The Information Commissioner has delivered his latest report to the Home Affairs Select Committee on “the state of surveillance” in the UK. The report traces privacy-related developments since the Commissioner’s 2006 report on the same theme, which memorably observed that the UK may be “sleepwalking into a surveillance society”. According to the November 2010 report, that warning
“… is no less cogent in 2010 than it was several years ago. It is not being suggested that the UK is a ‘police state’ or that there are surveillance conspiracies afoot against the public. Neither the 2006 report nor this one supports such an assumption, and evidence for it is lacking. Much of what is taken to be surveillance is done for benign reasons and has beneficial effects on individuals and society. But much surveillance also goes beyond the limits of what is tolerable in a society based on the rule of law and human rights, one of which is the right to privacy.”
The report provides an illuminating summary of trends in (amongst others) the use of CCTV, body scanning and border control (including ‘ethnic targeting’ for security searches), workplace monitoring, social networking, ‘crowdsourcing’, the monitoring of protest activities and even the use of unmanned drones. Scrutiny is also given to a number of governmental policy tools, such as databases and the use of ‘social sorting’ (e.g. into groups such as ‘high cost, high risk’ social groups who are vulnerable to social exclusion) to develop targeted welfare strategies.
As regards private-sector online commerce, the Commissioner recommends a number of measures to correct what he describes as the “worrying trend particularly with those who provide on-line services not to have thought through the privacy implications of their activities and given users robust privacy settings as a default”.
What to do about the risks identified in the report? The ICO’s recommendations focus principally on overhauling the legislative process insofar as it affects privacy, by introducing:
- a requirement for a privacy impact assessment to be presented during the parliamentary process where legislative measures have a particular impact on privacy;
- an opportunity for the Information Commissioner to provide a reasoned opinion to Parliament on measures that engage concerns within his areas of competence, and
- a legal requirement to make sure all new laws that engage significant privacy concerns undergo post-legislative scrutiny to ensure they are being implemented and used as intended by Parliament.
If implemented, these measures would add substantially to the ICO’s clout as the guardian of privacy.
The report can be found here, with the accompanying press release from the ICO here.
The Home Office has published a summary of responses to its April 2009 consultation paper on ‘communications data’, i.e. information about a communication that does not include the content of the communication itself. At present, such data is owned by communications service providers and accessed by certain public authorities under disparate statutory powers for the purposes of combating, for example, fraud, terrorism and other serious crime. The government is considering an overhaul so as to bring all communication types (such as web chat) and all relevant service providers (some of whose contractual positions place them beyond the current statutory arrangements) within the system.
The attendant tension between individual liberty and public protection is reflected in the 221 responses to this consultation.
A substantial minority of respondents objected in principle to any ‘surveillance’ of communications. A majority (albeit a fairly narrow one) agreed that communications data served an important public purpose and that the government should therefore act to maintain the capability of public authorities to make use of this type of information.
As to what form this action should take, only one element of the government’s proposed approach was widely welcomed, namely its rejection of a central database for holding all data of this type. Reservations were otherwise expressed about technological feasibility, data security and the proportionality of public authorities’ use of communications data.
Nonetheless, such reservations were not deemed forceful or widespread enough to deter the government from its proposed course. A number of respondents’ suggestions have been rejected, including the specifying of categories of data which should not be retained, and the requirement for a magistrate’s authorisation before communications data can be accessed.
The government is also satisfied that the DPA 1998 and RIPA 2000 provide sufficient safeguards against abuse of such data. A legislative review is, however, proposed, to see if a single means of authorised access (through RIPA 2000) would be practicable. Fresh or consolidating legislation appears likely.
The importance of ensuring the security of personal data has been highlighted in a recent press release from the ICO dated 4 June 2009. The ICO has found Salford Royal NHS Foundation Trust in breach of the Data Protection Act, after a desktop computer containing sensitive personal information relating to around 3,500 patients was stolen. Although the computer was password protected, it was not encrypted or secured to a desk.
A formal undertaking has been signed by the Trust. It will ensure that: appropriate security measures are in place to restrict access to areas where personal information is stored; desktop computers are secured to desks to prevent easy removal; any personal data required to be held on a portable device is suitably encrypted; and personal details are not retained on any computer for longer than is required.
Mick Gorrill, Assistant Information Commissioner at the ICO, emphasised that the worrying trend of personal data losses must be rectified. He said:
“I am increasingly concerned about the way some NHS organisations are failing to securely hold people’s health and personal information. Organisations must implement appropriate safeguards to ensure personal details about patients do not fall into the wrong hands.”
Many thanks to Andrew Smith, currently a pupil at 11KBW, for preparing a first draft of this post.
In November 2007 it was announced that HMRC had lost two CDs containing personal information about 25 million people. Since then there has been a steady stream of stories about data losses, mainly from the public sector.
The Data Protection Act 1998 requires appropriate measures to be taken against the accidental loss of personal data. Breach of this requirement can lead to enforcement action by the Information Commissioner. An individual whose data was lost could claim compensation from the data controller under section 13 of the Act, but only on proof of damage. If the individual had suffered identity fraud as a result of the breach then this would probably be sufficient. What if the individual argued that he was now at a higher risk of ID fraud, even though no fraud had yet taken place? Would this count as damage?
A US district court in California has recently considered a similar question. In Ruiz v Gap and Vangent a laptop was stolen containing unencrypted personal data of 750,000 Gap job applicants. In a class action, the plaintiff sued for negligence, contending that he and the other class members had suffered damage consisting of exposure to an increased risk of ID fraud. The Court granted summary judgment to the defendants and dismissed the claim. Speculative harm, or the threat of future harm, was not enough for a cause of action in negligence. The plaintiff relied on cases where recovery had been allowed for medical monitoring after negligent exposure to toxic substances; the court rejected the analogy. It also noted that Gap had informed those whose information was on the laptop, and had offered to provide them with 12 months of free credit monitoring. The plaintiff had not taken up this offer.
In policy terms it is questionable whether strengthening individual rights of action is the best way to deal with data loss. Of course, individuals who suffer direct financial loss – through ID fraud or otherwise – should be compensated. But in the Ruiz type of claim individual damages are likely to be modest. There is no great social benefit in spending a lot of time and money in order to provide a wide class of individuals with low-level compensation. Instead the focus should be on deterring breaches and avoiding recurrence. The Information Commissioner’s new power to fine for serious data protection breaches (DPA section 55A) is a step in the right direction, though not yet in force.
If the UK regulatory framework needs further strengthening then one option would be legislation requiring data controllers to notify affected individuals where information is lost or stolen. Last year the Thomas/Wolpert data sharing review recommended notification to the Information Commissioner as good practice, but not as a mandatory requirement. The Government agreed. Its response (see page 19) made clear that it had considered, and rejected, the possibility of a US-style law requiring notification of data breaches to the individuals affected.
Incidentally, I found the Ruiz case via the excellent blog maintained by InfoSecCompliance LLC, a US firm specialising in privacy, information law and data security. David Navetta is their founding member.