

III. Privacy topics

Internet and consumer privacy


The Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PEC Regulations") came into force in December 2003.[1] The PEC Regulations implement Directive 2002/58/EC on Privacy and Electronic Communications into UK law. The PEC Regulations impose rules on the use of cookies and require opt-in for most email and SMS advertising. The ICO issued guidance in 2007 that messages sent over Bluetooth were not covered by the PEC Regulations.[2] Overall, the PEC Regulations are not regarded as an effective instrument against the unwanted distribution of spam. A recent survey of UK businesses found that 30 percent do not observe the requirements of the PEC Regulations.[3] There have also been very few enforcement cases against illegal spamming. In one of the few cases of its kind, in 2007, a spammer who was found to have contravened the requirements of the PEC Regulations was fined £270.[4] Several UK bodies have signed a Memorandum of Understanding with the US Federal Trade Commission and the equivalent Australian government bodies in order to facilitate cooperation in anti-spam efforts. Under a 2005 EU agreement, the Office of Fair Trading (OFT) obtained the power to investigate and seize equipment in spam investigations.[5]


The UK has not been successful in fostering a culture of security for personal data. Personal data from government computers are regularly disclosed inadvertently or for profit-making purposes. The ICO released two reports in 2006 revealing an extensive illegal trade in personal data among police and private detectives who obtain information through bribery or impersonation.[6] There have been a series of major losses of personal data in recent years, mostly by government bodies. In one of the most high-profile cases, HM Revenue and Customs (HMRC) lost 25 million records belonging to 7.25 million UK families receiving child benefit.[7] Other major cases include a contractor in Iowa, USA, losing 3 million UK driver records,[8] the Ministry of Defence losing a laptop with the personal data of 600,000 recruits,[9] and PA Consulting, a major contractor for the National ID system, losing 377,000 information records that included 84,000 UK prisoners in August 2008.[10] The National Health Service has been a particularly bad culprit, responsible for more than 300 breaches between November 2007 and June 2010.[11] There have also been numerous incidents in the financial services sector, resulting in large monetary sanctions from the Financial Services Authority. Overall, the ICO received reports of over 400 breaches over the 2009-2010 period. These incidents have led to increased calls for the adoption of a national breach notification law, under which organisations would be compelled to report the loss or misuse of personal data. To date, only a few European Member States, including Germany and Austria, have enacted breach notification legislation.

Online targeted advertising and search engine privacy

Nothing to report.

Online social networks and virtual communities

Nothing to report.

Online youth safety

Nothing to report.

Workplace privacy

Nothing to report.

Health and genetic privacy

Health privacy

The British Medical Association, amongst others, has already expressed concern that the Spine database system is being rolled out too quickly and there have been recent media reports to the effect that an NHS Trust in Wales is failing to ensure that proper restrictions are being placed on hospital staff accessing patient data.

The police have been criticised for building up a database of protesters. In the case of Wood v. Commissioner for Police of the Metropolis (2009),[12] the Court of Appeal found that the Metropolitan Police had acted unlawfully when it retained photographs which it had taken of an anti-arms trade campaigner.

In March 2009, the Joseph Rowntree Reform Trust published its report "The Database State" which considered 46 databases across the major government departments including the national DNA database, the national pupil database, the NHS detailed care record system, and the automatic number-plate recognition system.

In summary, the report concluded that: a quarter of the 46 databases reviewed were "almost certainly illegal under human rights or data protection law; that they should be scrapped or substantially redesigned" (including, for example, the ContactPoint index of all children in England and the national DNA database); "more than half have significant problems with privacy or effectiveness and could fall foul of a legal challenge" (including, for example, the NHS Summary Care Record and the National Pupil Database); fewer than 15 percent were "effective, proportionate, and necessary with a proper legal basis for any privacy intrusions"; Britain was generally out of line with other developed countries as a result of its comparably greater tendency to centralise and share records on sensitive matters like healthcare and social services; and "the benefits claimed for data sharing are often illusory".

Genetic privacy

Under a voluntary moratorium agreed by the former Labour government and the insurance industry in 2001 and renewed in March 2005 and June 2008, insurance companies will not demand or use the results of genetic tests for policies under £500,000 unless approved first by the Genetics and Insurance Committee. The moratorium lasts until 2014. Tests done for research studies do not have to be disclosed.[13] The level of protection for employees is less clear.[14] Certain groups had demanded legal protections against genetic discrimination in the Equality Bill, but these were not included in the final draft of the legislation.[15]