Category Archives: surveillance

Monitoring of blogs and lawful/unlawful surveillance

Tim Turner wrote recently about the data protection implications of the monitoring of Sara Ryan’s blog by Southern Health NHS Trust. Tim’s piece is an exemplary analysis of how the processing of personal data which is in the public domain is still subject to compliance with the Data Protection Act 1998 (DPA):

there is nothing in the Data Protection Act that says that the public domain is off-limits. Whatever else, fairness still applies, and organisations have to accept that if they want to monitor what people are saying, they have to be open about it

But it is not just data protection law which is potentially engaged by the Trust’s actions. Monitoring of social media and networks by public authorities for the purposes of gathering intelligence might well constitute directed surveillance, bringing us explicitly into the area of human rights law. Sir Christopher Rose, the Chief Surveillance Commissioner said, in his most recent annual report

my commissioners remain of the view that the repeat viewing of individual “open source” sites for the purpose of intelligence gathering and data collation should be considered within the context of the protection that RIPA affords to such activity

“RIPA” there of course refers to the complex Regulation of Investigatory Powers Act 2000 (RIPA) (parts of which were reputedly “intentionally drafted for maximum obscurity”)[1]. What is not complex, however, is to note which public authorities are covered by RIPA when they engage in surveillance activities. A 2006 statutory instrument[2] removed NHS Trusts from the list (at Schedule One of RIPA) of relevant public authorities whose surveillance was authorised by RIPA. Non-inclusion on the Schedule One lists doesn’t as a matter of fact or law mean that a public authority cannot undertake surveillance. This is because of the rather odd provision at section 80 of RIPA, which effectively explains that surveillance is lawful if carried out in accordance with RIPA, but surveillance not carried out in accordance with RIPA is not ipso facto unlawful. As the Investigatory Powers Tribunal put it, in C v The Police and the Home Secretary IPT/03/32/H

Although RIPA provides a framework for obtaining internal authorisations of directed surveillance (and other forms of surveillance), there is no general prohibition in RIPA against conducting directed surveillance without RIPA authorisation. RIPA does not require prior authorisation to be obtained by a public authority in order to carry out surveillance. Lack of authorisation under RIPA does not necessarily mean that the carrying out of directed surveillance is unlawful.

But it does mean that where surveillance is not specifically authorised by RIPA questions would arise about its legality under Article 8 of the European Convention on Human Rights, as incorporated into domestic law by the Human Rights Act 1998. The Tribunal in the above case went on to say

the consequences of not obtaining an authorisation under this Part may be, where there is an interference with Article 8 rights and there is no other source of authority, that the action is unlawful by virtue of section 6 of the 1998 Act.[3]

So, when the Trust was monitoring Sara Ryan’s blog, was it conducting directed surveillance (in a manner not authorised by RIPA)? RIPA describes directed surveillance as covert (and remember, as Tim Turner pointed out – no notification had been given to Sara) surveillance which is “undertaken for the purposes of a specific investigation or a specific operation and in such a manner as is likely to result in the obtaining of private information about a person (whether or not one specifically identified for the purposes of the investigation or operation)” (there is a further third limb which is not relevant here). One’s immediate thought might be that no private information was obtained or intended to be obtained about Sara, but one must bear in mind that, by section 26(10) of RIPA “‘private information’, in relation to a person, includes any information relating to his private or family life” (emphasis added). This interpretation of “private information” of course is to be read alongside the protection afforded to the respect for one’s private and family life under Article 8. The monitoring of Sara’s blog, and the matching of entries in it against incidents in the ward on which her late son, LB, was placed, unavoidably resulted in the obtaining of information about her and LB’s family life. This, of course, is the sort of thing that Sir Christopher Rose warned about in his most recent report, in which he went on to say

In cash-strapped public authorities, it might be tempting to conduct on line investigations from a desktop, as this saves time and money, and often provides far more detail about someone’s personal lifestyle, employment, associates, etc. But just because one can, does not mean one should.

And one must remember that he was talking about cash-strapped public authorities whose surveillance could be authorised under RIPA. When one remembers that this NHS Trust was not authorised to conduct directed surveillance under RIPA, one struggles to avoid the conclusion that monitoring was potentially in breach of Sara’s and LB’s human rights.

