The argument is often made that the collection and retention of personal data is necessary for the efficient running of public services, and to aid our security services and police in the fight against terrorism and serious organised crime.
The argument that then flows from this widely accepted thesis is that for the transactional relationship between the state and the individual to work efficiently and effectively, there has to be certainty about claimed identity.
(The same is of course true of transactions in the private sector, but this morning I shall focus on public sector retention of personal information). Few would dispute that reliable means of authenticating identity are required. But the battle lines are joined when the government asserts that its plans for identity cards are the indispensable and cost effective way of achieving this.
Before I go into the practical implications of data collection, retention and identity, I want to step back for a moment to establish what exactly it is that we are dealing with. Who has the right of control over personal information? Control should also carry with it the attribute of privacy which the individual may or may not seek. The question therefore of whom or what has control over personal information goes to the heart of whether information about me is really mine.
<h2>The Individual and the State - the Right to Privacy</h2>
The modern idea of a right to privacy is commonly thought to have developed in America, from a seminal article in the 1890 Harvard Law Review by Louis Brandeis and Samuel Warren. They asserted that privacy was the 'right to be let alone'. It is instructive that the context was then recent technological developments such as photography and mass journalism which, it was argued, meant that previously hidden information was now 'shouted from the rooftops'. Drawing on the common law, which includes the rulings of our own famous seventeenth century judge, Sir Edward Coke, as well as theories of natural rights, they said and I quote 'that the individual should have full protection in person and in property is a principle as old as common law; but it has been found necessary from time to time to define anew the exact nature and extent of such protection. Political, social and economic changes entail the recognition of new rights, and the common law, in its eternal youth, grows to meet the new demands of society'. I suggest, Ladies and Gentlemen, that we are at one of those points. What should the right to full protection cited by Brandeis mean in today's conditions?
Technology has of course changed things. Even as compared with a decade ago, technology has allowed the provision of many services to become automated and thus more cheaply delivered. It has also permitted new threats to our national security to develop and to be pursued. We cannot now put the clock back on the capacity to generate, collect and process information on vastly greater scales. And we can be sure that the pace of technological change will continue to quicken. In practice therefore the right to privacy cannot any longer be defined simply as the right of the individual to be let alone. We all want too much from the state for this to be a helpful guideline by itself. What technology has not however changed, it seems to me, is the fundamental point that the individual is the rightful owner of personal information and that the state is merely possessor and should behave as a responsible custodian. So what, in today's conditions, can the 'full protection' to which Warren referred in his article, mean?
<h2>The Issues </h2>
Today, privacy must mean a clear statement on the part of those who have custody of personal information of their purpose in retaining it and of their commitment to its proper management. I suggest that in practice, with certain exceptions for reasons of national security and crime, this means that
Lest you think I have made up these criteria and that they might be thought unreasonably demanding, I should add that what I have just cited are the provisions of the EU Data Protection Directive of 1995 to which the UK is signed up and which it claims to have implemented. But has it?
<h2>The Data Protection Act </h2>
Let us look at the implementing legislation and practice. First there is the Data Protection Act of 1998. This has transposed into UK law most but not all of the provisions of the Directive. Thus, crucially, the requirement that the individual be automatically informed when his data is processed is not met nor is the right of access to it. The individual may request access in writing but must go to the courts to get enforcement if the request is refused. I would like to know how the individual can even be aware that data is being collected if there is no obligation on the collector to inform. It follows that the ability to ensure that it is correct and up to date - another provision of the Directive - is substantially curtailed by the state of ignorance in which the owner of the information is kept and the obstacles put in the way of access to it. The state, it seems to me, is behaving as if it owned our information - not you and me. So much for Warren's right of full protection.
The UK has also put in place the Regulation of Investigatory Powers Act (RIPA). I think an examination of its provisions reveals that it does anything but regulate. Rather, it represents a stark example of function creep and would be better termed the Investigatory Free for All Act. The Government will sometimes claim that one should not confuse retention and access. But data is retained for the purpose of being accessed and the distinction is meaningless. First, this audience will recall that RIPA was originally introduced on grounds of national security, but over time its scope has been extended significantly so that information may be retained and accessed or surveillance undertaken for a wide range of vaguely defined matters such as 'economic well-being', 'protecting public health' and 'tax collection'.
The Home Secretary even maintains the right by Ministerial Order to create additional reasons as to why communications data can be obtained. So much for a meaningful interpretation of the Directive's requirement for a 'stated purpose' for collection. Secondly who can get at the stored information? The range of bodies allowed to access data or to undertake surveillance has been extended over time and now includes all 474 local councils in England, every NHS trust and fire service, 139 prisons, the Environment Agency and the Royal Mail. Among others. Which is how we find it being used in relation to dustbins, dog fouling, traffic offences and so on. Yet, under the Data Protection Act, you and I, owners of the information, have our right of access to it restricted.
