Analysis of the Government's response
to Surveillance: Citizens and the State
1. On 6 February we published a report, Surveillance:
Citizens and the State.
The Government response was published as a Command Paper on 13
May (Cm 7616). In this report we analyse the Government's response.
2. Although we welcome the Government's acceptance
of a number of the recommendations of the Report of the House
of Lords Select Committee on the Constitution, Surveillance:
Citizens and the State, HL 18, Session 2008-09, we are disappointed
that the Government's response does not fully appreciate the danger
posed by surveillance to privacy and the relationship between
individuals and the state. We regret that the Government have
not agreed to a number of important recommendations which sought
to assist the executive in promoting the responsible and proper
use of data processing, including data sharing, together with
other modes of surveillance.
3. Whilst we acknowledge the Government's assurances
that consultations are now in train to improve Government practice
in this field, we believe that their response relies too heavily
upon the possible outcome of the consultations. While it is reasonable
for the Government to wait for the results of the consultations
before beginning the detailed process of reform, their response
fails to address many of the general concerns raised.
4. The Government have paid insufficient attention
to a number of fundamental points and criticisms made in the Report.
The response reiterates the need to balance privacy with security
and other objectives, and to ensure that the principles of necessity
and proportionality are adhered to, without sufficiently indicating
how this can be achieved. We believe that the Government have
underestimated the degree to which public concern about surveillance
and data processing is concerned with the propriety of collecting
personal information on a vast scale, as contrasted with whether
such data is subsequently handled safely and securely. In our
view, data security is only one issue to be considered when deciding
whether surveillance and data processing schemes should be developed
5. In their Introduction, the Government
equate 'rights' of different kinds (privacy, more effective delivery
of public services, and protection from crime and terrorism),
but do not pay sufficient attention to the relationship between
them, and how that relationship should impact upon policy formation.
6. The Government refer to Privacy Impact Assessment
(PIA) in their responses to the Committee's recommendations
at paragraphs 452, 453, 455, 460, 484, 485, 489, and 495.
While we firmly support PIA, we note that it is almost entirely
untried in the British public sector and is therefore not entrenched
in the policy process. Versions of PIA differ in terms of the
stringency of their requirements. In the light of this, any suggestion
that PIA is a panacea for the issues that we raise must be treated
with caution, in particular where further details of the nature
of the PIA to be undertaken in each case, and how and by whom
it will be evaluated, have not been provided.
7. Our recommendation involving PIA (at paragraph
460) called for mandating, through an amendment to the Data
Protection Act 1998, "independent, publicly available, full
and detailed" PIAs, with independent scrutiny undertaken
by the Information Commissioner and others. We are disappointed
that the Government do not support a legislative approach, preferring
a weaker approach under the auspices of the Data Handling Report.
Whilst the Government note that departments are encouraged to
publish their PIAs, they recite reasons why departments might
demur. We believe that departments should have to declare and
explain their refusal to publish, and that the Information Commissioner
should be empowered to require publication where he finds the
reasons for refusal unconvincing.
8. The Government's response does not recognise
how PIA implementation is designed to work. Whilst the Government
underline that the Data Handling Report now makes the conduct
of a PIA mandatory, their response to the recommendation at
paragraph 455 states that "Departments are encouraged
to consider undertaking a [PIA] in the early stages of policy
development" (our emphasis). PIA should be undertaken before
it is too late and expensive to build privacy safeguards into
the development of policy and the infrastructures and technologies
to execute it. The Data Handling Report, whose recommendations
on mandatory PIA the Government have accepted, makes this point.
We look to the Government to ensure that the necessary instructions
are given to Departments and those responsible for putting the
Data Handling Report into effect.
9. The Government's response to the recommendation
at paragraph 453, concerning ways to establish the likely
effect of new surveillance measures on public trust is inadequate.
The Information Commissioner's Office (ICO) and NGOs, among others
should have a useful role. The Government's statement that the
ICO raises questions on planned policies is covered in the recommendation
at paragraph 455.
