Analysis of the Government's response
to Surveillance: Citizens and the State
1. On 6 February we published a report, Surveillance:
Citizens and the State[1].
The Government response was published as a Command Paper on 13
May (Cm 7616). In this report we analyse the Government's response.
2. Although we welcome the Government's acceptance
of a number of the recommendations of the Report of the House
of Lords Select Committee on the Constitution, Surveillance:
Citizens and the State, HL 18, Session 2008-09, we are disappointed
that the Government's response does not fully appreciate the danger
posed by surveillance to privacy and the relationship between
individuals and the state. We regret that the Government have
not agreed to a number of important recommendations which sought
to assist the executive in promoting the responsible and proper
use of data processing, including data sharing, together with
other modes of surveillance.
3. Whilst we acknowledge the Government's assurances
that consultations are now in train to improve Government practice
in this field, we believe that their response relies too heavily
upon the possible outcome of the consultations. While it is reasonable
for the Government to wait for the results of the consultations
before beginning the detailed process of reform, their response
fails to address many of the general concerns raised.
4. The Government have paid insufficient attention
to a number of fundamental points and criticisms made in the Report.
The response reiterates the need to balance privacy with security
and other objectives, and to ensure that the principles of necessity
and proportionality are adhered to, without sufficiently indicating
how this can be achieved. We believe that the Government have
underestimated the degree to which public concern about surveillance
and data processing is concerned with the propriety of collecting
personal information on a vast scale, as contrasted with whether
such data is subsequently handled safely and securely. In our
view, data security is only one issue to be considered when deciding
whether surveillance and data processing schemes should be developed
or expanded.
5. In their Introduction, the Government
equate 'rights' of different kinds (privacy, more effective delivery
of public services, and protection from crime and terrorism),
but do not pay sufficient attention to the relationship between
them, and how that relationship should impact upon policy formation.
6. The Government refer to Privacy Impact Assessment
(PIA) in their responses to the Committee's recommendations
at paragraphs 452, 453, 455, 460, 484, 485, 489, and 495.
While we firmly support PIA, we note that it is almost entirely
untried in the British public sector and is therefore not entrenched
in the policy process. Versions of PIA differ in terms of the
stringency of their requirements. In the light of this, any suggestion
that PIA is a panacea for the issues that we raise must be treated
with caution, in particular where further details of the nature
of the PIA to be undertaken in each case, and how and by whom
it will be evaluated, have not been provided.
7. Our recommendation involving PIA (at paragraph
460) called for mandating, through an amendment to the Data
Protection Act 1998, "independent, publicly available, full
and detailed" PIAs, with independent scrutiny undertaken
by the Information Commissioner and others. We are disappointed
that the Government do not support a legislative approach, preferring
a weaker approach under the auspices of the Data Handling Report.
Whilst the Government note that departments are encouraged to
publish their PIAs, they recite reasons why departments might
demur. We believe that departments should have to declare and
explain their refusal to publish, and that the Information Commissioner
should be empowered to require publication where he finds the
reasons for refusal unconvincing.
8. The Government's response does not recognise
how PIA implementation is designed to work. Whilst the Government
underline that the Data Handling Report now makes the conduct
of a PIA mandatory, their response to the recommendation at
paragraph 455 states that "Departments are encouraged
to consider undertaking a [PIA] in the early stages of policy
development" (our emphasis). PIA should be undertaken before
it is too late and expensive to build privacy safeguards into
the development of policy and the infrastructures and technologies
to execute it. The Data Handling Report, whose recommendations
on mandatory PIA the Government have accepted, makes this point.
We look to the Government to ensure that the necessary instructions
are given to Departments and those responsible for putting the
Data Handling Report into effect.
9. The Government's response to the recommendation
at paragraph 453, concerning ways to establish the likely
effect of new surveillance measures on public trust is inadequate.
The Information Commissioner's Office (ICO) and NGOs, among others,
should have a useful role. The Government's statement that the
ICO raises questions on planned policies is covered in the recommendation
at paragraph 455.
