In the ongoing debate as to the appropriate legal response to data processing activities, the topic of privacy has been afforded a place of honour with the issues involved frequently being discussed under the heading of "informational privacy". Concentration on the issue of privacy may be a cause for some regret, especially in the United Kingdom where the right to privacy receives, at best, limited legal recognition. This is well illustrated by the recent English case of Kaye v. Robertson ([1991] FSR 62). The plaintiff, a well known actor, had been hospitalised following a car accident. A journalist and photographer employed by the Sunday Sport newspaper secured through trickery access to the plaintiff's hospital room. Photographs were taken of the plaintiff which it was planned to publish in the Sunday Sport accompanying what purported to be an exclusive interview with him. An action was raised on the plaintiff's behalf seeking to injunct publication of the story. Although the action ultimately met with partial success on other grounds, Bingham LJ expressed concern at the absence of any remedy based on infringement of privacy . "If ever a person has a right to be let alone by strangers with no public interest to pursue, it must surely be when he lies in hospital recovering from brain surgery, and in no more than partial command of his faculties. Yet it alone, however gross, does not entitle him to relief in English law"
There would appear no basis upon which a Scottish court could reach a different conclusion and as will be apparent from discussion of the terms of the Data Protection Act, there is the real danger that attempting to build a system of legal protection upon the uncertain foundations of privacy produces a fragile structure. Prior to considering the provisions of this statute, this chapter will aspects of the use of personal information in order to identify the threats to individual freedoms which the legislation is intended to counter.
Every action we take says something about ourselves. The time we go to bed and the time we get up in the morning says something about our life-style. The same can be said about the food and drink we purchase, the shops we frequent, the books and newspapers we buy or borrow from a library, the journeys we make, the diseases we catch, the television programmes we watch, the telephone calls we make. In previous eras, anyone wishing to discover this information would have to indulge in extensive physical surveillance. The prospect of being placed under this degree of scrutiny would be abhorrent to most people but the labour intensive nature of the activities would mean that the effort could be directed only against a small percentage of the population. The recent introduction of surveillance cameras in public areas and of speed detection equipment on the highways indicates how technology is expanding the scale of physical surveillance. A further development is the ability to identify electronically car number plates and, albeit less effectively, particular individuals.
Although few of us might expect to be specifically targeted for physical surveillance our own actions give out information to anyone who chooses to listen - a form of passive surveillance. It is impossible to live in society without interacting with other people and purchasing goods and services. A person purchasing a train ticket to travel from Glasgow to Edinburgh necessarily engages in a degree of interaction with staff at the ticket office. It would be a nonsense for travellers to argue that their privacy had been violated because the ticket clerk became aware of their travel plans. In the same manner, we have to accept that a shop assistant will see what we buy, a librarian will issue books to us. Entering into perhaps more controversial territory, we recognise that the telephone company will have to be told the number which we wish to call and, in an age of itemised billing, will require to retain details for billing purposes[1]. At present, the television example is more remote although the tendency with satellite broadcasting appears to be moving away from the situation where the viewer subscribes to a particular channel or channels to one where individual programmes are selected on a "pay as you view" basis. Such a system already operates in certain areas of the United States. In one extensively reported case, a cinema owner faced prosecution for showing an obscene film. It transpired that the film had also been broadcast by the local cable television service which operated a payment system as described above. As part of his defence, the cinema owner sought access to the viewing records of the broadcasting company with a view to citing viewers to testify that they had not been shocked or depraved as a result of viewing the film in question[2].
We are used to the notion that we lead our lives in a series of compartments. In most of the examples cited above the range of dissemination is extremely limited. If I purchase a train ticket paying for the transaction with cash; the clerk will have some recollection of the transaction. The life span of the recollection may be limited and it is unlikely that he or she will be able to put a name against my face. If I pay by means of a cheque then the potential range of dissemination increases and my name becomes identified with the transaction. If payment is made by credit or debit card using some form of EFTPOS (electronic fund transfer at the point of sale), the time and place at which the transaction took place will be recorded along with the identifying details and, perhaps, information as to the nature of the transaction itself.
