On Friday the Divisional Court struck down section 1 of the Data Retention and Investigatory Powers Act 2014 (DRIPA), the UK government’s latest attempt to square the circle of data retention and privacy. The effect is not immediate, as the court has suspended the order until March 2016. Although that might seem a long time away, allowing for the summer parliamentary recess and the time that is always needed to put legislation through Parliament, some rapid thinking is going to be required. It’s also worth remembering that this was the piece of legislation that the government introduced believing that it did indeed have the balance between privacy and security correctly weighted.
I recently took part in a private seminar, under the aegis of FutureAgenda, which, amongst other things, tackled this issue. There were representatives from the legal, the technical and the policy side of the privacy community, as well as some of those responsible for the consideration of these issues from government, security services and the police. Despite a certain amount of suspicion, initially held on both sides of the divide, it became clear that a fundamental understanding was accepted: there had to be a balance, with neither all-encompassing privacy nor untrammelled state security access really on the agenda – so far, so sensible. It was also accepted that government needed to rebuild trust, so that the necessary use of private data was seen as reasonable. (There was an interesting side debate as to whether the Snowden revelations were helpful in forcing the issue of the balance up the political agenda.) But whatever its genesis, the problem arises: what exactly is the balance required and, more fundamentally, how is it to be achieved?
My own view is that there are two keys to this, the first of which will be the transparency of the process. This would not mean that each individual decision will necessarily be available for scrutiny by the general public. But that does not, in and of itself, mean that it is not transparent. The Information Commissioner’s Office already has to rule on a security services exemption under FOIA. Not all such uses by public authorities have been accepted; conversely, neither have all applications for such material under FOIA been successful. Yet with rare exceptions, I think most people would accept that the ICO have undertaken that balancing act in a reasonable and professional manner. All sides know the status of the organisation making the decision, the process by which it is made, and indeed the appeals process that is available beyond it. This brings me to the second key element, a realistic public belief in the independence of the body given the task. Again I think the ICO can be held up as a good role model. Of course not everyone in government, nor all individual requestors, would necessarily agree with me, but perhaps that’s the point. When I first became a producer at what was then called BBC Westminster, one of the old hands suggested that if I was worried about impartiality I should just make sure that I count up the number of complaints that I received about my programs. As long as there were as many complaints from both sides I was probably tackling the important issues and getting the balance about right.
This does not necessarily mean that I believe the ICO should be the specific body required to undertake this task. With the new EU General Data Protection Regulation coming down the track and the recently announced government review of FOIA, I think it’s got more than enough on its plate. However, I think it does show that independent bodies can achieve the aims of balancing interests between government and the public in these spaces, in a manner which is transparent enough, and impartial enough, to start building that trust between the government and the governed.