Google’s Streetview – ICO Responds

The launch of Google’s Streetview service in March 2009 sparked considerable debate within the British media. Privacy campaigners criticised the intrusive nature of the service, which enables internet users to access 360 degree views of people, homes, cars and streets in 25 of Britain’s cities. It would appear that the Information Commissioner has now had his say on the matter. According to an article published in yesterday’s Observer newspaper, the Information Commissioner rejected a complaint brought by Privacy International which challenged the legality of the service. Notably, the Observer reports that the Commissioner dismissed the suggestion put forward by Privacy International that consent should have been sought from individuals whose image was captured in the pictures shown by Streetview. He apparently compared the Streetview service with images of individuals broadcast during televised football matches, where similarly consent would not be sought.

Of course, Streetview is not the only part of Google’s operations which has given rise to privacy concerns. Not least in recent weeks, concerns have been raised about another Google innovation, which enables advertisers to target adverts on individual Google users by relying on site-visit profiles developed by Google. The so-called behavioural targeting system enables Google to build up a profile of the internet sites visited by a particular user when using the Google search engine. The profile is then used as a basis for indicating what advertising the user may be interested in. Concerns expressed about the new system have included that individuals are not asked whether they wish to receive targeted advertising and, further, that the right to opt out of the system is not adequately advertised to users.

Guardian article on Streetview:

https://www.guardian.co.uk/technology/2009/apr/12/google-street-view-privacy

Channel 4 report on Behavioural Targeting System:

https://www.channel4.com/news/articles/science_technology/how+google+adverts+got+personal/3076122

Recruiting the iPod generation

In an article in today’s Financial Times, Benjamin Akande of Webster University talks about the “iPoders” – the generation born between 1982 and 2000.  He describes a generation of technology addicts, using the internet as its first resort for information-gathering, and nurturing personal relationships through social networking and twittering.  According to Akande, as it enters the workforce this cohort will be looking for organisations that share its appetite for technological innovation. 

One issue that Akande doesn’t discuss is how iPoders view their personal privacy.  How will they react if their technology-aware future employers treat Facebook and MySpace as a legitimate part of pre-recruitment due diligence?  It’s often suggested that today’s 20-somethings are deeply relaxed about information privacy.  A more realistic view may be that, as early adopters of social networking technology, they are learning the hard way about the implications of putting personal information online.  In 2007, Oxford University students were outraged when photographs on Facebook were used in order to crack down on post-exam celebrations. 

At the same time, employers need to be cautious about googling their job applicants.  For instance, interview panels know not to ask questions about any plans for starting a family.  But what if one of the interviewers finds out information of this kind, from his online researches into the candidates?  Unless the information is wholly disregarded, there is an obvious risk of a discrimination claim if the candidate is rejected.

Big Brother Takes to the Road

Many of us are aware that, when in use, our mobile phones can be used by telecoms companies and security agencies to trace our whereabouts. However, few of us are likely to have been contemplating a scenario where our cars would contain built-in tracking devices enabling state authorities to have, in effect, a system of near total road surveillance. However, a new EU-backed project, known as the Cooperative Vehicle-Infrastructure Systems (CVIS) project, may go a long way towards achieving that result. In particular, it is understood that the project, which is due to be unveiled later this year, envisages that, by 2013, such devices would commonly be built into newly manufactured cars and that a universal frequency will be made available so as to enable state authorities to monitor the location of all cars fitted with the device. As one might expect, privacy and civil liberties groups are said to be up in arms about this development. It is understood that the European Data Protection Supervisor will make a formal announcement on the privacy implications of CVIS technology soon.

Media article:

https://www.guardian.co.uk/uk/2009/mar/31/surveillance-transport-communication-box

BMA Expresses Concerns about New Data Sharing Powers

The Coroners and Justice Bill was introduced in the House of Commons on 14 January 2009. Clause 152 of the Bill provides for the Data Protection Act 1998 to be amended to include a number of new provisions on data sharing. Those provisions include a section which creates a broad general power enabling any ‘designated authority’ to make an ‘information sharing order’, which is to say an order which enables ‘any person to share information which consists of or includes personal data’ (new section 50A(1)). The relevant ‘designated authorities’ are ‘appropriate Ministers’ (i.e. Secretaries of State, the Treasury and Ministers in charge of government departments); Scottish Ministers; Welsh Ministers and a Northern Ireland Department (new section 50A(2)). Whilst these broad powers are subject to a number of limitations including those provided for under new sections 50C, 50A(4) and 50A(6), this has not prevented concerns being expressed as to the potential risks entailed by these new provisions. Most recently, in an interview with the Guardian (14 February 2009), the British Medical Association’s Chairman, Hamish Meldrum, confirmed that he was ‘extremely concerned’ about these new data sharing powers, not least because they would potentially enable Ministers to allow patient data to be shared not merely within the NHS but also with other ministries and even private companies. Mr Meldrum said that the trust between doctors and patients would be destroyed if the Bill became law as it stands. The new powers embodied in clause 152 of the Coroners and Justice Bill follow in the wake of the development of another significant and controversial data sharing scheme under which the medical records of everyone in England are to be uploaded onto a national database, known as the Spine.

