Yet more evidence has come to light to show that the Regulation of Investigatory Powers Act 2000 (RIPA) is woefully out of date.
It has been revealed that GCHQ, has the ability to request large amounts of un-analysed communications from foreign intelligence agencies without first obtaining a warrant. The documents, obtained in the course of a case brought before the Investigatory Powers Tribunal (IPT), show that the use of a warrant was not necessary if it is “not technically feasible” for GCHQ to obtain one.
This is not the first revelation from the case, which was brought by a number of groups including Liberty and Privacy International. In June this year it was revealed that messages sent via platforms such as Facebook and Twitter are classed as “external communications” even if they have been sent between UK citizens. This means that there is no need to apply for a warrant before collecting the information.
As it stands the legislation being used to authorize surveillance was passed before the advent of social media, which revolutionized the way in which we communicate. When MPs were debating this bill they could not have been expected to anticipate the dramatic change in how we would communicate with each other after the launch of Facebook (2004) and Twitter (2006). As a result RIPA has not kept pace with technology and is now open to worrying interpretations.
In what is becoming an ever more regular occurrence for the NHS, it has been reported that the East Midlands Ambulance Service has lost a disk containing the notes of 42,000 patients’ who had been treated by paramedics in the last few months.
This incident once again underlines the dangers of organisations holding increasing amounts of personal information about individuals both electronically or in paper format. It seems obvious that the greater the amount of information that is held in one place, the more likely it is to go missing, either by accident or as the result of a deliberate breach. Indeed, just last week Kent Social Care Professionals unintentionally sent out an email containing the names, addresses and phone numbers of 120 elderly and vulnerable individuals to nearly 200 people.
Accidental leaks such as this make the need for proper data protection training amongst staff painfully apparent. If an organisation knows that it is going to hold large amounts of personal information, about staff or customers, it should ensure that its employees know their responsibilities under the Data Protection Act 1998 (DPA). Of course this cannot help to stop those who wish to purposely breach data protection law. This can only be achieved by improving the sanctions that are available to punish those who seek to misuse personal information.
The Edited Electoral Register (EER) has come under fire in the past few weeks, with a series of reports indicating that the Register is proving to be more trouble than it is worth. To add fuel to the fire, the Local Government Association (LGA) has called for the sale of the EER to be stopped and the register itself to be scrapped.
Councillor Peter Fleming, Chair of the LGA’s Improvement Board has hit the nail on the head with what is wrong with the EER, arguing that councils resent having to pass “the electoral roll onto direct marketing companies”, continuing that “it demeans our democracy for the voters’ details to be sold off to help direct marketing companies make money.”
Indeed, one of the main problems with the EER is that it is of benefit to no one but the very marketing companies that purchase the data. In fact it is especially troublesome for residents who find themselves being deluged with junk mail due to their councils being forced to sell it on.
Today’s publication of the Health and Social Care Information Centre’s (HSCIC) register of data releases is striking for what it does not include. It is only the tip of the iceberg.
Minister Dr Dan Poulter told Parliament on 25 March that records of the data released by HSCIC would be made public and would cover “all the data releases” made. He said: “Following concerns expressed by the Health Select Committee in its meeting of February 25, Sir Nick Partridge, a newly-appointed Non-Executive Director on the HSCIC Board, has agreed to conduct an audit of all the data releases made by the predecessor organisation, the NHS Information Centre, and report on this to the HSCIC Board by the end of April. Furthermore, a report detailing all data released by the HSCIC from April 2013, (including the legal basis under which data was released and the purpose to which the data are being put), will be published by HSCIC on April 2. This report will be updated quarterly.”
This does not appear to be the case. HSCIC have either deliberately sought to limit the scale of the disclosure by concentrating on one data set – Hospital Episode Statistics – or they have such a poor grasp on what information has been released that they do not want to admit their ignorance. Either way, it is not a full publication and HSCIC must immediately explain why. Read more
Last year, the Guardian published an order under Section 215 of the PATRIOT Act made to Verizon, which made clear that the NSA was collecting details of phone calls made by American citizens not on a targeted basis, but in bulk.
We have a simple question – is the same happening here?
Appearing before the Home Affairs Select Committee on Tuesday, our Director raised this issue and revealed that BT had refused to deny that it hands over data in bulk:
“Late last night I received a letter from British Telecom refusing to deny that they are handing over information in bulk on thousands or millions of British citizens and that mirrors a refusal to deny the same situation in a parliamentary answer received by Mr Davis.”
