Virtual conference on Negotiating Identities

There is a virtual conference on negotiating identities: E-Congress on Negotiating Identities, which is taking place online on the 15th and 16th of May:

Registration is free and focus is to bring together people who study and explore social identities in a variety of contexts. In particular, we aim to support people in thinking and moving beyond their and others’ social categorisation. Registration also allows you access to the weblinks in the library and the forum (cafe).

More details can be found at http://identityresearch.org/.

House of Lords Committee: Surveillance and Data Collection

The House of Lords Committee has launched a new inquiry into the impact that government surveillance and data collection have upon the privacy of citizens and their relationship with the State. See extract at:

The inquiry, which is set against a backdrop of increased use of CCTV, the creation of the national DNA database, the new NHS Spine and the proposals for ID cards, will seek to find out if increased surveillance and data collection by the state have fundamentally altered the way it relates to its citizens. Some of the questions the Committee will be seeking answers to include:

What forms of surveillance and data collection might be considered constitutionally proper or improper? Is there a line that should not be crossed? How could it be identified?

What effect do public and private sector surveillance and data collection have on a citizen’s liberty and privacy?

How have surveillance and data collection altered the nature of citizenship in the 21st century, especially in terms of citizens’ relationship with the state?

Is the Data Protection Act sufficient to protect citizens? Is there a need for additional constitutional protection for citizens in relation to surveillance and the collection of data?

Commenting ahead of the publication of the Committee’s call for evidence, Lord Holme of Cheltenham, Chairman of the Constitution Committee, said:

“The nature and extent of surveillance and data collection have changed dramatically in recent years. We now have close to 4.2 million CCTV cameras in the UK and with the introduction of the NHS Spine and the ID card database the government will hold more information about us than ever before. “The broad constitutional implications of these changes have not thus far been sufficiently closely scrutinised. As a Committee we hope to get to the bottom of how these changes are altering the relationship between individuals and the State, and to ascertain whether necessary protection is in place."

Perhaps, an interesting question to ask about the sufficiency of the DPA 1998 to protect citizens. The DPA 1998 provides safeguards for the collection of personal information. Whether the existing legislative data protection framework is sufficient to prevent the surveillance is questionable. Do we need toughter penalties? On the subject about additional constitutional protection for citizens in relation to surveillance and the collection of data, the first starting point would be to look at the Human Rights Act 1998, which incorporates the ECHR and includes the"'right to respect for private and family life." Although the right to privacy is not absolute, it would be a good starting point.

See also:

• HL Press Notice
• Royal Academy of Engineers Report on Privacy (pdf)
• Surveillance Studies Network Report on Surveillance Society (pdf)

DCA Consultation on Freedom of Information Regulations

The DCA has issued its consultation on the draft regulations for the Freedom of Infomation Regulations. The first consultation period has ended, so this is a consultation for a subsequent paper. See extract below:

The Government has drafted amended FOI fees regulations which will allow public authorities to take into account more comprehensively the work involved in dealing with an FOI request. This consultation asks for views on the draft Regulations. The initial consultation period closed on 8 March 2007. A supplementary paper opened a second period of consultation on 29 March 2007 inviting views on the principle of amending the 2004 Regulations and also any further views on the draft Regulations themselves as set out in the consultation paper of 14 December 2006.

• DCA Draft Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2007

Interpretation of "Processing"

Another important case has reached the UK Court of Appeals, Johnson v MDU and examines the notion of "processing" personal data. Here is a short extract from Out-Law.com.

