- Not quite says ODPS
Iain McDonald, from the Office of the Data Protection Supervisor (ODPS), posed this rhetorical question at this week’s Positive Action Group’s (PAG) open meeting and came up with the conclusion there is still some hope the ‘Big Brother’ scenario can be avoided.
Mr McDonald presented a comprehensive overview of the current situation in the UK, and the IOM, and of some of the proposed developments. Informing the audience it is now 60 years since George Orwell’s famous book, 1984, was published, he said, on a positive note, at least we are not yet living in a totalitarian society; although he did concede that there are now at least 32 public CCTV cameras sited within 200 yards of George Orwell’s former residence in London.
However, he said, most of these are “passive” - i.e. they just watch and record - but the more recent developments, such as ANPR, or number plate recognition cameras, are linked to a database and can be used to identify people breaking the law.
He pointed out other technology is being used to track people’s movement, which can be achieved using mobile phones or RFID; and that in the USA people have even been ‘micro-chipped’.
The databases are the big issue, he explained, which are being compiled to form national identity registers, criminal record and DNA files etc.
For example, the NIR will hold personal and identifying information (inc. all 10 fingerprints), residential status, personal reference numbers, record history, registration and card history, security information and records of the provision of information (e.g. who has accessed the info and what for).
He wondered who the audience thought will have access to this database. Perhaps, he suggested, it will be banks, doctors and organizations of that ilk. But no, he said, it will include DVD rental firms and internet companies.
So, he queried, if it is intended as an anti-terrorist measure, as claimed by the Government, why would DVD rental and internet companies etc need access to it?
Sure, he accepted that there is an argument it could be used to help prevent identity theft but otherwise he remains sceptical.
Moving on to the issue of ‘E-Borders’, Mr McDonald said he is quite confident that if the UK adopts this approach the IOM will follow. The upshot will be that 37 pieces of information will be collected and not only will the police, and immigration officials, be able to access the data but also HMRC who will be able to use it for any purpose; including tax purposes such as checking on travellers breaching the 90 day ‘residency’ rule.
To illustrate the ‘effectiveness’ of this measure, he pointed out, of the 100 million travelling movements in the period 2005 - 2008, 1700 people had been arrested, of which 8 were for murder; which seems a reasonable defence of the system until it is realised that the majority were for avoiding fines and traffic offences. Not exactly, he said, your normal terrorist activity.
Another contentious subject is the introduction of the ‘Every Child Matters’ scheme in England. It was proposed that all children, resident in England, would be included - until it was pointed out that, as 300,000 people would have access to the database, there would potentially be a big security risk to children of ‘high-profile’ personalities. The response was ‘exempt them’ so, Mr McDonald wondered, was it really a case of ‘Every Child’? He also pointed out that ‘child protection’ measures would fall outside the scheme, and the use of a ‘common framework assessment’, so again he questioned the rationale for it. He doubted it would meet the requirement of the information collected being relevant or necessary; and was further concerned at the thought of the three databases being linked together as proposed.
However, he said it gets worse than that and produced a quote from Sir David Omand, a former security chief, and architect of the UK Government’s National Security Strategy.
He was reported, in the last week of February 2009, as saying that privacy will have to be given up in the fight against terror - which is worrying stuff indeed for proponents of civil liberties.
The type of ‘data mining’ and processing envisaged by the authorities in the UK, explained Mr McDonald, will lead to a lot of “false positives” and the investigation of innocent people.
He referred to the adage ‘Nothing to hide, nothing to fear’ - unless he stated, ‘jokingly’, it applies to Cabinet Minutes - and a quote from Lord Nicholls Campbell who said “I think I have nothing to hide but I am worried I have something to fear”; along with a letter, from an unnamed writer, sent to the Times which said, “I fear having to prove I have nothing to hide.”
As an example he recited the case of Simon Bunce who spent three years clearing his name after his credit card details were stolen and used to access a child porn website. Thousands of other people were also investigated, many of whom, like Mr Bunce, were innocent and victims of fraud; although, as Mr McDonald added, to be fair, many were also guilty.
So as credit card fraud is a known terrorist activity, chances are if your details crop up in the wrong place you will get investigated, said Mr McDonald.
However, Mr McDonald was at pains to point out that the police, in the UK, say they have no confidence in the system; and so he inquired, if that is the case what is it worth?
The Manx Herald knows what it is worth - a lot of money to IT companies etc.
Turning his attention to the IOM, Mr McDonald listed some of the areas of ‘surveillance’ creeping into the Island, with talk in Keys of the Dept. of Transport introducing ANPR - so they can issue letters to motorists whose insurance is about to expire, or perhaps even issue FPNs to ‘offenders’. In his opinion CCTV cameras do not improve safety on their own, but he acknowledged that, as part of a crime prevention package, they may have a benefit.
Then he mentioned the issue of schools fingerprinting kids for school libraries, Tesco using an off-island firm to monitor cars parked in their car park - and whether information collected by the state should be handed over to private companies - and the DHSS’s idea to introduce an ‘Integrated Children’s Service’ (ICS).
He raised the topical issue of work permits and whether every applicant should be checked for a criminal record. He suggested work permits are an employment matter and shouldn’t be used as a form of residency control; and in any case, he said, it may be easy to get the records from the UK or Eire but it is notoriously difficult to obtain them from further afield. He believes it will require the drawing up of international agreements, but also pointed out there will still be difficulties as what is illegal in some countries is legal in others.
