Government to withdraw "data sharing" clauses

Three weeks ago I blogged about the extraordinary and questionable way in which wide-ranging data-sharing powers were being introduced in the UK, buried deep in a Bill with the innocent-sounding phrase “Coroners and Justice” written on the front.

(Incidentally, you can now instantly tell whether or not you are a sad Hitchhiker fan by noting whether or not the phrase “Beware of the Leopard” popped out of nowhere like a large drinks bill as you read that last sentence…).

If you recall, apart from the worrying breadth of the data-sharing powers proposed, the Bill introduced them through the bizarre mechanism of amending another, otherwise quite unrelated piece of primary legislation (the Data Protection Act 1998). Well, I say “amending”… the effect of clauses 152-154 of the Coroners and Justice Bill (CLB) appeared to be to completely overturn the 2nd Data Protection Principle, namely that data collected for one purpose should not be re-used for another.

Well, the story is now appearing, on VNUnet and in the Telegraph Online, that Justice Secretary Jack Straw is to drop the clauses from the Bill and start a fresh attempt to reach consensus on a less sweeping alternative. If true (and both Phil Booth of No2ID and Simon Davies of Privacy International appear to think that it is), this is a welcome concession to the 30 or so bodies which wrote to Mr Straw last week to tell him what a bad idea they thought the clauses were.

According to the VNUnet article,

“Straw will instead ask the Information Commissioner to lead a public consultation on the issue so that public bodies can share information where there is a clear benefit – for example, previous reviews have highlighted the many different agencies that need to be informed when someone has died.”

That’s all well and good, but in citing the hoary old ‘bereavement’ example it almost entirely misses the point. If the proposals are intended to allow public sector organisations to share data where there is supposedly a clear benefit to the citizen, then the key criterion to be satisfied before any such sharing takes place must be: does the citizen in question want it to happen?

If I choose to be obliged to contact multiple agencies should I have to notify them of someone’s death, that choice ought to be mine, and I ought to be allowed to make it on the basis of helpful information about the risks, as well as the potential benefits, of allowing my data to be shared. Until the principle of informed consent is more rigorously applied to plans for the sharing of citizens’ data, any new proposals are likely to be just as unacceptable as the one which, I hope, is about to be consigned to the drafter’s bin.


Straw vetoes publication of Cabinet minutes

For the first time since the introduction of the UK’s Freedom of Information Act, the Justice Secretary has decided to use the ministerial veto option to prevent the publication of Cabinet minutes from 2003. The minutes in question relate to the Cabinet’s discussion of the legality of going to war with Iraq.

The Information Commissioner had already ruled that the minutes should be released; the Government appealed to the Information Tribunal for a review of that decision, and the Information Tribunal rejected their appeal. Interestingly, the Justice Minister had a choice: he could have taken the Information Tribunal’s decision to the High Court – but instead has peremptorily vetoed it, guillotining the legal process.

This will do little to quell the suspicions of those who believe that the minutes would show that the public were misled about the decision to invade Iraq.

See clauses 152-154

The British Computer Society (BCS) has issued a bluntly-worded critique of the data-sharing proposals buried in the Coroners and Justice Bill. Buried in the Bill are clauses which set out powers for any government minister to make an order for the sharing of personal data “in order to secure a relevant policy objective”.

The BCS document notes that these powers are wide-ranging and general, and that the Bill does not set out any corresponding checks and balances to curtail their inappropriate use.

The BCS further notes that the Bill is likely to contravene UK and EU Human Rights legislation, that it undermines the fundamental principles of the Data Protection Act 1998, that it weakens the independence of the incoming Information Commissioner (welcome to your new job, Mr Graham…), and that it will do further damage to the public’s confidence in government’s ability (and willingness) to process personal data with due regard to personal privacy.

The BCS’ position is neither trivial nor new. As David Evans points out in his blog post here, it is based on, among other things, a programme of consultation going back to 2006. The current Information Commissioner, Richard Thomas, expressed his deep concerns at the Bill last year, both in formal statements from his office, and in his keynote speech at the Privacy By Design conference.

It seems clear that, at one level, the intention of clauses 152-154 is simplification. Someone, somewhere must have concluded that the current position on data-sharing is just too complex, and that what is needed is a straightforward clause which cuts through all the nonsense and says “here’s why we want to share this data, it’s obviously sensible for us to do so, let’s get on with it”.

The issue is that, complicated and confusing as it may be, the patchwork of privacy-enhancing legislative measures we have in the UK consists of elements which are there for a reason, and are intended to protect both individuals and the public good. The main effect of introducing a ‘simplifying’ clause which allows ministers to over-ride existing protections is actually to make matters more complicated and more confusing – because these conflicting laws will now have to be played off against one another, both in plans to implement public policy and (with a grinding inevitability) in the national and European courts.

