I previously commented on the Government's response to the HAC surveillance society report here. The Information Commissioner (ICO) has now produced a response.
In my analysis of the Government's response I pointed out that the Government's suggestion that the ICO present an annual report on surveillance would require a broadening of the ICO's remit beyond the Data Protection Act (DPA). The ICO makes a similar point:
The ICO is able to present this report using our powers under section 52(2) of the Data Protection Act 1998. However, without a widening of these powers any report will have to focus on our statutory remit relating to personal information handling. It would be difficult for a report produced by the ICO to cover other areas, for example RIPA authorisations, particularly as other bodies are responsible for their statutory oversight. We have already had some preliminary discussions with the Ministry of Justice on the practicalities and resource implications of providing an annual report. We have agreed to submit proposals to them outlining the basis on which this work can be taken forward.
In a similar vein, the ICO makes it clear that recommendations are not enough; additional resources are required if those recommendations are to be implemented:
The Committee has recommended that the resources of the ICO are expanded to accommodate sufficient technical expertise to work with the Chief Information Officer to provide advice on deployment of privacy enhancing technologies to Government (paragraph 159 of the report).
While we are already in the process of securing increased technical security expertise, the extent to which we can bring this expertise in-house is limited by the resources available to the ICO.
and, furthermore, that the ICO must be involved sufficiently early in the process to have an effect on enhancing privacy
The Commissioner, quite rightly in my opinion, shares the concern of the HAC that Privacy Impact Assessments could become a tick-in-the-box exercise:
we share the Committee’s concern that PIAs might come to be regarded as simply a bureaucratic exercise. We would therefore want to examine the practical detail of a sign off procedure for such preliminary assessments, particularly as the ICO PIA Handbook recommends early consultation with the Commissioner. It may be that this is sufficient and that any further requirement to obtain sign off from the ICO might involve a disproportionate effort on the part of both the ICO and the organisation conducting the PIA.
The ICO can't be particularly chuffed with the Government's response, which, as I pointed out, questions whether PIAs are needed at all and suggests that, if they are, it is only probably the case that the ICO will be consulted.
Having discussed some of the broader issues, the ICO then considers particular technologies.
The ICO makes it clear that the Home Office can't absolve itself of responsibility when it comes to CCTV footage:
As such, the recommendation that the Home Office take steps to facilitate an individual’s access to certain footage which relates to them (paragraph 224 of the report) is not only good practice, but necessary for compliance with section 7 of the Data Protection Act 1998, which makes provision for an individual to access their own personal information...
The ICO is disappointed that the Government reply seems to indicate that the Committee’s recommendations to the Home Office in relation to CCTV systems are addressed by the CCTV Code of Practice published by the ICO. The Committee report states that the Home Office must take responsibility for guarding against constraints on individual liberty which may be caused by the use of cameras with microphones and other forms of directed and intrusive surveillance. As the lead policymaker promoting the use and development of CCTV systems for public sector crime prevention and detection purposes it is important that the Home Office also assume its own responsibility for ensuring that unacceptable uses of CCTV are not permitted and that safeguards are in place.
The Government’s response also refers to the ICO’s powers to conduct inspections of CCTV systems as a form of safeguard. The Committee is already aware from its own recommendations of the limitation of these powers and the need to improve these.
As with CCTV, there is a need for greater involvement with the National Identity Scheme, particularly if there is any broadening of the scope, and there are clearly concerns about the audit trail that is proposed for the NIR:
The Committee has recommended that any initiative to broaden the scope of the National Identity Scheme will only be proposed after consultation with ICO (paragraph 236 of the report). We would welcome such a commitment from Government as, although we already have a constructive dialogue with Identity and Passport Service (IPS) on continued developments, it is vital to ensure we are consulted at an early stage on any new iterations of the National Identity Scheme.
In relation to the Committee’s recommendation that the Home Office submits detailed plans for securing NIR databases and contingency plans for the loss of biometric information to ICO for comment (paragraph 246 of the report), we are happy to look at the Home Office and IPS plans and provide comments on the data protection implications of such plans.
The Committee have recommended that the Home Office should address the ICO’s concerns on administrative information collected as part of National Identity Register (paragraph 248 of the report). This is welcome. We remain concerned that the amount of information is kept to the minimum with administrative information deleted as soon as it has served its purpose. We are particularly concerned about the ‘audit trail’ data and want this minimised, access restricted and early deletion.
Information sharing also requires ICO involvement (note the rather appropriate typo!)
The ICO welcomes the Committee’s recommendation that where the sharing or matching of information held by the Home Office or its agencies is proposed the ICO should act as a consultee and mediator on the same basis as Ministry of Justice (paragraph 307 of the report). This is in particular because we want to provide advice at an early stage of any proposals to ensure that they proceed in a manner which is complaint with the provision of data protection law. As mentioned above it has been a concern to us that sometimes we are consulted too late in the process to make a real difference.
In summary, then, the ICO shares many of the concerns raised by the HAC. Reading between the lines, it seems to me that the ICO is a tad annoyed that the Government uses the DPA as a bit of a get-out-of-jail-free card, without acknowledging that the use of that card requires that the ICO has teeth and is actively involved in relevant initiatives.