10. The response to the recommendation at
paragraph 454 does not specify how or whether the Government
will expand the ICO's remit in respect of monitoring the effects
of surveillance and data collection on Article 8 rights under
the ECHR. Nor does it comment on how the ICO's remit should be
realigned in light of the role played by other Commissioners and
watchdog bodies. Whilst the Government undertake to continue to
monitor the effectiveness of the various Commissioners in reflecting
public concerns and human rights, they do not say how this will
be done or whether they will publish their findings.
11. Our recommendation at paragraph 455
regretted that the ICO was often not consulted about policies
and legislation with privacy implications, a frequent omission
to which the ICO have often drawn attention. The Government's
responses to the recommendation at paragraph 453 and 461
do not address the issue. The Government's assertion that Departments
are best placed to initiate consultations with ICO about possible
data protection implications of legislation or policies is inadequate.
Factual information about consultations held with ICO should be
placed in an Annex to the Explanatory Notes.
12. We regret that the recommendation at paragraph
456, asking Government to reconsider giving ICO the power
to inspect private sector organisations without consent, has not
been immediately accepted. We believe that this leaves an anomalous
gap in the application of the Data Protection Act 1998 which will
become more apparent as changes occur in the ways in which the
government carries out public-service functions involving transfers
of personal data across organisational boundaries. The Government
state that it is possible for private and third-sector data controllers
to be inspected (with notice) if the Secretary of State considers
that they are exercising functions of a public nature or under
contract to a public authority. The Government should show when
this has occurred. The Secretary of State's powers of intercession
in the inspection process should be justified. We are encouraged
by the Government's willingness to listen to arguments for granting
the power which we recommended.
13. We welcome the Government's response to the
recommendation at paragraph 457, indicating that the ICO's
new power to levy fines will soon be brought into effect.
14. We welcome the Government's commitment to
encourage greater flexibility in the inspection work carried out
by the Interception of Communications Commissioner and the Chief
Surveillance Commissioner, as recommended at paragraph 458.
We would welcome further information as to how they will engage
with public authorities to ensure that they have appropriate guidance.
The Government point to the availability of the Investigatory
Powers Tribunal, anticipating our recommendation at paragraph
459, but, given our criticism of the underuse and obscurity
of the Tribunal, this provides little reassurance. We look
for positive results from the Government's undertaking to urge
the Tribunal to raise its public profile.
15. The Government do not explain why they reject
our recommendation of a review of the law governing consent to
the use of personal data, in the recommendation at paragraph
462. The ICO's forthcoming code of practice does not meet
the need for a review of an area of concern in many parts of the
public and private sectors.
16. The Government's response to the recommendation
at paragraph 463, together with part of their response to
the recommendation at paragraph 487, does not specify
the tangible measures of support which they intend to give the
ICO in raising public awareness of information processing and
surveillance.
17. The recommendations at paragraphs 464
and 466, on the retention of DNA data, have now been opened
to public consultation in a document published on 7 May 2009.
We welcome the Government's moves in the direction of complying
with the European Court's decision in S & Marper, and
in particular, their intention to destroy DNA samples, profiles
of children under the age of 10, and the DNA of volunteers, which
was the subject of our recommendation at paragraph 466.
We await further details on the question of retention. We note
the Government's response to the recommendation at paragraph
465, concerning a universal DNA database.
18. The Government have not accepted the recommendation
at paragraph 467 for a statutory basis for the National
DNA Database (NDNAD), although their proposal, in the public consultation
now being conducted, for changes in the NDNAD's regulatory structure
and accountability procedures could go some way towards overcoming
the problems that we thought a new statute would resolve. We hope
that these proposals will help promote a clearer, more rationalised,
and less disproportionate regime for DNA.
19. We note that the Government have already
commissioned an independent appraisal of the evidence about the
effectiveness of CCTV, which we called for in the recommendation
at paragraph 468. This review is soon to be distributed to
police forces, and is already available on the Internet. We urge
the Government to ensure that the review is made available more
widely so that it can inform a genuine debate on the subject.