He made the point that one of the failings of the system (and probably more so humans) is that people tend to believe what the computer tells them - so if the computer is wrong, or data is ‘missing’, the person also gets it wrong. He illustrated this with the example of Manx people getting stopped in their cars in the UK as the car registration doesn’t appear on the DVLA database. So be warned, if you want to avoid any delays and inconvenience, make sure you have your log book and insurance with you.
And mistakes are made he said, referring to the Dept of Education sending emails out with hundreds of student email addresses visible; and a local authority that had forwarded sensitive information - in emails, about alleged drug dealing and informants - to an ever widening audience and which ended up raising an almost completely different subject matter to the start of the string.
In other words, he said, you have to be careful to get it right; and only what is needed should be gathered, stored, processed and disclosed.
So bringing his presentation to an end, he returned to his original proposition. He suggested that with all the losses of information, such as the 25 million records in one go in the UK, and the lack of confidence in the government to look after data - which he said is leading to a change in the law to introduce criminal offences and allow the DPS in the UK to issue large fines - and the need for ‘data protection risk assessments’, which will be open to public scrutiny - that is why he remains optimistic for the future. However, he added the caveat that we will still need to remain on our guard.
PAG Chairman, Roger Tomlinson thanked Mr McDonald and inquired if any of the Island’s 40 school parent governors, who he had invited to attend, were present. He was less than impressed that only one had made the effort, especially in light of the potential implications of the ICS, and he urged all parents to become involved in the consultation process.
Questions were then invited from the audience, with Paul Chambers being first. He invited Mr McDonald to comment on the accessing of IOM residents’ bank details, by the UK authorities, in the last year. Mr McDonald replied that he couldn’t give a full answer as certain issues are still being pursued as it could be considered that the UK Customs and Revenue went on a ‘phishing’ exercise. Unfortunately, he said the IOM ODPS was limited in what action it could take as most of the records, of even IOM residents, were held in the UK, and obtained by a court order, so it comes under someone else’s jurisdiction and laws.
Stephen Holmes, only partially tongue in cheek, wondered if the ODPS had the power to fine, say the General Registry, for unlawfully releasing data; and, on being told it did not, announced it was “a shame”.
A comment was made to the effect that little confidence was held in the financial sector’s ‘Quality Assurance’ procedures to protect customers’ data.
Mr McDonald agreed that if the fine for breaching a regulation is only £5k then the finance director may consider it a small ‘risk’ and not worth worrying about. However, if the fine is £1m then it is surprising how quickly the ‘culture’ changes from the director downwards.
He pointed out that banks etc are now the ones making the first move and ‘fessing-up’ to mistakes and asking for advice and help.
Tristan Llewellyn-Jones reminded the audience of the Damian Green ‘affair’ in the UK - when he got raided by the police looking for the source of ‘leaks’ from the Home Office - and as a result his children got ‘subjected’ to the CAF form process; in case they had been traumatized by the experience of having their home ripped apart by the police. He fears a similar “intrusive and invidious” piece of legislation will be adopted in the IOM, despite the Scots, Welsh and Irish running a mile from it and looking at much better systems; and wondered why the IOM is trotting off down to London to get theirs and not looking for their own or elsewhere.
Mr McDonald pointed out that the Scottish system is up for a ‘data protection award’ and acknowledged that by contrast there has been huge criticism of the English version.
He said that the Information Commissioner had commissioned a report which reported that he should have been ‘kicking-off’ from the start about the proposals.
Mr Jones inquired if an IOM official turned up with a form could he turn them away, to which Mr McDonald said the system was based on “consent”.
Mike Coleman suggested that perhaps ‘personal liability’, rather than being able to ‘hide’ behind the indemnity of a company and an insurance policy, is required to help protect people’s data.
Mr McDonald responded by suggesting he ask the politician sitting behind him - DLGE Minister, John Shimmin - to take the idea to the Keys.
Roger Gimbert returned to the issue of the schools who had taken thumb prints of children, to enable them to access the school library, and inquired how it could be proved that the prints had been destroyed or not lost.
Mr McDonald replied that if Mr Gimbert made a request to him he would make further inquiries at the Dept. of Education; but added that he had been previously informed they had been deleted. However, he said it wouldn’t ever be possible to give a 100% assurance to Mr Gimbert.
PAG committee member, Joe Duffy put it to Mr McDonald that it should be a ‘citizen’s right’ to withhold certain information - as in his view too much of the information requested seems to be for ‘marketing’ purposes - and that by doing so shouldn’t mean they are denied access to a service.
Mr McDonald agreed that someone requesting information only needs what is essential and that this should be clearly identified from what is not essential.
Mr Duffy countered by saying that many institutions do not appear to ‘work’ like that; to which Mr McDonald said that as the law stands at the moment he can only give advice or investigate complaints. He explained that currently he cannot go to a bank and tell them what to do; but added as the law is changing in the UK it may be the IOM will follow suit in due course.
The final exchanges related to the use of covert CCTV, and whether the police are utilising this technology; especially as it is suggested that, in such a small place like the IOM, the police already know who is guilty before they get to court.
Mr McDonald didn’t think, other than perhaps for a specific purpose, it is; but did concede an exemption exists which allows the police to operate mobile cameras in unmarked police cars. Its use is allowed, he said, for the detection or prevention of crime.
Iain’s complete slideshow (except for copyrighted cartoons) and the English model for child protection through ‘Every Child Matters’ Common Assessment (CAF) form, and the Project Semaphore statistics he presented are attached.
From the discussion on the night it appeared that the Scottish model - ‘Getting it right for every child’ - may be more appropriate for the Island. More information on this is available here:
Finally, the privacy-themed cartoons that Iain used may be viewed from this website: