Tag: database

UK Parliamentary Committee rejects Government DNA proposals

The House of Commons Home Affairs Select Committee has rejected a key part of the UK government’s new plans for the National DNA Database (NDNAD). The plans came in response to the ruling by the European Court that the NDNAD was being operated contrary to human rights law by keeping the profiles of innocent people indefinitely. The database has been filled largely through the provisions of a very vague and wide-ranging provision that allowed the police to take DNA from anyone arrested for an indictable offence, and to keep it even if they were never even charged (let alone charged and not convicted). The result had been that long-standing prejudices within the police had meant a bias in the databases against young black men, and a rapidly expanding set of profiles of children and the entirely innocent.The NDNAD had also been attacked by the HUman Genetics Commission (the government’s own watchdog) which recommended multiple reforms.

One of the main parts of the government’s response to the European Court ruling was that DNA should be retained for 6 years – the committee has recommended that this be halved to 3 years (we are still talking about the DNA of innocent people here…), and that there should be some proper national system for deciding who gets deleted entirely (at the moment it is at the discretion of Chief Constables of local police forces!). Of course all of these leaves the wider question of fairness and rights undebated. There are only two properly just ways to run a database of this sort. One would be to include only the DNA of those convicted of a crime or suspected in an ongoing investigation. The other would be to include everyone (as the UAE has decided to do). At the moment, the NDNAD is, like most things in Britain, an unaccountable mess of law, customary practice and happenstance that pleases no-one and is also remarkably ineffective for the money and effort put into it. This will only improve slightly even if the select committee’s recommendations are accepted.

UK DNA Database Criticised by Report

The UK’s DNA database, already under fire by the European Court of Human Right for retaining samples and data from innocent people, has now been lambasted in a report by the government’s own genetics watchdog. The Human Genetics Commission.

The report, called Nothing to Hide, Nothing to Fear? contains a numbers of serious criticisms, most notably the finding that police forces around Britain are routinely arresting people simply in order to obtain their DNA. Almost a million innocent people, including many children, are now on the database, and the ECHR ruling has finally prompted the government to make some minor concessions, such as keeping the DNA of innocent people for 6 years as opposed to 12, but there appears to have been no fundamental change in police practice, nor any change in the instructions given to local forces on best practice.

It’s main recommendations are:

  1. that there should be a parliamentary debate about the recording of what it calls ‘unconvicted’ people;
  2. that because the purpose of the database has shifted over time, there should be constraints set out in new primary legislation;
  3. that “robust evidence of the ‘forensic utility’ of the database should be produced to justify the resource cost and interference with individual privacy it represents”; and,
  4. that there should be an independent oversight board and appeals board to consider removal of profiles; and transparency over data and other issues.

These are all laudable,  but I really start to question their judgement in using the term ‘unconvicted people’. British law has always worked on the principle of ‘innocent until proven guilty’. People are therefore ‘innocent’ until they have a conviction. The term ‘unconvicted’ seems to imply that innocence is no longer an assumption, and that the working hypothesis is that everyone is either guilty or not yet (therefore, potentially) guilty. This is what results from the normalisation of surveillance in everyday life, and it’s one thing we warned most strongly against in our own Report on the Surveillance Society back in 2006. When even critical reports start using language that reflects the worldview of the people they are criticising, you have to be concerned.

Calling people ‘unconvicted’ and not ‘innocent’ matters.

Everyday prejudices mean Canadians end up on watchlists

Another great audit report from the Office of the Privacy Commissioner here in Canada, investigating the Financial Transactions and Reports Analysis Centre of Canada (Fintrac) has just been released. Fintrac, created in 2001 in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and now with even more extended powers, operates a databases which is supposed to contain details of those suspected of supporting terrorism or money laundering (often on behalf of major criminal and terrorist groups).

However, there is a good story in The Globe and Mail today which leads on the most worrying aspect identified by the audit, which is that in many cases, the Fintrac database is massively overreliant on unsubstantiated suspicions from low-level functionaries in banks, insurance firms and credit agencies. Some of these ‘suspicions’ were clearly simple prejudice as they appeared to be based entirely on ethnicity. Part of the problem is that there are no clear guidelines as to what constitutes a reasonable suspicion in the legislation.

