Police DNA Database Cut Down to Size

May 4th, 2009 by Anya Proops

The Home Secretary, Jacqui Smith, will this week unveil plans to remove from the police national database DNA information relating to up to one million innocent people. The proposals come in the wake of the ECtHR’s judgment in Marper in December 2008 that the practice of retaining the DNA profiles of innocent people on the database constituted an unjustified interference with the Article 8 right to privacy. Privacy campaigners have welcomed this development but continue to lobby for further limitations on the database, including removing the DNA profiles for minor offenders. See further Tim Pitt-Payne’s article on the Marper judgment in the New Law Journal.

Super Database – Not so Super After All

April 29th, 2009 by Anya Proops

The Home Secretary has this week announced that proposals to create a State-run super database, which would track everyone’s use of email, internet and text messages, have been scrapped. The announcement is hardly surprising. It was always going to be difficult to persuade the public that such a database could be kept secure, particularly in light of recent high-profile controversies about large-scale losses of electronic personal data by government agencies. Moreover, allowing the State to develop such a vast single repository of electronic communications data was always going to raise questions as to whether the resulting interference with private rights was proportionate and was otherwise consistent with the State’s obligations under the Data Protection Act 1998. The Government has now issued a consultation paper on new plans to allow telecommunications companies to retain the communications data for a period of 12 months. See further the Home Secretary’s Ministerial Statement.

California court says don’t cry before you’re hurt

April 27th, 2009 by Timothy Pitt-Payne QC

In November 2007 it was announced that HMRC had lost two CDs containing personal information about 25 million people.  Since then there has been a steady stream of stories about data losses, mainly from the public sector.

The Data Protection Act 1998 requires appropriate measures to be taken against the accidental loss of personal data.  Breach of this requirement can lead to enforcement action by the Information Commissioner. An individual whose data was lost could claim compensation from the data controller under section 13 of the Act, but only on proof of damage.  If the individual had suffered identity fraud as a result of the breach then this would probably be sufficient.  What if the individual argued that he was now at a higher risk of ID fraud, even though no fraud had yet taken place?  Would this count as damage?

A US district court in California has recently considered a similar question.  In Ruiz v Gap and Vangent a laptop was stolen containing unencrypted personal data of 750,000 Gap job applicants.  In a class action, the plaintiff sued for negligence, contending that he and the other class members had suffered damage consisting of exposure to an increased risk of ID fraud.  The Court granted summary judgment to the defendants and dismissed the claim.  Speculative harm, or the threat of future harm, was not enough for a cause of action in negligence.  The plaintiff relied on cases where recovery had been allowed for medical monitoring after negligent exposure to toxic substances; the court rejected the analogy.  It also noted that Gap had informed those whose information was on the laptop, and had offered to provide them with 12 months of free credit monitoring.  The plaintiff had not taken up this offer.

In policy terms it is questionable whether strengthening individual rights of action is the best way to deal with data loss.  Of course, individuals who suffer direct financial loss – through ID fraud or otherwise – should be compensated.  But in the Ruiz type of claim individual damages are likely to be modest.  There is no great social benefit in spending a lot of time and money in order to provide a wide class of individuals with low-level compensation.  Instead the focus should be on deterring breaches and avoiding recurrence.  The Information Commissioner’s new power to fine for serious data protection breaches (DPA section 55A) is a step in the right direction, though not yet in force.

If the UK regulatory framework needs further strengthening then one option would be legislation requiring data controllers to notify affected individuals where information is lost or stolen.  Last year the Thomas/Wolpert data sharing review recommended notification to the Information Commissioner as good practice, but not as a mandatory requirement.  The Government agreed.  Its response (see page 19) made clear that it had considered, and rejected, the possibility of a US-style law requiring notification of data breaches to the individuals affected.

Incidentally, I found the Ruiz case via the excellent blog maintained by InfoSecCompliance LLC, a US firm specialising in privacy, information law and data security. David Navetta is their founding member.

Rethinking RIPA

April 20th, 2009 by Anya Proops

On 17 April 2009, the Home Office launched a consultation on plans to stop investigatory powers being used under the Regulation of Investigatory Powers Act (RIPA) for trivial purposes. It seeks views on questions including: which public authorities should be able to authorise key investigatory techniques, for example, the use of communications data or covert surveillance in public places under RIPA; the purposes for which these investigatory techniques should be used; the option of raising the rank of the local authority employee authorising the use of investigatory techniques to senior executive; and whether elected councillors should play a role in the authorisation. The consultation follows on from a spate of public outcries about the use of surveillance powers by public authorities, including not least the use of covert cameras by local authorities to watch how residents use their rubbish bins and the use of covert surveillance techniques to track a family which the local authority suspected may be living outside the local school catchment area. The issue of how the investigatory powers available under RIPA should be used is particularly topical in view of the recent controversy over techniques used by the police to photograph protesters, many of whom it is argued are merely peaceful demonstrators.

Bad Phorm?

April 16th, 2009 by Anya Proops

The European Commission has announced that it is mounting a legal challenge in respect of the use of targeted online advertising in the UK. The challenge follows complaints which were made to the Commission in response to BT’s act of testing the technology on BT broadband users without their consent. The technology, which is the brainchild of a company called Phorm, enables internet service providers (ISPs) to profile what sites internet users visit so as to enable advertising companies more astutely to target their adverts on individual users. The Commission has taken the view that the UK has breached EU data protection laws by permitting the deployment of the technology in the absence of user consent. The Information Commissioner’s Office has previously stated that the use of the technology would be permissible if operated on the basis that users have opted in to the system. The Commission’s challenge raises real questions as to the legality of Google’s recently launched behavioural targeting system. See further my post on this system below.

