The UK does not have a written constitution. In 1998, the Parliament approved the Human Rights Act to incorporate the European Convention on Human Rights into domestic law, a process that establishes an enforceable right of privacy.[2747] The Act came into force on October 2, 2000. Several cases, many related to celebrity privacy, have been decided or are pending in the courts.[2748]
The privacy picture in the UK is mixed.[2749] There is, at some levels, a strong public recognition and defense of privacy. Proposals to establish a national identity card, for example, have routinely failed to achieve broad political support. On the other hand, crime and public order laws passed in recent years have placed substantial limitations on numerous rights, including freedom of assembly, privacy, freedom of movement, the right of silence, and freedom of speech.[2750]
The Parliament approved the Data Protection Act in July 1998.[2751] The legislation, which came into force on March 1, 2000, replaced the 1984 Data Protection Act and implements the requirements of the European Union's Data Protection Directive.[2752] The Act covers records held by government agencies and private entities. It provides for limitations on the use of personal information, access to and correction of records and requires that entities that maintain records register with the Information Commissioner.
The Act is quite complex and is considered not very effective. There are many problems with enforcing rules on access to information, especially relating to computer technologies. Many schools are adopting fingerprint systems to identify schoolchildren for lunches and checking out library books. The staff of the Information Commission wrote to the manufacturer that the system did not "raise[s] any data protection concerns" and "aids compliance with the Data Protection Act 1998." Parents and privacy groups protested the decision.[2753] Personal information from government computers is regularly disclosed inadvertently or for profit.[2754] The Inland Revenue found there were 226 cases of employees illegally accessing the records and selling or maliciously using information.[2755] The Foundation for Information Policy Research (FIPR) estimated that over 200,000 illegal requests for information are made each year by private investigators under false pretenses. There are efforts to promote confidence in government holding personal information while allowing for departments to share more information.[2756] Meanwhile, the Lord Chancellor's Department recently held a consultation on restricting individuals' access to their own files under the Data Protection Act after several politicians and prominent people obtained their own records and found that government officials were secretly trying to undermine their efforts.[2757]
The Office of the Information Commissioner is an independent agency that maintains the register and enforces the Data Protection and Freedom of Information Acts.[2758] As of March 31, 2002, there were 198,519 databases registered with the Commission.[2759] The agency received 12,479 requests for assessment and inquiries in 2001-2002. There were 106 cases forwarded for prosecution resulting in 66 prosecutions and 33 convictions. The Office has also issued several comprehensive reports for the public.
The Office has published a Code of Practice for the use of Closed Circuit Television (CCTV),[2760] a study of the availability and use of personal information in public registers,[2761] and guidelines concerning employer/employee relationships, including a new code of workplace surveillance which was released in June 2003.[2762] The Commissioner is also responsible for enforcing the Telecommunications (Data Protection and Privacy) Regulations that are currently being updated (see below). A new Commissioner, Richard Thomas, was appointed in 2002.
The interception of communications is regulated by the Regulation of Investigatory Powers Act 2000[2763] which superceded the Interception of Communications Act of 1985.[2764] Part I authorizes the Home Secretary to issue warrants for the interception of communications and requires Communications Service Providers to provide a "reasonable interception capability" in their networks. Telephone taps for national security purposes are normally authorized by the Home, Northern Ireland or Foreign Secretaries of State and the Scottish First Minister. It further allows any public authority designated by the Home Secretary to access "communications data" without a warrant. This data includes the source, destination and type of any communication, such as mobile phone location information and partial web browsing logs (but the full URL is considered content subject to a warrant). Part III allows senior members of the civilian and military police, customs, and members of the judiciary to demand that users hand over the plaintext of encrypted material, or in certain circumstances decryption keys themselves. This has not been implemented yet. Part II sets rules on other types of "human intelligence" powers that had not been previously regulated under UK law. Many legal experts, including the Information Commissioner, believe that many of the provisions violate the European Convention on Human Rights.