David Paul Johnson took a case against the Medical Defence Union (MDU), a non-profit body which provides indemnity policies for its members. The MDU had refused to renew Johnson's policy after it conducted a review of his case and Johnson argued that the organisation had not
processed his data fairly and had therefore breached the Data Protection Act. The MDU operates a scoring system of its own invention which allocates points to certain complaints or allegations made against a doctor, even if they are never proved or pursued. By 2002 Johnson, who had been an MDU member since 1986, had built up enough of these points to trigger a review of his policy by the MDU. He had built up points by consulting the MDU over professional issues, including complaints. He had never been the subject of a claim of professional negligence. His case had been judged after an MDU staff member had looked through his files and collated information from them into a new computer document. Most of the files were manual and fell outside the Data Protection Act's definition of a "relevant filing system". Three were computer based, though, and so their use was controlled by the Act. Johnson claimed that this task was processing, as defined and controlled by the Act's first principle, which says that processing of personal data must be fair and lawful. Johnson claimed that his data was unfairly processed, in breach of the Act. The High Court agreed that the activity carried out by the MDU was processing under the Act, but said that it was unfair only in a minor and inconsequential way, and that therefore there was no breach. Both parties appealed the judgment, Johnson arguing that the processing was unfair and the MDU arguing that the High Court was wrong to say that its actions counted as data processing. The Court of Appeal said that the actions were not data processing. "Mr Johnson, who agrees that he has no right in contract or in any other chapter of English law to challenge [MDU examiner] Dr Roberts's selection of the information contained in his personal data, asserts that he can nonetheless mount these proceedings because her act of analysis is covered by the First Data Protection Principle," said presiding judge Lord Justice Buxton in his ruling. "I would not be prepared to conclude that the 1998 Act has had that effect, and the other widespread effects suggested above, unless I was driven to it. Far from that being the case, neither the 1998 Act nor the Directive give any support to the appellant's case. I would therefore hold that the Judge was wrong to find that Dr Roberts's selection of the data amounted to processing of data in the terms of the Act," he said.

Monitoring of Electronic Communications

A colleague had sent me some information about a recent case (Copland v UK) that has reached the European Court of Human Rights, which concerned an individual's personal communications (including e-mails) that were being monitored without her consent. The Court unanimously held that this was an infringement of her violation to her right to respect for private and family life under Art. 8(1) of the European Convention of Human Rights. Clearly, the monitoring of employees emails have important privacy and data protection implications.

Whilst the privacy of communications is not absolute (sufficient warning by the employer), it would be useful to consult the UK's ICO's employment practice code as a starting point. Plus, the ICO's recently commissioned report on surveillance (pdf).

DNA database

There is a case pending before the European Court of Human Rights concerning the storage of DNA. This is an interesting case as it concerns an individual who has not been charged with an offence. No doubt DNA of an individual is "personal data" within the meaning of the Data Protection Directive 95/46/EC ("sensitive data" if it relates to the health of the individual). See the extract below from Out-Law News:

The Government's DNA retention policy combined with increasingly sophisticated statistical techniques means that eventually most citizens in the UK will be linked to data stored on the police's DNA database, according to a privacy law expert. The outcome of an appeal to the European Court of Human Rights (ECHR) that challenges the UK's DNA retention policy will not limit the ultimate reach of the DNA database, only the speed of its compilation, says Dr Chris Pounder of Pinsent Masons. Under last year's Police and Justice Act, the police are allowed to retain DNA data on those arrested even if those arrested are not convicted of or even charged with any crime. Data derived from these samples are then added to the National DNA Database. Michael Marper's case before the ECHR could change this law. Marper was accused of harassment by his partner. He was arrested and DNA samples were taken. The charges were dropped when he reconciled with his partner, but police refused to destroy his DNA samples and related data. Marper exhausted his appeals through the English courts and then complained to the ECHR that the retention of his DNA is a breach of his rights to privacy under the European Convention on Human Rights. Earlier this year the ECHR decided that there was enough of importance in the case that it will hear it. "The Court finds that serious questions of fact and law arise, the determination of which should depend on an examination of the merits," said the ECHR in January. "The application cannot be regarded as manifestly ill-founded within the meaning of the Convention. No other grounds for declaring it inadmissible have been established." The ECHR has previously ruled in favour of the police's right to retain DNA, but that case involved a man who had been convicted of a crime. A Dutch bank robber, Mr Van der Velden, argued that police had failed to respect his private life by storing his DNA profile. The ECHR said that this interference with his privacy was proportionate.