This simple example illustrates how the involvement of technology serves to break down our invisible compartmental walls. Information, which would previously have been known in partial and restricted form by one person is now stored in permanent and identifiable format by a second actor in the form of the bank or credit card company involved. The point has been well made that "(t)he biggest threats to our privacy in a digital world come not from what we keep secret but from what we reveal willingly. We lose privacy in a digital world because it becomes cheap and easy to collate and transmit data, so that information you willingly gave a bank to get a mortgage suddenly ends up in the hands of a business rival or your ex-spouse's lawyer."[3]
During the 1960's and 1970's discussion of the dangers arising from computerised record keeping practices focused on the notion of a "Big Brother" style computer. A single vast filing system in which all information relating to every aspect of our lives would be held. In part, this reflected the view of technology at the time. It is a perhaps apocryphal tale that IBM estimated that 4 computers would suffice to satisfy the computing requirements of the United Kingdom, but it is certainly the case that when the major investigations of the Younger and Lindop Committees (on Privacy and Data Protection respectively. These reports are discussed in Chapter three) were being conducted in the 1970's computers were large and unwieldy objects. As was stated by Alan Westin, one of the early writers on the topic "you do not find computers on street corners or in free nature, you find them in big powerful organisations."[4]
The world, however, has moved on and at such a pace as to make liars of even the most prescient commentators. Computers are no longer monolithic machines which occupy the whole of a building. Today it is estimated that there are some 9,000,000 personal computers in use in the United Kingdom and if we tae account of the further millions of electronic personal organisers it is clear that computers are now to be found on street corners, not least controlling the operation of traffic lights. A modern machine sitting on the corner of a small desk contains more computing power than one of the early monsters. A development of still greater significance has been the marriage between the computer and the telecommunications system. The consequence has been that computers control the telecommunications system which in turn provides a conduit through which computers can communicate with each other. More and more, the issue is not what information is held by a particular user, a more important factor concerns the information which that user can access. In a sense the analogy may be between the books which are available on my desk as opposed to the books which are available on the shelves of a library of which I am a member. A critical difference is that the information will come to me rather than my having to visit the library and there is no danger that the book or information which I need will be on loan to another user. Possession, which is normally necessary for the use of a physical object is a matter of little significance in an informational context.
In attempting to identify the implications arising from the application of information technology, a number of factors may be identified. First, more information is recorded about a particular transaction. That information may be readily accessible to a greater number of people. A further factor relates to the processing which may be conducted on the information and the actions which may be based upon the results obtained. At a simple level, most supermarkets use laser scanners at the checkouts. These identify the individual items which have been purchased. It is possible for a producer to make an agreement with the seller that whenever a competitor's products are recorded as having been purchased, a "money off" voucher will be issued to the customer enticing them to transfer their business on the occasion of their next visit.
At this level of activity, data processing holds few implications for individuals per se. Analysis of purchasing patterns may result in some diminution of choice as slow moving items are discarded from stock. The issuing of vouchers tailored to the particular customer's purchases may have implications for competition between the producer's involved. The next stage to be considered occurs where the individual is linked with particular transactions. In many situations, this linkage may not be made by a seller. In the event that the customer pays for the goods or services with a credit or debit card, the identifying data will be held by the supplier of the card although they will normally receive only limited information concerning the particular transaction. The shop will obtain details of the customer's name but not an address. Matters take on a different perspective when payment is made by means of an 'in-house' credit card and the creditor and the supplier become one and the same person.
If the attempt is made to classify items of information concerning us, it might be possible to identify a model similar in concept to an onion. At the core of the model is the category of information which we regard as absolutely private. It might be regarded as the information that we would wish to share with no-one. Moving outwards, there may be a category of information that we regard as extremely sensitive. We may be willing to share it with a restricted number of people (or people falling within a specific category such as clerical or medical) but would not wish any wider dissemination. Next, we might identify information which we disseminate in the absence of any obligation of confidence and where the transfer occurs in some public forum although without the expectation that it will be recorded or subjected to a further transfer. An example might concern the purchase of items in a shop. Moving outwards, there is what can be regarded as our public persona. This encompasses items which, by law, are regarded as a matter of public record. Examples might include certificates of birth and marriage and entries on the electoral roll. Also included, although perhaps falling into a sub-category of their own, are items such as the list of shareholders in a public company. Finally, there may be identified categories of information which are put into the public domain on a voluntary basis. Entries in a telephone directory furnish a basic example but the scope of this category might expand to encompass advertising or the submission of letters or articles for publication in a newspaper or magazine.
Clearly, there can be no universal or exhaustive categorisation of the items of information which will fall into each of these categories. Individuals and societies may differ in their view as to what information is to be regarded as confidential. In the United Kingdom, for example, information held by the Inland Revenue is considered highly confidential, to the extent that sanctions may be imposed upon any employee who divulges information about a taxpayer's affairs. In Sweden by contrast, the tax returns submitted by individuals are regarded as a matter of public record[5]. Again, the terms of the British Official Secrets Acts may be compared with the freedom of information statutes enacted in countries such as Sweden and the United States. Regardless of the location of particular items of information, what may be identified is a move from a reluctance to have any form of dissemination, concern at the range of dissemination moving into a recognition that the information is available and a concern at the use to which it might be put. At this stage, it may be that privacy concerns are of very limited significance. There is an increasing tendency to place cameras in public areas. An individual who chooses to walk down a public street cannot have any realistic claim to privacy in that pursuit. The fact that movements are monitored by camera in no way changes the nature of the activity. The concern, if any, is not with the fact that information is obtained but with the use to which it may be put. At strongest, the argument may be advanced that conduct which is invasive of privacy may serve as the precursor or basis of other actions which may adversely affect other interests of the data subject.