Several draft codes and regulations have been issued by the Home Office.[2765] In June 2002, the Home Office announced that the list of government agencies allowed under the act to access communications data was being extended to over 1,000 different government departments including local authorities, health, environmental, trade departments and many other public authorities. This resulted in a substantial public outcry over the dramatic expansion of power, especially after the Surveillance Commissioner admitted in his annual report that "I clearly cannot carry out meaningful oversight of so many bodies without assistance" even before the proposed expansion.[2766] Home Secretary David Blunkett announced a few weeks later that he had "blundered" and withdrew the order.[2767] A public consultation on access to communications data was held in early 2003 and the Home Office is reviewing the responses.[2768]
In December 2001, the Parliament approved the Anti-terrorism, Crime and Security Act 2001.[2769] The law allows the Home Office Secretary of State to issue a code of practice for "the retention of communications data by communications providers" for the purpose of protecting national security or preventing or detecting crime that relates to national security. This code must be approved by the Parliament. It only applies to data that is already being held by the CSPs for business purposes. A leaked submission by the police and intelligence services to the Home Office in 2000 proposed a seven year data retention scheme.[2770] An opinion commissioned by the Office of the Information Commissioner found that the access to information retained under the act for non-national security purposes would violate human rights and would be unlawful.[2771] The Home Office also began a consultation in 2003 on voluntary retention of data by communications providers and is considering the responses.[2772] A review by the Parliament's All Party Internet Group estimated that over one million requests a year are made for communications data, mostly related to identification of individuals.[2773]
In 2001, there were 1,145 warrants for interceptions issued in England and Scotland under RIPA.[2774] The process is overseen by the Interception of Communications Commissioner, a former high court judge who has not appeared in public since his appointment. He reported in his 2001 report that "a significant number of errors and breaches have been reported to me during the course of the year - 43 in all" (up from 26 the previous year) but that "none of the breaches or errors were deliberate" and were technical or procedural in basis and that if an interception had been made, that the materials were immediately destroyed. The Investigatory Powers Tribunal hears complaints from individuals that they have been subject to illegal surveillance. It received 120 complaints from October 2000 until December 2001. It operates in secret and has never upheld a case of illegal wiretapping. In January 2003, it ruled that its procedures should be changed so some of its hearings may be made public.[2775]
There is a long history of illegal wiretapping of political opponents, labor unions and others in the UK.[2776] In 1985, the European Court of Human Rights ruled that police interception of individuals' communications was a violation of Article 8 of the European Convention on Human Rights.[2777] The decision resulted in the adoption of the Interception of Communications Act 1985. The ECHR ruled in 1997 that police eavesdropping of a policewoman violated Article 8[2778] which resulted in RIPA. In the late 1970s and 80s, MI5, Britain's security service, tapped the phones of many left-leaning activists including the future Secretary of State for Trade and Industry Peter Mandelson, and kept files on Jack Straw, now Foreign Secretary, and Harriet Harman, former Social Security Secretary, as well as Guardian journalist Victoria Britain.
In April 2003, transcripts of telephone conversations between Sinn Fein MP Martin McGuinness and members of the government were published in newspapers in the UK, revealing that his phone was being tapped by the security services in violation of the "Wilson Rule," which prohibits wiretapping of Members of Parliament.[2779] Two journalists and a former member of the Special Branch who conducted the taps were arrested for publishing the information.
The Police and Criminal Evidence Act 1984 allows police to enter and search homes without a warrant following an arrest for any offense. And while police may demand identification before arrest only in limited circumstances, they have the right to stop and search any person on the street on grounds of suspicion. Following arrest, a body sample will be taken for inclusion in the national DNA database.[2780] The Court of Appeals ruled in 2002 that DNA and fingerprints could be kept even if the person was not convicted. Under the pending Criminal Justice Bill, the police will be able to take DNA and fingerprints of any person who is detained, regardless of whether any charge has been brought.[2781] The police stopped and searched 740,700 people under the Act in England and Wales in 2001-02.[2782] The Crime and Disorder Act 1998 provides for information sharing and data matching among public bodies in order to reduce crime and disorder. The Data Protection Commissioner (now Information Commissioner) issued a report on the privacy implications of the Act.[2783]
Further oversight is provided by a Surveillance Commissioner who reviews other investigatory techniques under RIPA Part II and PACE. According to his last report, there were 2,565 authorizations including 371 for "intrusive" authorizations for break-ins into homes under the Police Act 1997 and 310 under Part II of RIPA between April 2000 and March 2001. There were 18 reported errors including wrong addresses and failures to obtain authorization or overly broad requests.[2784]
There has been a proliferation of CCTV cameras in hundreds of towns and cities in Britain. The camera networks can be operated by police, local authorities or private companies, and are partly funded by Home Office grants. Their original purpose was crime prevention and detection, though in recent years the cameras have become important tools for city center management and the control of "anti-social behavior." Between 250 million and 400 million pounds a year is spent expanding the web of 1,500,000 cameras covering public spaces in Britain,[2785] but despite the ubiquity of the technology, successive governments have been reluctant to pass specific laws to govern their use. Many of the systems have been enhanced with technology for facial recognition but the jurisdictions that have installed the systems have admitted that the technology has yet to result in an arrest. In London, a system for "congestion charging" uses a sophisticated number plate recognition system to charge motorists who drive into central London during business hours. It was later revealed that the system was organized in cooperation with the intelligence services who will use it with facial recognition systems to monitor the drivers of the cars.[2786] Traffic cameras have also spread across the country.