[1] See footnote to Caspar Bowden’s submission to the Intelligence and Security Committee
[2] The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) (Amendment) Order 2006
[3] This passage was apparently lifted directly from the explanatory notes to RIPA


Filed under Data Protection, human rights, NHS, Privacy, RIPA, social media, surveillance, surveillance commissioner

Police building register of domestic CCTV for crime investigation purposes?

This is a flyer apparently being distributed by Thames Valley Police (TVP).


It invites householders who have private CCTV systems to register with TVP, who want to use those systems “in order to assist us in future investigations”.

Surveillance camera footage can undoubtedly be of great use in the investigation and prosecution of crime. But there is a potential problem for householders who decide to register with TVP, and I’d be interested to know if the latter have taken this into account.

The problem is this: CCTV cameras involve the processing of data, and where they capture images of identifiable individuals, it is personal data that they are processing. Purely domestic processing of personal data is exempt from all of the obligations under the Data Protection Act 1998, but when the processing is no longer purely for domestic purposes, then legal obligations potentially attach themselves to those doing the processing. The Information Commissioner’s Office (ICO) CCTV Code of Practice (both the current 2008 version and an updated version currently in draft) explains

The use of cameras for limited household purposes is exempt from the DPA. This applies where an individual uses CCTV to protect their home from burglary, even if the camera overlooks the street or other areas near their home

But the corollary of this is that if its use is not purely for the “household purposes” of protecting one’s home from burglary, then the exemption no longer applies. If householders are determining that the purpose for which they will process personal data is to assist TVP in criminal investigations, then they are data controllers.

This can’t simply be TVP wanting a register of CCTV-operating households to assist them if a crime happens on those specific premises, because that would be pointless: in those circumstances the householder would draw the footage to the police’s attention. No, this must be that TVP want to be able to access footage of relevant incidents outwith the individual household. 

I’ve asked TVP if they have any policy statement or guidelines on this initiative, and will update as and when they reply.


Filed under Data Protection, police, Privacy, surveillance, surveillance commissioner

Right now, you are being monitored

This morning, as I was leaving the house for work, I wanted to check the weather forecast so started tapping and swiping away at my newish iPhone to find the weather screen. I was startled to see some text appear which said

Right now, it would take you about 11 minutes to drive to [workplace address]

(It looked a bit like this (not my phone I stress)).

It was correct, it would indeed take me about that long to drive to work at that time, but I was genuinely taken aback. After a bit of research I see that this was a new feature in iOS7 (and, indeed, the weather widget was lost at the same time). Sure enough, I find that my new phone has been logging frequently visited locations, but must have also been logging the fact that I travel between A (home) and B (work) frequently. It is described by Apple as being a way to

Allow your iPhone to learn places you frequently visit in order to provide useful location-related information

I’m not going to argue whether this is a useful service or not, or even whether on general principles it is concerning or not. What I am going to say is that, because I’ve not had much time recently to sit down and learn about my new phone, to customise it in the most privacy-friendly way, I’ve been saddled with a default setting which has captured an extraordinarily accurate dataset about my travel habits without my knowledge. And yes, I know that tracking is a prerequisite of mobile phone functionality, but I would just rather it was, as default, limited to the bare minimum. 

p.s. to turn off this default setting, navigate to Settings/Privacy/Location Services [scroll to very bottom]/System Services/Frequent Locations and set to “off”

Filed under Data Protection, interception, Privacy, surveillance, tracking

A balanced view on Optic Nerve

As I’m keen always to take a balanced view of important privacy issues, and not descend into the sort of paranoid raving which always defines, say, the state as the enemy, capable of almost anything, I sometimes think I end up being a bit naive, or at least having naive moments.

So, when outgoing Chair of Ofcom Dame Colette Bowe recently gave evidence to the House of Lords Select Committee on Communications, and said about consumers that

their smart TV may well have a camera and a microphone embedded in it there in their living room. What is that smart TV doing? Do people realise that this is a two-way street?

I thought for a moment “Oh come on, don’t be so scaremongering”. Sure, we saw the stories about Smart TVs and cookies, which is certainly an important privacy issue, but the idea that someone would use your TV to spy on you…?!