But being put on the database can have serious consequences, firstly because of the potential penalties involved (up to $2m CAN fines and 5-years imprisonment) and secondly, because the information in the Fintrac database can be accessed by Canadian Security Intelligence Service (CSIS), the Royal Canadian Mounted Police  (the RCMP – Canada’s FBI) or shared with overseas police and intelligence services. In the latter case, as we already know, mounting errors can result in innocent people being subject to ever more harsh treatment including being excluded from countries, placed on no-fly lists or even the UN1267 ‘known terrorists and affiliates’ list, as well as, in the worst cases, opening them up to extraordinary rendition, imprisonment and torture.

Jennifer Stoddart, the current Privacy Commissioner, has a well-deserved reputation getting positive changes made, so let’s hope she can persuade Fintrac to get this sorted out pretty soon.

UAE plans DNA database of entire population

Police in the United Kingdom have recently been forced by the European Court of Human Rights to scale back their increasingly large National DNA Database (NDNAD), which previously potentially included DNA profiles of anyone arrested by the police, whether charged with any offence or not. This at least shows that there is some recourse to law and and a higher authority that will protect the rights of citizens against the extension of state power… in reasonably democratic Europe at least.

However authoritarian regimes need have no such concerns. The Persian Gulf state of the United Arab Emirates (UAE) has decided that it is to create a national DNA database of the entire resident population. According to The National newspaper, this will not even need any kind of debate or  even new legislation. They estimate that this will take up to 10 years if population growth is factored in.The paper claims this will be the world’s first such comprehensive database, but this is only partly true. Iceland, Sweden and Estonia have all set up comprehensive DNA databases run by their health services. But the UAE’s certainly appears to be the first attempts at a comprehensive law enforcement DNA database.

DNA pioneer, Sir Alec Jeffrys, has his doubts of course. But learned critique, or opposition or overt resistance are probably all largely irrelevant to the UAE government. However, if there is to be a roadblock,  it may be the economy: the UAE’s population is made up to a great extent of temporary foreign workers of all skill levels and occupation types, and the economy depends largely on the willingness of such workers to continue to come to the UAE. Whilst those at the bottom may feel they have little choice, those at the top may decide that such a policy would make the difference between them coming to and investing in the UAE, or not. The second article claims that ‘visitors’ will be exempt, but not ‘residents’. How this plays out remains to be seen. I have no doubt that the UAE will give in to the pressure of global wealth and find some way of exempting rich foreign residents, whilst making absolutely sure that poor immigrant workers are the first to be sampled.

UK opposition plans to roll back ‘the surveillance state’

The Conservative Party Shadow Justice Minister, Dominic Grieve has launched a brief report outlining the opposition’s plans to introduce a new attitude to surveillance in the UK, and reverse many of the current Labour government’s policies. And it is mostly good, insofar as it goes. But, it is where it doesn’t go that is the problem.

The main measures include things we already knew, like a pledge to scrap the National Identity Register (NIR) and ID card scheme, and proposals to limit the proliferation of central databases and control the National DNA Database (NDNAD). However the Tories also want to abolish the Contact Point children’s database, restrict Local Government’s rights under the Regulation of Investigatory Powers Act (RIPA), strengthen the powers and functions of the Information Commissioner’s Office (ICO) and require mandatory Privacy Impact Assessment (PIA) for all new legislation or other state proposals.

So far so good – and these are all things I have proposed myself at various times – but there are also some very weak or pointless elements. First of all, the attitude to the private sector is predictably laissez-faire. Though the report includes a long list of the data losses that plagued the Labour government over the last few years, they fail to note how many of them involved private sector contractors or partners. And their only real mention of the private sector is to suggest that the ICO consults with industry on ‘guidelines’ and the possibility of introducing a ‘kitemark’ (a kind of stamp of approval). These are both pretty much worthless and tokenistic efforts. The Tories, as much as Labour, fail to appreciate that contemporary threats to privacy come as much from the private sector as the public. Unfortunately recognising and dealing with this would require a rather more robust attitude to private business than either of the UK’s two main parties are prepared to muster right now. This, I guess, is the reason why the Tories talk about ‘the surveillance state’ as opposed to ‘the surveillance society’ (the term used by ourselves and the ICO).

