Overlooked - Liberty
Overlooked: Surveillance and personal privacy in modern Britain 109
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects.
The Schedules set out the circumstances in which data processing is permitted in relation to data and sensitive personal data [214]. These circumstances include the giving of consent, processing to protect vital interests of the data subject, and processing by public bodies in relation to their work. The DPA also contains exemptions to the data protection principles for purposes such as crime detection and collection, tax collection, national security and health, education or social work.
The DPA has historically proven to be a partially effective mechanism for regulating and controlling the processing of personal data. However, in recent times, further shortcomings are perhaps becoming apparent. The decision in Durant, referred to in the section on CCTV, has shown the limitation of scope of the DPA in relation to CCTV, although the new draft guidance from the Information Commissioner's Office (ICO) does seem to lessen the negative impact. It is also now arguable that technological developments, particularly in relation to the scale of automated data processing possible through data matching and data mining, are outstripping the DPA. To take the second data protection principle as an example: ‘data shall only be processed for one or more specified purpose’. The section on Identity Cards mentioned that this principle was being seen as an obstruction to effective information sharing by government departments. Whether or not this is the case, the second principle does not seem well-equipped to deal with mass data processing. At the time of the Data Protection Directive and of the passing of the DPA in the mid and late 1990s, the processing of data was still largely that of single pieces of data for single purposes. There is nothing within the DPA or inherent to the second principle to limit this other than that the purposes for which data are processed need to be specified. This is done by registering the purposes with the ICO. This obligation will not place any significant limitation on data matching practices. Data matching will usually be done for the purposes of crime detection and prevention. If this or any other purpose is notified to the ICO, there is no other express limit within the DPA on the scale on which the processing takes place. The Commissioner is given no specific power to refuse an application for notification so long as it is made in the prescribed form. The third data protection principle, that ‘personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed’, would appear to place some limitation on scale. However, the requirement that data be not excessive would appear to apply to the amount of data relating to a particular individual rather than the number of people who have had their data processed through data matching.
Coupled with concerns over the adequacy of the DPA when applied to modern processing techniques are the more practical considerations over the ability of the ICO to limit excessive data sharing. There is an inherent limitation upon the effectiveness of a publicly funded body in regulating the public sector. This is no reflection on the work of the ICO, which has frequently drawn attention to privacy issues and highlighted the dangers of the ‘surveillance society’. The current Information Commissioner, Richard Thomas, has often demonstrated a willingness to comment on Government
[214] Sensitive personal data is defined by S.2 DPA and relates to data concerning the racial or ethnic origin of the data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, whether he is a member of a trade union, his physical or mental health or condition, his sexual life, the commission or alleged commission by him of any offence or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.