What is in the 'in tray' for the next government? Keynote address to Cityforum's Information Intensive Society Roundtable - 'Balancing security with privacy'.
Many in this audience will be aware of the Conservative Party's policy paper, 'Reversing the rise of the surveillance state', which was published in September. This paper took as its premise two things.
First, that under Labour, government has become ever more intrusive and relied to a significant extent on large databases. And secondly, that at the same time government has neglected its responsibility for protecting the right of the individual to privacy.
The Shadow Secretary of State for Justice said at the launch: 'As we have seen time and time again, over-reliance on the database state is a poor substitute for the human judgment and care essential to the delivery of frontline public services. Labour's surveillance state has exposed the public to greater - not less - risk'.
Lest anyone ask for evidence to prove this, we need only look at the number of data handling errors and scandals that have occurred over recent years to see that there is a problem. A direct outcome of these errors and scandals has been an erosion of public trust and confidence in government. Perhaps worse still from the point of view of this country's security, all of this has had some very specific implications for those working in the national security environment.
The national security aspects of this debate are something I will come onto. But let me start by looking at some very basic concepts that should underpin the overall approach of government to balancing the need for efficient services on the one hand and the need to maintain the right to personal privacy on the other.
<h2>Principles underpinning the Conservative Party's approach</h2>
In February I decided to look at the philosophical and historical basis for the idea of a right to privacy. I found that the idea is commonly thought to have been developed in America in a seminal article by Louis Brandeis and Samuel Warren in the 1890 Harvard Law Review. It is instructive that, at the time it was written, the context was recent technological developments such as photography and mass journalism which, the authors argued, meant that previously hidden information was now 'shouted from the rooftops'. In response to this, they argued that privacy was the right to be 'let alone'.
More importantly, however, they said the following: 'that the individual should have full protection in person and in property is a principle as old as common law; but it has been found necessary from time to time to define anew the exact nature and extent of such protection. Political, social and economic changes entail the recognition of new rights, and the common law, in its eternal youth, grows to meet the new demands of society'.
I suggest that we are at one of those points when it is necessary to define anew the nature and extent of such protection. In other words, what should privacy mean in the internet age?
We all know that technology has changed things. It has allowed the provision of many services to become automated and thus more cheaply delivered. It has also permitted new threats to our national security to develop and to be pursued. We cannot now put the clock back on the capacity to generate, collect and process information on vastly greater scales. And we can be sure that the pace of technological change will continue to quicken. In practice, therefore, the right to privacy cannot any longer be defined simply as the right of the individual to be let alone. We all want too much from the state for this to be a helpful guideline by itself.
What technology has not however changed is the fundamental point that the individual is the rightful owner of personal information, and that the state is merely possessor and should behave as a responsible custodian. And that is the first and fundamental principle that the Conservative Party has put forward.
It is also one of the principles that has emerged from many of the investigations and reviews into recent data loss scandals. For example, following the loss of 25 million individual records by HMRC in November 2007 the various reviews recommended what has been called a 'trust based model' of data handling, whereby organisations recognise that the individual is the owner of personal information and that they are just the possessor that should behave responsibly.
If public trust is recognised as the key factor that underpins the collection and use of data, what then are the implications for existing systems?
The majority of this audience will no doubt be aware of several of the Conservative Party's commitments in this area. These include scrapping ID cards and the ContactPoint database, the Party's clear articulation of principles for the use and retention of samples on the National DNA Database which will end the permanent or prolonged retention of innocent people's DNA, and the Party's commitment to review the Regulation of Investigatory Powers Act to restrict the access local authorities have to communications data.
Each of these commitments has its own merits and I will not go through an analysis of them today. What I want to do instead is outline a more general framework for approaching the collection and use of personal information. In other words, to look at the question: are there more detailed guiding principles that we can use or develop?
The Party has certainly attempted this task, outlining a number of things like:
Many of these are already contained in existing data directives and legislation, so the problem must lie in how they have been interpreted and implemented. Indeed, the European Commission has begun formally investigating the UK over its implementation of relevant data Directives which it has found to be inadequate, commenting that there are 'structural problems in the way the UK has implemented EU rules'.
How then, should these be applied - particularly in the context of the rapid pace of technological change? I would suggest three things.
First, that the Party recognises there can be no hard and fast rules that apply equally to all systems.