“My concerns is that there is the activity going on under the Telecommunications Act that is unsupervised and that is why BT cannot publicly refuse that they are handing over information in bulk.”
Clearly when data is held by a third party, a different set of risks exist – from concerns about foreign Government access to the use of the data by the third party for other purposes. Patients appreciate their information will be held by the NHS but do they think it will end up on a server in California run by companies who base their business model on knowing more about people? That is perhaps what is most troubling about the revelation that PA Consulting uploaded the entire NHS England hospital patient database was uploaded it to Google.
The point was highlighted by Sarah Wollaston MP, a member of the Health Select Committee, who tweeted: “So HES [hospital episode statistics] data uploaded to ‘google’s immense army of servers’, who consented to that?”
We have warned for many months that the new NHS database is deeply flawed. Not only does it centralise data into what cyber-security experts call a ‘honeypot’ it also puts at risk patient privacy, both from abuse and also later re-identification.
We’ve highlighted how patients still don’t know what is going on, and remain convinced that a national leaflet drop is simply inadequate to ensure people know about a fundamental change to how their medical records are used.
However, it seems the NHS is equally confused about the risks. Compare and contrast:
February 2, 2013: Tim Kelsey, national director for patients and information at the NHS Commissioning Board, said that data sharing was vital for improving the NHS: “This does not put patient confidentiality at any risk. Data quality in the NHS needs to improve: it is no longer acceptable that at a given moment no one can be sure exactly how many patients are currently receiving chemotherapy, for example.”
And today: Mark Davies, the centre’s public assurance director, told the Guardian there was a “small risk” certain patients could be “re-identified” because insurers, pharmaceutical groups and other health sector companies had their own medical data that could be matched against the “pseudonymised” records. “You may be able to identify people if you had a lot of data. It depends on how people will use the data once they have it. But I think it is a small, theoretical risk,” he said.
So is there risk or not?
If you would like to opt-out, you can use the form here. Let us know if you have any problems or feedback from your GP.
We are barely into 2014, yet we are faced with yet another serious data protection breach concerning a public sector computer. On this occasion, a police officer has been charged with stealing thousands of accident victims’ details from her police force’s computer and selling them to law firms
This case alone highlights that serious need for our courts to issue much tougher penalties for unlawfully obtaining or disclosing personal information, otherwise these cases will continue to occur.
A court has heard that Sugra Hanif accessed Thames Valley Police’s command and control computer to note down the personal details of members of the public involved in road traffic accidents, including the unique reference number each incident was given.
As the new school term gets underway, now is the time for parents to check if their children are among the hundreds of thousands of pupils who are using biometric technology.
Today we have published our latest report looking at the use of biometric technology in secondary schools and academies which, based on data from the 2012-13 academic year, makes clear that fingerprints were taken from more than one million pupils.
You can read the report here.
Our research, gathered from Freedom of Information Requests to more than 3,000 schools, shows that at the start of the academic year 2012-13:
- An estimated 40% of schools in England are using biometric technology
- An estimated 31% of schools did not consult parents before enrolling children into a biometric system prior to the Protection of Freedoms Act 2012 becoming law
December 3, 2013
Posted in CCDP, Civil Liberties, Communications Data Bill, Databases, Freedom of Expression, Internet freedom, Mastering the Internet, Online privacy, PRISM, Privacy, Surveillance, Terrorism Legislation, United States
Today, the editor of the Guardian gives evidence to the Home Affairs select committee, as part of the committee’s work on counter terrorism.
Perhaps that might give the committee to question why Parliament learned of much of GCHQ’s activity from the newspaper, rather than from Ministers. Indeed, it seems on current evidence that will remain the case – as the Lords found on the 20th November, when they were told they could not even be informed which law authorised Project Tempora.
Lord Richard: My Lords, of course the Minister cannot go into details on these very sensitive matters. We all accept that. However, for the life of me, I do not see why she cannot answer a straightforward Question about which Minister authorised the project and why the existence of the project was not disclosed to the Joint Committee on the Draft Communications Data Bill. These are not sensitive issues. They are pure matters of fact, surely capable of being answered.
Baroness Warsi: It is interesting that the noble Lord interprets it in that way but I think he would also accept that it would be inappropriate for me to comment on intelligence matters, which includes any comments on the project.
We have been repeatedly assured that it would be unacceptable for a central database of communications to be built – both by those in Government and those seeking to be.