I should add that the Government has launched a consultation on RIPA, but a careful examination of the consultation document reveals that the government does not really propose to restrict the scope of RIPA. In fact there are suggestions in places of handing out extra access.
Against this background can one be surprised at the unruliness which prevails over the police DNA data base in England? This is much prized by the police and its defenders as a tool for crime detection. I would be the last to dispute this though we should remember that DNA cannot be the only relevant evidence. But it does not follow from the utility of DNA that its retention should be discretionary, that there should be no rules and no governance over its retention.
As things stand, not only is the DNA of convicted persons on the data base, but that of people not convicted and indeed of bystander witnesses who may have had their DNA taken purely for the purposes of elimination. But they have no right to have their data removed. This is at the discretion of Chief Constables, who rarely exercise it. Not surprisingly this DNA data base is the largest of its type in the world. Scotland and other countries manage things with less prejudice to the reputation of the innocent. The absurdity of the present situation is very clearly shown in a current rape case where the police have appealed for men in a particular area to volunteer DNA samples. Even under the new proposals for DNA storage, responding in an act of good citizenship will carry with it the penalty of having one's DNA stored for six years. One is entitled to wonder if this is not counterproductive.
<h2>European Legal Proceedings </h2>
You will not be surprised to hear that in April this year, the European Commission began formally investigating the UK over its implementation of relevant data Directives and found it to be inadequate, commenting that there were 'structural problems in the way the UK has implemented EU rules ensuring confidentiality of communications'. It criticised UK law for being limited in scope, for not covering all communications or forms of interception, and for the absence of a truly independent supervisory authority. The deadline for the UK's reply expired a few days ago. If the reply is not satisfactory, and it is difficult to see how it can be, the Commission will proceed to the next stage. If the matter goes to Court, the UK could find itself fined. That is to say you and me as taxpayers. Talk about adding injury to insult!
Let me turn for a few moments to another proposal over which the government is at present consulting, which concerns the Intercept Modernisation Programme. What this deals with is the ability in law of the government to catch up with the development of communications technology in the digital age to intercept voice over internet protocol (VOIP) messaging for national security purposes. We are all of us increasingly going over to internet telephony. The amount of data that is generated on a second-by-second basis, for instance by people using phones or the internet, is difficult to comprehend. Take just one example. Last year 57 billion text messages were sent in the UK, which works out as 1,800 text messages sent every second. The government wishes, it seems, for the purposes of pursuing organised crime and terrorism, to enforce the storage of a vast proportion of all the traffic generated and processed by service providers in the UK. In an effort to reassure it makes a distinction between the access it wants to the message's envelope rather than to the letter inside - a distinction which is less than real in the internet world.
We know - and I certainly accept - that communications are an important means of tracking criminality. We need to be able to do this. But as global digital communications grow exponentially, and putting aside the moral question, can the government's ambition to collect so much be a sensible one? How many government or service provider information haystacks is government going to insist on creating? At what cost to the taxpayer or telephone user? If we do think this a sensible use of significant resources - and I have severe doubts that it is - what should be the rules governing its exploitation? How will these be enforced and how will the enforcement be supervised? The proposals are sketchy and not reassuring on this point. No warranting is envisaged. And since the amount of information being stored will be so vast, it would appear impossible to use it effectively without employing data mining techniques. Is this an acceptable consequence? Lastly, why on earth should all the bodies which have access to government stored information under RIPA now have access to this material as well? This is what the government proposes. One has to ask, will there be any private parts Big Brother cannot reach?
It is instructive in this regard to look at the experience of the United States in trying to collect all communications data - something the British Government is trying to emulate now. The National Security Agency had a massive project called Trailblazer which started in 1999 and was abandoned in 2005 following delays and cost overruns. General Hayden admitted to the US Senate Select Committee on Intelligence, 'We learned that we don't profit by trying to do moon shots'.
Another moonshot is the government's plan for ID cards. At one time I thought they were a good way of meeting the increasing need for reliable identity authentication. But not when I discovered what the government really intended to do. At a cost which has variously been estimated at £5 billion by the Government but between £10.6 and £19.2 billion by the London School of Economics - in all ways very big sums at a time of financial stringency - the new Home Secretary has nevertheless regrettably said he will still go ahead with this serious error. When up and running it is proposed that a central national data base will contain 50 (yes, 50) separate items of information on all individuals. The government has sought to give assurances about privacy protection, safeguards and limits while opening the door wide to the Home Secretary to extend by simple Order the scope and remit of the ID cards scheme. Mission creep again. The Information Commissioner has expressed alarm that the ID cards are 'beginning to represent a very significant sea change in the relationship between the state and every individual in this country.'
