Conservatives seek to reverse rise of Surveillance State

29 Sep 09

“We are not looking to throw the baby out with the bathwater here, but we do want to recalibrate the relationship between the citizen and the State. This Government has undermined public trust in that relationship. A Conservative Government is committed to restoring it.”

So said Dominic Grieve QC, the Conservative MP for Beaconsfield since 1997 – and, of course, presently the Shadow Secretary of State for Justice – when launching a new 16-page Tory missive on personal privacy and security entitled ‘Reversing The Rise of The Surveillance State’. These and subsequent words were uttered alongside fellow ‘blue’ Eleanor Laing (the MP for Epping Forest and shadow justice minister) just a few days ago.

As a former local councillor and lay visitor to numerous police stations, Grieve has long cared about the impact of crime on local communities. He’s a strong believer that members of the public are absolutely key when it comes to “tackling crime from the bottom up”. Indeed, Grieve himself has stepped in to apprehend criminals on more than one occasion by way of a citizen’s arrest.

Speaking at the report’s launch, Grieve was swift to pick up on the recent missive issued by the Metropolitan Police Service concerning monitoring in the Capital.

“We have the most CCTV cameras in the world, yet for every 1,000 cameras in London it appears that just one crime is solved every year,” said Grieve. “We have a DNA database containing swabs from a million-plus citizens, but not all of the convicted criminals’ details are there. We have ID cards that do nothing to stop the terrorists, illegal immigration or benefit fraud.”

In fine form and by now firmly into his stride, Grieve continued: “On top of that, we have a series of IT systems that hoard personal data on us, but the ‘butter fingers’ of the Database State lost the entire nation’s child benefit records in the post. Now, we have intrusive surveillance powers being used to monitor children walking home from school, check the permits of paper boys and even to follow dog walkers in a bid to determine where their animals complete their ablutions.”

Are we any safer than before?

The question to be asked is whether or not all of us mere citizens are any safer because of these Government-backed ‘security’ initiatives? Being perfectly frank I don’t think so and, not surprisingly perhaps, neither does Grieve.

“Violent crime has almost doubled in recent years, while the terrorist threat has risen to an all-time high. Anti-social behaviour remains the scourge of so many of our towns and cities. The vulnerability of public sector databases, coupled with incompetent management, has completely undermined public confidences. It’s little wonder that nine out of every ten people don’t trust this Government with their personal data.”

It’s all-too-easy to criticise the current incumbents who have power over us. After all, Brown and Co have given the electorate of this nation enough rope to ensure that every Government front-bencher could be hung out to dry 20 times over, but it’s no good just being a touchline judge. It’s up to the Tories – and, of course, the Liberal Democrats, who’ve been very impressive of late and just finished conference in Bournemouth – to propose a credible alternative in advance of the next General Election.

The Conservative’s response on this issue? In essence, this latest policy paper proposes 11 clearly defined measures that will “protect personal privacy and hold Government to account”. Those measures include:

• scrapping the National Identity Register and ContactPoint database

• establishing clear principles for the use and retention of DNA on the National DNA Database, including a cessation of the permanent or prolonged retention of innocent peoples’ DNA

• restricting and restraining local Council access to personal communications data

• reviewing the protection of personal privacy from the Surveillance State as part of a British Bill of Rights

• strengthening the audit powers and independence of the Information Commissioner

• requiring privacy impact assessments on any proposals for new legislation or other measures that involve data collection or sharing at the earliest opportunity (there will be a requirement for Government to consult the Information Commissioner on the Privacy Impact Assessment and then publish the findings)

• immediately submitting the Home Office’s plans for the retention of – and access to – communications data to the Information Commissioner for pre-legislative scrutiny

• requiring new powers of data sharing to be introduced into law by primary legislation, not by order

• appointing a minister and senior civil servant (at director general level) in each Government ministry with responsibility for departmental operational data security

• tasking the Information Commissioner to publish guidelines on Best Practice in data security in the public sector

• tasking the Information Commissioner to carry out a consultation in the private sector with a view to establishing guidance on data security (including an examination of the viability of introducing an industry-wide kite mark system related to Best Practice)

An approach based on five key principles

According to Grieve, the Conservative response to this Government’s “intrusive, ineffective and enormously expensive” approach to personal privacy and security issues is based on five central principles:

• fewer “mammoth databases” that are better run

• fewer personal details being held by the State – those that are would be stored accurately and be made available on a need-to-know basis only

• greater checks and personal control over the sharing of our data by Government

• stronger duties placed on Government to keep private data safe

Grieve doesn’t stop there, though. “Following the Government’s announcement of the details concerning its Vetting and Barring scheme that will require millions of parents and volunteers to prove their innocence, on pain of paying a £5,000 fine, maybe we need to make it 12 measures.”

