CyberLaw Blog

Archive for the ‘Database Nation’ Category

Burglary and theft account for a third of data security breaches, reports ICO: “The biggest security risks for organisations that process people’s personal details are burglary and theft, according to figures just published by the Information Commissioner’s Office (ICO).”

(Via OUT-LAW News.)

£500,000 maximum fine for data protection breaches: Government consults: “The Information Commissioner’s Office (ICO) would have the power to fine organisations up to £500,000 for serious breaches of data protection principles under plans announced this week by the Ministry of Justice.”

(Via OUT-LAW News.)

Telcos’ data breach notification amendment is passed: “The European Council has approved a data breach notification rule for Europe’s telecoms firms. The amendment to an EU Directive will force telcos to tell customers if they lose their data.”

(Via OUT-LAW News.)

Police log ‘domestic extremists’:

Thousands of activists monitored on network of overlapping databases

Police are gathering the personal details of thousands of activists who attend political meetings and protests, and storing their data on a network of nationwide intelligence databases.

The hidden apparatus has been constructed to monitor ‘domestic extremists’, the Guardian can reveal in the first of a three-day series into the policing of protests. Detailed information about the political activities of campaigners is being stored on a number of overlapping IT systems, even if they have not committed a crime.

Senior officers say domestic extremism, a term coined by police that has no legal basis, can include activists suspected of minor public order offences such as peaceful direct action and civil disobedience.

Three national police units responsible for combating domestic extremism are run by the ‘terrorism and allied matters’ committee of the Association of Chief Police Officers (Acpo). In total, it receives £9m in public funding, from police forces and the Home Office, and employs a staff of 100.

An investigation by the Guardian can reveal:

• The main unit, the National Public Order Intelligence Unit (NPOIU), runs a central database which lists thousands of so-called domestic extremists. It filters intelligence supplied by police forces across England and Wales, which routinely deploy surveillance teams at protests, rallies and public meetings. The NPOIU contains detailed files on individual protesters who are searchable by name.

• Vehicles associated with protesters are being tracked via a nationwide system of automatic number plate recognition (ANPR) cameras. One man, who has no criminal record, was stopped more than 25 times in less than three years after a ‘protest’ marker was placed against his car after he attended a small protest against duck and pheasant shooting. ANPR ‘interceptor teams’ are being deployed on roads leading to protests to monitor attendance.

• Police surveillance units, known as Forward Intelligence Teams (FIT) and Evidence Gatherers, record footage and take photographs of campaigners as they enter and leave openly advertised public meetings. These images are entered on force-wide databases so that police can chronicle the campaigners’ political activities. The information is added to the central NPOIU.

• Surveillance officers are provided with ’spotter cards’ used to identify the faces of target individuals who police believe are at risk of becoming involved in domestic extremism. Targets include high-profile activists regularly seen taking part in protests. One spotter card, produced by the Met to monitor campaigners against an arms fair, includes a mugshot of the comedian Mark Thomas.

• NPOIU works in tandem with two other little-known Acpo branches, the National Extremism Tactical Coordination Unit (Netcu), which advises thousands of companies on how to manage political campaigns, and the National Domestic Extremism Team, which pools intelligence gathered by investigations into protesters across the country.

Denis O’Connor, the chief inspector of constabulary, will next month release the findings of his national review of policing of protests. He has already signalled he anticipates wide scale change. His inspectors, who were asked to review tactics in the wake of the Metropolitan police’s controversial handling of the G20 protests, are considering a complete overhaul of the three Acpo units, which they have been told lack statutory accountability.

Acpo’s national infrastructure for dealing with domestic extremism was set up with the backing of the Home Office in an attempt to combat animal rights activists who were committing serious crimes. Senior officers concede the criminal activity associated with these groups has receded, but the units dealing with domestic extremism have expanded their remit to incorporate campaign groups across the political spectrum, including anti-war and environmental groups that have only ever engaged in peaceful direct action.

All three units divide their work into four categories of domestic extremism: animal rights campaigns; far-right groups such as the English Defence League; ‘extreme leftwing’ protest groups, including anti-war campaigners; and ‘environmental extremism’ such as Climate Camp and Plane Stupid campaigns.

Anton Setchell, who is in overall command of Acpo’s domestic extremism remit, said people who find themselves on the databases ’should not worry at all’. But he refused to disclose how many names were on the NPOIU’s national database, claiming it was ‘not easy’ to count. He estimated they had files on thousands of people. As well as photographs, he said FIT surveillance officers noted down what he claimed was harmless information about people’s attendance at demonstrations and this information was fed into the national database.

He said he could understand that peaceful activists objected to being monitored at open meetings when they had done nothing wrong. ‘What I would say where the police are doing that there would need to be the proper justifications,’ he said.

Data-losing companies may be forced to spill to public: “

European Commission mulls beef-up of law

The European Commission will consider passing new laws forcing organisations that lose personal data to go public with that loss. The Commission has until now been opposed to the creation of wide-ranging data breach notification requirements.…

“

(Via The Register – Public Sector.)

