Friday, 5 December 2008

The DNA of the UK Constitution

The European Union really makes my blood boil. If they’re not telling us what shape our bananas should be, they’re ordering our grocers to sell potatoes by the metre. Now, in the latest piece of politically correct European legislation, convicted paedophiles will be allowed to keep a pale 8-year-old boy in their cells, after the European Court of Justice ruled that this was a fundamental “Yuman Rite”.* You couldn’t make it up. We’re literally going to hell in a handcart.

Or so you’d believe if you had access to no other media than the Daily Mail. But even readers of what Alan Partridge described as “arguably the best newspaper in the world” surely can’t complain about a recent judgement from the European Court of Human Rights (ECHR), which ruled that the UK’s blanket, indefinite retention of the DNA profiles and fingerprints of people who have never been convicted of a crime violates their right to privacy.

The case was brought by two men from Sheffield whose DNA was taken after they were arrested on two separate and unrelated charges; one case involving alleged harassment was dropped, while the other man was acquitted of attempted robbery. Yet in spite of their innocence, these two men’s DNA and prints are still on a national criminal database, along with 570,000 other profiles of innocent individuals (some sources, notably today’s Guardian, say 850,000).

In reaction to the ruling the Home Secretary, Jacqui Smith, said that while she was “disappointed” (shouldn’t that be “disappointing”? Ed.), the existing law would remain in place “while we carefully consider the judgement.”

Well Jacqui, consider this. Presumption of innocence is an inseparable part of this country’s DNA, stretching back at least to Magna Carta. The principle of ei incumbit probatio qui dicit, non qui negat (the burden of proof rests on the one who asserts, not on the one who denies, for those of you with a state education) is a foundation of our entire legal system which, in spite of frequent criticisms, remains one of the best in the world.

Ms Smith argues that DNA and fingerprinting are vital in the fight against crime, and claims that they provide the police with more than 3,500 matches a month. But Jacqui, we’re going to let you into a little secret. You know that statue of Justice on top of the Old Bailey? What’s that she’s holding in her left hand? That’s right – scales! And do you know what that represents, Jacqui? Yes, it’s balance! And that’s what justice is all about – balance.

Taking the Home Secretary’s comments at face value, we should take the prints and DNA of every British child at birth; then we’d have a nice big database of everyone’s details. But that wouldn’t play very well with the public, would it, so how about taking young people’s DNA the moment they turn 16 – what could be objectionable about that?

Merely the fact that it criminalises the innocent and robs us of a fundamental principle of our centuries-old legal system.

The Strasbourg court is, strictly, an organ of the Council of Europe rather than of the EU, but Europe’s institutions can often be ponderous, calciferous and obtuse, and we should applaud them when they make the right decisions. Well done.

* Probably.
Well, actually you could.

Thursday, 20 November 2008

Gut feeling

In spite of our previous post about the NHS, this blog is concerned primarily with data in general, and the impact of technology on personal information in particular.

So, at the risk of appearing to stray off topic, we’ll start today with Gordon Brown’s plan to liberalise the UK’s rules on organ donation. The prime minister wants everyone in the UK to be automatically included in the organ donor register under a system of “presumed consent”. Anyone who objects to having their kidneys re-used after their death would have to opt out of the system.

The thorny issue of organ donation provokes visceral (sorry) reactions in most, if not all, of the population: some see it as inherently selfish not to let others use your lights after you’re dead; others see it as yet another example of the creeping nanny state robbing citizens of jurisdiction over their own bodies.

There are, of course, powerful arguments both for and against presumed consent, and it’s beyond the remit of this blog either to defend or denounce Gordon’s plan.

But the principle of consent, and specifically the opt-in / opt-out debate, sits at the very heart of the continuing debate about the protection of our personal data, especially on the web.

Should services that use our personal data be opt-in or opt-out? Most people would instantly and decisively declare that any Internet service which collects, processes, uses or stores our personal data should naturally be opt-in.

We strongly disagree.

Regular readers will know that this blog tries to champion people’s right to privacy, whether online or offline, so there might be some who are surprised that we feel so strongly against the opt-in model. After all, shouldn’t we have to give our express permission, based on thorough information, before allowing others access to our private lives?

Ah, but indeed; and therein lies the problem.

Every time we tick the checkbox accepting terms and conditions – be it for a website, a new online service, or to set up an email account – we are giving our consent to everything in the small print.

When was the last time you read through a website’s Ts&Cs? In fact, have you ever done so? Do you know what you consented to when you signed up to watch YouTube or set up a Google Mail account? No, but you checked the box without thinking, just because you were impatient to get on with it.

And that’s where the danger of opt-in lies. Irresponsible sites – unlike YouTube and Google Mail – can use the opt-in mechanism to obtain people’s explicit consent for any number of nefarious activities by slipping new services into their terms and conditions, knowing that the vast majority of people will blithely tick the box without reading them.

Much better, then, to obtain people’s informed consent before they sign up – let them know exactly what they’re consenting to by having an unavoidable notice, explaining any changes to the service, on the log-in page.

No reasonable person can argue against making it as easy as possible for people to see what they’re signing up to; yet most campaigners on this issue seem still to be in thrall to the sanctity of opt-in, which makes it so easy for sites to bury nasty surprises in the Ts&Cs.

This visibility, this informing of stakeholders, is what’s lacking from the prime minister’s plans for presumed consent. While presumed consent is fair to the educated, literate and informed, it ignores the much greater majority of people who are not au courant and thus are in no position to give informed consent to organ donation.

Monday, 10 November 2008

Two cheers for the NHS

Of all the categories of sensitive data, it is information about our health and our medical histories that is perhaps the most personal and private.

For example, you wouldn’t want a stranger – or worse, a colleague – knowing that you’re being prescribed Anusol Ultra for your chalfonts, would you? Nor would you want your boss to know about the methadone prescription, or your mother to know about your latest suicide attempt. Unless, of course, it was a cry for help.

But even if it contains nothing as dramatic as an overdose, we tend to guard our medical history very jealously.

So it may come as a shock to learn that not only has the NHS amassed a central database of around one billion confidential records of patient visits to hospital, it is routinely sending some of these records to an academic organisation outside the NHS. These records contain personally identifiable information, such as postcodes and NHS numbers, as well as medical information, including diagnoses and any treatment given.

Now, a certain breed of querulous privacy advocate will start whining the moment they hear the words “giant database” in conjunction with “confidential data”. Not so data grub: we understand that there are often the very best reasons for aggregating personal data, as long as stringent measures are in place to ensure absolute confidentiality.

In this case, the aim is to use this vast resource of information to improve the NHS’s service and treatment outcomes, which I think we can agree is a Good Thing.

The other good news is that both the NHS and the academic organisation that uses this data, the inanely-titled Dr Foster Unit, seem to have taken decent precautions to protect patients. All data is held on encrypted discs and is sent by secure courier, which is a pretty good start. Then, at the Dr Foster Unit, the data is kept in secure offices, on disc-less workstations which have no link to the Internet.

While this compares pretty favourably with the cavalier approach towards data security shown by other public sector bodies, among them the Ministry of Justice, the MoD and the Department for Work and Pensions, it’s certainly far from perfect.

Our main gripe is that personally identifiable information (PII) is contained within the data that’s being sent out of the NHS. While PII such as postcodes may be vital for making distinctions between different areas of a town or the country, surely the NHS should secure people’s informed consent if they are to use their data in this way?

So, two cheers for the NHS and the Dr Foster Unit for at least trying to apply best practice to the use of sensitive data. But, to return to the question we started with, why should anyone other than your own doctor be able to look at your confidential medical history, even if it’s just some academic at Imperial College?

Now, if they anonymised this PII irreversibly, ensuring that records cannot be traced to an individual, while at the same time remaining useful to the bean counters (all perfectly possible with today’s technology), well – that would be just what the doctor ordered.
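As an added illustration of what “anonymised irreversibly” could look like in practice (this is example code written for this page, not the blog’s own code and not a description of what the NHS or the Dr Foster Unit actually do), here is a small Python routine run over constructed hospital-episode style records. The NHS number is dropped rather than hashed, because a ten-digit number can be enumerated through any unkeyed hash and so a hash is pseudonymisation, not anonymisation; the full postcode is cut back to its district and the exact age to a ten-year band; and any combination of those quasi-identifiers shared by fewer than three records is suppressed, so no remaining row points back to one person. The NHS numbers, postcodes, diagnosis codes and treatments below are invented for the example; the threshold K=3 is an assumption chosen to keep the sample small.

```python
"""Irreversible anonymisation of hospital-episode style records.

Added example for this page, not code from the blog or from the NHS /
Dr Foster Unit. Every record below is constructed for illustration.
"""
from collections import Counter

K = 3  # each quasi-identifier combination must be shared by >= K records (assumed threshold)

# Constructed records: invented NHS numbers, Sheffield-style postcodes,
# ICD-10-style diagnosis codes. Nothing here describes a real patient.
RECORDS = [
    {"nhs_number": "943 476 5919", "postcode": "S10 2TN", "age": 34, "sex": "M", "diagnosis": "J18.9", "treatment": "antibiotics"},
    {"nhs_number": "943 476 5920", "postcode": "S10 3AB", "age": 38, "sex": "M", "diagnosis": "I10",   "treatment": "ACE inhibitor"},
    {"nhs_number": "943 476 5921", "postcode": "S10 1GH", "age": 31, "sex": "M", "diagnosis": "J18.9", "treatment": "antibiotics"},
    {"nhs_number": "943 476 5922", "postcode": "S11 8QW", "age": 52, "sex": "F", "diagnosis": "E11.9", "treatment": "metformin"},
    {"nhs_number": "943 476 5923", "postcode": "S11 9PL", "age": 57, "sex": "F", "diagnosis": "I10",   "treatment": "ACE inhibitor"},
    {"nhs_number": "943 476 5924", "postcode": "S11 7AE", "age": 55, "sex": "F", "diagnosis": "E11.9", "treatment": "metformin"},
    {"nhs_number": "943 476 5925", "postcode": "S10 5XY", "age": 72, "sex": "F", "diagnosis": "J18.9", "treatment": "antibiotics"},
    {"nhs_number": "943 476 5926", "postcode": "S11 8QW", "age": 52, "sex": "M", "diagnosis": "I10",   "treatment": "ACE inhibitor"},
]

# Attributes that do not identify anyone on their own but do in combination.
QUASI_IDENTIFIERS = ("district", "age_band", "sex")


def postcode_district(postcode: str) -> str:
    """Keep only the outward code ('S10 2TN' -> 'S10').

    A full UK postcode narrows a person to roughly a dozen addresses; the
    district still tells different areas of a town apart, which is the
    distinction the analysts actually need.
    """
    return postcode.strip().upper().split()[0]


def age_band(age: int) -> str:
    """Coarsen an exact age to a ten-year band (34 -> '30-39')."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def generalise(record: dict) -> dict:
    """Drop direct identifiers and coarsen the quasi-identifiers.

    The NHS number is removed outright, not hashed: a ten-digit value can
    be run through any unkeyed hash for every possible input quickly, so
    hashing it would leave the record trivially re-identifiable.
    """
    return {
        "district": postcode_district(record["postcode"]),
        "age_band": age_band(record["age"]),
        "sex": record["sex"],
        "diagnosis": record["diagnosis"],
        "treatment": record["treatment"],
    }


def quasi_key(row: dict) -> tuple:
    """The tuple of quasi-identifier values that makes rows distinguishable."""
    return tuple(row[q] for q in QUASI_IDENTIFIERS)


def anonymise(records: list, k: int = K) -> tuple:
    """Generalise every record, then suppress rows whose quasi-identifier
    combination is shared by fewer than k records, so each remaining row is
    indistinguishable from at least k-1 others (k-anonymity).

    Returns (kept_rows, number_suppressed).
    """
    rows = [generalise(r) for r in records]
    group_sizes = Counter(quasi_key(r) for r in rows)
    kept = [r for r in rows if group_sizes[quasi_key(r)] >= k]
    return kept, len(rows) - len(kept)


def is_k_anonymous(rows: list, k: int = K) -> bool:
    """True if every quasi-identifier combination occurs at least k times."""
    return all(n >= k for n in Counter(quasi_key(r) for r in rows).values())


def diagnoses_by_district(rows: list) -> Counter:
    """The sort of aggregate the bean counters want, computed only on
    anonymised rows."""
    return Counter((r["district"], r["diagnosis"]) for r in rows)


if __name__ == "__main__":
    kept, suppressed = anonymise(RECORDS)
    print(f"kept {len(kept)} rows, suppressed {suppressed}; "
          f"k-anonymous: {is_k_anonymous(kept)}")
    for (district, dx), n in sorted(diagnoses_by_district(kept).items()):
        print(f"{district} {dx}: {n}")
```

Two caveats a practitioner would want stated. Suppression removes exactly the rare cases, so any aggregate over the kept rows is biased towards common combinations, and the analysts should agree the generalisation levels and threshold before the data is cut. And k-anonymity only guarantees that a row cannot be singled out; if everyone in a group shares the same diagnosis, knowing someone is in the group still reveals it, so the sensitive columns need checking for that homogeneity as well.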

Thursday, 30 October 2008

Doubting Thomas?

We’re big fans of Richard Thomas here at data grub.

Mr Thomas, as any fule kno, is the UK’s Information Commissioner and head of the Information Commissioner’s Office. They’re the independent regulatory office dealing with all sorts of privacy legislation like the Data Protection Act, the Freedom of Information Act and many others too numerous and mind-numbing to mention.

Put succinctly, Mr Thomas and his team are there to prevent the creeping threat of a Big Brother state, and also to stop any attempt by private companies to read our emails, share our data or plant transponders in our brains that constantly remind us that Sud-U-Like Washes Even Whiter.

It’s a pretty thankless task, but one that he and his team have been doing pretty bloody well, at least in my opinion. They’re not afraid to stand up for citizens’ privacy when it’s genuinely threatened by big business or big government, while at the same time ever-ready to slap down spurious, misinformed petitions from bleating, single issue, self-important “privacy experts”. (I think you’ll know whom I’m referring to, Alex…)

So even though the latest utterance to pass the Commissioner’s lips could have come from the Department of The Bleeding Obvious, at least it’s being said by someone whose words carry weight.

In a speech yesterday Mr Thomas warned that the proliferation of ever larger centralised databases is increasing the risk of people’s personal data being lost or abused.

He also drew attention to bears’ predilection for sylvan defecation and raised questions about the Pope’s dedication to Islam.

But sometimes you do need to state the obvious, loudly and often. This is one such time.

Because on Tuesday, Jacqui Smith was forced to admit that the Government will soon begin technical work on its giant database of all email, text, phone and web traffic – even though the legislation has yet to be passed by Parliament.

Of course, the present Government is completely contemptuous of Parliament and will go ahead with its plans whatever Richard Thomas, or anyone else, says.

Which is a shame, because much of Mr Thomas’ speech was given over to a report on how reported data losses have soared in the past year. The number of data breaches - including lost laptops and memory sticks containing sensitive personal records - reported to him has risen to 277 since the loss of 25 million child benefit records was disclosed nearly a year ago.

The new figures show that the information commissioner has recently launched investigations into 30 of the most serious cases. The 277 breaches include 80 reported by the private sector, 75 within the NHS and other health bodies, 28 reported by central government, 26 by local authorities and 47 by the rest of the public sector.

Mr Thomas pointed out that as new technology is harnessed to collect vast amounts of personal information, the risks of it being abused increase: “It is time for the penny to drop,” he said. “The more databases that are set up and the more information exchanged from one place to another, the greater the risk of something going wrong.”

“The more you centralise data collection, the greater the risk of multiple records going missing or wrong decisions about real people being made.”

It is not difficult to grasp this concept, Jacqui. It is a simple, elegantly expressed and indisputable fact. But why listen to boring old Richard Thomas?

Sir Ken Macdonald, the Director of Public Prosecutions (DPP), speaking after Smith’s admission, weighed in to warn that the government was in danger of “breaking the back of freedom” with the relentless pressure of a security state.

But I think Richard Thomas’ point is the stronger – if we can’t trust the government with our private data now, how the hell are we supposed to trust it when it holds details of all electronic communications in the UK?

By the way, have a look at http://www.guardian.co.uk/technology/2008/oct/29/data-security-breach-civil-liberty for Thomas’ table on this year’s data breaches.

Ta ta for now, data chums!

Tuesday, 21 October 2008

A guest editor writes…

I’m delighted to announce that this week we have a guest editor, a Ms H.W. from somewhere in the South East. You’ll immediately notice the balance, reasoned argument and tolerance of other nationalities that has, until now, been so clearly absent from this blog. So, without further ado, I give you Ms H.W.:

A German court has given permission for website operators to store the Internet Protocol (IP) addresses of their visitors, claiming that this does not violate data protection legislation. Surely not, I hear you cry. Yet they say that, without additional information, IP addresses can’t be classified as personal data, because that information cannot easily be obtained and used to determine a person’s identity. Note that they said it cannot be easily obtained; it is therefore in fact still possible. The court in Munich did present a good case by ruling that ISPs could not give information to third parties about who had been using a certain IP address at a particular time without a court order.

The German court ruling is in fact consistent with the advice issued by the UK’s Information Commissioner last year. However, that advice did point out that IP addresses could constitute personally identifiable information (PII). This has led people, including the Article 29 Working Party (named after the 29th article of the European Directive on the protection of EU citizens’ personal data), to argue that if it could become personal data it should be treated that way regardless.

As a nation we put a certain amount of our trust in online actors including behavioural targeting firms, internet service providers and search engines, to use our data correctly and appropriately. The big question is: does using this data breach our privacy laws? The German court obviously thinks not.

I wonder if Pythias Brown, 48, from New Jersey agrees. He used to be a baggage screener at an airport, in charge of people’s property. He admitted to stealing regularly from his workplace and selling the stolen items on eBay using the handle “alirla”. Brown was found by investigators who tracked down the alirla account using the IP address of his home computer. This case provides a great argument against the claim that IP addresses cannot be counted and used as personal data. It would appear that privacy here has most certainly been invaded.

Monday, 6 October 2008

Camden RIPA-off

Camden Council has more than quadrupled its surveillance of local residents since the introduction of the Regulation of Investigatory Powers Act (RIPA).

While the Act allows for the interception of communications and the use of covert human intelligence sources to prevent crime, including terrorism, it appears that Camden Council is using this legislation to spy on low-level matters such as dog fouling and littering, and to check whether or not a child really lives in a school’s catchment area.

Admittedly, Camden is the haunt of some of the most loathsome Untermenschen that inhabit this fair city, from strutting, skinny-jeaned new media types to coin-eyed rip-off merchants selling “legal highs”.

But while I personally would be glad to sweep this whole swathe of faux-bohemia into the Regent’s Canal, I grudgingly have to admit that, owing to a loophole in the law, these people have the right to exist without being persecuted by the local council.

Of course, if the police and security services have reasonable grounds to suspect someone of planning a terrorist operation, that’d be a great time to start tapping the phones. But if you think that someone is mis-using a disabled parking badge, I would suggest that surveillance is both disproportionate and a fatuous waste of time and money.