Secondly, there is no proposal to do anything to control or roll-back the most obvious and intrusive aspect of the UK’s surveillance society, the vast number of CCTV cameras and systems operated by everyone from the police down to housing associations and schools. In fact there is not a single mention of CCTV or public space surveillance in the report. Rather than missing an elephant in the room, this is more like failing to notice a whale in your bathtub…

Finally, there is the suggestion to introduce a right to privacy as part of a ‘British Bill of Rights’. Certainly what privacy means in British law needs to be clarified and strengthened, but actually this could be done through amending the existing Human Rights Act to make it better reflect the European Court’s already published views on the interpretation of Article 8 of the European Directive. Unfortunately, the Tories are stupidly ideologically opposed to doing anything to strengthen the HRA, and in fact their proposed ‘British Bill of Rights’ is a rag-bag collection of populist proposals that will instead replace the most progressive change to British law for some decades.

Finally, there is no mention of any changes to the pernicious Terrorism Act or Counter-Terrorism Act, that have further undermined the presumption of innocence and other longstanding foundations of British citizenship. There’s no mention of previous legislation that restricted traditional freedoms like the Criminal Justice and Public Order Act. In fact, there’s every reason to believe that the Conservative Party will be just as willing to clamp down on such freedoms in the name of the war on terror, or crime, or anti-social behaviour as the Labour Party, and no reason to suppose that they deal honestly with the underlying issues – which would mean, of course, telling people things that they don’t want to hear.

The full report can be found here.

We are all libertarians now?

A rather telling little piece on The Guardian‘s ‘Comment is Free’ site today by UK Labour MP, Diane Abbot. First she takes a cheap shot at the Conservative shadow-cabinet minister, Damien Green, for having been successful in getting his details removed from the UK police National DNA Database (NDNAD). She then says that, well, she is doing much more to help by holding clinics for her young, black, constituents to help them with their complaints against the NDNAD. This is excellent, of course.

However two things spring to mind immediately. Firstly, is this Diane Abbot the same New Labour loyalist who voted in favour of the original bill to set up the NDNAD and made no attempt to amend it to prevent the kind of racially-biased abuses of which she is no complaining? I think it is. And now, why is she not also condemning the former Home Secretary, Jacqui Smith’s rather pathetic and weaselly response the judgement of the European Court that condemned the NDNAD, which was essentially to try to avoid doing anything fundamental at all?

This is not an issue on which anyone in New Labour can really make any political capital unless they take a rather stronger moral stance. Basically, and in addition to the stance that there should be no state retention of DNA data at all, there are only two ‘fair’ ways to maintain a police DNA database, and those are to keep the DNA of the guilty, or to keep the DNA of everyone. Which you prefer depends largely on your attitude to surveillance and your trust in the accountability of the state, but politicians like Abbot are hedging and avoiding making any serious attempt to put pressure on their own government to reform the law we have.

At the IT Strategic Headquarters

Yesterday we visited the Prime Minister’s IT Senryaku Honbu (IT Strategic Headquarters). (This has actually been the only national-level government agency that has agreed to speak to us, and some of the reasons for refusal have been rather telling, not least that of Houmusho (the Ministry of Justice), which claimed that they had nothing to do with privacy and so on, which betrays a level of ignorance about the effects of their own policies that is probably more the result of bureaucratic sectionalism and literalism than anything else but is nevertheless interesting!). The IT Strategic HQ is responsible for developing the ‘i-Japan’ strategy, the latest incarnation of what has at various times been called ‘Information Society Japan’ and ‘e-Japan’ policy. They are also the agency that wrote the most recent Japanese data protection laws, which I wrote about a couple of weeks ago.

We were treated to a prepared presentation on the latest incarnation of the i-Japan strategy, in which the ‘i’ seems to stand for ‘inclusion’ and ‘innovation’ but not apparently for ‘interactive’, which one might expect from its use elsewhere in computing. However it was the brief interview we had afterwards that was more enlightening.

