The Home Secretary has announced the government's intention to consult on plans for a "super-database" for communications data. Few details were provided, but it has been reported that the database will be used to monitor the internet use, mobile phones and e-mails of every Briton to counter terrorism.
Over 600 governmental bodies already have powers to obtain access to communications data on an "ad hoc" basis under existing legislation. However, this legislation only allows access to data with the consent of a person designated by the Secretary of State (eg, under a judge's warrant) and, therefore, is used only in limited circumstances as part of specific counter-terrorist investigations. Whilst this new proposal raises a political question about whether a further layer of surveillance is justified, for lawyers it raises difficult questions about compliance with legislation, particularly the Data Protection Act 1998 (DPA).
Given its remit, the privacy watchdog, the Information Commissioner's Office (ICO), will certainly review the proposals against the DPA, much as it has done in relation to the recent fingerprinting proposals at Terminal 5. The DPA requires any entity that processes personal data to comply with eight "principles". Confirmation that the proposals satisfy these principles would help the government, but we can envisage the following problems that it may face in achieving this:
- Fair and lawful processing - Under the DPA, personal data must be processed fairly and lawfully, meaning that individuals must not be deceived over the purpose for which their data is being processed and that they must have given consent or the processing must be justified under the DPA. For the government there are a number of existing justifications in the DPA, including that the database is necessary for the public interest. One obvious argument against this, of course, is that the security services already have access under existing legislation.
- Security - Appropriate measures must be taken under the DPA to protect against loss, destruction of or damage to personal data. Many would agree that this most recent proposal has come at a time when the government's ability to secure data is severely distrusted, given the high-profile losses of data.
- Processing only for a specified and lawful purpose - This principle requires individuals to be informed of the purposes for which their data will be processed and the government to stick to those purposes. However, many commentators fear "function creep". What if the government decided to expand the purposes - could it just notify people of a change without a right to object?
- Adequate, relevant and not excessive - Personal data must not be used excessively. The government's argument is that the database will be in line with the government's "proportional and necessary" test. What is this test? A recently leaked memo written by dissenting senior Home Office officials has already questioned whether the database is "proportionate".
- Enforcement - How will the database be monitored? Will the ICO be allowed to enforce the DPA in relation to this database given its sensitive use? What will happen if there are lapses?
We will have to await the detailed proposals but it is clear that the consultation on this proposal scheduled for 2009 will stoke an important debate on this hot topic.