There has been growing criticism of the use of the cameras. The European Court of Human Rights ruled in January 2003 that a Council's release of CCTV footage of an attempted suicide for a campaign on CCTV that resulted in the person being identified publicly violated Article 8 of the ECHR.[2787] Research by the Scottish Centre for Criminology found that the cameras did not reduce crime, nor improved public perception of crime problems.[2788] A study in June 2002 found that in many areas with CCTV that crime increased and that street lighting is a more effective deterrent.[2789] As mentioned above, the Information Commissioner has also issued a code of practice for the use of these cameras. Motorists across the UK have engaged in vandalism of traffic cameras and they are widely criticized for being used for fundraising rather than traffic safety.[2790]
The Department of Trade and Industry is currently holding a consultation to implement the 2002 EU Directive on privacy and electronic communications (Directive 2002/58/EC).[2791] The regulations will place new rules on cookies and require opt-in for most e-mail and SMS spam. The regulations will replace the Telecommunications (Data Protection and Privacy) Regulations 1999. The DTI plans to have the regulations come into force on October 31, 2003. Under the old regulations, over 2.6 million people had registered for the opt-out Telephone Preference Service (TPS) run by the Direct Marketing Association for Oftel.
There are also several other laws that affect privacy, most notably those governing medical records[2792] and consumer credit information.[2793] Other laws with privacy components include, the Rehabilitation of Offenders Act 1974, the Police Act 1997, the Broadcasting Act 1996, Part VI and the Protection from Harassment Act 1997. The House of Commons Culture Media and Sport Committee recommended the adoption of a privacy law relating to the media in June 2003, but the Government immediately rejected the proposal.[2794] The National Health Service recently completed a consultation on privacy as part of an effort to computerize and network all patient records.[2795]
There is no national ID card in the UK. Home Secretary David Blunkett announced in July 2002 a six month consultation period on "entitlement cards," a new name for a national ID card proposal.[2796] The cards would be mandatory for all persons over 16 and would be required to obtain heath care, jobs and other services. The proposal has already been widely criticized by politicians and major media across the political spectrum. The Information Commissioner Elizabeth France said the plans for identity cards could violate data protection laws, unless an enormous amount of work were done to make sure that all the information used was accurate and up to date in existing databases.[2797] Blunkett first proposed the card shortly after September 11, 2001 but was forced to back away after it was severely criticized. It has subsequently been promoted as a means to prevent illegal immigration. The vast majority of responses to the consultation were against the proposal. The Home Office initially denied that they had received over 5,000 mostly negative e-mail responses via the Stand.org.uk site and the government told Parliament that plan to consider them as a petition or opinion poll even though they were individually sent by 5,000 different people.[2798]
The Freedom of Information Act was enacted in November 2000.[2799] The government announced in 2001 that implementation on the right to access provisions are being delayed until 2005, the longest delay for implementation of any FOI law in the world. The Act has received considerable criticism as being insufficient and weaker in some areas than the existing code of practice. In June 2002, the Scottish Parliament approved a Freedom of Information Act[2800] that is regarded as somewhat stronger than the UK Act. It will not go into effect until January 2005.
The UK is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108)[2801] and the European Convention for the Protection of Human Rights and Fundamental Freedoms.[2802] In November 2001, the UK signed the Council of Europe Convention on Cybercrime but has not yet made any changes to domestic law.[2803] The UK is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
The Isle of Man Data Protection Act 2002 came into force in April 2003. It is based on the EU Data Protection Directive. The Office of the Data Protection Supervisor enforces the Act.[2804] The Data Protection (Bailiwick of Guernsey) Law, 2001 was approved in March 2002.[2805] it went into effect in August 2002, replacing the 1986 law. The Isle of Guernsey Data Protection Commissioner enforces the Act.[2806] The EU Article 29 Working Group released an opinion in June 2003 finding that the law is adequate.[2807] The Data Protection (Jersey) Law came into force in 1987. The law is equivalent to the 1984 UK Data Protection Act. The Data Protection Registry who registers databases and conducts investigations oversees the Act.[2808] A new law has not yet been implemented.