Citizens or data subjects

by Maria on January 23, 2004

Just by the by, and for those with more than a passing interest in the subject, here’s a draft of a rather opinionated survey article on privacy that I’ve just written for a UK think tank. Health warning; it’s over 2000 words. Plus side; I’ve tried to keep it reasonably chatty. Apologies to any commenters (if indeed there are any) – I’m off to Chamonix for two days of terror on the nursery slopes so won’t be checking back in until Monday.

Citizens or data subjects? The erosion of privacy in the U.K.

The Labour government’s policy on personal data is simple; ‘we want all the data on all the people all the time’. But the government’s voracious appetite for citizens’ personal data is matched only by secrecy about its own objectives.

We are living through the unfortunate coincidence of a famously illiberal Home Secretary and an amorphous and open-ended ‘war on terror’. David Blunkett regards civil liberties as airy fairy, and opponents of compulsory identity cards as ‘intellectual pygmies’. The Anti-Terrorism, Crime and Security Act 2001 was a rushed measure tinged by naked opportunism – a veritable Christmas list of radical measures rejected from other Home Office bills in the previous two years. The Civil Contingencies Bill has had a longer gestation but cuts just as deeply into long cherished civil rights.

Britain knows from experience that emergency measures introduced to fight terrorism tend to linger on for decades, and are only repealed when absorbed into general criminal justice legislation. If some civil servants see anti-terrorism legislation as a chance to extend draconian powers in the general criminal law, their political masters are motivated by the fear of being condemned later on for not having ‘done something, anything’.

The use of personal data by governments of the hard left and hard right has a dirty history. It’s no accident that data protection laws – rules that limit the collection and use of personal data, and give data subjects clear rights – were developed in Germany in the late 1960s and 1970s. Since then, democratic governments and international organisations have worked hard to establish what is acceptable and workable when dealing with the personal information of their citizens and of consumers in general.

The OECD produced its influential privacy guidelines in 1980, and these principles were put into action by the 1995 European data protection directive (95/46). Data protection principles were applied to the world of electronic communications by a 1997 directive, and in 1998 the U.K. produced its own Data Protection Act. Also in the 1990s, and after much lobbying by computer experts in the U.S. and U.K., many restrictions on cryptography were lifted, giving individuals the practical means to protect their own information and communications.

But by 2002, when the time came to revise the 1997 directive on privacy of communications, the tide had turned, leaving privacy rights and legislation beached above the high tide line, abandoned and unloved (by governments at least). Despite the efforts of many members of the European Parliament, the combined force of member state governments, led by the UK, and the Commission gutted from the directive any protection against using the communications infrastructure to do constant and mass surveillance of the entire citizenry. For the past three years, the U.K. government has consistently worked to undermine privacy rights, both at home and abroad. Not content with making Britain the most surveilled democracy in the world, the Labour government has turned to Brussels to undermine privacy throughout the European Union.

What are the principles of European data protection law?

 Collection of personal data should be limited, lawful and fair, and the data should only be processed with the clear consent of the individual or data subject.
 No more than the essential data should be collected, and it should be kept accurate, complete and up-to-date.
 Individuals should be told why their personal data are collected at the time of data collection and the data should not be used for other purposes.
 Individuals should be told who holds their personal data and given access and correction rights to it. If personal data is to be passed to a third party, individuals should be told who and why at the time their data is collected.
 Data controllers must take proper security measures to protect the data.
 There are extra protections for personal data that reveal individuals’ racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

Data protection law is equally binding on private and public organisations, but EU governments can restrict its use to safeguard security and defence, fight crime, protect important economic or financial interests of the government or EU, or protect the data subject himself or the rights and freedoms of others.

For the purposes of the government, there are two types of personal data: that collected and held by government departments and agencies, and that collected and held by the private sector. Publicly held personal data includes tax returns, medical data, property information, criminal records, and social benefits information. The private sector collects personally identifiable data such as billing and subscription records, financial data, communications data such as numbers called or the location of a mobile phone, details of email and internet access, and products and services purchased.