More than 5 million people now on DNA database: “

Still growing despite court ruling

The estimated number of people whose DNA profile is stored by the government has broken the five million mark for the first time.…

“

(Via The Register – Public Sector.)

DEFRA loses tapes – and plot: “

Situation normal – usual staggering government incompetence

It has been revealed that the UK’s Rural Payments Agency (RPA) lost tapes five months ago which contained the payment details of more than 100,000 farmers in the UK. It told DEFRA and DEFRA told nobody else, certainly not the farmers.…

“

(Via The Register – Public Sector.)

COURT OF APPEAL JUDGMENT ON POLICE DATABASE: “

On 19 October 2009, the Court of Appeal, in Chief Constable of Humberside Police v Information Commissioner (2009) EWCA Civ 1079, allowed police appeals against a decision of the IC, upheld by the IT, that data on old minor convictions (of which there are probably about 1 million) must be deleted from the Police National Computer (‘the PNC’).  The Court of Appeal held that retaining information for police operational needs in the fight against crime and for other purposes was justified and did not infringe the data protection principles (‘the DPP’) under the DPA 1998, especially principles 3 (personal data shall not be excessive in relation to the purpose for which they are procured) and 5 (personal data shall not be kept for longer than is necessary).

Waller LJ, applying the approach from the Bichard Inquiry, following the Soham murders, said, at paragraph 43: ‘If the police say rationally and reasonably that convictions, however old or minor, have a value in the work they do that should, in effect, be the end of the matter.’

Carnwath LJ referred to the importance in a case of this kind having the involvement of a Judge with direct and hands-on experience of the criminal system. Hughes LJ, with direct hands-on experience of both the criminal and family systems, summarised the position as being that it is for the data controller to determine the purpose(s) for which the data is processed;  it is not open to the IC to impose his own determination of those purposes; the imposition of a concept of ‘core police purposes’ was misconceived; and in any event the proper purposes of the police in managing the PNC plainly include the retention of information for provision to others who have a legitimate need for it.

 Hughes LJ emphasized practical considerations and in particular the value, in the public interest, of the existence of a single comprehensive record of convictions and of its being held by police forces acting collectively.  Hughes LJ said, at paragraph 107: ‘Like both Waller and Carnwath LJJ, I take the clear view that if senior police officers with considerable operational experience are satisfied that even very old and comparatively minor convictions may sometimes be of assistance in police investigations, then unless that view is perversely or unreasonably held, it is not open to the Commissioner to substitute his own view of their potential use. But I should also add that the opinion expressed by the police witnesses in this case entirely accords with what is seen to be true from time to time in major criminal investigations. As was in evidence in these proceedings, Dame Janet Smith also reached a similar conclusion when considering the investigation into Dr Shipman. Such old convictions, if never subsequently repeated, may very well not be the kind of material which it is proper to put before a jury, … but that does not begin to mean that they have not been of use in the investigation. Quite apart from propensity (or lack of it) to offend in a particular manner, they are likely to be useful for other reasons, of which location and associates are but two simple examples. Moreover, the critical consideration is not the use of the conviction standing by itself, but its potential value in conjunction with other information pieced together by a skilled detective.’

Hughes LJ further observed that many others depend heavily, and reasonably, on the maintenance by the police of these records. Those others include (but are not limited to) the criminal courts, the family courts and those concerned with the protection of children and the vulnerable.  He said that the criminal courts have a plain need for reliable and comprehensive information. The Rehabilitation of Offenders Act 1974 is expressly made not to apply to criminal proceedings. There are at least two situations in which the need for such records arises daily. The first is in sentencing. The second relates to the credit of witnesses, especially those relied upon by the Crown. The Secretary of State for Justice expressed the view in this case that ‘providing anything less than full information to the courts would potentially undermine the criminal justice process’.  Hughes LJ agreed.

Hughes LJ also stated that the importance of multi-agency working to child welfare in general, and to child-centred family proceedings in particular, has been recognised for many years, has been the repeated subject of judicial and ministerial exhortation alike, and is difficult to overstate. It is, nowadays, the daily norm of cases in the family courts. The Rehabilitation of Offenders Act 1974 is expressly made not to apply to these proceedings either.  It may well be that at times such co-operation throws up difficult questions about the extent of disclosure which a police force ought to make to social services or other child welfare professionals, but that is not a reason for failing to have available a comprehensive record in order to make a fully-informed decision about it.

As regards the vetting of potential employees, Hughes J said that, given the statutory framework, it is plain that it is part of the necessary public purposes of the PNC that it maintain a complete record of convictions etc to enable the statutory scheme to work.

(Via Panopticon Blog.)

Commission considers wider-ranging data breach notification law: “The European Commission will consider passing new laws forcing organisations that lose personal data to go public with that loss. The Commission has until now been opposed to the creation of wide-ranging data breach notification requirements.”

(Via OUT-LAW News.)

Police make a mockery of data protection: “

Court judgment ‘forgets privacy rights of millions’

Comment While the police are very keen to retain as much data on the average citizen as they can ‘just in case’ it becomes useful, they are markedly less happy when the data being collected relates to them.…

“

(Via The Register – Public Sector.)