Original Articles

Stolen Identity: Regulating the Illegal Trade in Personal Data in the ‘Data-Based Society’

Pages 177-190 | Published online: 20 Sep 2007
 

Abstract

In May 2006, the UK Information Commissioner's Office (ICO) presented a report to Parliament entitled What Price Privacy? The report highlighted the extent of the illegal trade in personal data. Arguing that the risk of security breaches had increased largely as a result of the rise of the ‘data-based society’, the ICO called for a change in the legislation to permit jail sentences of up to 2 years. In February 2007, the UK government stated its intention to adopt that recommendation. This paper examines the current UK policy approach to regulating the illegal flow of personal information, and the lead taken by the UK Information Commissioner. Reference is made to the ‘privacy toolbox’, where data protection legislation is combined with measures such as codes of practice and privacy impact assessments (PIAs). Comparisons are made with the work of overseas regulators. In addition, the current regulatory framework regarding section 55 offences is examined, with the author attending an ICO prosecution hearing in December 2006. The paper concludes by arguing that a greater emphasis needs to be placed on the assessment of privacy risks posed, in particular, by the expansion and proposed merger of government databases. Adoption of PIAs could help achieve this.

Acknowledgements

The author wishes to acknowledge the invaluable contribution made by Philip Taylor, prosecuting solicitor for the ICO, particularly in arranging attendance of the hearing at Kingston Magistrates' Court in December 2006 and commenting on an earlier draft of this paper. Clearly, he is not responsible for any ensuing errors or misinterpretations. The author also wishes to express his gratitude to Dr Russell for his interest in this paper and to the anonymous referees.

Notes

1 ICO What Price Privacy? The Stationery Office, London, 10 May 2006.

2 Ibid.

3 DCA ‘Increasing penalties for deliberate and wilful misuse of personal data. Response to consultation’ DCA, London, 7 February 2007.

4 C J Bennett and C D Raab The Governance of Privacy: Policy Instruments in Global Perspective 2nd edn, The MIT Press, Cambridge, MA, 2006.

5 ICO, op cit, note 1, p 7.

6 Home Office ‘Strategic action plan for the national identity card scheme: safeguarding your identity’ Central Office of Information (COI), London, December 2006. According to this document, the NIR is to initially comprise information from three existing databases: the Department of Work and Pensions' Customer Information System, existing biometric systems for asylum seekers and biometric visas and existing Identity and Passport Service systems.

7 Number 10. Policy Review. Impact of data-sharing and privacy laws on customer service, 15 January 2007, http://www.number10.gov.uk/output/Page10759.asp; and N Morris ‘Big Brother: what it really means in Britain today’ The Independent 15 January 2007.

8 ICO What Price Privacy Now? The Stationery Office, London, 13 December 2006.

9 ICO v Clifford, Kingston Magistrates Court, 12 December 2006.

10 This interdependence could lead to a ‘race to the top’, where countries fashion their data protection policies according to the highest possible standard, or a ‘race to the bottom’ where countries might consider that a less regulated climate would attract global businesses wishing to bypass higher standards elsewhere. See Bennett and Raab, op cit, note 4, p xv.

11 Bennett and Raab, op cit, note 4, p xxv.

12 J-P Bergfeld ‘The impact of the EC Data Protection Directive on Dutch Data Protection Law’ Journal of Information, Law and Technology Vol 1, No 1, 1996 at http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1996_1/bergfeld/.

13 Royal Philips Electronics ‘How Philips uses a privacy impact assessment as a building block for the privacy compliance of its global IT systems’ Paper presented at ‘Privacy Laws and Business Annual Conference’, St John's College, Cambridge, UK, 5th July, 2005, available at http://www.privacylaws.com/templates/page.aspx?id=834.

14 See C D Raab ‘The future of privacy protection’ Cyber Trust and Crime Prevention Project, Office of Science and Technology, London, June 2004; Office of the Information and Privacy Commissioner, Ontario, Canada and Netherlands Registratiekamer Intelligent Software Agents: Turning a Privacy Threat into a Privacy Protector Information and Privacy Commissioner and Registratiekamer, Toronto, 1995; Office of the Information and Privacy Commissioner, Ontario, Canada and Netherlands Registratiekamer Privacy-Enhancing Technologies: The Path to Anonymity Information and Privacy Commissioner and Registratiekamer, Toronto, 1995.