The government has worked assiduously to be able to comb through both publicly and privately held data-sets, and with plenty of useful applications;

 To find out when a declared income of £20,000 doesn’t match up to a Sainsburys loyalty card record suggesting a £60,000 lifestyle.
 Using mobile phone location data, to establish if a suspect individual (or at least their phone) was in the vicinity when a crime was committed.
 To analyse phone, mobile and internet records to see who’s talking to who in the criminal fraternity.
 To combine data from school registers and local authorities to trace and help families whose children have fallen through cracks in the system.
 To aggregate data for research to better analyse public needs and improve policy development and delivery.

But to actually do ‘joined up government’, you need the ability to create and access ‘joined up data sets’ as the need arises.

This requires that:
 The private sector keep and make available the necessary personal data,
 The public sector share personal data amongst agencies and departments, and
 The government can reliably identify and track all its citizens.

Private sector held personal data can be a rich source of useful information for law enforcement and intelligence agencies, Customs & Excise, and the Inland Revenue. There are well-established powers to compel phone companies, retailers, airlines and so on, to hand over specific personal data in response to production orders. As long as proper restrictions and oversight procedures are in place, few people would question the need for these powers.

However, law enforcement agencies in the UK argue that it’s not enough to approach, for example, a phone company when the police have already identified their suspect(s) and begun an investigation. What if the data have been erased already? After all, the Data Protection Act requires companies to delete personal data when it is no longer commercially necessary. Nor are the UK police content with the power of data preservation entailed in the Council of Europe Convention on Cybercrime. A data preservation order could be issued to a phone company simply asking it to freeze all the data relating to an individual, pending a production order to give the police access to the data later on. A year before the 9/11 attacks, the Association of Chief Police Officers said it would be satisfied with no less than the forced retention by phone and internet companies of all communications data of all customers all the time for a period of seven years. The Home Office concurred, but saw no way politically to achieve this.

The Anti-Terrorism, Crime and Security Act (2001), rushed through Parliament in the weeks following 9/11, mandated communications data retention as a means to fight terrorism. The only critical analysis of the Act was in the House of Lords where a determined band of Liberal Democrats and Conservatives wrested a small number of concessions from the government. One so-called concession was that widescale communications data retention was to be done only for the purposes of fighting terrorism.

This seemed like a small win for civil liberties. It wasn’t. It doesn’t matter that internet service providers are compelled to keep all the details of their customers’ emails and web-surfing for the purposes of fighting terrorism when the regime for access to that data (the Regulation of Investigatory Powers Act 2000) allows it to be released for investigating crime and many other purposes, and not just terrorism. Indeed, when the secondary legislation for access to citizens’ communications data was finally passed in November 2003, it gave access rights to people’s phone and internet records to a wide variety of government agencies and quangos.

Is it legally permissible to store vast quantities of personal data of citizens who are not suspected of any wrongdoing, just in case it might some day be useful? No one is sure. The government’s position is quite simple; this restriction of data privacy in the name of security is necessary and therefore legal, and the government should be trusted to make that judgement. With the war on terror giving carte blanche to push aside data protection law in order to protect security, data protection is increasingly disregarded just when it is most needed.

By massively increasing its powers to compel data retention by private companies, the government acted in bad faith, losing face and trust. The stated objective of fighting terrorism was used to impose a measure which is disproportionate when it comes to the broad range of criminal and non-criminal investigations which data retention serves.

The second requirement of joined up data sets is for the public sector to share personal data between agencies and departments. The Cabinet Office Strategy Unit produced a report in 2002 on the benefits of data-sharing between public services. The report emphasised the many benefits to the public of data-sharing, but acknowledged that the government had a lot of work to do to improve the public’s trust in how the government uses personal data.

One largely cosmetic measure has followed; a public consultation on a Public Services Trust Charter, or guarantee, about how public bodies deal with individuals’ personal data. Though written clearly in plain English, the guarantee is very much a watered down version of data protection principles, and doesn’t even mention individuals’ rights of access to their data. It gives a ‘mother knows best’ response to who will have access to the data and how long it will be kept, saying no-one will have access ‘who shouldn’t’ and it won’t be kept any longer ‘than necessary’. But the most telling response to the draft charter was the significant body of public servants who worried that it gives an unrealistic impression to the public of how their data will be treated. Perhaps it is time for the Information Commissioner to take a long and hard look at whether public bodies are fully complying with data protection law.

