Site iconSite icon IFSEC Insider | Security and Fire News and Resources

The Surveillance Society report: Privacy and safeguards

The report rejects “crude characterisations of our society as a surveillance society in which all collections and means of collecting information about citizens are networked and centralised in the service of the state”.

Yet, it says, “the potential for surveillance of citizens in public spaces and private communications has increased to the extent that ours could be described as a surveillance society unless trust in the Government’s intentions in relation to data and data sharing is preserved. The Home Office in particular and Government in general must take every possible step to maintain and build on this trust: our Report provides a starting point.”

The report recommends that the Information Commissioner presents an annual report on surveillance to Parliament, and that the Government produces a response to the report, also to be presented to Parliament. It also recommends “that Parliament have the opportunity to hold an annual debate on this issue”.

It notes that technology has advanced so that private and public sector service providers can target and facilitate access to service and products, but believes “the elimination of technological barriers to the collection, storage and sharing of large volumes of information, however, has significant implications for individual privacy and potentially for society at large”.

“The Government should be open about its intentions in relation to collecting personal information, and should make sufficient time for public and Parliamentary debate on its proposals. In general the Government should move to curb the drive to collect more personal information and establish larger databases.”

Increased risks
The report says the “the risks associated with surveillance increase with the range and volume of information collected. The Government has a crucial role to play in maintaining the trust of the public: any evaluation of the use of surveillance must take into account the potential risk to this relationship with the public.”

It says the drive to make the most of technological capabilities should be tempered by an evaluation of the risks involved in collecting more information.

“Particular consideration should be given to situations in which individuals might suffer as a result of their lack of awareness or ability to take advantage of opportunities to exercise choice over how information about them is used, or to check that it is accurate,” the report says.

The report recommends that the Government “track and make full use of new developments in encryption and other privacy-enhancing technologies and in particular those which limit the disclosure and of collection of information which could identify individuals. We further recommend that the resources of the Information Commissioner’s Office be expanded to accommodate sufficient technical expertise to be able to work with the Chief Information Officer to provide advice on the deployment of privacy-enhancing technologies in Government.”

Raising public awareness
The report says the Home Office should work with the Information Commissioner to raise public awareness of “how the Home Office collects, stores, shares and uses personal information. The Home Office should highlight the distinction between those areas in which individuals can exercise choice by giving or withholding their consent, and those areas in which seeking informed consent is not feasible and transparency is particularly important”.

It recommends that the Government “adopt a principle of data minimisation in its policy and in the design of its systems. We further recommend that the Government acknowledge the distinction between identification and authentication as one which is valuable in its efforts to adhere to this principle”.

It also says information should only be held for as long as is necessary to fulfil the purpose for which it was collected – if needed for a secondary purpose it should be “anonymised” and retained only for a specified period.

It welcomes reviews commissioned by the Government to improve data security, expects it to reassess “the adequacy of the definitions and principles set out in the Data Protection Act. Such a reassessment should be carried out not only in light of recent data loss incidents but also against the challenges presented by increases in the collection, storage and sharing capability of information systems and intensification in criminal activity associated with the misuse of personal information. The Home Office must act as a matter of urgency to tackle these challenges”.

“Any increase in the collection and storage of information increases the risk that security will be breached and that information will be used for purposes other than those for which it was collected,” the report says.

“In keeping with a principle of data minimisation, more rigorous risk analysis of systems already in place must be carried out before new techniques for collecting information are deployed or new databases planned. The decision to create a major new database, share information on databases, or implement proposals for increased surveillance should be based on a proven need.”

Desiging it in
The report places an emphasis on ‘designing in’ security and privacy in every system for collecting and storing personal information and data. It also says that “for existing and proposed systems the Government should specify what it considers to be an acceptable level of failure and develop contingency plans to mitigate the damage caused by leaks or theft of data.”

“The weakest aspect of a system may be the establishment and enforcement of protocols for access and use rather than any technological safeguard,” the report says. “Organisations which manage such systems must take full responsibility for limiting access to databases and the information they contain and for enforcing procedures for sharing and transferring data.

“We support the Information Commissioner’s call for an extension of his inspection and audit powers to facilitate the strengthening of these procedures across Government and the private sector. Tougher penalties for negligent information-handling should be introduced in order to make clear where the burden of responsibility lies.

“A privacy officer or director of data security should be assigned by departments to take responsibility for risk analysis and to report to the Permanent Secretary on the privacy implications and safeguards of each project which involves the collection or sharing of personal information.

“The Home Office should publish a report on an audit of the data collections managed by the Department and its agencies, outlining as far as possible without compromising security the technological and procedural safeguards currently in place.”

Exit mobile version