Overlooked - Liberty

More documents

Recommendations

Info

<strong>Overlooked</strong>: Surveillance and personal privacy in modern Britain 119 There is also a power for the Secretary of State to appoint data protection supervisors to monitor data controllers’ compliance with the Act 230 . These provisions regulate the form of notification but, so long as the process is complied with, have no other impact. The only effective control on processing is contained in Section 22 DPA which deals with ‘assemble processing’. This is processing likely to cause damage or distress to data subjects or which might prejudice their rights and freedoms. The definition of what would constitute ‘processing likely to cause damage and distress…etc.’ is left to parliamentary order. Once a parliamentary order has been made, if the ICO believes assemble processing has occurred he can give notice of his opinion to the data controller and require compliance. While this might appear to provide some sort of regulatory mechanism, it has not done so. Primarily this is because no parliamentary order has ever been made, so the provisions have effectively failed to come into force. However, even if they had come into force, the way the legislation is structured means that the Commissioner has no power to forbid the processing or require it to be amended until after is has already been carried out. The ICO enforcement powers contained in Part V DPA are restricted to when breaches of the data protection principles have already taken place. By this time the damage may well have already been done. This rather limited regulatory role fits with the Government’s attitude towards notification essentially being a regulatory rather than enforcement tool. As Rosemary Jay and Angus Hamilton point out in Data Protection Law and Practice ‘Notification is not a control mechanism; the Commissioner cannot refuse a notification’ 231 . The policy driver behind the purpose of notification was set out in the 1998 Home Office Consultation Paper ‘Subordinate Legislation: Notification Regulations’ which stated ‘The Government considers that the primary purpose of notification under the new data protection scheme should be to promote transparency, that is providing to the public and the Commissioner a clear description in general terms of the processing of personal data’ 232 There is no mention of enforcement. As mentioned above data controllers must register with the ICO and processing without registration is a criminal offence. However once registration has occurred there is little the ICO can do by way of enforcement. It is this notification regime that will govern mass data matching and data mining processes. Application of several of the data protection principles: that data shall be processed lawfully and fairly (the first principle); that it shall be obtained and processed for one of more specified purposes (the second principle); that it shall be adequate, relevant and not excessive for purpose (the third principle); and that it be processed in accordance with the rights of data subjects (the sixth principle) demonstrate the shortcomings of this regime in relation to mass data processing methods. If multiple processing purposes are registered, the second principle will be adhered to. The third data protection principle tends to allow considerable leeway in terms of what constitutes adequate, relevant and non-excessive data in that data matching and mining processes operate on the basis that an extremely broad range of information will be of use in assessing whether or not someone might, for example, be involved in criminality. The sixth principle allows, for example, that processing can be prevented if it would cause substantial damage or distress and if it would be unwarranted 230 Section 23 231 Page 246 Rosemary Jay and Angus Hamilton: Data Protection Law and Practice. Second Edition. Published by Sweet and Maxwell 232 Home Office 1998 Subordinate legislation: Notification Regulations. No online citation available.
120 <strong>Overlooked</strong>: Surveillance and personal privacy in modern Britain by virtue of S.10 DPA. While S.10 seems to provide further protection under the DPA, it also serves to again demonstrate how data sharing practices have outstripped protections. The Act caters for situations where the processing of a particular piece or pieces of information cause harm to an individual, where they are aware of that harm and are able to request that the processing not take place. This does not match up to the mass processing reality of 2007. At the heart of a response to these changes in data processing culture should be a significant strengthening of the power and ability of the ICO to regulate the notification process effectively. Notification needs to be more about regulation than about administration. The ICO needs to be able to determine in advance whether processing might be constitute ‘assemble’ processing and take action to prevent it. The ICO needs to be capable of limiting processing purposes, of making decisions on societal rather than individual impact of what might constitute damage or distress, and of strict interpretation of what constitutes excessive processing for purpose. In order to make any of these changes effective, the Information Commissioner needs to be given effective enforcement power to prevent any processing he considers to be incompatible with data protection principles. Concerns over the effectiveness of the DPA also arise from the definition of ‘personal data’. This definition impacts upon the scope of processing regulated by the DPA. The DPA defines ‘personal data’ as: ‘data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller’ 233 Meanwhile the definition set out in the EU Data Protection Directive states; ‘‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity’ 234 The Articles in the directive are preceded by a series of explanatory ‘recitals’. Recital 26 states: ‘Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable’(emphasis added) 235 . The definition of personal data in the DPA is, therefore, more restrictive than that allowed for in the Directive. The DPA bases the definition of personal data as relating to a living individual identifiable from the data itself or from other information held by the data controller. The Directive is more expansive by allowing the definition to include data identifiable by the controller or any other person. 233 Section 1(1). 234 Ibid 87 at Article 2(a). 235 Ibid 87 Recital 26.
Page 1 and 2:
Overlooked: Surveillance and person
Page 3 and 4:
Acknowledgements I would like to th
Page 5 and 6:
II Overlooked: Surveillance and per
Page 7 and 8:
iv Overlooked: Surveillance and per
Page 9 and 10:
2 Overlooked: Surveillance and pers
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
10 Overlooked: Surveillance and per
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76: 68 Overlooked: Surveillance and per
Page 107 and 108: 100 Overlooked: Surveillance and pe
Page 125: 118 Overlooked: Surveillance and pe
show all

Overlooked - Liberty

Create successful ePaper yourself

Delete template?

Save as template?