And then, of course, I quickly remembered – with a feeling of nausea – that that is exactly the sort of thing that GCHQ are alleged to have done, by jumping on the unencrypted web cam streams of Yahoo users, as part of the Optic Nerve program. And each time I remember this, it makes me want to scream “THEY WERE INDISCRIMINATELY SPYING ON PEOPLE…IN THEIR HOMES, IN THEIR BEDROOMS, FOR ****’S SAKE!”

And they were doing it just because they could. Because they’d noticed a way – a vulnerability – and taken advantage of it to slurp masses of intensely private data, just in case it might prove useful in the future.

The intrusion, the prurience, the violation do indeed make me feel like raving against the state and its agents who, either through direct approval, or tacit acceptance, or negligence, allowed this to happen. Although *balance alert* GCHQ do, of course, assure us that “GCHQ insists all of its activities are necessary, proportionate, and in accordance with UK law”. So that’s OK. And yes, they really did call it “proportionate”. 

I know the web cam grabbing was by no means the only such intrusion, but for me it exemplifies the “something” which went wrong, at some point, which led to this. I don’t know what that something was, or even how to fix it, and I’ve never used a web cam, so have no direct interest, but I will closely watch the progress of Simon Davies’ request for the Attorney General to refer the matter to the police.


Filed under Confidentiality, Data Protection, human rights, interception, Privacy, RIPA, surveillance

The Windmills of Mr Cameron

The Prime Minister revealed recently that, when it comes to justifying the introduction of disproportionately intrusive surveillance legislation, he draws comfort from fictional depictions of crime detection:

In the most serious crimes [such as] child abduction communications data… is absolutely vital. I love watching, as I probably should stop telling people, crime dramas on the television. There’s hardly a crime drama where a crime is solved without using the data of a mobile communications device

Although this revelation has drawn some criticism, I think such criticism is unfair. Mr Cameron’s policy approach has a precedent. Hansard shows that, more than forty years ago, his predecessor adopted similarly populist bullshit robust research. Harold Wilson, in a debate on proposed changes to laws regarding investigation of serious crimes


is recorded as saying

The Prime Minister: In the most serious crimes a spectral assistant is absolutely vital. I love watching, as I probably should stop telling people, crime dramas on the television. There’s hardly a crime drama where a crime is solved without a private detective consulting his dead partner who has returned as ghost whom no one else but he can see. If we don’t modernise the law to permit this sort of practice we will never know how many dead people could still have fulfilled their calling to support their surviving crime-busting partners while wearing dandyish white suits

So, Loz Kaye, Paul Bernal, OnlyOneIssue et al…enough with your cynicism. Get out your history books and recognise that there’s a venerable tradition of people with too much time and money on their hands imagining that fiction is reality.


Filed under satire, surveillance, Uncategorized

THIS is the purpose of subject access requests

In a recent blogpost the rather excellent Bilal Ghafoor (who goes by the handle of “FOIKid”, although I note he’s now extended this to “FOI (and DP) Kid”, evidently having rather belatedly discovered the joys of data protection) asked “What is the purpose of subject access requests?”. He drew attention to the potential discord between approaches by the Information Commissioner and by the courts (in cases such as Durant v Financial Services Authority [2003] EWCA Civ 1746) to such requests (made under section 7 of the Data Protection Act 1998 (DPA)).

In a comment on that post I argued that the Court of Appeal in Durant was perhaps not as out-of-step with, at least, the EC data protection Directive 95/46/EC as is sometimes thought

it’s important to note that the Court of Appeal were keen to stress the fact that the Act gives effect to the Directive, and that the Directive and its recitals have a “primary objective” to “protect individuals’ fundamental rights, notably the right to privacy and accuracy of their personal data held by others…

This particular primary objective is illustrated quite starkly by the news from the Press Gazette that comedian/journalist Mark Thomas discovered, through submitting a subject access request, that his name is on a “domestic extremist database”:

police held a file of seven pages containing more than 60 individual items of intelligence…”a bizarre list of events monitored by the police, lectures given, panels attended, even petitions I have supported…the police have monitored public interest investigations in my case since 1999″

Thomas says he is taking legal action to have his name removed. This will be an interesting case if it reaches court, joining a line of cases where people try to effect removal of records from police systems.