The former Shadow Home Secretary continued: “A Conservative Government will review this arbitrary scheme to ensure a better, common sense balance between privacy and the presumption of innocence on the one hand, and basic child protection on the other. This new Safeguarding Authority being proposed is symptomatic of a much broader sea change in recent times in the relationship between the State and the citizen.”

The Shadow Secretary of State for Justice was quick to point out: “Let me be clear from the outset that no-one is suggesting we should not harness the power of IT or surveillance technology to strengthen public protection. Far from it, in fact. I’m not among those who nostalgically yearn for some Luddite return to a pre-technological age. However, this Government’s approach to surveillance powers is the worst of all worlds.”

Record that speaks for itself

One swift glance at the Government’s record during the last three years would seem to add great credence to that particular assertion. Cast your mind back to May 2006. The Home Office admitted that 2,700 people were wrongly labelled criminals as a result of checks conducted through the Criminal Records Bureau since its launch in 2002.

In July of that year, former Home Secretary Dr John Reid admitted that as many as 450,000 failed asylum seekers are now resident in the UK. The Borders and Immigration Agency was apparently working on reports “riddled with duplicaton and errors” (a direct quote from Hansard).

Then there was the overseas conviction scandal. In January 2007, it emerged that “hundreds of criminals” convicted of serious criminality when abroad could have been cleared to work with vulnerable people following a failure by the Home Office to enter their details on to the Police National Computer.

Information on convictions in 27,500 cases was left sitting in desk files within the Home Office rather than being properly examined – or so says ACPO, and I’ve no reason to doubt that.

Come November 2007 and already-beleaguered Chancellor Alastair Darling was forced into admitting that the personal records of 25 million individuals – including their dates of birth, addresses, bank account details and National Insurance numbers – had been lost by Her Majesty’s Revenue and Customs (HMRC). Paul Gray, then chairman of HMRC, had little choice but to resign.

Barely a month later and 18,000 personal records from the Department of Work and Pensions were ‘unearthed’ at a former contractor’s home. The contractor in question still held unencrypted CDs containing the details of thousands of benefit claimants despite the fact he’d not worked in the Department for well over 12 months. Staggering, to say the very least.

Risk to the public compounded

Arguably, the risk to the public has been compounded by the apparently cavalier attitude of ministers. Amid rising concerns, the Prime Minister has brushed aside all of these data losses, merely stating that: “We cannot promise that every single item of information will be safe.”

That’s mighty reassuring, isn’t it?

The Tory report opines: “Yet neither this belated acknowledgement of the Government’s poor track record, nor the impact on public confidences has inhibited the scale of its database ambitions. If anything, we face worse to come.”

There’s a page in the report all about the national ID card, but we’ve waxed lyrical about that on SMT Online of late so I’ll not rake over old coals – even if they are still burning. Instead, let’s look at the plans for a Communications Data Bill that first saw light of day when IFSEC was running in the summer of 2008.

You may recall it was reported that proposals were being developed to allow every telephone, e-mail, Internet and mobile phone record in Britain to be stored on a lone, Government-run database. That database would be made available to a range of public bodies. A backlash of public opinion has now seen the Government rethink its ideas.

Earlier this year, the Labour Party introduced further proposals – by way of the Coroners and Justice Bill – to enable data sharing to be expanded by order of the Secretary of State, facilitating data ‘swapping’ between Government, public bodies, local authorities, overseas Governments and businesses. That measure was eventually withdrawn following pressure not just from the Tories but also other opposition parties.

Last March, a report published by the Joseph Rowntree Reform Trust found that a quarter of public sector databases “are almost certainly illegal”. Fewer than 15% are “effective and secure”. The report’s co-author, Professor Ross Anderson, went as far as to describe Britain’s database situation to be “a financial, ethical and administrative disaster.”

Even David Blunkett, the former Home Secretary, was moved to suggest that: “If we tolerate the intolerable, the intolerable gradually becomes the norm.” Indeed so.

Protecting personal privacy in the 21st Century

Grieve and Laing’s missive states quite categorically that the Conservatives would do things differently, but how so? To find out, we need to drill down into the five guiding principles and 11 measures outlined in the report’s Executive Summary.

Having scrapped the National ID Register and ContactPoint databases (described as “costly” and “seriously flawed”), the Conservatives would deploy IT and databases “when this can be done securely” and without “exposing the taxpayer to unacceptable contingent liabilities, and members of the public to unnecessary risk.”

Of course, the Conservative Party supports the use of DNA in a proportionate manner to detect crimes and prosecute offenders. That said, ‘Reversing The Rise of The Surveillance State’ contains the sentence: “However, the indefinite retention of DNA on the database of people who have never been convicted of a crime is unacceptable in a society founded on the basis that someone is innocent until proven guilty.”

The Conservatives have taken a lead here by announcing the principles that any Tory Government would apply to the retention of DNA. These are as follows:

• DNA ought to be retained only while a person remains subject to investigation, or until criminal proceedings have concluded, and should only be used for the purposes of investigating and detecting crime

• DNA from adults convicted of a recordable offence must be retained indefinitely

• No DNA samples or profiles should be retained from adults not convicted of any crime (although a limited exception should be made for those charged with certain crimes of violence and serious sexual offences)

• No DNA samples or profiles should be retained on children under the age of ten (ie the age of criminal responsibility)

• When a child under the age of 18 is convicted of serious violence or a serious sexual offence, DNA ought to be retained indefinitely

• Operation of DNA databases should be subject to independent oversight

Local Council access to personal data

In terms of restricting and restraining local Council access to personal communications data, the Tories would amend the Regulation of Investigatory Powers Act 2000 such that Councils will only be allowed access to communications data for the purposes of assisting investigations into serious crimes (in other words, those subject to custodial sentences).

Second, any request to access communications data will require the approval of the given Council’s leader. In turn, that would ensure a measure of democratic accountability.

Third, Council access to such communications data would require the prior approval of a warrant by the Magistrates Courts, thereby engendering some form of judicial safeguard.

As far as the Tories are concerned, the role of the Information Commissioner is “limited” and “could be strengthened”.

Several reforms are proposed. For example, under the Conservatives the Information Commissioner would be appointed by Parliament rather than the Ministry of Justice on the basis that, if the Commissioner is to be an effective guardian of the public interest against privacy intrusions by Government, he or she cannot be appointed by the Government.

Also, the Information Commissioner would be required to audit Government departments as well as other public bodies on a rotating annual basis. Powers would be granted to discharge these functions, including ad hoc powers of inspection. There would be scope for the introduction of “financial penalties for the deliberate, reckless or grossly negligent management of data”.

The Tories state: “In order to improve standards of data security, and inhibit the introduction of unwieldy and unmanageable data systems, ministers, Government departments and officials must be properly held to account. We believe that, rather than burdening the public sector with onerous new regulation and red tape, a more effective means would be to ensure greater audit and sanctions for the worst abuses of data security.”

Greater scrutiny of data legislation

A key problem in the UK in recent times is that databases have been built and then issues of data security subsequently addressed as little more than bolt-on considerations.

The Tories would make it compulsory for all Government departments to undertake a Privacy Impact Assessment (PIA) before developing a new data collection scheme. Such a system would ensure that Government departments properly consider the impact of any data collection or sharing scheme on individual privacy, and require them to consider the proportionality of any scheme at the outset.

Current Home Office plans for the aforementioned Communications Data Bill should be subjected immediately to a PIA. Grieves’ report comments: “The Home Office should conduct the PIA in consultation with the Information Commissioner, with the outcome of the review published and reported to Parliament.”

The Tories feel that expanding the powers of the Surveillance State through secondary legislation vests excessive power in ministers, not to mention constraining the scope for effective Parliamentary debate and scrutiny.

On that basis, a Conservative Government would amend the Data Protection Act 1998 to ensure that any future scheme or proposals to extend the powers of data collection, sharing or retention must be enacted by primary legislation. This would “ensure maximum transparency and debate”.

Greater responsibility on the part of Government

In order to strengthen compliance with Best Practice, Grieve and the Conservatives are proposing that a minister assume responsibility for data security in each and every Government department. Day-to-day operational matters could be delegated to a senior civil servant, employed at the level of director general.

Necessarily, the focus of the Tory report has been squarely on data security in the public sector, but the relationship between the individual and the private sector is very different.

More often than not, data is shared on a voluntary as opposed to a coercive basis. Businesses are generally much better at safeguarding personal data. That said, high profile breaches of late have led to some concern. Who can forget the hacking of online recruitment operation Monster last January?

The Data Protection Act informs organisations of their duties to manage personal data securely and responsibly, but offers little in the way of guidance on how to secure that data. For smaller businesses in particular that’s not much of a help.

A consultation with private sector organisations on this matter is both just and necessary. Most notably, the Tories would task the Information Commissioner to consult with businesses on the viability of establishing an industry-wide data security kite mark. This would be voluntary, and serve as a mark of Best Practice.

Get the latest stories first with info4security's newsletters: Click to signup

Post and bookmark this story at the following sites:

What is this?

del.icio.us	Digg	Reddit	Google	Newsvine