20. We are disappointed that the Government have
not accepted our call for a statutory regime for CCTV, set out
in the recommendation at paragraph 469. Although we
acknowledge that some steps are being taken within the framework
of the National CCTV Strategy to improve the governance and operation
of CCTV, we remain convinced that accountability and responsiveness
to public concerns and complaints require a statutory regime for
governing the Strategy, oversight by Commissioners, and the establishment
of the promised national body.
21. The Government's reference to the Data Handling
Report is a welcome recognition of the problems addressed in the
recommendation at paragraph 470 concerning the encryption
of data. We wait to see whether stronger controls prove to be
necessary. The recommendation at paragraph 482 is also
about encryption, and we are encouraged by the Government's indication
of the measures to be taken under the aegis of the Data Handling
Report. However, it is not clear what, if any, sanctions might
be applied for failure to comply with the mandatory minimum measures
that are to be incumbent on departments. Nor is it clear what
will be the regime to ensure that suppliers comply with the stated
measures. We believe that the encryption standards described by
the Government are likely to be robust.
22. The response to the recommendation at
paragraph 471, which called for a review of administrative
procedures in the Regulation of Investigatory Powers Act 2000
(RIPA), refers to proposals in current legislation before Parliament.
We will comment upon these proposals in the course of our legislative
scrutiny. The Government have stated that there will be revised
codes of practice which will provide clearer statutory guidance.
This also forms part of their response to the recommendation
at paragraph 481. We believe that the way in which the codes
of practice are implemented, including more effective training
and understanding of the important principles of necessity and
proportionality, is an important consideration. We wait to see
whether forthcoming reports by the Commissioners concerned (and
in others from the field of law enforcement) show that the new
codes are effective.
23. The recommendation at paragraph 472 urged
that the Government consultation on RIPA powers should consider
the appropriateness of their use by local authorities. The Government
have not accepted our proposal that offences carrying custodial
sentences of less than two years should not involve the use of
investigatory powers under RIPA by local authorities, but have
emphasised the revised code of practice mentioned above, as well
as better guidance, training and accountability. We await the
results of the current consultation, and any subsequent Government
action, involving the question of the seniority of authorisation
officials.
24. Our recommendation at paragraph 473 called
for improvement in the co-ordination of the inspection regimes
of the different Commissioners empowered under RIPA. We are concerned
that the Government's response does not sufficiently address
the concerns to which we drew attention in our report. The Government's
suggestion of more resources for inspections, and for other benefits,
should be made and adopted with firm intent.
25. We are disappointed that the Government have
not accepted our recommendation at paragraph 474, for powers
of surveillance and data processing to be set out in primary legislation.
We do not believe that it is sufficient for 'basic principles'
to be stated in primary legislation, with important details left
to secondary legislation.
26. The Government have not accepted our recommendation
at paragraph 475 that a new Joint Committee on surveillance
and data powers be established for post-legislative scrutiny.
We believe that existing scrutiny arrangements are inadequate
in the light of the expansion of surveillance and data processing.
Whilst the Government have said that they 'expect' departments
to monitor the impact of their policies, we believe that this
should be a requirement placed upon departments.
27. The response to the recommendation at
paragraph 476, which called for the Government to exercise
better leadership over the implementation of ECHR Article 8, emphasises
their production of guidance texts. We are concerned that this
does not guarantee sufficient follow-up to ascertain whether the
guidance is understood and put into practice by relevant authorities.
We acknowledge that new codes of practice and other measures are
in hand, but reiterate our concern about their possible insufficiency.
We do not believe that the Government's response adequately addresses
our recommendation that legal aid should be available for Article
8 claims.