What is also interesting though is that Thomas, and the National Union of Journalists (NUJ), are encouraging journalists to submit subject access requests to the police. As Thomas says

I know of other NUJ members on the database….Which is why I am asking NUJ members to take action. If your work brings you into contact with the police whether covering riots or climate camp, from Plebgate to the NSA, then the police could have you on their database

and the NUJ general secretary Michelle Stanistreet adds

we want as many other members as possible to find out what information the Met is holding

In answer to Bilal’s question, then, I think that this – the investigation of how an arm of the UK state monitors and records the activities of the free press – is a vitally important example of what the purpose is of subject access requests.


Filed under Data Protection, police, Privacy, surveillance

Is the BBC spying on whistleblowers?

A couple of the normal BBC-baiting newspapers report that that organisation has been “accused of spying on whistleblowers”, after a Freedom of Information request revealed that the BBC’s Investigation Service monitored emails of 30 workers last year. The Telegraph says this

raised fears that BBC management is engaged in a crack down on people it suspects of whistle-blowing about their concerns over the running of the corporation

There seems to be absolutely no evidence for this. To me it looks more like an employer intercepting communications on business systems in order to prevent or investigate potential unlawful behaviour. The law provides for this, and the paper reports that the BBC even said

The BBC Investigations Service does not target whistleblowers. The four cases of leaked information involved other matters such as the release of commercially sensitive information or the release of internal information – none of the four cases of leaked information could be considered as whistleblowing in any sense. The BBC has a clear policy protecting the right to whistleblow

The circumstances under which email communication can be intercepted by an employer are clearly prescribed by law. The much-maligned and -misunderstood Regulation of Investigatory Powers Act 2000 (RIPA) corrected the previous domestic position that workplace surveillance could not amount to an infringement of an employee’s Article 8 rights (a position criticised by the European Court of Human Rights in Halford v UK). The provisions of section 1 of RIPA create a criminal offence of unlawful interception of a communication (transmitted either by public or private telecommunications system) where the interception occurs without lawful authority. However, secondary legislation, made under RIPA, prescribes what “lawful authority” can mean within an employment context. The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (the “LBP Regulations”) provide inter alia that interception of emails will be lawful if it is done for the purposes of preventing or detecting crime, or for the purpose of investigating or detecting the unauthorised use of that or any other telecommunication system. This can be done without consent or notification as long as the business informs users of its systems in advance (normally by way of a policy) that emails may be intercepted for relevant purposes (I wrote on this in detail in None of our business? Private emails, FOI and lawful interception (PDP FOI Journal, Nov/Dec 2011, Volume 8, Issue 2, subscription only)).

So, provided the BBC have a policy informing staff that their emails could be intercepted (and I would be amazed if they don’t) they will have done nothing wrong, and nothing that a responsible employer, and public service provider, should be blamed for doing. Do the Telegraph and the Mail think the BBC should not investigate alleged unlawful – perhaps criminal – behaviour on the part of its staff?


Filed under BBC, employment, interception, RIPA, surveillance

Privacy in the workplace – Employment Appeal Tribunal ruling

The boundary between a person’s private life and their public activities is not easy to mark, and its position has shifted with development of human rights jurisprudence. Thus, a person attempting to commit suicide in public, captured on CCTV, was held to have had his rights under Article 8 of the European Convention on Human Rights breached when the footage was subsequently broadcast (Peck v UK [2003] ECHR 44).

Similarly, the question as to the extent to which an employer must respect an employee’s privacy rights in the workplace, or the working environment, is no longer simply answered by reference to the terms of the employment contract. In addition to the employee’s Article 8 rights, the employer must have regard to the Data Protection Act 1998 (DPA) for which there is guidance, in the form of the Employment Practices Code, published by the Information Commissioner’s Office under section 51(2) of the DPA (“the ICO Code”).

