A change of pace

Whether it is in relation to data sharing, covert surveillance or vetting and barring, the world of data protection is changing fast. Ibrahim Hasan reviews recent developments.

Data sharing

On 8 October 2010, the Information Commissioner's Office (ICO) launched a formal consultation exercise on the Code of Practice on Data Sharing. This code explains how the Data Protection Act 1998 (DPA) applies to the sharing of personal data. It is aimed at both the public and private sectors.

Organisations are encouraged to use the code to help them to understand how to adopt good data sharing practice. It is not legally binding, though it must be taken into account by the Information Commissioner and the courts when determining any issue before them.

Scenarios where data sharing might occur include a school passing information about a child to a social services department, a group of insurance companies pooling data about people making claims, GPs sending patient records to a hospital and a retailer passing customer details to a debt collection agency.

The code covers a number of areas including:

  • what factors an organisation must take into account when coming to a decision about whether to share personal data
  • the point at which individuals should be told about their data being shared
  • the security and staff training measures that must be put in place
  • the rights of the individual to access their personal data, and
  • when it is not acceptable to share personal data.

The document also includes suggested contents for an information sharing protocol, a template information request form and a template record of disclosure form. There is a set of case studies at the end on different information sharing scenarios and the factors which should be considered when deciding whether or not to share information. The code can be downloaded from the ICO website (www.ico.gov.uk). The consultation will run for twelve weeks until 12th January 2011.

Covert Surveillance

Covert surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) is a topic which has attracted many critical media headlines recently. In July the Investigatory Powers Tribunal found that Poole Council, in investigating a potentially fraudulent school application by doing covert surveillance, had violated a family’s human rights (see Jenny Paton and others v Poole Borough Council (2010) IPT/09/01/C).

In the same month the Home Secretary announced a review of local authority RIPA powers to be conducted by Lord Macdonald QC. He will report his findings in the autumn.

Lack of understanding of the law around surveillance and monitoring is not just the preserve of local authorities. More worryingly perhaps, it seems that the police also have some issues in this area. In June a controversial CCTV project in Birmingham was put on hold after a string of complaints. Project Champion – a network of automatic number plate recognition (ANPR) and closed circuit television – involved the setting-up of 169 ANPR and 49 CCTV cameras predominantly in the Sparkbrook and Washwood Heath areas of the city. Both areas have large Muslim populations.

Residents and community groups claimed they had been misled as the cameras were initially justified on the basis of tackling anti-social behaviour when they were actually being used for anti-terrorism operations. Recent media reports suggest that the cameras will soon be dismantled.

In September a review was published about the actions of West Midlands Police in setting up and running Project Champion. It concluded that there was little evidence of compliance with the legal or regulatory framework. The review identified that the Data Protection Act and the CCTV Code of Practice as well as RIPA had been disregarded when setting up the project.

Of course these issues would have come to light if the police had carried out a Privacy Impact Assessment (PIA) of the project at its inception. This is recommended by the ICO when public authorities undertake major projects that may have an impact on people’s privacy. There is a detailed guidance note on how to do a PIA on the ICO website. The coalition agreement also contains a proposal to further regulate CCTV, although as yet there is no detail as to how this will be done.

Storage of internet and email records

The coalition agreement states that the government “will end the storage of internet and email records without good reason”. However, a recent announcement of its intention to introduce the Interception Modernisation Programme, at a cost of £2bn, suggests that the government may have abandoned this commitment.

Details of the scheme will be published within weeks and will build on Labour's abandoned proposal (which was heavily criticised by the coalition partners at the time) to require communications service providers (CSPs) to collect and store the traffic details of all internet and mobile phone use.

The problem for CSPs here is that, while they keep a limited amount of such data already for their own subscribers for billing and other commercial purposes, the programme will also require them to store a much bigger volume of third party data such as from Google Mail, Twitter, Skype and Facebook that crosses their servers every day.

The Home Office stresses that the scheme would not give the police and security services access to the content of emails or text messages but case-by-case access to the traffic details of who contacted whom at what time and from what location. The Information Commissioner has expressed concerns about privacy and is to meet the Home Office to discuss them.

Vetting and barring

The vetting system for those working with children is to undergo a radical re-examination, the Home Office has announced. The Vetting and Barring Scheme (VBS) was launched in October last year in response to the murder of Holly Wells and Jessica Chapman by school caretaker Ian Huntley in 2002. Set up by the Independent Safeguarding Authority, it was designed to prevent unsuitable people working with children and vulnerable adults, with employers facing prosecution for breaches.

Last month the think tank Civitas called for the scheme to be axed altogether. It said the VBS risked combining with a broader culture of fear to "poison the relationship between the generations". The organisation said problems included more than 12,000 innocent people erroneously being labelled as paedophiles, violent or criminals, councils banning parents from playgrounds and parents running into difficulties when trying to share the responsibilities of the school run.

The Home Office Review will examine whether the VBS is the best way to protect children and vulnerable people and, if so, how many roles it should cover. The final recommendations will be announced early in 2011. A separate review will consider changes to criminal record checks including limits on what information can be passed to employers and when they can or cannot ask for background checks.

Google Street View

Finally the ICO is to look again at what personal information internet giant Google gathered from private wi-fi networks when its vehicles roamed the country taking pictures for its Street View project. The ICO had carried out an investigation earlier this year and concluded there was no breach of the DPA at the time as very little personal data had been gathered.

It will be interesting to see what the Information Commissioner concludes this time in the light of Google’s admission that it collected much more extensive data including whole emails. Since 6 April this year, the Information Commissioner has had the power to fine organisations for gross breaches of the Act. Fortunately for Google it cannot be fined on this occasion because the offence, if it is proved, took place before the power came into force.

Ibrahim Hasan is a solicitor and director of Act Now Training. He runs regular free webcasts on all aspects of information law (www.actnow.org.uk)