The Home Secretary has announced the government's intention to
consult on plans for a
"super-database" for communications data. Few details were
provided, but it has been reported that the database will be used
to monitor the internet use, mobile phones and e-mails of every
Briton to counter terrorism.
Over 600 governmental bodies already have powers to obtain
access to communications data on an "ad hoc" basis under existing
legislation. However, this legislation only allows access to data
with the consent of a person designated by the Secretary of State
(eg, under a judge's warrant) and, therefore, is used only in
limited circumstances as part of specific counter-terrorist
investigations. Whilst this new proposal raises a political
question about whether a further layer of surveillance is
justified, for lawyers it raises difficult questions about
compliance with legislation, particularly the Data Protection Act
1998 (DPA).
Given its remit, the privacy watchdog, the Information
Commissioner's Office (ICO), will certainly review the proposals
against the DPA, much as it has done in relation to the recent
fingerprinting proposals at
Terminal 5. The DPA requires any entity that processes personal
data to comply with eight "principles". Confirmation that the
proposals satisfy these principles would help the government, but
we can envisage the following problems that they may face in
achieving this:
- Fair and lawful processing - Under the DPA, personal data must
be processed fairly and lawfully, meaning that individuals must not
be deceived over the purpose for which their data is being
processed and that they must have given consent or the processing
must be justified under the DPA. For the government there are a
number of existing justifications in the DPA, including that the
database is necessary for the public interest. One obvious argument
against this, of course, is that the security services already have
access under existing legislation.
- Security - Appropriate measures must be taken under the DPA to
protect against loss, destruction of or damage to personal data.
Many would agree that this most recent proposal has come at a time
when the government's ability to secure data is severely
distrusted, given the high-profile losses of data.
- Processing only for a specified and lawful purpose - This
principle requires individuals to be informed of the purposes for
which their data will be processed and the government to stick to
them. However, many commentators fear "function creep". What if the
government decided to expand the purposes - could it just notify
people of a change without a right to object?
- Adequate, relevant and not excessive - Personal data must not be
used excessively. The government's argument is that the database
will be in line with its "proportional and necessary"
test. What is this test? A recently leaked memo written by
dissenting senior Home Office officials has already questioned
whether the database is "proportionate".
- Enforcement - How will the database be monitored? Will the ICO
be allowed to enforce the DPA in relation to this database given
its sensitive use? What will happen if there are lapses?
We will have to await the detailed proposals but it is clear
that the consultation on this proposal scheduled for 2009 will
stoke an important debate on this hot topic.