All of these issues are addressed in an interesting recent judgment handed down in the Employment Appeal Tribunal (EAT). The case – Swansea Council v Gayle – was an appeal from an earlier Employment Tribunal (ET) decision, which had found that Mr Gayle had been unfairly dismissed (although it also found that he had not been wrongfully dismissed, nor racially discriminated against). He had twice been observed at a leisure centre during working hours and was subsequently covertly filmed several times by an investigator while leaving, or being in the process of leaving, the same leisure centre at times when he was claiming to be working.

The ET determined that, even before the covert filming had begun, the employer had had sufficient evidence to support its suspicions that its employee had been untruthful about his activities during working hours:

There was no longer a legitimate reason (or for Article 8 purposes, a legitimate aim) to place him under covert surveillance.  Even if there was a legitimate aim the Council’s manner of doing so was disproportionate and unjustified

Accordingly

the process by which the Council dismissed Mr Gayle involved an unjustified interference with his Article 8 right to a private life…the circumstances of his dismissal fell within the ambit of Article 8; the state had a positive obligation to safeguard his Article 8 right (as, indeed, did the Council as a public body); in all the circumstances, the Council’s interference with that right was unnecessary and disproportionate; the fact that the Council had a permissible reason to dismiss Mr Gayle is not by itself sufficient since it could have fairly dismissed him without such interference

As the EAT said, this amounted to the rather odd proposition that

the dismissal was unfair because the investigation was too thorough

Therefore they accepted the three-part submission that there could be no breach of Article 8(1) (“Everyone has the right to respect for his private and family life, his home and his correspondence”) because

First, the photography was in a public place of somebody in a public place…Next…this was at a time when the Claimant was “on the clock”; it was in his employer’s time…An employee can have no reasonable expectation that he can keep those matters private and secret from his employer at such a time…Thirdly…the Claimant here was a fraudster; he was busily engaged on his own business whilst receiving his employer’s money for his employer’s business…a person in such circumstances can have no reasonable expectation that their conduct is entitled to privacy

Because no breach of Article 8(1) had occurred, there was no need for the EAT to consider arguments for justification under Article 8(2). However, had they had to, they would have held that interference was justified in pursuance of two legitimate aims. Firstly the prevention of crime, and secondly

the protection of the rights and freedoms of others, the “others” here being the employers whose money was at stake and who had contractual rights in agreement with the Claimant that he would behave in a way in which as it happened he did not

The EAT was particularly critical of the ET’s reliance on an apparent breach by the Council of the ICO Employment Practices Code. The ET had found that the Council’s apparent ignorance of the Code, in conducting the covert filming as it did, constituted a breach of the DPA which rendered the dismissal unfair. The EAT attacked the logic of this approach

[the ET says] that that ignorance would be such that the result would be that its investigation could no longer be considered reasonable; it does not say why.  It is not obvious to see why ignorance of a code which the employer was not bound in law to have regard to in any event would render an investigation into the wrongdoing of the Claimant unreasonable when it would otherwise have been reasonable

The EAT notably did not say that the Council’s actions were or were not permissible under DPA, or the Code, but rather that the ET

in criticising the employer for covertly filming the Claimant was not dealing with any matter relevant to the fairness of the dismissal

This case does not break any new ground, but the EAT did observe that no authority had been drawn to their attention which suggested that covert filming in a public place of claimants in personal injury cases had been held to be in breach of Article 8 (provided there were no alleged breach of the Regulation of Investigatory Powers Act 2000). And this case suggests that an Article 8 complaint about covert recording in a public place within an employment context is similarly unlikely to have much chance of success, despite what might be (in the EAT’s description of the ET’s feelings) “the Tribunal’s distaste for the employer’s use of covert surveillance”.


Filed under Data Protection, employment, human rights, Privacy, surveillance

Why won’t you read my secret guidance?!

The Office of Surveillance Commissioners (OSC) is in charge of reviewing the exercise of powers and duties under the Regulation of Investigatory Powers Act 2000 (RIPA) and the equivalent Scottish Act. It does not regulate RIPA (that is the role of the judiciary) but conducts inspections, provides reports and issues guidance. That guidance is, effectively, secret.

I can understand why details of specific instances of lawful surveillance must not be disclosed publicly. I have never fully understood why guidance from the person appointed to review the exercise and performance of powers and duties conferred or imposed by or under RIPA should not be disclosed publicly.