10. The response to the recommendation at
paragraph 454 does not specify how or whether the Government
will expand the ICO's remit in respect of monitoring the effects
of surveillance and data collection on Article 8 rights under
the ECHR. Nor does it comment on how the ICO's remit should be
realigned in light of the role played by other Commissioners and
watchdog bodies. Whilst the Government undertake to continue to
monitor the effectiveness of the various Commissioners in reflecting
public concerns and human rights, they do not say how this will
be done or whether they will publish their findings.
11. Our recommendation at paragraph 455
regretted that the ICO was often not consulted about policies
and legislation with privacy implications, a frequent omission
to which the ICO have often drawn attention. The Government's
responses to the recommendation at paragraph 453 and 461
do not address the issue. The Government's assertion that Departments
are best placed to initiate consultations with ICO about possible
data protection implications of legislation or policies is inadequate.
Factual information about consultations held with ICO should be
placed in an Annex to the Explanatory Notes.
12. We regret that the recommendation at paragraph
456, asking Government to reconsider giving ICO the power
to inspect private sector organisations without consent, has not
been immediately accepted. We believe that this leaves an anomalous
gap in the application of the Data Protection Act 1998 which will
become more apparent as changes occur in the ways in which the
government carries out public-service functions involving transfers
of personal data across organisational boundaries. The Government
state that it is possible for private and third-sector data controllers
to be inspected (with notice) if the Secretary of State considers
that they are exercising functions of a public nature or under
contract to a public authority. The Government should show when
this has occurred. The Secretary of State's powers of intercession
in the inspection process should be justified. We are encouraged
by the Government's willingness to listen to arguments for granting
the power which we recommended.
13. We welcome the Government's response to the
recommendation at paragraph 457, indicating that the ICO's
new power to levy fines will soon be brought into effect.
14. We welcome the Government's commitment to
encourage greater flexibility in the inspection work carried out
by the Interception of Communications Commissioner and the Chief
Surveillance Commissioner, as recommended at paragraph 458.
We would welcome further information as to how they will engage
with public authorities to ensure that they have appropriate guidance.
The Government point to the availability of the Investigatory
Powers Tribunal, anticipating our recommendation at paragraph
459, butgiven our criticism of the underuse and obscurity
of the Tribunalthis provides little reassurance. We look
for positive results from the Government's undertaking to urge
the Tribunal to raise its public profile.
15. The Government do not explain why they reject
our recommendation of a review of the law governing consent to
the use of personal data, in the recommendation at paragraph
462. The ICO's forthcoming code of practice does not meet
the need for a review of an area of concern in many parts of the
public and private sectors.
16. The Government's response to the recommendation
at paragraph 463, together with part of their response to
the recommendation at paragraph 487, does not specify
the tangible measures of support which they intend to give the
ICO in raising public awareness of information processing and
17. The recommendations at paragraphs 464
and 466, on the retention of DNA data, have now been opened
to public consultation in a document published on 7 May 2009.
We welcome the Government's moves in the direction of complying
with the European Court's decision in S & Marper, and
in particularly, their intention to destroy DNA samples, profiles
of children under the age of 10, and the DNA of volunteers, which
was the subject of our recommendation at paragraph 466.
We await further details on the question of retention. We note
the Government's response to the recommendation at paragraph
465, concerning a universal DNA database.
18. The Government have not accepted the recommendation
at paragraph 467 for a statutory basis for the National
DNA Database (NDNAD), although their proposal, in the public consultation
now being conducted, for changes in the NDNAD's regulatory structure
and accountability procedures could go some way towards overcoming
the problems that we thought a new statute would resolve. We hope
that these proposals will help promote a clearer, more rationalised,
and less disproportionate regime for DNA.
19. We note that the Government have already
commissioned an independent appraisal of the evidence about the
effectiveness of CCTV, which we called for in the recommendation
at paragraph 468. This review is soon to be distributed to
police forces, and is already available on the Internet. We urge
the Government to ensure that the review is made available more
widely so that it can inform a genuine debate on the subject.
20. We are disappointed that the Government have
not accepted our call for a statutory regime for CCTV, set out
in the recommendation at paragraph 469. Although we
acknowledge that some steps are being taken within the framework
of the National CCTV Strategy to improve the governance and operation
of CCTV, we remain convinced that accountability and responsiveness
to public concerns and complaints require a statutory regime for
governing the Strategy, oversight by Commissioners, and the establishment
of the promised national body.
21. The Government's reference to the Data Handling
Report is a welcome recognition of the problems addressed in the
recommendation at paragraph 470 concerning the encryption
of data. We wait to see whether stronger controls prove to be
necessary. The recommendation at paragraph 482 is also
about encryption, and we are encouraged by the Government's indication
of the measures to be taken under the aegis of the Data Handling
Report. However, it is not clear what, if any, sanctions might
be applied for failure to comply with the mandatory minimum measures
that are to be incumbent on departments. Nor is it clear what
will be the regime to ensure that suppliers comply with the stated
measures. We believe that the encryption standards described by
the Government are likely to be robust.
22. The response to the recommendation at
paragraph 471, which called for a review of administrative
procedures in the Regulation of Investigatory Powers Act 2000
(RIPA), refers to proposals in current legislation before Parliament.
We will comment upon these proposals in the course of our legislative
scrutiny. The Government have stated that there will be revised
codes of practice which will provide clearer statutory guidance.
This also forms part of their response to the recommendation
at paragraph 481. We believe that the way in which the codes
of practice are implemented, including more effective training
and understanding of the important principles of necessity and
proportionality, is an important consideration. We wait to see
whether forthcoming reports by the Commissioners concerned (and
in others from the field of law enforcement) show that the new
codes are effective.
23. The recommendation at paragraph 472 urged
that the Government consultation on RIPA powers should consider
the appropriateness of their use by local authorities, The Government
have not accepted our proposal that offences carrying custodial
sentences of less than two years should not involve the use of
investigatory powers under RIPA by local authorities, but have
emphasised the revised code of practice mentioned above, as well
as better guidance, training and accountability. We await the
results of the current consultation, and any subsequent Government
action, involving the question of the seniority of authorisation
24. Our recommendation at paragraph 473 called
for improvement in the co-ordination of the inspection regimes
of the different Commissioners empowered under RIPA. We are concerned
that the Government's response does not sufficiently addresses
the concerns to which we drew attention in our report. The Government's
suggestion of more resources for inspections, and for other benefits
should be made and adopted with firm intent
25. We are disappointed that the Government have
not accepted our recommendation at paragraph 474, for powers
of surveillance and data processing to be set out in primary legislation.
We do not believe that it is sufficient for 'basic principles'
to be stated in primary legislation, with important details left
to secondary legislation.
26. The Government have not accepted our recommendation
at paragraph 475 that a new Joint Committee on surveillance
and data powers be established for post-legislative scrutiny.
We believe that existing scrutiny arrangements are inadequate
in the light of the expansion of surveillance and data processing.
Whilst the Government have said that they 'expect' departments
to monitor the impact of their policies, we believe that this
should be a requirement placed upon departments.
27. The response to the recommendation at
paragraph 476, which called for the Government to exercise
better leadership over the implementation of ECHR Article 8, emphasises
their production of guidance texts. We are concerned that this
does not guarantee sufficient follow-up to ascertain whether the
guidance is understood and put into practice by relevant authorities.
We acknowledge that new codes of practice and other measures are
in hand, but reiterate our concern about their possible insufficiency.
We do not believe that the Government's response adequately addresses
our recommendation that legal aid should be available for Article
28. The Government's response to the recommendation
at paragraph 477, on judicial oversight for surveillance,
transparency and compensation, reiterates their satisfaction with
the current "balance" and refers complainants to the
IPT. We do not believe that this response goes far enough. We
agree that transparency may compromise investigations, but the
Government's wish for 'certainty' in this matter does not take
account of the possible benefits of greater transparency. We suggest
that the question of increasing transparency be subject to a proper
29. The recommendation at paragraph 478 on
citizen-oriented identification systems raises issues of individual
control over identification and authentication data, and of minimising
the collection and use of identifiable personal. These issues
are insufficiently addressed by the Government
30. We are disappointed that the Government have
not accepted our recommendation at paragraph 479, with
which the Joint Committee on Human Rights concurs, for more prominent
leadership to be exerted by the data protection minister.
31. Whilst the Government do not disagree with
our recommendation at paragraph 480 about the changes in
organisational culture and related changes urged by the Data Sharing
Review, we observe that the Government have not referred to our
recommendation regarding the reporting of progress to Parliament.
32. We welcome the publication of the Manual
of Protective security, as the Committee urged in the recommendation
at paragraph 483.
33. In relation to the response to our recommendation
at paragraph 484, it is too soon to judge how effective the
National Identity Scheme Commissioner will be, how rigorous the
regulation of the use of information from the National Identity
Register will be in practice, and whether the CCTV code of practice
will be an acceptable alternative to stronger regulatory measures.
We note that a statutory code of practice will cover the sharing
of personal data.
34. With regard to our recommendation at paragraph
485 for a review of procurement processes to include privacy-enhancing
technologies and privacy-design solutions in new systems, we welcome
the Government's general approach but think that they have not
fully understood our argument. The issue is only partially that
of information security in the strict sense, but also of more
comprehensive design features that the procurement process should
require to be built into systems in order to limit the collection
of data and provide other relevant privacy safeguards in keeping
with data protection principles. We again urge the Government
to take a broader approach to this matter.
35. We are disappointed with the Government's
response to our recommendation at paragraph 486 concerning
improvements in the investigation of public opinion about surveillance
and data processing. We urge the Government to go further to address
the concerns that we expressed.
36. We believe that the response to the recommendation
at paragraph 487 about the public understanding of surveillance
processes and their risks and benefits is inadequate. Publication
of guidance on websites and the work of the ICO are necessary
but not sufficient provisions. We note the discrepancy with the
response to the recommendation at paragraph 463 in terms
of the Government's commitment to "work with" the ICO,
albeit in ways that are not indicated. We call on the Government
to engage with the issues of surveillance and privacy in a proactive
37. We do not believe that the responses to the
recommendations at paragraphs 488 and 490 on public consultations
and new ways of engaging with the public sufficiently reflect
the Government's responsibilities. We urge the Government to explore
the Committee's recommendations further.
38. We have similar concerns about the response
to the recommendation at paragraph 489 concerning the Information
Charter, and are concerned at the lack of any reference to reporting
to Parliament on the workings of the scheme.
39. We are disappointed at the lack of detail
contained in the response to the recommendation at paragraph
491 for the involvement of NGOs. We do however note the Government's
commitment to keep the matter under review.
40. We are encouraged by the response to the
recommendation at paragraph 492, in which the Committee
recommended scrutiny by Parliamentary committees of the Government's
report on their progress with better data handling.
41. We agree that the work of the Merits of Statutory
Instruments Committee, which formed the substance of the recommendation
at paragraph 493, is a matter for Parliament.
42. We are disappointed that the Government have
not accepted our recommendation at paragraph 494 for a
Joint Committee on the surveillance and data powers of the state,
with the ability to draw upon research. Whilst we note the Government's
argument that existing Committees might work together on these
matters, we believe that a dedicated Joint Committee would be
a more effective instrument for bringing together expertise for
the purposes of scrutiny and investigation.
43. The response to our recommendation at
paragraph 495 for testing new policies against the criterion
of their effect on privacy refers to the new requirements for
PIA. We agree that these are appropriate.
1 2nd Report of 2008-09, HL Paper 18 Back