The Bill:

https://www.publications.parliament.uk/pa/cm200809/cmbills/009/2009009.pdf

Guardian Articles:

https://www.guardian.co.uk/technology/2009/feb/14/medical-records-nhs-privacy

https://www.guardian.co.uk/society/2008/sep/18/health.nhs

Lords’ Report on Surveillance Society

The House of Lords Constitutional Committee has today published an important report on the use of surveillance within society. The report, entitled ‘Surveillance: Citizen and State’, considers the constitutional implications that changes in the use of government surveillance and data collection have upon the privacy of citizens and their relationship with the State. The introduction to the Report states as follows:

‘13. We regard a commitment to the freedom of the individual as paramount. It is a precondition of the functioning of our existing constitutional framework. We also believe that privacy and the principle of restraint in the use of surveillance and data collection powers are central to individual freedom, and should be taken into account and adhered to at all times by the executive, government agencies, and public bodies. There is a danger that the growing use of surveillance by government and private organisations in the UK could constitute a serious threat to these principles and commitments.

14. Mass surveillance has the potential to erode privacy. As privacy is an essential pre-requisite to the exercise of individual freedom, its erosion weakens the constitutional foundations on which democracy and good governance have traditionally been based in this country. Central to this inquiry is the question of whether surveillance, which has substantially increased over recent years, represents a threat to these foundations, and to what extent surveillance should be permissible within the current constitutional framework of the UK.’

Chapter 5 of the Report considers the role of surveillance regulators. With respect to the Information Commissioner, the Report stated that ‘given the impressive work that is currently being done by the Commissioner’s Office, there is a pressing need to strengthen his regulatory hand’.  The Report focusses on recent innovations to strengthen the Commissioner’s regulatory role, including: (a) Government approval for the Commissioner to be placed under a statutory duty to produce a data-sharing code of practice which would be approved by Parliament; (b) the Government’s decision to provide a statutory basis for the Information Commissioner to carry out inspections without consent of public sector organisations which process personal information systems; and (c) the introduction of the Criminal Justice and Immigration Act 2008, which will, when it comes into force, empower the Commissioner to impose monetary penalties on data controllers (in the public or private sector) for breaching the data protection principles knowingly or recklessly in ways that are serious and likely to cause substantial damage or distress. However, the Committee also made a number of recommendations aimed at enhancing the Commissioner’s powers still further (see chapters 5 and 9). Thus, it recommended:

  • that the Government instruct departments to consult the Information Commissioner at the earliest stages of policy development, so as to ensure that his views on privacy and data protection are properly taken into account;
  • that the Government reconsider the question whether the Commissioner should be given powers to carry out inspections of private sector bodies without consent (his powers being limited under the Criminal Justice and Immigration Act 2008 to public sector bodies);
  • that the Government consider expanding the remit of the Information Commissioner to include responsibility for monitoring the effects of government and private surveillance practices on the rights of the public at large under Article 8 of the European Convention on Human Rights;
  • that the Government should be required, by statute, to consult the Information Commissioner on bills or statutory instruments which involve surveillance or processing powers;
  • that, in conjunction with the Information Commissioner, the Government should undertake a review of the law governing the consent of individuals to the use of their personal data;
  • that the Government should commit to a plan of action, agreed with the Commissioner, to raise public awareness of the issues surrounding the use of surveillance.