Quite apart from any other consideration, it ought surely to arouse the most lively scepticism when an existing Act (the Data Protection Act) is fundamentally modified by clauses buried deep in a separate bill ostensibly about ‘Coroners and Justice’. Clauses 152-154 deserve to be flushed out of their obscure hiding-place in the Coroners and Justice Bill, and into that sunlight which Justice Louis Brandeis described as “the best disinfectant”.

Incidentally, Justice Brandeis said a couple of other things which bear repeating in this context:

“Electric light [is said to be] the most efficient policeman” – which, given that he said it in 1913, was as accurate a harbinger of the technological surveillance society as one could ask for. Today he would have referred to CCTV, communications interception and automatic numberplate recognition, but the underlying principle is the same.

He also said, though, that “if we desire respect for the law, we must first make the law respectable.” In that regard, clauses 152-154 set a regrettably poor example.

Interpreting the EU laws on privacy

In the preceding blog post, I mentioned the difficulties which arise when trying to work out exactly what “personal data” means in UK and EU legal terms. Thanks to the very useful EU Privacy and e-Commerce Alert from Hunton and Williams, I have an example. It concerns a recent ruling by the European Court of Justice, which found in favour of a Mr Huber and against the German Government.

Mr Huber (an Austrian citizen working in Germany) started out by contending that the German Government was discriminating against him (relative to German citizens) by keeping a record of his personal data in a central database of non-residents.

Here’s a quick summary from that part of the case records:

Mr Huber, an Austrian national, moved to Germany in 1996 in order to carry on business there as a self-employed insurance agent. The following data relating to him are stored in the AZR:
– his name, given name, date and place of birth, nationality, marital status, sex;
– a record of his entries into and exits from Germany, and his residence status;
– particulars of passports issued to him;
– a record of his previous statements as to domicile; and
– reference numbers issued by the Bundesamt, particulars of the authorities which supplied the data and the reference numbers used by those authorities.

Since he took the view that he was discriminated against by reason of the processing of the data concerning him contained in the AZR, in particular because such a database does not exist in respect of German nationals, Mr Huber requested the deletion of those data on 22 July 2000. That request was rejected on 29 September 2000 by the administrative authority which was responsible for maintaining the AZR at the time.

As it happens, that claim didn’t go anywhere, but Mr Huber pressed on, and the ECJ has now ruled that recording his details in such a database is incompatible with the Data Protection Directive and fails the applicable test of ‘necessity’. I don’t know if the German Government can or will appeal against the ruling.

Rather than recite the rest of the case, I’ll let you link to the judgement if you are interested. Be warned, though, unless you are fluent in Eurospeak (the 24th official language of the European Commission) the references to this or that article, recital or preamble of various Directives will probably make your head spin.

Here, you will find links to three documents about the case.

I recommend you start with the document labelled “Opinion”, as that sets out the basic arguments in more human-readable terms. If that isn’t enough for you, take a deep breath and dive into the “Judgement”. Enjoy.

Surveillance, citizens and the state

A bit like the snow, some news stories are piling up almost too fast to blog about… so rather than include links inline as usual, I will put them all at the end of this post.

The House of Lords Constitution Committee has released a report entitled “Surveillance: Citizens and the State”, which considers whether the pervasive nature of surveillance in 21st century Britain has fundamentally altered the relationship between the citizen and the state. If that seems to echo the Information Commissioner’s 2004 comment that the UK was in danger of “sleepwalking into a surveillance society”, and his subsequent 2006 report setting out some of the ways in which that was happening, that’s no accident. The Constitution Committee acknowledges that that was the impetus for its inquiry from 2004-2007 and subsequently the current report.

The report’s opening paragraph is clear and concise enough to deserve quoting in full:

“Surveillance is an inescapable part of life in the UK. Every time we make a telephone call, send an email, browse the internet, or even walk down our local high street, our actions may be monitored and recorded. To respond to crime, combat the threat of terrorism, and improve administrative efficiency, successive UK governments have gradually constructed one of the most extensive and technologically advanced surveillance systems in the world. At the same time, similar developments in the private sector have contributed to a profound change in the character of life in this country. The development of electronic surveillance and the collection and processing of personal information have become pervasive, routine, and almost taken for granted. Many of these surveillance practices are unknown to most people, and their potential consequences are not fully appreciated.”

That sounds to me like a “yes”. However, and I in no way mean this as a criticism, the report continues with a further 129 pages of analysis. It examines the issue from a number of different stakeholder perspectives: regulators, government, parliament and citizen, and also looks at Privacy Enhancing Technologies (PETs) and the closely-related issue of where the boundary between technology and policy should most sensibly fall. As far as the citizen perspective is concerned, it stresses the importance of consent, and notes the extent to which that depends on adequate information. All in all, it’s a very thorough piece of work.