Data-sharing has many benefits for the public. But public bodies have clear difficulties complying with data protection law, maintaining accurate and up to date data, properly managing access privileges, implementing basic standards of information security, and preventing abuse or wrongful access to data. Until government departments and agencies can be seen to be complying with existing data protection law and meeting recognised information security standards, creating bigger pools of personal data, and wider access to that data, is simply a bad idea.

Thirdly, joined up data sets require that the government can reliably identify and track citizens. It’s a couple of years since we’ve heard much about a national public key infrastructure with digital signatures for one and all. It’s not at all clear that sufficient tracking can’t be done using social insurance numbers. But David Blunkett’s heart’s desire, that every UK citizen over the age of 16 carry an identity card, just won’t go away.

The various rationales for compulsory ID cards – fighting terrorism, dole fraud, identity theft, illegal immigration – seem to change as often as the Daily Mail’s headline. But the theory underneath is the same; a reversal of the liberal and constitutional tradition of the U.K. which holds that the state exists for the benefit of the people, and not the other way around.

So when we think about privacy and the role of the state, and how individual liberty and privacy must be traded off against the public interest, we should ask ourselves, what exactly do we mean by ‘the public interest’? Who defines it? Surely not the public servants who benefit from the extension of their powers and role.

We also need to question the worn-out platitude that we must ‘balance privacy and security’, and its inherent assumption that privacy will always come off worse. More often than not, the trade-offs aren’t between privacy and security, but between projected cost and efficiency savings – such as tracking down deadbeat dads, finding and removing illegal immigrants, preventing dole fraud – and individual privacy and liberty. For some people, these trade-offs are acceptable, for others, not. But in order to even debate these questions, we have to drill right down through government spin and into the policy and legislative proposals to examine whether their stated objectives are their actual ones. Only then can we determine whether the sacrifices are worth it.

Finally, three concrete suggestions for avoiding the pitfalls this government seems intent on plunging into:
 Use the scheduled review and sunset provisions of the Anti-Terrorism, Crime and Security Act to repeal the parts that are not specifically counter-terrorism measures, and re-introduce these powers in general criminal justice legislation where they will be subject to proper Parliamentary scrutiny.
 Support a test case to the European Court of Human Rights, under Article 8 of the European Convention on Human Rights, on the legality of widescale data retention regarding non-suspect individuals.
 Begin an audit, reporting and compliance process of all public services that handle the public’s personal data to ensure absolute compliance with the Data Protection Act. Implementation of a concrete information security standard like BS7799, in whole or in part as appropriate, should also be encouraged.

{ 2 comments }

1

robin green 01.23.04 at 11:25 pm

Well, that wasn’t quite what I would expect from a think tank. Not a criticism at all, though! (I guess I’ve only read think tank publications from Blairite-ish think tanks before.)

Just a comment: it isn’t in general always necessary to bring human rights cases to the ECHR, since the Human Rights Act incorporated the European Convention on Human Rights into British law. Unless, of course, the relevant section of the Human Rights Act has been watered down.

2

msg 01.24.04 at 8:41 am

The “public interest” not only evades definition in its particulars, it’s a little dubious as a unified concept.
It’s not appropriate for “public servants” to extend their own roles and power and defend it as being in the public interest, but isn’t the current public doing the same thing?
I’d suggest any truly human version of that concept pays scant heed to the present.
And what happens when the interests of one segment of the “public” are in direct conflict with those of another? Is there a predetermined value that puts one above the other, or is it set by power struggle?
I’m positing a segment of the “public” whose lives will be directly benefited and made more secure by increasing civic surveillance to the level of omniscience, and another segment whose genes will be removed from the pool entirely by that same surveillance.
Without the tautology of religious elevation, or some other form of chauvinist rationale, there’s no determinant. Just conflict.
There’s no biological truth behind fair play.
It works for us, we like it, but to make it work we have to enforce it, sometimes unfairly.
The thought problem of a people tricked into voting themselves out of a democracy and into a despotic tyranny is being played out in the United States at this moment, and England as well, it seems.
Maybe it’s not as important how much of our lives is being recorded and collated as it is who’s doing the recording and collating.

Wonderfully clear post on an absolutely pertinent topic.
I hope my dithering isn’t too far afield.