15 Data Protection Act, section 51(3), 1998.

16 See House of Commons ‘Home Affairs Committee on Identity Cards’ 3 February 2004; ICO ‘The Identity Cards Bill—The Information Commissioner's concerns’ June 2005, at http://www.ico.gov.uk/eventual.aspx?id=2655; D Murakami Wood (ed), A Report on the Surveillance Society. For the Information Commissioner by the Surveillance Studies Network. September 2006.

17 Cabinet Office Modernising Government Cm 4310, The Stationery Office, London, 1999.

18 Cabinet Office: Performance and Innovation Unit ‘Privacy and data-sharing: the way forward for public services’, April 2002.

19 Cabinet Office Transformational Government: Enabled by Technology Cm 6683, Cabinet Office, London, 2005.

20 Ibid, pp 18–19.

21 NHS. National Programme for IT ‘Connecting for Health. A guide to the national programme for information technology’, 2005, available at http://www.connectingforhealth.nhs.uk/resources/brochures/npfit_brochure.

22 For a brief discussion of some of the problems that have, and continue to, beset ‘Connecting for Health’, see D Leigh and R Evans ‘Most patients reject NHS database in poll’ The Guardian, 30 November 2006 http://www.guardian.co.uk/uk_news/story/0,,1960170,00.html; T Collins ‘Supplier sets out risks facing NHS IT plan’ ComputerWeekly.com, 13 February 2007 http://www.computerweekly.com/Articles/2007/02/13/221746/supplier-sets-out-risks-facing-nhs-it-plan.htm.

23 ‘Every Child Matters. Factsheet—Information sharing index’, 2006 http://www.everychildmatters.gov.uk/deliveringservices/index/

24 Foundation for Information Policy Research (FIPR) ‘Children's databases—safety and privacy. A report for the Information Commissioner’ FIPR, 2006.

25 J B Rule Private Lives and Public Surveillance Allen Lane, London, 1973, p 309.

26 The systems are: the Department of Work and Pensions' (DWP) Customer Information Service, which holds national insurance records; the Identity and Passport Service computer system; and, initially, the existing biometric system used for asylum seekers. See Home Office ‘Strategic Action Plan for the National Identity Scheme: Safeguarding your identity’ COI, London, 2006, pp 10–11.

27 BBC News ‘Giant ID computer plan scrapped’ BBC Online, 19 December 2006, at http://news.bbc.co.uk/1/hi/uk_politics/6192419.stm.

28 BBC News ‘Tesco “spychips” anger customers’ BBC Online, 26 January 2005 at http://news.bbc.co.uk/1/hi/business/4209545.stm.

29 PWC ‘Information security breaches survey: technical report’ Published for the DTI, April 2006, at http://www.pwc.com/uk/eng/ins-sol/publ/pwc_dti-fullsurveyresults06.pdf.

30 Ibid, p 4.

31 K Zetter ‘Hackers clone e-passports’ Wired.com, 3 August 2006, http://www.wired.com/news/technology/1,71521-2.html

32 The author is particularly grateful to Mr Taylor for his help in confirming the order of events in this section.

33 ICO, op cit, note 1, p 15.

34 The Metropolitan Police later launched Operation Glade into possible corruption by police officers or civilian police officers: ICO, op cit, note 1, p 15.

35 ICO, op cit, note 1, p 17.

36 The defendant was understood to have been suffering a terminal illness. Telephone conversation with Philip Taylor, 29 June 2006.

37 Between mid-November 2002 and January 2006, the ICO brought 25 section 55 prosecutions in Crown and Magistrates Courts in England and Wales. Convictions were obtained in all but three of the cases. See ICO, op cit, note 1, p 12.

38 ICO, op cit, note 1, p 27.

39 For example, see BBC News ‘Privacy traders “must be jailed”’ BBC Online, 12 May 2006, http://news.bbc.co.uk/1/hi/uk_politics/4762937.stm; B Dowell ‘Journalists “face conviction” over data breaches’ The Guardian, 12 May 2006, http://www.guardian.co.uk/uk_news/story/0,,1773798,00.html.