One of its more worrying sections is Chapter 7, on the role of Parliament. It notes that witnesses to the inquiry described Parliament as being the only body which can block undesirable legislation, and act on behalf of the citizen in determining how far surveillance powers should be able to go. It goes on to say that Parliament is often prevented from giving privacy-related legislation the necessary scrutiny, because the laws are enacted in the form of vaguely-worded primary legislation, with the details put through later as secondary legislation (the Identity Cards Bill 2006 being a prime example). Parliament cannot amend or vote on secondary legislation.

The report also presents a valuable analysis of the Committee’s perspective on constitutional factors, including:

  • The laws which enable surveillance, data collection and data sharing;
  • The laws and regulations which are intended to protect the citizen;
  • The events which, over the period of the Committee’s work, have shaped policy in this area.

It is absolutely clear from the report that the legislative and regulatory environment is an extremely complex one, with multiple agencies able to collect and share data under the provisions of multiple laws (for example, the Regulation of Investigatory Powers Act, the ID Cards Act, and the Coroners and Justice Bill (!)), and with protection for the citizen correspondingly fragmented and piecemeal.

If you do read the full report, I’d offer one piece of advice: don’t be tempted to leap straight to Chapter 9 (Recommendations) in search of the quick précis. The body of the report is also punctuated with very specific and highly relevant recommendations.

In short, the report presents ample factual evidence in support of the opening paragraph.

The government’s reported response is rather more succinct. According to today’s BBC news article, Home Secretary Jacqui Smith ‘has rejected claims of a surveillance society as “not for one moment” true and called for “common sense” guidelines on CCTV and DNA.

She recently announced a consultation on possible changes to the Regulation of Investigatory Powers Act, under which public bodies can conduct covert surveillance and access data, to clarify who can use such powers and prevent “frivolous” investigations.’

On the face of it, this looks like a perpetuation of some of the shortcomings described in the Constitution Committee’s report.


House of Lords Constitution Committee’s report – (from the ICO website)
ICO response to the Committee’s report

ICO memorandum on data-sharing provisions in the Coroners and Justice Bill

ICO report on the Surveillance Society

Another useful couple of documents:

ICO paper on “what is personal data” – drafted in 2007, so good but probably a little out of date regarding the Article 29 Group’s current position;

ICO paper on “what is data”. May seem a daft question to have to ask, but that in itself gives an indication of how difficult it can be to work out whether information about a citizen is indeed protected by the law. (Let alone what to do about it if it is…)

What’s read and goes at 30 miles an hour?

An RFID-chipped passport, it seems…

Chris Paget, a security researcher in California, successfully read the data off US electronic passports from a range of 20 feet while driving past at 30 mph in a San Francisco street.

The bickering about how close to an RFID passport chip one has to be in order to read it has been going on for years… In 2006, when the implementers were saying that the chip and reader had to be no more than 2 cms apart, Dutch researchers had scanned chips at a range of 30 cms. Even back in 2004, Bruce Schneier reported RFID chips being read from 20 metres (about 70 feet), though from this article it’s not clear whether they were ISO 14443 e-passport chips – and different chips use different radio frequencies.

Given that even Visa Waiver candidates (such as UK citizens travelling to the US) now have to stand at the DHS officer’s counter for long enough to provide all 10 fingerprint biometrics and a facial photograph, what exactly is the legitimate requirement for contactless access to the passport chip?

For what it’s worth, I am still using the Faraday wallet I bought back in 2006…

Ontario IPC publishes new guidelines

Last November I attended a “Privacy By Design” workshop, hosted by the UK Information Commissioner’s Office to mark the launch of a report on that topic, produced by the excellent Toby Stevens of EPG. For once, the UK ICO was ahead of its Canadian counterpart ;^)

You may also have seen that the ICO has issued guidance to the effect that UK public sector bodies must now do a Privacy Impact Assessment for any project which involves the processing of personal data… in that instance, though, I have to report that the Ontario Commission beat them to it. Dr Ann Cavoukian and her team have been using PIAs for some time now (see, for instance, this 2005 paper applying PIA principles to the processing of personal healthcare information… a practice, incidentally, which might give many of us reassurance if applied to the UK’s Electronic Patient Record initiative).

The Ontario Commission is in the lead with its latest press release, too: this one is about what to do if your project not only deals with personal data but also crosses organisational boundaries. The answer is the F-PIA, or Federated Privacy Impact Assessment. This starts with the initial privacy principles for data-at-rest and extends them to apply to data-in-motion.

A recommended read… and here’s a link to the requisite page on the IPC website.