails breach the Data Protection Act as well as Freedom of Information? https://amberhawk.typepad.com/amberhawk/2011/09/could-mr-goves-emails-breach-the-data-protection-act-as-well-as-freedom-of-information.html
Comments
You can follow this conversation by subscribing to the comment feed for this post.