UK Liberty

Published today on the Parliament website.

Some highlights (my emphasis in bold), but do read the whole document:

In the Committee’s view, recent lapses in data protection are not unfortunate “one-off” events but are symptomatic of the Government’s failure to take safeguards sufficiently seriously. There is insufficient respect in the public sector for the right to respect for personal data. Human rights are far from being a mainstream consideration in Government departments. The Committee has seen no evidence that departmental human rights champions have made any impact. It recommends that, in its responses to the reviews under way, the Government should state how it proposes to ensure that a culture of respect for personal data is fostered throughout Government (paragraphs 27-35).

…

The Committee has expressed concern before about treatment of personal information as part of the National Identity Register. Recent breaches in data protection do not encourage confidence about the security of data collected for it (paragraphs 41-46).

The Committee regrets that it has taken the loss of personal data affecting 25 million people for the Government to take data protection seriously. Once reviews of data protection legislation and practice have been completed, it expects the Government to take action to foster a positive culture for the protection of personal data by public sector bodies (paragraphs 41-46)….

We have repeatedly expressed concerns, from a human rights standpoint, about the adequacy of the safeguards accompanying such wide powers to share personal information, but these have, for the most part, been rejected by the Government.

…

In its written memorandum, the Information Commissioner’s Office said that “the unnecessary or disproportionate sharing of personal information can undoubtedly have a significant negative impact on individuals”. It drew attention to public concern about the mismanagement of sensitive personal information, particularly in relation to health records, tax returns, police records and adoption papers. It went on to say, however, that: It is wrong to see the sharing of personal information as necessarily a bad thing, one that can necessarily be opposed on data protection or human rights grounds … The issue … isn’t whether there should be more or less information sharing, but rather what information is being shared, why it’s being shared, who has access to it and what the effect of this is.

…

In our legislative scrutiny work, we have often raised concerns relating to the arrangements for sharing data and recommended that, where relevant, bills should include specific data protection safeguards. In our view, appropriate safeguards include clearly defining who should be allowed to access information; to whom information may be disclosed; and the purposes for which information may be shared.

The Government’s response has generally been to resist our recommendations. It points to the fact that public authorities must comply with the provisions of the Data Protection and Human Rights Acts and argues that, as a result, it is not necessary to put specific safeguards in primary legislation. [well worth reading the table of legislation and concerns]

…

We fundamentally disagree with the Government’s approach to data sharing legislation, which is to include very broad enabling provisions in primary legislation and to leave the data protection safeguards to be set out later in secondary legislation. Where there is a demonstrable need to legislate to permit data sharing between public sector bodies, or between public and private sector bodies, the Government’s intentions should be set out clearly in primary legislation. This would enable Parliament to scrutinise the Government’s proposals more effectively and, bearing in mind that secondary legislation cannot usually be amended, would increase the opportunity for Parliament to hold the executive to account.

…

The Identity Cards Bill was an enabling provision and the details of the scheme will be set out in secondary legislation. Our predecessors expressed their concern that the opportunity for parliamentary scrutiny of the human rights compatibility of the identity cards scheme will therefore be limited. They also drew attention to the scale of the personal information which may be held on the National Identity Register.

The Information Commissioner told us he had been “consistently sceptical” about the database aspects of the project and that he still sought “absolute clarity as to the rationale and purpose for the identity card scheme”. He went on to add that: it is one thing to collect basic identity information – name, address, date of birth and so on; but if one is going to record details of every time that card is used or every time that card is passed through a reader of some sort, one then begins to build up a very detailed picture of the daily lives of citizens … That does go to the heart of the relationship between state and citizens.

In addition, he said he was concerned with issues such as who had access to the data on the database, and under what circumstances, and the purposes for which data was collected and used.

We share the concerns expressed by the Information Commissioner about the National Identity Register, which also mirror the views of our predecessors in their work on the Identity Cards Bill. Identity cards do not in themselves raise issues of human rights compatibility. The creation and maintenance of a national identity database, however, must involve safeguards, both to ensure that the information which is collected is proportionate to the purposes for which it is required and to limit access to data to those who need it.

We received a letter from a number of academics specialising in IT security who claimed that the Government’s confidence in biometric security was “based on a fairy-tale view of the capabilities of the technology”. In this inquiry, we have not tested their view of the effectiveness of biometric technology in limiting the impact of human error. In the light of recent events, however, they argued that the use of the most advanced technology available would not necessarily prevent human error causing lapses in data protection: Biometric checks at the time of usage do not of themselves make any difference whatsoever to the possibility of the type of disaster that has just occurred at HMRC. This type of data leakage, which occurs regularly across Government, will continue to occur until there is a radical change in the culture both of system designer and system users. The safety, security and privacy of personal data has to become the primary requirement in the design, implementation, operation and auditing of systems of this kind.

…

We are surprised, and disappointed, to find that senior public officials need to be reminded of the main principles of the Data Protection Act.