I recently re-read The Hitch-Hiker’s Guide to the Galaxy. It begins with Arthur Dent discovering his house is about to be destroyed to make way for a bypass, under plans that “have been available in the local planning office for the last nine months”, in a dark basement where they were almost impossible to find:
“But look, you found the notice didn’t you?”
“Yes,” said Arthur, “yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard’.”
It seems The Telegraph has turned up some similarly obscure proposals. It ran an article this week, claiming
Details of the financial history, qualifications and property wealth of millions of Britons could be shared across Whitehall for the first time without their consent, the Telegraph can disclose. Information including voters’ driving licences, criminal records, energy use and even whether they use a bus pass could be shared under a radical blueprint to link up thousands of state databases used by schools, councils, police and civil servants.
So, the basic idea is to link databases into one big database. This blog considers that idea – which in itself is hardly new – measuring it against the existing law, and framing the existing law in the context of the ongoing rumblings of discontent in the UK with anything European.
Where are these new bypass proposals to be found? The article appears to be based on this document. I have to say it’s a bit obscure: it’s headed up “Cabinet Office Initial Discussion Document on Data Sharing Policy for publication on http://datasharing.org.uk/”. That website is registered to Simon Burall, presumably the Director of Involve who are described as “experts in public participation“. On that website (and it appears to be nowhere else, in particular not on the Cabinet Office website), links to the document from here and here are both broken; and anyway as the unanswered question in the comments section observes,
Is this blog or http://www.datasharing.org.uk the official channel for publishing Cabinet Office discussion documents such as that on data sharing?
I cannot find it – or any mention of it – on the Cabinet Office website – and there are no links to datasharing.org.uk
Could I suggest that the Cabinet Office publishing discussion documents (with no formal attribution) on an obscure website hardly represents transparency or a desire for any public response.
I’ll assume that the Telegraph did verify its source though, not least because on Tuesday, it published a fascinating response from the minister concerned. Under the heading “This Government is not interested in building large databases”, Francis Maude wrote,
We are not interested in building large databases. We will not weaken the Data Protection Act. Nor will we collect more data about people, or use information in ways beyond those that the public already assume we do.
At present, the data Whitehall holds is divided between departments. There is no simple way to cross-reference it, if indeed it can be done at all.
This means that the public miss out on more effective, tailored services, and that the taxpayer loses billions to fraudsters.
So we think it’s worth exploring, in a very open and transparent way, whether we can use the data we already have more effectively.
Taking that at face value, the argument can be simplified thus:
- the state is an entity;
- the state as an entity proposes to consolidate the data it already holds in the name of efficiency;
- citizens will benefit from the State having more efficiently consolidated data.
Data-Sharing or Data-Processing?
The issue of the right or otherwise to share information between bodies is so embedded in the public imagination that it may come as a surprise if I say that the Data Protection Act as originally enacted had nothing to say about data-sharing at all.
What it had a lot to say about was data-processing. While that sounds dull, conjuring up images of poorly-paid data-inputters, the truth is that just about anything we do with data, including sharing it, is data-processing.
The reason this matters now is that Francis Maude’s argument appears to raise an idea that different organs of the State are all part of the same big entity. We are being invited to stop thinking about this as sharing between one organisation and another, and start thinking about it as a single entity, putting forward proposals that do not involve sharing with anyone outside itself. However, the short legal answer to that invitation is that creating a consolidated database or sharing databases internally is just as much data-processing as is data-sharing between organisations.
Limits on data-processing
Since the Data Protection Act regulates data-processing and not simply data-sharing, what limits does it place? The following are key (schedules 1 and 2):
- data-processing, and not just data-sharing, must be fair, and this means “regard is to be had to the method by which [data is] obtained, including in particular whether any person from whom [data is] obtained is deceived or misled as to the purpose or purposes for which [data is] to be processed” (schedule 1, part II, paragraph 1);
- data-processing, and not just data-sharing, must be either with consent or else necessary in accordance with one of the alternatives to consent (schedule 2);
- other data-protection principles continue to apply including that data “shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes” (schedule 1, part I, paragraph 2).
Unless the creation of this new State Database is both necessary and consistent with what we all expected when we chose our child’s school, swiped our bus-pass or changed our electricity supplier, it is hard to see how it can fail to fall foul of the existing law.
Data-processing as European law
If Francis Maude is right, that the government “will not weaken the Data Protection Act” it is hard to see how this new Mega State Database can be going anywhere.
It is plain, though, that the existing protections for our privacy are closely linked to Europe. As I have set out elsewhere,
It is the case, of course, that Europe features in both human rights and data protection: the former because it is the European Convention of Human Rights, from the Council of Europe, that is set out in the Human Rights Act; the latter because the Data Protection Act gives effect to the law of the European Union, specifically EU Directive 95/46/EC.
The plain fact is, the current government has little time for either Human Rights or the European Union. On the latter front, under cover of a ministerial reshuffle last month, it pushed through emergency legislation to renew provisions that had been held by the European Court of Justice to have been in breach of European Union law.
And those provisions were about… data protection and state surveillance.
Anyway, back to the plot. It quickly emerges that plans to destroy Arthur Dent’s house are neither here nor there, as the planet is about to be destroyed to make way for a hyperspace bypass:
There’s no point in acting surprised about it. All the planning charts and demolition orders have been on display at your local planning department in Alpha Centauri for 50 of your Earth years, so you’ve had plenty of time to lodge any formal complaint and it’s far too late to start making a fuss about it now. …
I don’t know, apathetic bloody planet, I’ve no sympathy at all.