Other notable recommendations in the report include:

  • Privacy Impact Assessments – The Government should amend the provisions of the DPA 1998 to make it mandatory for Government departments to produce and make available an independent, publicly available, full and detailed Privacy Impact Assessment (PIA) prior to the adoption of any new surveillance, data collection or processing scheme, including new arrangements for data sharing. The Information Commissioner or other independent authorities should have a role in scrutinising and approving any PIA.
  • DNA Profiles – DNA profiles should only be retained on the National DNA Database (NDNAD) where it can be shown that such retention is justified or deserved. The Committee confirmed that it expected the Government to comply fully, and as soon as possible, with the judgment of the European Court of Human Rights in the case of S. and Marper v. the United Kingdom, and to ensure that the DNA profiles of people arrested for, or charged with, a recordable offence but not subsequently convicted are not retained on the NDNAD for an unlimited period of time.
  • CCTV – The Home Office should commission an independent appraisal of the existing research evidence on the effectiveness of CCTV in preventing, detecting and investigating crime. The Government should propose a statutory regime for the use of CCTV by both the public and private sectors, introduce codes of practice that are legally binding on all CCTV schemes and establish a system of complaints and remedies. This system should be overseen by the Office of Surveillance Commissioners in conjunction with the Information Commissioner’s Office.
  • Controlling Access to Personal Data – The Government should introduce regulations aimed at: (a) requiring the encryption of personal data to be mandatory in some circumstances and (b) ensuring that organisations avoid connecting to the internet computers which contain large amounts of personal information.
  • RIPA – The current administrative procedures contained in RIPA should be reviewed, including the system of authorisations. Government consultations on proposed changes to the Regulation of Investigatory Powers Act 2000 should include consideration of whether local authorities, rather than the police, are the appropriate bodies to exercise powers under RIPA. If it is concluded that they are the appropriate bodies, such powers should only be available for the investigation of serious criminal offences which would attract a custodial sentence of at least two years. The Government should take steps to ensure that these powers are only exercised where strictly necessary, and in an appropriate and proportionate manner. The Government should also examine the feasibility of rationalising the inspection system and the activities of the three RIPA Commissioners. (This recommendation was made in light of concerns expressed by the Committee that the current arrangement whereby three different offices oversee the operation of RIPA may result in inefficiencies and disjointed inspection.)
  • Legislative Scrutiny – The Government should give high priority to post-legislative scrutiny of key statutes involving surveillance and data processing powers, including those passed more than three years ago. The statutes should be considered as part of a whole, rather than in isolation. This post-legislative role could be carried out effectively by a new Joint Committee on surveillance and data powers.
  • Article 8 – Instructions for Surveillance Bodies – The Government should instruct government agencies and private organisations involved in surveillance and data use on how the rights contained in Article 8 of the European Convention on Human Rights are to be implemented. The Government should provide clear and publicly available guidance as to the legal meanings of necessity and proportionality. A complaints procedure should be established by the Government and, where appropriate, legal aid should be made available for Article 8 claims.
  • Judicial Oversight – The Government should consider introducing a system of judicial oversight for surveillance carried out by public authorities, and that individuals who have been made the subject of surveillance be informed of that surveillance, when completed, where no investigation might be prejudiced as a result. Compensation should be available to those subject to unlawful surveillance by the police, intelligence services, or other public bodies acting under the powers conferred by RIPA.
  • ID Systems – The Government’s development of identification systems should give priority to ‘citizen-oriented considerations’.
  • More Effective Leadership – The role of data protection minister should be enhanced and its profile elevated because of the need for more effective central leadership.
  • Culture Change – The Committee supported the recommendations made in the Thomas-Walport Data Sharing Review Report for changes in organisational cultures, leadership, accountability, transparency, training and awareness, and it welcomed the Government’s acceptance of them.
  • Public Procurement – The Government should review its procurement processes so as to incorporate design solutions that include privacy-enhancing technologies in new or planned data gathering and processing systems.

The Report:

https://www.publications.parliament.uk/pa/ld200809/ldselect/ldconst/18/1802.htm

Media Coverage:

https://news.bbc.co.uk/1/hi/uk_politics/7872425.stm

https://www.guardian.co.uk/uk/2009/feb/06/surveillance-freedom-peers

Government Superdatabase

Over the last few months, there has been considerable media coverage of Government plans to introduce a new ‘superdatabase’ designed to track all internet and telephone use. The stated purpose of the database is to assist law enforcement agencies by facilitating access to information currently held by individual telecoms companies. It is expected that the Government will publish its detailed proposals later this month. However, the new Director of Public Prosecutions, Keir Starmer QC, has already expressed the view that, provided that proper safeguards are put in place, the database would be legitimate. Mr Starmer’s assessment contrasts starkly with that of his predecessor, Sir Ken Macdonald, who expressed the view that the database would create a ‘hell-house’ of personal private information. The Information Commissioner has previously warned that the creation of such a database would raise serious data protection concerns (see his 15 July 2008 Press Release).

Draft Communications Data Bill:

https://www.commonsleader.gov.uk/output/Page2461.asp

Information Commissioner’s Press Release:

https://www.ico.gov.uk/upload/documents/pressreleases/2008/annual_report_web_version.pdf