40 ICO, op cit, note 1, p 5.

41 A statutory body established under the Private Security Industry Act 2001 to introduce compulsory licensing for private investigation firms.

42 The industry body for private investigators: http://www.theabi.org.uk/.

43 ICO, op cit, note 1, pp 5–6.

44 Ibid, p 16.

45 Ibid, p 31.

46 Ibid, pp 33–34.

47 Telephone conversation with Philip Taylor, 29 June 2006.

48 The Guardian Leader ‘Bugs in the system’ The Guardian, 12 August 2006 at http://www.guardian.co.uk/commentisfree/story/0,,1842910,00.html.

49 C Tryhorn ‘Clive Goodman sentenced to four months’ The Guardian, 26 January 2007, http://www.guardian.co.uk/uk_news/story/0,,1999276,00.html.

50 Ibid.

51 DCA ‘Increasing penalties for deliberate and wilful misuse of personal data. Consultation’ 24 July–30 October 2006, at http://www.dca.gov.uk/consult/misuse_data/cp0906.htm.

52 Ibid, pp 5–6.

53 Ibid, p 10.

54 Ibid, p 13.

55 DCA, op cit, note 3.

56 ICO ‘Information Commissioner v Anthony Gerald Clifford. Draft Opening’ November 2006 [Unpublished].

57 Author's notes from court hearing, 12 December 2006.

58 Ibid.

59 J Rozenberg ‘Blagger's guide to cheating the system’ The Telegraph, 14 December 2006, at http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2006/12/14/nlaw14.xml.

60 D Leigh and R Evans ‘Illegal investigators, a detective agency, and a leading law firm’ The Guardian, 15 November 2006, at http://www.guardian.co.uk/crime/article/0,,1947915,00.html.

61 Ibid.

62 New Zealand. Email correspondence with Office of the Privacy Commissioner, 10 January 2007.

63 ICO, op cit, note 8.

64 ICO, op cit, note 8, p 21.

65 ICO, op cit, note 8, p 28.

66 ICO, op cit, note 1, pp 12–13.

67 ICO, op cit, note 1, p 13.

68 ICO, op cit, note 8, p 26.

69 See House of Commons, op cit, note 16; ICO, op cit, note 16.

70 R Clarke ‘A history of Privacy Impact Assessments’ February 2004, at http://www.anu.edu.au/people/Roger.Clarke/DV/PIAHist.html.

71 New Zealand: Privacy Commissioner Privacy Impact Assessment Handbook March 2002, at http://www.foi.gov.uk/sharing/toolkit/pia_h-book.pdf.

72 PIAs have also been mandated in Canada. See Canada: Treasury Board Secretariat, ‘Privacy Impact Assessment Policy’, 2002, at http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/siglist_e.asp.

73 United States, Department of Justice, Office of the Deputy Attorney General Privacy Impact Assessments: Official Guidance revised 7 August 2006, at http://149.101.1.32/pclo/pia_manual.pdf.

74 New Zealand, op cit, note 71.

75 New Zealand, op cit, note 71, p 14.

76 New Zealand, op cit, note 71, p 21.

77 Cabinet Office, op cit, note 18.

78 Murakami Wood, op cit, note 16, pp 76–77, 81, 89–95.

79 ICO ‘Minutes of Policy Committee’ 18 September 2006, at http://www.ico.gov.uk/Home/about_us/who_we_are/corporate_information/policy_committee.aspx.

80 C D Raab, P 6, A Birch and M Copping ‘Information sharing for children at risk: impacts on privacy’ e-Care Programme, Leith, Health Department, Scottish Executive. Publication: 23357, 2004.

81 In addition to the NIR, these systems include a number of police databases such as the Facial Images National Database, IDENT1 (fingerprints), Lantern (hand-held fingerprint ID) and ViSOR (violent and sex offenders).

82 Hong Kong Security Bureau ‘HKSAR Identity Project—Initial Privacy Impact Assessment Report’ 2001, at http://www.legco.gov.hk/yr00-01/english/panels/se/papers/b715e01.pdf.

83 S H Holden and L I Millett ‘Authentication, privacy and federal e-government’ The Information Society Vol 21, pp 367–377, 2006.

84 [All links accessed on 13 February 2007]
