At the 2002 Commonwealth Law Ministers and Senior Officials Meeting in Kingstown, St. Vincent and the Grenadines, Senior Officials agreed that the Model Bill on the Protection of Personal Information needed more reflection on the balance between privacy and the legitimate needs of governments in respect of law enforcement and security. Senior Officials therefore recommended that Law Ministers refer back the matter for further consideration and asked the Secretariat to prepare an amended draft in light of written comments from governments. On the basis of this request, the Commonwealth Secretariat sought expert views from the UK Information Commissioners Office. The following analysis was received from them and is based on UK legislation (the UK Data Protection Act 1998).
The UK's Data Protection Act 1998 is based on a set of enforceable standards for handling personal information, 'the data protection principles', and on a set of individuals' rights. The standards for handling personal information require that personal information be:
* obtained and handled fairly and lawfully;
* obtained for specified and lawful purposes;
* adequate, relevant and not excessive;
* accurate and up-to-date;
* not kept for longer than is necessary;
* processed in accordance with individuals' rights;
* kept secure;
* not transferred overseas unless there is adequacy of protection.
The Data Protection Act 1998 gives the individual a right to:
* gain access to information held about him or her;
* prevent records being used for direct marketing;
* appeal decisions made solely by automatic means;
* obtain compensation in certain circumstances;
* have records rectified, blocked or erased in certain circumstances.
The Act also contains certain 'conditions for processing'. These are essentially 'gateways' that restrict the purposes for which personal information can be processed. These have a particular effect on the processing of sensitive personal information, such as that concerning the offences that a person has committed. The way the legislation works in the UK is that all the information standards must be adhered to, and all the individuals' rights delivered, unless a particular exemption applies. However, the Act contains several exemptions that can be applied in the contexts of law enforcement and national security.
Personal information processed for the prevention of crime or for the apprehension or prosecution of offenders, such as information contained in intelligence records held by the police, is exempt from the requirement to obtain information fairly and lawfully. The normal standard under data protection law is for the individual to be informed when and why information about him or herPage 216 is being collected. Clearly it would not be possible for policing to be carried out effectively should law enforcement agencies always be required to tell individuals that information about them has been obtained, for example as part of an on-going policing operation. However, the exemption only applies to the extent to which the requirement to information fairly and lawfully would prejudice the purposes of crime prevention or the apprehension or prosecution of offenders. This means in practice that law enforcement agencies are, in some circumstances, free to collect information about individuals covertly but are, in general, bound by the legislation's transparency provisions.
As mentioned above, the UK legislation contains certain 'conditions for processing' which, in effect, places additional restrictions on the processing of personal information, particularly sensitive information. However, there is a condition that can be satisfied where the processing is necessary for the administration of justice, for the exercise of functions conferred under an enactment or for the exercise of crown or governmental functions. In general, the processing of personal information done by law enforcement agencies as part of their official duties will fall within the terms of this condition for processing. This aspect of compliance with the law is not, therefore, generally a problem for law enforcement agencies.
There is also an exemption from the right of subject access in circumstances where to grant access would prejudice the purposes of crime prevention or the apprehension or prosecution of offenders. In practice, this means that where an individual applies for access to records held by a law enforcement agency, the agency must make a careful assessment of the personal information it holds about the applicant and must decide whether or not to release some, all or none of the information. Typically an individual will be provided with his or her criminal record and with some locally held intelligence data. The individual will not, though, be provided with information about on-going cases where its provision would prejudice crime prevention or the apprehension or prosecution of offenders.
It should be noted that the UK Information Commissioner receives a considerable number of complaints and queries about access to, and the contents of, law enforcement agencies' records. They often detect problems, for example where access has been denied where there is no proper basis for doing so, or where one person's file has been confused with that of another. They frequently encounter problems to do with the timeliness and quality of intelligence data held by law enforcement agencies. In the UK certain offences become 'spent' for the purposes of the Rehabilitation of Offenders Act 1974, yet sometimes police forces fail to record properly that an offence has become spent; this can clearly have a very serious effect on the individual. They also encounter problems where details about an individual's offences have simply been recorded wrongly, or where an unsubstantiated allegation is recorded as if proven fact. Given these problems, it seems that a statutory right of access to law enforcement agencies' files, and the adherence to good information handling standards by law enforcement agencies, make these agencies more transparent and accountable than they would otherwise be. Ultimately law enforcement agencies' compliance with the rules of data protection is a key safeguard for the functioning of a democracy. There seems to be no evidence to suggest that the application of the Data Protection Act 1998 to law enforcement agencies prevents their effective functioning. As explained earlier, there are exemptions that allow a proper balance to be struck between the law enforcement agencies' need to collect and use information about individuals and individuals' rights in respect of information kept about them. There is no reason why these exemptions should not be replicated in law to be used in Commonwealth countries.
To summarise, the UK Data Protection Act 1998 contains exemptions from:
* the 1st data protection principle (fair/lawful processing, including obtaining);
* the right of subject access; and
* the Act's non-disclosure provisions.
These exemptions are qualified by a 'prejudice test'. This means, for example, that subject access should normally be granted, but can be withheld where to provide access would prejudice the prevention or detection of crime or the apprehension or prosecution of offenders. It seems that our model law broadly replicates the provisions found in the UK law -see for example s.11(c) of our model law, although the prejudice test is absent. Similarly s.13(1)(f)(i),(ii) of our model law will have an effect similar to that of s.29(3)(a) of the UK law, and it does contain a test of necessity, which though different to a test of prejudice, could have a similar effect. It is clear from the UK law that exemptions...