DPA/FOIA overlap

April 14th, 2009 by Timothy Pitt-Payne QC

The overlap between FOIA and the DPA gives rise to a number of difficult problems.

In a paper just posted on 11KBW’s website (and originally delivered to a JUSTICE/Sweet & Maxwell conference in December 2008) I discuss some of these issues.  In particular, I deal with the practical problems that arise when an individual makes a request for information to a public authority and some (but not all) of the information constitutes his own personal data.  Because the request falls under both the DPA and FOIA, the Information Commissioner will need to deal with any complaint under two different legal regimes; if the requester subsequently appeals, the Information Tribunal will not have jurisdiction to deal with all the issues raised by the request.  The article suggests that the present position is unsatisfactory and discusses options for reform.

The Age of Internet Surveillance

April 6th, 2009 by Anya Proops

With effect from today, all UK internet service providers (“ISP”) will be required to retain data relating to every email which is sent and every online telephone call which is made using their services. The data, which must be stored by ISPs for 12 months, will not include the content of the email or the call. It will however include the date, time, duration and routing of the online communication as well as information as to the internet subscriber or user. The obligation to retain this data is imposed under the Data Retention (EC Directive) Regulations 2009 (“the Regulations”). The regulations were enacted in order to bring into effect the provisions of the Data Retention EU Directive 2006/24/EC. The Directive was itself enacted in response to concerns that a lack of consistency of approach to data collection across Europe, particularly in the field of internet communications, was hampering the fight against crime, including international terrorism. The effect of the Regulations, which come into force today, is that the data retention principles which already apply to telecoms providers under the Data Retention (EC Directive) Regulations 2007 will now also apply to internet providers. As well as retaining the communications data, the internet service provider must afford access to particular data where they are required to do so by law (regulation 7). They must also abide by certain principles relating to the protection and security of the data (regulation 6).

Rowntree Report on Database State

March 23rd, 2009 by Anya Proops

The Joseph Rowntree Reform Trust has today published its report ‘The Database State’. The report purports to amount to the most comprehensive map of central government databases yet created. In total 46 databases across the major government departments were considered in the report, including, for example, the national DNA database, the national pupil database, the NHS detailed care record system and the automatic number-plate recognition system. In summary, the report concluded that:

  • a quarter of the 46 databases reviewed were ‘almost certainly illegal under human rights or data protection law; that they should be scrapped or substantially redesigned’ (including, for example, the ContactPoint index of all children in England and the national DNA database – on the latter database, see further the January 2009 post on the Marper case);
  • ‘more than half have significant problems with privacy or effectiveness and could fall foul of a legal challenge’ (including, for example, the NHS Summary Care Record and the National Pupil Database);
  • fewer than 15% were ‘effective, proportionate and necessary with a proper legal basis for any privacy intrusions’;
  • Britain was generally out of line with other developed countries as a result of its comparatively greater tendency to centralise and share records on sensitive matters like healthcare and social services; that ‘the benefits claimed for data sharing are often illusory’.

Along with the House of Lords Report on the Surveillance Society published in February 2009 (see further the February 2009 post on the Lords Report), this report is likely to increase pressure on the Government to reexamine a raft of policies on data collection, management and storage.

http://www.jrrt.org.uk/uploads/Database%20State.pdf

Executive Summary:

http://www.jrrt.org.uk/uploads/Database%20State%20-%20Executive%20Summary.pdf

Links and resources

March 21st, 2009 by Timothy Pitt-Payne QC

On the left-hand side of this page you will see a list of links.  The first link is to a collection of information law resources on 11KBW’s main website.  There are conference papers and other materials written by members of chambers; in particular there is an 80 page practical guide to the Environmental Information Regulations, written by Anya Proops.  In discussions of FOI, we find that the EIR tend to be unduly neglected; Anya’s guide is a contribution to redressing the balance.

You will also find links to online resources maintained by a wide range of organisations and individuals: Government departments, regulators (both in the UK and overseas), academic institutions, legal practitioners, campaigners and bloggers.  If you think that there is anything that we should add, please email me on Timothy.Pitt-Payne@11kbw.com.  Needless to say, we don’t take responsibility for the information or opinions posted on any of these external sites.

Many thanks to all those who have provided feedback and encouragement following our launch last week.  Particular thanks to Delia Venables for the speed with which she added us to her comprehensive listing of online legal resources in the UK and Ireland.

Welcome to Panopticon

March 16th, 2009 by Panopticon Blog

Welcome to “Panopticon”, a new blog about Information Law maintained by members of 11KBW’s Information Law Practice Group.  We opened our doors to the public on 18th March (you will see some earlier posts, below, created while the blog was still under development).

Information law is about the right to know, and the right to keep private – and it is also about the ever-shifting boundary between those rights.  It encompasses areas such as data protection, freedom of information, the protection of private information under article 8 of the European Convention on Human Rights, breach of confidence, and the regulation of surveillance.  It is a fascinating and fast-moving area of the law, and is directly relevant to contemporary debates about open government, the “database state” and the “surveillance society”.  For a more detailed explanation, click on the link at the top of the page (“What is Information Law?”).

A word about our title.  The Panopticon was Jeremy Bentham’s proposed new model prison, in which constant surveillance would be a tool for moral regeneration (see here for details and illustrations).  It has become an enduring metaphor in debates about the benefits and the dangers of systematic information-gathering.  The title has a secondary meaning:  this site is our own “Panopticon”, in which we try to keep an overview of developments in this area and to share them with our readers.

We hope you will find the blog interesting and informative.  You may also be interested to explore 11KBW’s main website:  this includes a wide range of conference papers and other materials about information law.

We don’t have a facility to post comments on individual posts, but please feel free to provide feedback by emailing Claire Halas:   Claire.Halas@11kbw.com