Come to Britain and we will fingerprint your kids…

fingerprintLast week I mentioned the approval of the biometric passports scheme by the European Parliament, and that there were several countries that planned to fingerprint children under the age of 12 despite the legal, ethical and technical problems with this.

However, what I didn´t mention is that – surprise, surprise – Britain is one of the countries that does fingerprint kids, and indeed it has already been fingerprinting foreign children resident in Britain as young as 6. As Privacy International´s Gus Hossein argues on The Guardian´s Comment is Free website, the UK government claims that this is only bcause the EU has forced this upon them when in fact it was the UK government that forced the EU into adopting that position in the first place!

Now, as I mentioned, the European Parliament has pushed the age limit upwards, but will this make any difference to the UK Home Office? Given that the Home Office is still ´carefully considering´ its responce to the kicking it received from the European Court of Human Rights over the taking and retention of the DNA of 857,000 children, I wouldn´t bank on it.

Top Ten Problems with UK Information Sharing Proposals

Chris Pounder of Amberhawk information consultants sends me his Top Ten Problems with the British government´s new information-sharing proposals that are to be found buried deep in the Coroners and Justice Bill, where perhaps they thought no-one would notice… these are part of much lengthier and more thorough analysis submitted to the Joint parliamentary Committee on Human Rights (JCHR), which explains why the proposals ignore or conflict with the recommendations of 2008´s Data Sharing Review conducted by Richard Thomas and Mark Walport for the Ministry of Justice itself. These are sumarised by me here, and any errors and omissions are therefore my own:

  1. Lack of scrutiny. There is no provision for the JCHR to scrutinise this (or any other) wide-ranging statutory power which impacts on Article 8 of the European Convention on Human Rights (ECHR), nor any attempt to explain how this provision is consistent with human rights legislation.
  2. The extension of information sharing beyond personal data. The use of “any person” in the Bill means that it applies to information sharing by any public or private body or individual. “Information sharing” powers are not limited to personal data and the person who receives the shared information might be a foreign government or organisation. [for example the FBI´s proposed Server in the Sky]
  3. The “exceptional” may become the routine The Data Sharing Review recommended that the sharing of personal data should be legitimised in exceptional circumstances. However, in the Bill there is instead a legitimation of general information sharing, whenever it falls within a “relevant policy objective” [which is basically anything a Minister decides].
  4. The generality of an Information Sharing Order. There is no limit as to how “person”, “purpose” and “information class” are specified in an Order. There is no explicit requirement for the purpose of the information sharing to be one of those specified in Article 8(2) ECHR.
  5. The prospect of unlimited data sharing from large Government databases. The Bill appears to facilitate data sharing from any Government database without Parliament being explicitly informed of this sharing when an Order is before Parliament. The prohibition in the clause only relates to Part 1 of the Regulation of Investigatory Powers Act (RIPA). By implication, sharing from other national databases (e.g. the national identity register of the ID Cards Act) does not need to be explicitly mentioned in an Order. This means that unlimited data can be shared from these other national databases by means of a general order-making provision.
  6. The exclusion of critical comment on the purpose of the processing. In the Bill, the Information Commissioner is not allowed to comment on whether “the sharing of information enabled by the order is necessary to secure a relevant policy objective”. The effect is to inhibit the Commissioner from commenting on the purpose of the processing, which is the main purpose of the Information Commissioner! Plus, because this applies to more than personal information, much of the proposed sharing is outside his remit.”
  7. The range of the powers. The powers are widely drawn and their application is very broad. There is no explicit provision in the main sharing provisions which would facilitate data subject rights and freedoms (e.g. right to object ; need to obtain consent). Instead, these provisions can “modify” the application of any law (including the Data Protection Act and the Human Rights Act) which will weaken the protection afforded to data subjects.
  8. The lack of transparency. There is no obligation to disclose to the Information Commissioner or Parliament any background document or legal advice about a proposed Information Sharing Order. There is no obligation to answer any formal request for information from the Commissioner. There is no obligation to engage the public on the subject of a draft Information Sharing Order.
  9. The irrelevance of the proposed Code of Practice. There is nothing in these information sharing clauses which expressly states that the sharing of personal data has to be consistent with the proposed non-statutory Code of Practice. The Code is not subject to approval by Parliament; rather, it is subject to approval by the Secretary of State (SoS).There is no provision which sets out what happens if there is a disagreement between SoS and Information Commissioner about the content of a Code. There is no active role for Parliament in relation to the content of a Code.
  10. Orders can be implemented to achieve purely administrative objectives. For example, suppose Ministers are told by civil servants that the problems associated with one of the Government’s big database projects would be resolved if they used criminal convictions from the Police National Computer. The Bill allows the Minister to argue that the sharing was necessary to secure a policy objective, it was proportionate as there was no other way of securing the policy objective (abandoning a large IT project is not an option), and it was in the public interest to secure the policy objective (given the amount of money committed to the project). This means that sharing which could be excessive and disproportionate in terms of Article 8 becomes necessary and proportionate in terms of realising a policy objective.

Previously, I commented that No2ID were overstating their case that this proposal was the greatest threat to information rights after the ID Register. After reading Chris´s analysis, I think they might be underestimating its importance. The creation of a generalised and weakly accountable ability for the state to share information of any kind with any one they wish, is a far greater threat than the creation of any single database, however extensive. I disagree with their views on the Data Sharing Review, but No2ID’s data sharing site still has the best summary of proposals and action people can take…

Keep quiet or get labelled a terrorist…

BoingBoing brings this piece from the Daily Kos to my attention. It’s a disturbing story of what has happened on a number of occasions to people who annoy flight attendants and end up being labeled as terrorists. These ridiculous rulings have been severely debilitating – in the most extreme case, one woman lost access to her children, and in a Kafkaesque twist was unable to argue the case because she could not reach the custody hearing (in Hawai’i) because she was banned from flying!

These rulings have all occurred through extreme interpretations of the provisions of the US PATRIOT Act. However both this tendency for laws to extend their reach is not unique to the USA, indeed Britain may be far more culpable in this regard but in its mundane, bureaucratic way. Examples include the way that the Harassment Act, designed to protect people from stalkers, has become a tool of corporations against protestors, and the Regulation of Investigatory Powers Act (RIPA), which has enabled local authorities to employ intensive surveillance of individuals for such heinous acts as recycling wrongly.

The other issue here is once again, one of responsibilization, the enabling of ordinary people in minor positions of responsibility, or none, to use powers that would previously have been reserved to law enforcement officials or the court system. In the USA, it is flight attendants, whose role has increased markedly as post-9/11 provisions have ratcheted up expectations of passenger behaviour, but in Britain, the New Labour administration has enabled hundreds of bureaucrats to issue fines without any court process through the Regulatory Enforcement and Sanction Act, passed last year.

Basically, there are more and more people who, on a whim and with little or no evidence, can make life extremely difficult if you don’t conform to increasingly tight behavioural norms based on pre-established categories – ‘acting like a terrorist‘ being just one. Some of these norms we may even agree with – no-one likes rudeness – but what is happening is a process of desocialization and the replacement of what used to be matters of civility by narrow protocols.

Civil liberties in Britain

In February, the Convention on Modern Liberty will be taking place in cities across the UK and online. Unfortunately I will still be in Brazil and there are no listed events in Newcastle, which is a great shame – I would certainly have been organising some. This is an issue that tends to cross party lines and unite people of all political persuasions, so I hope as many people as possible in the UK get involved…

The Guardian newspaper´s Comment is Free site also has a special section set up for the event called Liberty Central. Surveillance Studies Network and Surveillance & Society were supposed to be listed there (they contacted us), but they aren´t yet…

New UK government attack on information rights

… a blatant attempt to gut the already inadequate safeguards in the Data Protection Act…

Time for some news from back home in Airstrip One… I’ve argued since our Report on the Surveillance Society came out back in 2006, that two of the biggest problems with information rights in Britain are:

  1. the lack of any constitutional protection for personal information and the consequent contingency of any laws on data protection; and
  2. the apparent belief on the part of the state that it has information rights over the personal information of citizens (or subjects, in reality).

Thus the state can demand information for the ID card scheme under threat of fines or even imprisonment, yet it is entirely the individual’s fault if information is incorrect.

Now, the ever-vigilant NO2ID campaign has noticed something that few others have, that hidden in a new criminal justice bill, the Coroners and Justice Bill is a measure to amend the Data Protection Act to enable government ministers to issue so-called ‘Information Sharing Orders’.

The clause (152, in Part 8, if you’re interested) reads as follows:

152 Information sharing

(1) After section 50 of the Data Protection Act 1998 (c. 29) insert—

“Part 5A Information Sharing

50A Power to enable information sharing

(1) Subject to the following provisions of this Part, a designated authority may by order (an “information-sharing order”) enable any person to share information which consists of or includes personal data.

(2) For the purposes of this Part—

“designated authority” means—

(a) an appropriate Minister,

(b) the Scottish Ministers,

(c) the Welsh Ministers, or

(d) a Northern Ireland department;

“appropriate Minister” means—

(a) the Secretary of State,

(b) the Treasury, or

(c) any other Minister in charge of a government department.

(3) For the purposes of this Part a person shares information if the person—

(a) discloses the information by transmission, dissemination or otherwise making it available, or

(b) consults or uses the information for a purpose other than the purpose for which the information was obtained.

(4) A designated authority may make an information-sharing order only if it is entitled to make the order by virtue of section 50C and it is satisfied—

(a) that the sharing of information enabled by the order is necessary to secure a relevant policy objective,

(b) that the effect of the provision made by the order is proportionate to that policy objective, and

(c) that the provision made by the order strikes a fair balance between the public interest and the interests of any person affected by it.

(5) An information-sharing order must—

(a) specify the person, or class of persons, enabled to share the information;

(b) specify the purposes for which the information may be shared;

(c) specify the information, or describe the class of information, that may be shared.

(6) An information-sharing order may not enable any sharing of information which (in the absence of any provision made by the order)”

Whilst this is not necessarily “as grave a threat to privacy as the entire ID Scheme” as NO2ID claim, the clause is written so broadly (a characteristic of New Labour’s approach to legislating) that it could mean that a Minister with the will could authorise any kind of personal information from any source to be used for as yet unspecified purposes for which it was never intended to be used. It is a blatant attempt to gut the already inadequate safeguards in the Data Protection Act, albeit in particular (ill-defined) instances and at Ministerial level, rather than a blanket provision applying to almost all public authorities (like say, the Regulation of Investigatory Powers Act(RIPA) which enabled local authorities to spy on people for tiny suspected infractions).

However, we shouldn’t allow the precedent to be set at any level…

Check the No2ID site for what you can do to stop this clause.