Monday, April 30, 2007
Friday, April 27, 2007
What forms of surveillance and data collection might be considered constitutionally proper or improper? Is there a line that should not be crossed? How could it be identified?
How have surveillance and data collection altered the nature of citizenship in the 21st century, especially in terms of citizens’ relationship with the state?
Is the Data Protection Act sufficient to protect citizens? Is there a need for additional constitutional protection for citizens in relation to surveillance and the collection of data?
“The nature and extent of surveillance and data collection have changed dramatically in recent years. We now have close to 4.2 million CCTV cameras in the UK and with the introduction of the NHS Spine and the ID card database the government will hold more information about us than ever before.
“The broad constitutional implications of these changes have not thus far been sufficiently closely scrutinised. As a Committee we hope to get to the bottom of how these changes are altering the relationship between individuals and the State, and to ascertain whether necessary protection is in place.”
An interesting question to ask, perhaps, concerns the sufficiency of the DPA 1998 to protect citizens. The DPA 1998 provides safeguards for the collection of personal information. Whether the existing legislative data protection framework is sufficient to prevent surveillance is questionable. Do we need tougher penalties? On the subject of additional constitutional protection for citizens in relation to surveillance and the collection of data, the starting point would be to look at the Human Rights Act 1998, which incorporates the ECHR and includes the "right to respect for private and family life." Although the right to privacy is not absolute, it would be a good starting point.
Thursday, April 26, 2007
The Government has drafted amended FOI fees regulations which will allow public authorities to take into account more comprehensively the work involved in dealing with an FOI request. This consultation asks for views on the draft Regulations. The initial consultation period closed on 8 March 2007. A supplementary paper opened a second period of consultation on 29 March 2007 inviting views on the principle of amending the 2004 Regulations and also any further views on the draft Regulations themselves as set out in the consultation paper of 14 December 2006.
Saturday, April 21, 2007
David Paul Johnson took a case against the Medical Defence Union (MDU), a non-profit body which provides indemnity policies for its members. The MDU had refused to renew Johnson's policy after it conducted a review of his case and Johnson argued that the organisation had not processed his data fairly and had therefore breached the Data Protection Act.
The MDU operates a scoring system of its own invention which allocates points to certain complaints or allegations made against a doctor, even if they are never proved or pursued. By 2002 Johnson, who had been an MDU member since 1986, had built up enough of these points to trigger a review of his policy by the MDU. He had built up points by consulting the MDU over professional issues, including complaints. He had never been the subject of a claim of professional negligence.
His case had been judged after an MDU staff member had looked through his files and collated information from them into a new computer document. Most of the files were manual and fell outside the Data Protection Act's definition of a "relevant filing system". Three were computer based, though, and so their use was controlled by the Act.
Johnson claimed that this task was processing, as defined and controlled by the Act's first principle, which says that processing of personal data must be fair and lawful. Johnson claimed that his data was unfairly processed, in breach of the Act. The High Court agreed that the activity carried out by the MDU was processing under the Act, but said that it was unfair only in a minor and inconsequential way, and that therefore there was no breach.
Both parties appealed the judgment, Johnson arguing that the processing was unfair and the MDU arguing that the High Court was wrong to say that its actions counted as data processing. The Court of Appeal said that the actions were not data processing.
"Mr Johnson, who agrees that he has no right in contract or in any other chapter of English law to challenge [MDU examiner] Dr Roberts's selection of the information contained in his personal data, asserts that he can nonetheless mount these proceedings because her act of analysis is covered by the First Data Protection Principle," said presiding judge Lord Justice Buxton in his ruling.
"I would not be prepared to conclude that the 1998 Act has had that effect, and the other widespread effects suggested above, unless I was driven to it. Far from that being the case, neither the 1998 Act nor the Directive give any support to the appellant's case. I would therefore hold that the Judge was wrong to find that Dr Roberts's selection of the data amounted to processing of data in the terms of the Act," he said.
Friday, April 13, 2007
Wednesday, April 11, 2007
Tuesday, April 10, 2007
• a more robust application of section 14 (exclusion of vexatious requests) would, to a very significant extent, address the mischief at which the new cost proposals purport to be directed;
• there are grave doubts about the extent to which the aggregation of non-similar requests would be workable in practice, particularly if determined applicants took steps to circumvent the new provisions;
• the proposed concepts of reading, consultation and consideration time, will present very real difficulties for challenge and adjudication;
• the proposals will introduce new layers of procedural and bureaucratic complexity. There is likely - as feared by Frontier Economics - to be “a substantial increase in requests for internal review and appeals to the ICO, with a substantial increase in costs”.
• there will certainly be a surge of difficult procedural complaints to ICO which can be predicted to start no less than two months after the new Regulations have been implemented. Unless further resources are made available, regrettably, the net effect – at least for the forthcoming year - has to be the prospect of more time taken to resolve difficult cases, an increase rather than a reduction in the backlog of complaints and the diversion of resources onto complaints about costs rather than substantive issues of disclosure of official information in the public interest....
5. The ICO believes that a more robust application of section 14, in line with the published guidance and decision notices, would, to a very significant extent, address the mischief at which the new cost proposals purport to be directed.
Monday, April 09, 2007
Saturday, April 07, 2007
The Data Protection Directive 95/46/EC (hereinafter the “Directive”) was passed in 1995 to harmonise the national data protection laws within the European Community with the aim of protecting the fundamental rights and freedoms of individuals including their privacy as set out under Art. 1 of the Data Protection Directive. The rules governing the processing of personal data are deemed to be inapplicable in the two instances outlined by Art. 3(2). Processing of personal data taking place as part of activities falling outside of Community law is excluded from the DPD. The Directive is also deemed to be inapplicable if the processing of personal data is undertaken by a natural person in the course of a purely personal or household activity. It is the second part of Art. 3(2) which is examined in more detail. The ruling by the European Court of Justice in Lindqvist provides us with a fresh opportunity to re-examine whether the policy justifications for the exclusion under Art. 3(2) continue to remain relevant in the light of widespread use of new technologies such as blogs, podcasts and web pages for processing and distributing information. Greater clarity regarding the implication of new communication technologies for DPD policy is necessary if the laws on data protection are to evolve in a coherent and principled manner.
Keywords: Data Protection Directive 95/46/EC; internet; private purposes; blogs; podcasts
Although this is still a work in progress, we hope to have this published by the end of the year. Any thoughts or views are welcome.