Much of the narrative that surrounds the collection and use of personal information makes the assumption that all data systems and processes are the same. Perhaps this is true from a basic technical point of view. But what one needs to do is look at the output that is required and whether that output and the systems and processes that lead to it are necessary and proportionate.
Each system should be reviewed on its own merits and a clear statement of purpose developed. As part of this statement of purpose, justification should be provided for why and how information is collected, stored and used.
Secondly, that the legal framework for data collection and use needs to be reviewed and updated. I have already mentioned the Regulation of Investigatory Powers Act. The problem with this piece of legislation is not, of course, one just of mission creep. The pace of technological change and the shift to internet-based communications will actually void, if not overturn, many of the procedures contained in this Act.
The third point I want to touch on is the regulatory regime.
It is no secret that the previous Information Commissioner, Richard Thomas, thought his office under-resourced for the task he had. That he also became so vocal on certain issues is, I think, a reflection of the fact that - even though he had the power to impose sanctions on the public and private sectors - the political climate in which he operated limited the extent to which he thought he could use these powers. What this points to is the danger of having - or allowing to develop - a substantial gap between the regulatory regime that the regulator itself considers is required and the one that the government of the day allows. I have said that the Conservative Party would want to see the office of the Information Commissioner emerge as one of the important offices of state in the twenty-first century.
But given the pace of technological change, I want to focus on the regulatory regime in a bit more detail and in particular on how it should evolve.
What people have tended to focus on is strengthening top-down regulation and oversight. This focus is understandable, but a top-down sanctions regime will not solve the challenges posed by the 'human in the machine'. Sanctions do not positively incentivise people to change behaviour. At worst they can create a climate of fear or timidity and be debilitating.
That is certainly one of the main reasons why the Conservative Party and others are proposing that the Information Commissioner's Office partners with Departments and agencies - and indeed the private sector - rather than merely imposing standards and requirements from the "outside".
The Conservative Party, for example, has suggested that the Information Commissioner come in at the formative and conceptual stages of policy and system development to conduct Privacy Impact Assessments with Departments. The House of Lords Select Committee on the Constitution has made a similar suggestion.
But this activity should not be limited to privacy implications: it should encompass working practice, behaviour and culture, and how these relate to the systems that are used. In other words, it should cover all aspects of data handling. That is why championing and embedding the Information Assurance agenda across all Departments will continue to be a priority.
A challenge for any future government, however, will be to decide the balance to be struck between the interventionist and sanctions approach to regulation and the "partnership" approach or model. The partnership approach means accepting that at some point things will almost certainly go wrong. In such instances, there might be implications for the imposition of sanctions given that the regulator might have been working alongside. This is an issue that will need to be worked through.
<h2>National security aspects of the debate</h2>
Let me look now at the national security aspects of this debate.
National security issues will always have special handling and exemptions compared to other public information. But you will have noticed that public outcry following various data loss scandals has encroached on the debate about maintaining the state's ability to intercept communications data.
Communications data is vital to the law enforcement and intelligence community in tackling a wide range of threats, including terrorism, organised crime and child exploitation. The shift of users to Voice over IP will result in a capability gap for the agencies. So the question is: how to maintain capability in a changed environment?
There are two related considerations in this respect. First, whether additional data needs to be collected and, if so, how much data and for how long, and the rules that should govern its exploitation. And, secondly, whether the law enforcement community needs to adapt its methods of operation to suit the internet age, recognising that complete coverage might not be possible.
All I will say for the moment, given the sketchy nature of current proposals, is that schemes involving collection of all forms of communications data are not the solution. Better, in my view, in an area that is so legally, morally and technologically complex, to adopt an incremental approach that gradually tests what is needed - and what is not needed - and how legal frameworks and oversight regimes might need to evolve.
This, then, is a pragmatic approach to a sensitive and complex area.
Today, given the rapid pace of technological change and the fact that data and computer systems underpin all aspects of daily life, the right to privacy cannot any longer be defined simply as the right of the individual to be let alone. But this does not alter the fact that the possessor of information should act as a responsible custodian.
What, then, is the task of any incoming government?
It is to restore public trust in the handling of information by respecting the rights of information owners.
It is to ensure that the legal framework for data collection and use keeps pace with changes in technology.
And to ensure that the regulatory regime likewise keeps pace with changes in technology.
But, perhaps most important, and underpinning all of these points, is the need to raise awareness and understanding and to develop a culture of safe, secure and responsible data handling, both within government and in the general public.