An article in Document Management News reports on the legal action being taken by the European Commission against the UK for gaps in the legislation required to comply with EU data protection laws. The investigation leading to the action was initiated because of failure to control a specific activity – BT’s trial of PHORM, which tracks web user habits and sends targeted advertising based on what the user is apparently interested in.

The UK usually complies slavishly with EU regulations, with civil servants accused of “gold-plating” the Commission’s requirements, adding refinements and extra burdens mainly as cynical job-creation exercises to keep them and their cohorts (and their cohorts’ descendants) in work. Take the dull little men at DEFRA (the Department for Environment, Food and Rural Affairs, historically a kind of dustbin for those not employable in any other government department) and give them a short EU regulation on, say, horse exports or slaughterhouses and they will (after much generously-rewarded labour), produce a law ten times as long and detailed, guaranteed to increase costs, close down businesses and put people out of work. Their own salaries and pensions, of course, are safe (if you search for “gold-plated” in Google, the results are divided between articles about British civil servants amplifying EU directives and articles about the pensions of those same civil servants).

So what has stopped the pen-pushers of the Ministry of Justice from doing the same with the EU data protection rules? Why do we not have a gold-plated version of ePrivacy Directive 2002/58/EC and the Data Protection Directive 95/46/EC? We do, of course, have the Data Protection Act 1998 and an Information Commissioner, so we have complied with our primary obligations under the EU rules. But why no gold-plate?

One answer, perhaps, is that the worst offender when it comes to private data is the government itself, either as a policy or through incompetence. No government since that of Erich Honecker’s East Germany has had greater ambitions to collect information about its citizens; no government has made such an incompetent mess of it politically or technically. Billions have been spent on databases to capture and share personal data,  much of it wasted through inadequate specification. The fact that the government has consistently bogged up the implementation of its databases makes it no less a threat to personal privacy and freedom.

Even such few safeguards as the systems contain in principle are rendered nugatory when, as Simon Carr put it in The Independent, “The Government’s most common way of data sharing is leaving 25 million of our records in the car park while they slip in for a pint” – this followed the accidental release of huge volumes of personal data by HMRC in November 2007, just one of several incidents which have caused deep concern even amongst those who support (or, at least, do not object to) the collection itself.

Wasted money and data loss are not the only concerns.  Until an outcry forced the government to limit the categories of people able to make use of investigatory powers under RIPA (The Regulation of Investigatory Powers Act 2000), low-grade staff in the bottom tiers of government (even down to local authorities where the lowest forms of bureaucratic life fester) were able to access personal information with the minimum of formality.

The UK Government’s attitude to personal information is best illustrated by a section slipped in at the end of the Coroners and Justice Bill 2008-09. The bill itself is a rag-bag of measures, extending from death certification and inquests, to simplification of the language in the offence of assisting suicide, to provisions for helping vulnerable witnesses. Tucked away at the bottom was Section 152 (later 154) which began thus:

152 Information sharing

(1) After section 50 of the Data Protection Act 1998 (c. 29) insert—

“Part 5A Information Sharing
50A Power to enable information sharing

(1) Subject to the following provisions of this Part, a designated authority may by order (an “information sharing order”) enable any person to share information which consists of or includes personal data.

This section was described by No2ID (an organisation established primarily to oppose the introduction of ID cards) thus in its Parliamentary Briefing on the Bill:

Buried among the numerous complicated and controversial provisions of this legislation is a single clause, clause 152 in the first draft of the Bill, which is a profound threat to privacy, liberty and the rule of law. It is enabling legislation that converts the Data Protection Act into a machine for massively increasing the dealing by government in information of all kinds. It is designed to allow ministers to use a fast-track regulatory procedure to sweep away data protection, human-rights considerations, confidentiality, legal privilege, and ultra vires when they would stand in the way of any use, acquisition or dissemination of information in pursuit of departmental policy.

Shortly after the Bill was published, the then Home Secretary, Jacqui Smith, announced a consultation on government proposals to:

allow all data that public authorities might need, to be collected and retained by Communications Service Providers [and] having CSPs process the data to enable specific requests by public authorities – such as the police and Security Service – to be processed quickly and comprehensively.

Although the government expressly denied that it was setting up a “single store of all communications data”, the effect of these proposals, especially when coupled with the data-sharing provisions slipped into the Coroners and Justice Bill, would be to allow a virtual collection of data of every aspect of an individual’s personal life by the sort of people who leave data in car parks, including data collected and held by private sector data controllers over whom the Information Commissioner has no effective power.

Section 152 has been withdrawn after the public outcry. I am not sure what has happened to the consultation on communications data. Jacqui Smith discovered the hard way what happens when private information falls into the wrong hands when her misuse of the MPs’ expenses system was uncovered. She has resigned, and any remission from public opprobrium which that might have won her was thrown away by her ungracious and perfunctory apology to the Commons.

If the government has failed to institute the unchecked use of private data, it is not for want of trying. We have been protected from some of it by poor management, and some will wither for want of funds or loss of Parliamentary time. The nature of the Section 152 power was that no further Parliamentary intervention would have been possible and the so-called “super-database” could have been created by government fiat; as No2ID put it, the purported safeguards in the bill  “merely preserves the bureaucratic hierarchy by ensuring mandarins get each other’s permission for working in each other’s areas of responsibility”.

If we can, to some extent, console ourselves with the thought that the government is not competent to implement much of what it aspires to, that is balanced by the fear that tomorrow will bring us another tale of data lost by inadvertence or incompetence, and through the lack of effective systems and procedures to safeguard it. Meanwhile, no new legislation is required for the recent proposal that anyone having contact with a child (including its parents’ friends) would have to be registered as safe to do so.

It is in this context – of surreptitious extensions of powers, of incompetence of specification and implementation, of ever-closer scrutiny by ministers whose own conduct does not stand scrutiny, and ever-increasing accumulation of personal information by public servants whose powers are disproportionate to their abilities – that the European Commission is initiating its proceedings against the UK. The real issue here, perhaps, is that if you seek examples of unwarranted extensions of powers, of incompetence, of conduct which defies close examination, and of civil servants whose authority outstrips their capacity to use it, the European Commission is the place to look.

Home