In short, the government has acknowledged that what they originally wanted out of juki-net has failed due to opposition, despite the supreme court victory that ruled that the current cut-down version was constitutional. However, as Kanshi-no! argued, they are not going to back down that easily. The movement towards the creation of centralised government databases will continue, and there most likely will eventually be a fully configured identification system (and card) and rather alarmingly, the new i-Japan strategy makes it quite clear that laws that currently prevent this from happening will simply be changed or removed. They do not want opposition groups, nor indeed the current global recession, to be able to hold up or change these plans.

However the main thrust of development of centralised databases has shifted away from juki-net and the jyuminhyo (residents’ registration) system, towards national insurance, health and pensions. This is, as the agency than runs juki-net, Lasdec, suggested to us – and I am now beginning to think that this suggestion was rather more of a loaded hint than I had first thought – by far the most data-rich area of government records and therefore in many ways more suitable for being the basis of an architecture of central registration and identification. The database that the government intends to create in this area will also have the possibility for citizens to add in (voluntarily, they say), information from private sources, such as bank account and other financial details. Of course this could be more ‘convenient’ in terms of benefits and taxes, but it also puts an enormous amount of previously private data in the government’s hands and presents a huge temptation to identity fraud and theft from both outside and, more importantly inside the state bureaucracy (and let’s not forget, most identity fraud is an inside job).

It gets more worrying still as despite the advanced stage of these plans, the government has apparently still not decided exactly who will have access to this database, and the police in particular, as well as private insurance companies, are still considered as potential users. It seems that although the IT Strategic HQ might have developed data protection in Japan but they do not appear to understand its principles of necessity, proportionality and consent – indeed I asked them about these principles and they really had no serious reply. Instead they claimed that people in Japan wanted to have these central databases because the current fragmented system had led to poor security and data losses, and in any case, ageing society and the pensions crisis meant this had to be done. I have noticed that in Japan, ‘ageing society’ like ‘terrorism’ in the UK, seems to have become the spectre evoked to silence potential criticism.

There are many other issues too: the government is also trying to introduce a voluntary system of Electronic Health Records (EHR), but this is not as developed as the Connecting for Health centralised database that is still experiencing significant problems in its introduction in the UK; and there are some rather less controversial social inclusion measures included the provision of computers for schools and so on. However my overall impression after leaving the IT Strategic HQ was of a government that was determined to press ahead with centralised collection and control of personal information regardless of the views of citizens or of whether it is really necessary even to achieve the policy aims they have. And this won’t change as the result of a change in government either. If, as seems likely, the Liberal Democratic Party (LDP or Jyuminshuto) are voted out, the Democratic Party of Japan (DPJ or Minshuto) which will succeed them, has already said that it will create a central database.

(Thank-you to the officials of the IT Strategic Headquarters for their time).

Contact Point goes live

The controversial new central database of all children in the UK has gone live today for the North-west of England, and will gradually be rolled out across the UK. The £224M ‘Contact Point’, one of the main planks of the ‘Every Child Matters’ initiative, will be accessible to around 390, 000 police, social workers and other relevant professionals. It is mainly being promoted as a time-saving initiative, allowing quicker and more informed intervention in the case of vulnerable children, which we all hope it does, although this of course depends on the correct information being on the database in the first place. In addition, as the Joseph Rowntree Reform Trust review, Database State, rated the system as ‘red’ for danger in terms of privacy:

“because of the privacy concerns and the legal issues with maintaining sensitive data with no effective opt-out, and because the security is inadequate (having been designed as an afterthought), and because it provides a mechanism for registering all children that complements the National Identity Register.”

A quarter of UK databases break privacy laws

This is massively important because it is based not simply on a financial, political or even an ethical position, but on the database projects’ respect for existing law. They are simply illegal…

A new report for the Joseph Rowntree Reform Trust by a very credible largely Foundation for Information Policy Research (FIPR) team that combines engineers, lawyers, software developers, and political scientists, has concluded that a quarter of the UK public-sector databases are illegal under human rights or data protection law. It also looks at UK involvement in some European database projects and finds all of them questionable too.

The report rates the 46 databases on a traffic light system – green, amber, red – and argues that those rated ‘red’, in particular the National Identity Register and the Communications Database, and are simply unreformable and should be scrapped. This is massively important because it is based not simply on a financial, political or even an ethical position, but on the database projects’ respect for existing law. They are simply illegal, and not just massively expensive, morally questionable or politically undesirable. In fact, a quarter of all the databases were found to contravene the law and more than half were ‘problematic’ (i.e. open to challenge in court) . All of those rated ‘amber’ (29 databases) the authors argue, should be subject to independent review.

There are a number of other major recommendations, including the reassertion of the necessity and proportionality tests contained in DP law, citizens should anonymous rights to access data, more open procurement of systems, and better training processes for civil servants. The most important and radical measures proposed, and entirely correctly in my view, are those concerning the location of data and the whole nature of UK IT development. For the former, the report recommends that the default location for sensitive personal data should be local, with national systems kept to a minimum – this appears to be rather like the ‘information clearing house’ system as opposed to central databases, that we proposed in our Report on the Surveillance Society, but better worded and justified! In the latter case, the authors simply note that fewer than 30% of government IT projects succeed at a cost of 16Bn GBP per annum and that there should never be a general and aimless government IT program, rather there should only ever be specific projects for clearly defined and justified (proportional and necessary) aims.

It is an excellent report and probably unanswerable in its logic. Tellingly, The Guardian report contains no response from any government minister…

Britain is a surveillance society and it must change: detailed anaysis of the Lords Constitution Committee report

This is probably the best parliamentary report on surveillance I have ever read, and if only half of the recommendations are given any attention by the government, then Britain will be a much better place.

It’s 3.00am here in Brazil, and I have just spent the last four hours reading, analyzing and writing about the House of Lords Constitution Committee Report Surveillance: Citizens and the State. My expectations of the work of the committee have generally not been disappointed. This is probably the best parliamentary report on surveillance I have ever read, and if only half of the recommendations are given any attention by the government, then Britain will be a much better place. However it is not only relevant to Britain. The UK seems to have come to be regarded as some kind of model for other democracies to follow in terms of surveillance and security – at least by governments. Reading this report should serve to disabuse others of any notion that Britain is a good example.

Here’s the detailed analysis. It is long and there are no pictures! But this is serious stuff. I have gone through the whole report and thought about all the recommendations. It is worth remembering first of all what the Committee was asked to do. Here are the questions they started out with:

  • Have increased surveillance and data collection by the state fundamentally altered the way it relates to its citizens?
  • What forms of surveillance and data collection might be considered constitutionally proper or improper? Is there a line that should not be crossed? How could it be identified?
  • What effect do public and private sector surveillance and data collection have on a citizen’s liberty and privacy?
  • How have surveillance and data collection altered the nature of citizenship in the 21st century, especially in terms of citizens’ relationship with the state?
  • Is the Data Protection Act 1998 sufficient to protect citizens? Is there a need for additional constitutional protection for citizens in relation to surveillance and the collection of data?

The answers to the first and last questions are, in short ‘yes’ and ‘no’ respectively. Their basic conclusion is that increasing surveillance by the state is the greatest change to the nature of the relationship between state and individual in Britain since the end of the second world war. In opposition to the House of Commons Home Affairs Committee report from last year, and largely in support of our Report on the Surveillance Society form 2006 and that of the Royal Academy of Engineers from 2007, they show that Britain is a surveillance society, and that this must change. They do not go so far as to recommend an Information Act to bring all legislation in this area together, as I have been arguing, but they do advocate significant new legal / constitutional measures to rebalance the state-individual relationship in favour of the individual.

There are 8 chapters of consideration of all of the evidence given, which is treated in a very careful and even-handed way. The Home Office, the police and the Surveillance Commissioners for example, all come in for a telling-off at various points, but at the same time, some of the current government’s initiatives on openness are quite rightly praised (although of course they don’t go far enough in tackling the culture of secrecy that has plagued British government for far too long).

Who comes out of it well? First of all, the Information Commissioner, Richard Thomas and his office (the ICO). This is entirely right. None of this debate would have happened without him and he continues to push the agenda forward in an activist manner that many campaigners should look to as an example. Secondly, the media. The Lords seem to be very aware of the role of investigative journalists in holding the government to account. People are too willing these days to make blanket generalisations about the media as if they were all superficial and obsessed with celebrity. In the case of surveillance, the BBC and The Guardian in particular have done a great job. Thirdly academics and campaigners alike come across as far more informed and sensible about this than the state, which leads the Lords to recommend that the government pay us far more attention. On a personal note, it is a bit disconcerting to see myself, Surveillance Studies Network and other people and organizations with whom I work mentioned (approvingly) quite so much in such an important document…

The Committee place the two values of privacy and freedom as the foundations of its recommendations. The Lords argue that privacy and the restraint of state powers are at the heart of liberty, and that they should be taken into account at all times. There is, I am very pleased to see no mention of ‘trade-offs’ between freedom and security and it seems that they accepted my argument (they do quote me on this) that when claims to protect fundamental freedoms by increasing security are actually eroding those freedoms, the tacit agreement that binds people and state is broken. They stress that all organisations involved in surveillance and date handling need to give far more attention to privacy at all stage, indeed that it should be built in.

There are many individual recommendations.The first concern the Information Commissioner. Basically, the Lords argue that he should be given more extensive powers and more resources, specifically:

  • to have a role in assessing the effect on any new surveillance measure on public trust;
  • to be able to monitor the human rights (Article 8, ECHR) effects of government and private surveillance practices on the public;
  • to be consulted by the government at the earliest stages of policy development – they specifically attack the government for not doing thus far; to extend the ICO’s power of inspection to private companies (again something I am quoted on) – they don’t note that the power of inspection over government departments was only granted in a rush by Gordon Brown following the revelations of disastrous losses of data by various state bodies;
  • to speed up the implementation of the ICO’s new power to fine bodies that break the rule on data protection and freedom of information;
  • to be a statutory consultee on all surveillance and data processing laws and for the ICO to report to Parliament on this;
  • for the government and the ICO to undertake a review of the law governing citizens’ consent to use of their personal data – there is quite a lot of interesting discussion in the body of the report on how consent might operate, and I am very pleased that they haven’t, unlike the government, given up on the importance of consent;
  • for the government to work with the ICO on raising public awareness as it should already be doing but has failed to do;
  • and finally, and this is really important – for the Data Protection Act to be amended to mandate a Privacy Impact Assessments (PIA) “prior to the adoption of any new surveillance, data collection or processing scheme, including new arrangements for data sharing” with a role for the ICO in overseeing these. The government will probably try to ignore this, but this is the most crucial recommendation for future policy.

On the various other commissions – of which there are too many in my opinion – they merely recommend that the Surveillance and Communications Commissioner work together better and seek the advice of the ICO, especially with regard to the misuse of powers under the Regulations of Investigatory Powers Act (RIPA), and that the Investigatory Powers Tribunal stops hiding from the public. These are weak recommendations. Later they are rather more robust about the problems of having too many ineffectual regulators of RIPA, but despite a brief mention, any recommendations regarding the regulation of the Intelligence Services get quietly dropped along the way (not surprisingly). I would have thought that recommending at the very least that the offices of the Surveillance and Communications Commissioners are brought under the control of the ICO, if not completely absorbed into the ICO, would have been a much better long-term move.

They also have a number of other recommendations on the egregious RIPA, firstly that the (inadequate) administrative procedures are reviewed and secondly that the government should think again about the whole business of allowing Local Authorities police powers, and that in any case, these powers” should only be available for the investigation of serious criminal offences which would attract a custodial sentence of at least two years.” In my opinion, this effectively amounts to saying ‘repeal RIPA’ without saying so directly. The use of intense targeted surveillance powers to deal with minor infractions is what a lot of RIPA is all about whether that was the intention or not. It is an ill-thought out and badly worded law, like so many in this area.

The Lords recognize this deficiency in detail and specificity and argue as a general point, following the Human Rights Committee, that “the Government’s powers should be set out in primary legislation.” Crucially they also note that the government has not seemed very concerned with what happens after legislation is passed or how it works. They recommend the formation of a new Joint Committee in parliament on surveillance and data powers that would have post-legislative scrutiny as one of its key functions.

There are several measures concerning particular technologies. Their coverage of technologies of surveillance and data-collections is not too bad. I gave a seminar to the Committee on the range of surveillance technologies before they started their hearings, and I was beginning to despair at the levels of knowledge – “can they really do that?” was a common cry – and yet here they consider everything from CCTV to ubiquitous computing / ambient intelligence. There are still major deficiencies however. Although they take my point that government needs to get ahead of the technological game in order to regulate effectively, they still have not. They don’t recommend anything specific about the use of scanners in public places, location tracking, about the increasing dependence on RFID, or about the new flexibility, mobility, decrease in size and bodily intrusiveness of surveillance technologies and what this means for regulation. Mind you that is all in our report to the ICO that inspired all this (see Paragraph 4!)

They recommend that:

  • the Government comply fully with the recent ruling from the European Court of Human Rights that DNA profiles of innocent people are no longer kept indefinitely on the National DNA Database (NDNAD) – they also rule out a complete national database on both liberty and cost grounds, and argue that there should be a single, clear law governing the NDNAD and better transparency all-round.
  • On CCTV, they recommend more research on “the effectiveness of CCTV in preventing, detecting and investigating crime”, and more importantly that the government finally put CCTV on a proper statutory basis, with clear regulations, and systems of complaint and redress.
  • The report is at its weakest on the proposed new National Identity Register (NIR) and ID card. No2ID will not be happy, as all that they say is that “the Government’s development of identification systems should give priority to citizen-oriented considerations.” This is practically meaningless.Considering that this is the Constitution Committee report, and that the NIR and ID card are at the heart of how the government sees the information relationship between state and individual, this is also an unacceptable and compromised omission. No doubt it is evidence of a key area of disagreement amongst members, but the Chair should have banged some heads together on this one!
  • Although it is treated as a legislative measure, the Lords recommend mandatory encryption of personal data “in some circumstances.” This should have been stronger – bear in mind that most of the data lost by the state over the last few years was not encrypted
  • They also recommend that the government incorporate ‘design solutions’ in particular Privacy-Enhancing Technologies (PETs) in all new schemes. This is good as a minimum – we have to make sure that the government doesn’t use PETs as a way of claiming to have dealt with the problem – ooh, look: technology!

In other general measures for the whole of government, the Lords return to their central themes, specifically:

  • that Government should instruct government agencies and private organisations involved in surveillance and data use on compliance with Article 8 ECHR and in particular the legal meanings of necessity and proportionality. They also recommend legal aid should be available for challenges under Article 8.
  • a system of judicial oversight for surveillance carried out by public authorities, with compensation “to those subject to unlawful surveillance by the police, intelligence services, or other public bodies” acting under RIPA. This would be a severe blow the ad-hoc and effectively extra-legal expansion of surveillance powers under the present government. It would be great if it happens, but I am not going to hold my breath until it does…
  • increasing the stature and power of the data protection minister
  • lots of general blah about improving safeguards and restrictions on data handling and implementing standards and training, and education, to improve public confidence. But the thing is, public confidence isn’t really the main issue. Public confidence is low because the government and its private sector contractors have been time and again demonstrated to be incompetent.
  • there are also several paragraphs of recommendations which basically amount to saying ‘listen to the public’ and particularly, pay attention to pressure groups and research in this area because they know what they are talking about. They are right, you know – we do! They also want more research to get better information on public opinion in this area. We can do that too!

Despite this slight degeneration into well-meaning generality at the end, and despite the glaring hole when it comes to the NIR and ID cards, the principles advocated by this report, if implemented, would transform the direction of government in Britain. Many of the individual recommendations are things that I and others have been arguing for, for some time.

So what was the government’s first response? Well, the thoroughly useless Home Secretary, Jacqui Smith, according to the BBC has “rejected claims of a surveillance society as “not for one moment” true and called for “common sense” guidelines on CCTV and DNA.” When she has read the report she will realize that such guidelines are right in front of her – indeed, she got ‘common sense’ from the European Court on the DNA database some time ago and her department still does not know what to do with it!

As I said, if even half of this reported is acted on, Britain’s ways of dealing with surveillance will be transformed. I am not paying much attention to the Conservatives – in opposition you can say anything and they will beat the government with the liberty stick one day and the security stick the next. The question is, are New Labour brave enough to admit that their approach to surveillance has been almost entirely wrong?

We will soon find out.