I should say so. The fact is that there are simpler, less intrusive and in the end more effective ways of carrying out identity authentication. And the former national technical officer of Microsoft, Jerry Fishenden, has warned that the National Identity Register will create a 'honey pot' effect, attracting hackers, fraudsters and potential terrorists who will try to hack into it and that this could trigger a massive identity fraud on a scale beyond anything we have seen before. Even without the UK's lamentable record in getting big IT projects up and running efficiently and securely, a view of this kind, which is widely shared in the IT community, should give the government pause. Frankly, Ladies and Gentlemen, there are many other objections to this project. But this is the most powerful: far from creating identity certainty and security, this project risks identity mayhem. And yet the government bats on oblivious.
So what should we do with this mess? I think it shameful that this country, which prides itself on being a progenitor of individual liberty and which is supposed to keep the powers of the state in check, should have allowed this situation to arise. I heard the outgoing Information Commissioner say on the radio the other day that he felt that the country had at last begun to wake up. Smelt the morning coffee perhaps. A Conservative government certainly does not propose to let the present situation lie.
I want to end by looking at what we should do in three key areas.
First, the governance and regulation of data. Secondly, how data is stored.
Thirdly, how citizens should be able to exercise their right, national security reasons apart, to discover
I have proposals in six areas.
First, we need a review of the Regulation of Investigatory Powers Act as soon as possible, substantially curtailing the current powers of access under it.
Secondly in relation to existing and new data bases, we need to ensure that each has a statement of purpose and clear criteria for the terms on which information stored on it can be held. Necessity, not convenience, should be the criterion. And security should be a priority.
Thirdly, we need to move away from the tendency to centralise data collection and instead have separate and disaggregated information systems and databases, with as necessary and justified, regulated transfer between them. More secure. Less open to abuse.
Fourth, while not forbidding information transfer between systems and users, there certainly needs to be greater regulation and oversight. Transfer must be based on clear and legitimate business need, and the information supplied must be limited: it should meet the requirements of the request concerned and nothing more.
It has been argued that these points can be achieved, even in the context of centralised databases, by putting ethical guidelines for users in place. There is obviously no objection to such guidelines but, by definition, they would not be binding or enforceable, and a code would not by itself be enough. I fear we need penalties and therefore enforceability.
Finally, there needs to be greater transparency for, and accountability to, the public. With any necessary caveats for national security, mechanisms need to be developed to enable the public to exercise with reasonable ease the right to know the information held about them by public bodies. And correct it and, unless the law specifically provides otherwise, have it removed. They should know how the data is used and about its transfer to other organisations.
In all of this, I would like to see the role of the Information Commissioner enhanced. I welcome the recommendations of the report by the House of Lords Select Committee on the Constitution entitled Surveillance: Citizens and the State, which merit close scrutiny. In January 2009 it suggested that the Government instruct departments to consult the Information Commissioner at an early stage of policy development with privacy implications. It recommended that the existing statutory basis on which the Information Commissioner carries out unconsented inspections of public sector organisations processing personal information systems be extended to the private sector. This is primarily because of the extensive outsourcing and information exchange by government that now takes place. It also said - very importantly - that in conjunction with the Information Commissioner, the government should undertake a review of the law governing citizens' consent to use of their personal data. The point I have just made. Regrettably, the government has given most of these recommendations short shrift.
We should take the opportunity of overhauling law and practice in the area of data collection actually to strengthen the office of Information Commissioner. The outgoing holder of the office, Richard Thomas, has said, and I quote, that his 'powers, sanctions and resources - fixed in another era - are now wholly inadequate. The ICO has made clear for some time that a stronger approach is required to help prevent unacceptable information handling'. He asserts that 'at last' the Commissioner will be able to impose substantial penalties for deliberate or reckless breaches and will have new powers to undertake inspections and audits of data controllers. And these powers have had to be wrenched out of a reluctant Executive as the result of major, embarrassing and damaging losses of sensitive personal information. In Richard Thomas's words 'it is unfortunate that it has taken calamity to convince the government that we need stronger powers, resources and sanctions'. This calamity was, of course, the loss of 25 million child benefit records by HMRC in 2007. There is a related point here, which is that the Office must be staffed adequately to meet current and future roles. Richard Thomas has said in terms that the ICO does not have the financial or staff resources to complete all its work. This must be remedied.
My colleague, Dominic Grieve, the Shadow Justice Secretary will be going into all of these issues in greater detail in the near future.
Let me conclude. As I made clear at the start, the individual is the rightful owner of personal information and the state is merely possessor and should behave as a responsible custodian. We need to roll back the advance of Big Brother and restore this fundamental right of our citizens. Restoring privacy today must mean a clear statement on the part of those who have custody of personal information of their purpose in retaining it and of their commitment to its proper management. This will necessarily involve a review of most of the government's centralised databases, their use and access to them regulated. It leads to the unavoidable conclusion that the Information Commissioner should emerge as one of the important offices of state in the twenty first century.