The Office of Surveillance Commissioners’ remit is

keeping under review (except in relation to the interception of communications and the intelligence services) the exercise and performance of powers and duties conferred or imposed by or under Part II (covert surveillance) and Part III (encryption) of RIPA and its Scottish equivalent RIP(S)A

(interestingly that website contains a typo – this remit is contained in section 62 of RIPA, not section 63).

This is an important role (which is in addition to the OSC’s remit under the Police Act 1997 to review authorisations by law enforcement agencies “for operations involving entry on, or interference with, property or wireless telegraphy, without the consent of the owner”). RIPA is much maligned, although, ironically enough, in key areas it merely provides a regulatory framework for intrusions into private lives which were formerly permissible at common law (i.e. the sort of surveillance RIPA regulates perhaps always used to happen, it’s just that it was not prima facie unlawful).

However, the Chief Surveillance Commissioner never seems happy with his lot. In his latest report he bewails the limits on his office’s funding

The Home Secretary is required…to provide me with the support necessary to fulfil my responsibilities. The support I receive continues to be, in some respects, inadequate. In particular, information technology for many years has failed to meet the demands of remote, secure and mobile working which is an integral part of the inspection process. Promises of improvement are not fulfilled and there appears little urgency to resolve recurring problems. Similarly, I have to rely on archaic facsimile machines which repeatedly malfunction. (¶3.13)

If true, this is pretty shoddy. I would suggest that if anyone needs to be sure about their information security it’s the Chief Surveillance Commissioner (and why is he still reliant on “facsimile machines”?).

He is also unhappy with some authorities he has inspected

My Inspectors are not lawyers and they address their reports to me. Their reports are subject to my endorsement which I will make clear in my covering letter to the chief officer of the authority inspected. It is therefore important that conversations with them during an inspection are not misquoted or shared with others without prior agreement…There have been a few occasions when correspondence from me to a single public authority has been promulgated by that authority to others as a general interpretation. Usually my guidance relates to specific facts and may not be applicable in circumstances which may appear to be, but which on analysis are not, similar.(¶3.3-3.4)

This reluctance to be open about things he and his inspectors say carries through – in spades – to the guidance he produces. In the most recent report he says

my Commissioners from time to time publish guidance in a single document for use by public authorities. I do not wish to apply a security marking to my guidance but, despite clear instructions, I am dismayed at thoughtless disclosure of a document which provides information which necessarily alludes to covert tactics. The Home Office has not yet provided me with a website capable of balancing the need for transparency to the public with controlled access to specific guidance by a limited audience.

and refers back to the previous year’s report which provided reasoning for not publishing it

my small office does not have the capacity to answer the inevitable influx of requests for clarification this would invite…law enforcement agencies in particular are concerned that tactics might unnecessarily be revealed…it is not a comprehensive document which covers every eventuality and it might be misconstrued or misused; and…it is not my remit to provide free legal advice, though I proffer guidance to public authorities which I have a responsibility to review, in order to raise standards and promote consistency (¶3.4)

although not before regretting it is not always readily available to those who need it

If I continue to find this document is not readily available to those who need it, or is not promoted by national associations, I may make it publicly available on my website

Which seems to me to be a case not of threatening to take your bat home with you, but going home and leaving your bat behind.

All this seems to reveal an attitude rather, shall we say, paternalistic and ante-Freedom of Information Act. Needless to say, someone tried, a couple of years ago, to use FOIA to get a copy (asking the OSC, which is not a public authority for the purposes of FOIA, nonetheless to use the Act’s spirit as a model for discretionary disclosure). Although the OSC refused, the requestor, on the admirable whatdotheyknow.com site*, later found that a local authority had helpfully uploaded a copy as part of a committee report. Perhaps this was one of the naughty authorities lambasted by the OSC. If so, he hasn’t done much about it, because the report is still there, happily providing guidance and – I hope – not actually causing him any trouble whatsoever.

 

*I’ve not linked to it, out of deference to the OSC – I can tug my forelock with the best of ’em – but a bit of googling will get you there in no time.


Filed under Freedom of Information, RIPA, surveillance, surveillance commissioner