28. The Government's response to the recommendation
at paragraph 477, on judicial oversight for surveillance,
transparency and compensation, reiterates their satisfaction with
the current "balance" and refers complainants to the
IPT. We do not believe that this response goes far enough. We
agree that transparency may compromise investigations, but the
Government's wish for 'certainty' in this matter does not take
account of the possible benefits of greater transparency. We suggest
that the question of increasing transparency be subject to a proper
risk analysis.
29. The recommendation at paragraph 478 on
citizen-oriented identification systems raises issues of individual
control over identification and authentication data, and of minimising
the collection and use of identifiable personal data. These issues
are insufficiently addressed by the Government.
30. We are disappointed that the Government have
not accepted our recommendation at paragraph 479, with
which the Joint Committee on Human Rights concurs, for more prominent
leadership to be exerted by the data protection minister.
31. Whilst the Government do not disagree with
our recommendation at paragraph 480 about the changes in
organisational culture and related changes urged by the Data Sharing
Review, we observe that the Government have not referred to our
recommendation regarding the reporting of progress to Parliament.
32. We welcome the publication of the Manual
of Protective security, as the Committee urged in the recommendation
at paragraph 483.
33. In relation to the response to our recommendation
at paragraph 484, it is too soon to judge how effective the
National Identity Scheme Commissioner will be, how rigorous the
regulation of the use of information from the National Identity
Register will be in practice, and whether the CCTV code of practice
will be an acceptable alternative to stronger regulatory measures.
We note that a statutory code of practice will cover the sharing
of personal data.
34. With regard to our recommendation at paragraph
485 for a review of procurement processes to include privacy-enhancing
technologies and privacy-design solutions in new systems, we welcome
the Government's general approach but think that they have not
fully understood our argument. The issue is only partially that
of information security in the strict sense, but also of more
comprehensive design features that the procurement process should
require to be built into systems in order to limit the collection
of data and provide other relevant privacy safeguards in keeping
with data protection principles. We again urge the Government
to take a broader approach to this matter.
35. We are disappointed with the Government's
response to our recommendation at paragraph 486 concerning
improvements in the investigation of public opinion about surveillance
and data processing. We urge the Government to go further to address
the concerns that we expressed.
36. We believe that the response to the recommendation
at paragraph 487 about the public understanding of surveillance
processes and their risks and benefits is inadequate. Publication
of guidance on websites and the work of the ICO are necessary
but not sufficient provisions. We note the discrepancy with the
response to the recommendation at paragraph 463 in terms
of the Government's commitment to "work with" the ICO,
albeit in ways that are not indicated. We call on the Government
to engage with the issues of surveillance and privacy in a proactive
manner.
37. We do not believe that the responses to the
recommendations at paragraphs 488 and 490 on public consultations
and new ways of engaging with the public sufficiently reflect
the Government's responsibilities. We urge the Government to explore
the Committee's recommendations further.
38. We have similar concerns about the response
to the recommendation at paragraph 489 concerning the Information
Charter, and are concerned at the lack of any reference to reporting
to Parliament on the workings of the scheme.
39. We are disappointed at the lack of detail
contained in the response to the recommendation at paragraph
491 for the involvement of NGOs. We do however note the Government's
commitment to keep the matter under review.
40. We are encouraged by the response to the
recommendation at paragraph 492, in which the Committee
recommended scrutiny by Parliamentary committees of the Government's
report on their progress with better data handling.
41. We agree that the work of the Merits of Statutory
Instruments Committee, which formed the substance of the recommendation
at paragraph 493, is a matter for Parliament.
42. We are disappointed that the Government have
not accepted our recommendation at paragraph 494 for a
Joint Committee on the surveillance and data powers of the state,
with the ability to draw upon research. Whilst we note the Government's
argument that existing Committees might work together on these
matters, we believe that a dedicated Joint Committee would be
a more effective instrument for bringing together expertise for
the purposes of scrutiny and investigation.
43. The response to our recommendation at
paragraph 495 for testing new policies against the criterion
of their effect on privacy refers to the new requirements for
PIA. We agree that these are appropriate.
1 2nd Report of 2008-09, HL Paper 18