See also:

• 
  
  PRIVIREAL Project

ICO's response to proposed changes to the FOIA by the Government

The UK ICO has issued its response to the Government's proposals to introduce changes to the FOIA in reducing the number of FOI requests. The ICO is of the view that existing rules would enable the government to achieve its objectives without having to introduce further changes. The main points are:

a more robust application of section 14 (exclusion of vexatious requests) would, to a very significant extent, address the mischief at which the new cost proposals purport to be directed;
• there are grave doubts about the extent to which the aggregation of non-similar requests would be workable in practice, particularly if determined applicants took steps to circumvent the new provisions;
• the proposed concepts of reading, consultation and consideration time, will present very real difficulties for challenge and adjudication;
• the proposals will introduce new layers of procedural and bureaucratic complexity. There is likely - as feared by Frontier Economics - to be “a substantial increase in
requests for internal review and appeals to the ICO, with a substantial increase in costs”.
• there will certainly be a surge of difficult procedural complaints to ICO which can be predicted to start no less than two months after the new Regulations have been implemented. Unless further resources are made available, regrettably, the net effect – at least for the forthcoming year - has to be the prospect of more time taken to resolve difficult cases, an increase rather than a reduction in the backlog of complaints and the diversion of resources onto complaints about costs rather than substantive issues of disclosure of official information in the public interest....

5. The ICO believes that a more robust application of section 14, in line with the published guidance and decision notices, would, to a very significant extent, address the mischief at which the new cost proposals purport to be directed.

See also:

• ICO's response to consultation on draft FOI and DP (appropriate limits and fees) regulations 2007

Telemedia Act 2007

The German Telemedia Act 2007 (Telemediengesetz) replaces the German Teleservices Act, the Teleservices Data Protection Act and the Federal Media Services Treaty. It takes effect on March 2007 and regulates all electronic information and communication services except pure telecommunication and broadcasting (so-called "Telemedia Services"). It covers webshops, mobile commerce, newsgroups, music download platforms, video on demand (VOD), internet search engines, emails and even simple company websites, but not to live-streaming of video, web-casting, IPTV (Internet Protocol TV) or VoIP (Voice Over Internet Protocol - internet telephony). The new Act has been criticised for not going far enough to protect the privacy of the user on the internet. There is no English translation available, but Wikipedia has an entry on this (in German). See also:

• Telemediengesetz: 13 Fragen zum neuen Telemediengesetz
• German Telemedia Act introduces new rules for new Media
• CeBIT - German organisations critical of new law against spam

Another paper

I have been away for the last few days attending the SLSA Conference 2007, hence the lack of blog posts. This is a jointly written paper, but may be of interest to those who have experience with this aspect of work. Here is the abstract:

Title: "All or nothing: this is the question?: the application of Art. 3(2) Data Protection Directive 95/46/EC to the internet"

The Data Protection Directive 95/46/EC (hereinafter the “Directive”) was passed in 1995 to harmonise the national data protection laws within the European Community with the aim of protecting the fundamental rights and freedoms of individuals including their privacy as set out under Art. 1 of the Data Protection Directive. The rules governing the processing of personal data are deemed to be inapplicable in the two instances outlined by Art.3(2). Processing of personal data taking place as part of activities falling outside of Community law are excluded from the DPD. The Directive is also deemed to be inapplicable if the processing of personal data is undertaken by a natural person in the course of a purely personal or household activity. It is the second part of Art. 3(2) which is examined in more detail. The ruling by the European Court of Justice in Lindqvist provides us with a fresh opportunity to re-examine whether the policy justifications for the exclusion under Art 3(2) continue to remain relevant in the light of widespread use of new technologies such as blogs, podcasts and web pages for processing and distributing information. Greater clarity regarding the implication of new communication technologies for DPD policy is necessary if the laws on data protection are to evolve in a coherent and principled manner.

Keywords: Data Protection Directive 95/46/EC; internet, private purposes, blogs, podcasts

Although this is still a work in progress, we hope to have this published by the end of the year. Any thoughts or views are welcome.

Data Protection - a new website

Here is another website on data protection in the EU - Set up by Dr Jóri, Data protection.eu aims to 'carry out a comparative analysis of European data protection legislations, that can help the data protection community of Europe to answer them.'

Information on data protection laws is certainly needed and trying to find up-to-date sources can be difficult, so the website will indeed be useful to those who work in the data protection field. Other websites worth visiting include:

• Privacy, Laws and Business
• Compliance and Privacy
• Data Protection Forum
• Data Protection Resources