As we move along the scale, account must increasingly be taken of the potential conflict between the wishes of the data subject and those of the other parties who may be involved. A claim to privacy will normally require to be balanced against another parties claim to seek information. This conflict is apparent from the provisions of the European Convention on Human Rights. Article 8 provides that "Everyone has the right to respect for his private and family life, his home and his correspondence" whilst Article 10 states that "Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.". This concluding sentence identifies a limiting factor which permeates all aspects of the Convention. It serves to confer rights upon individuals in the context of their relationships with public authorities. Its remit does not extend to the private sector.
Information is a tool. It is today considered a truism to assert that "Information is power". In a very small number of cases, the mere fact that information is held may confer power upon the possessor. In most cases, as with other commodities, the power and the wealth arises from the use to which the commodity is put. Information is a more malleable commodity than coal, iron or any other physical product. Although swords may be beaten into ploughshares, the process is a difficult one and involves destruction of the original object. The uses to which information can be put are limited only by the imagination of its possessor and the same raw material may be used for an infinite number of purposes. In most cases, it may be assumed optimistically, the interests of the holder and the subject of personal data will coincide. What makes the attainment of any effective system of control difficult is the fact that the most mundane item of information may be used to the detriment of the subject, the most sensitive item to their benefit. Context is all important. Three incidents will be recounted below in which the use of recorded personal information played a critical role.
Prior to the second world war, the Dutch government maintained an elaborate system of population registers[6]. Most people would accept that Governments require to know a considerable amount of information about their citizens. As has been stated:
Society seeks more services from both public and private organisations. From the government it expects social security, unemployment compensation ... All these increased services require that decisions be made (often instantly) and efficiently; information must be available to allow these decisions to be made. And such services require that records be kept - many records.[7]
Included in the list of items of information held in the present case was a statement as to the religious affiliation of the citizens. The justification for holding such information might appear tenuous but, given the traditional involvement of religious organisations in the fields of health care and education, could be considered reasonable. The danger in the system manifested itself when the German army invaded Holland during the Second World War, captured the Registers and thereby a list of the name and address of every Jew in the country.
Few people would regard details of their date of birth as being of any practical sensitivity. In the United States during the 1960's a chain of ice cream parlours ran a promotional campaign targeted at its teenage customers. In return for details of the customer's date of birth, the company undertook to send a card and a voucher for a free ice cream on the 18th birthday. For thousands of teenagers, the offer was too good to miss. At the time in question, reaching one's eighteenth birthday signified more than just an entitlement to a free ice cream. The Vietnam war was in progress and those attaining eighteen years of agewere obliged to register for compulsory military service. Evasion was widespread and the military authorities took extensive measures to identify those involved. As part of this endeavour, they sought and obtained the ice cream parlour's records[8].
A final incident occurred in the United Kingdom during the passage of the measure that was to become the Abolition of Domestic Rates (Scotland) Act 1988. This statute, which introduced the system of community charges (poll tax) prompted considerable opposition and a number of petitions were presented to Parliament. Faced with criticism that the Government were taking inadequate account of these petitions, the response was made by the Minister of State that the list of names and addresses contained therein "could be a useful source of information for the Community Charge Registration Officer" (i.e. be used to track down those who had evaded the requirement to register as liable to pay the charge). Asked to confirm that "from now on the names and addresses on petitions will be used for the purpose of gathering the poll tax", the response was "That is broadly what I suggested."[9]
A number of observations may be made concerning the above incidents. First, it may be noted that the word computer is nowhere used. Indeed, the most lethal incident preceded the machine's invention. The danger of informational abuse did not await the computer. The Dutch example serves to illustrate a further point. No legal system can provide absolute security against external threats. Abstinence from record keeping is the only certain safeguard. Although this will seldom be a practical or desirable option, an assessment requires to be made of the level of risk and of any security measures which may be available. Any record keeping involves the subject giving a hostage to fortune.
The second example serves to raise the issue which is central to much of the debate in the area. Put simply, where does the right lie? Certainly, information supplied for one purpose was put to another use, but the obligation to register for military service was prescribed by law. The military authorities were attempting to enforce the law whilst the unregistered ice cream addicts were in breach of it. Such an analysis may be considered unduly simplistic. Only a proportion of those whose details were disclosed would have been in breach of the law. The argument is often heard: "If you have done nothing wrong then you have nothing to hide". The corollary may be that "If I have done nothing wrong, what right have others to interfere?" The issue is one which has been exacerbated by the computer. It is possible to store vast amounts of data in a physically tiny space. Parkinson's law tells us that work expands to fill the time available for its completion. It appears equally true that the need to store information expands in line with any increase in storage capacity. Information is sought and retained on the many against the eventuality that it may be used against the few.
The final example cited raises further complex issues. Again, there might be a conflict between the interests of law enforcement and the individual's claim "to be let alone". Again, there is a situation where information supplied for one purpose is used for another. In the United States example, if the question were posed "What would the respondents to the promotional campaign have done had they known that their involvement would be recorded and used against them?", the answer is obvious. A reluctance to respond to promotional campaigns might be regarded as a matter of little significance. The consequences of a similar response in the United Kingdom example might be considered more serious. It is apposite to make reference to a recent decision of the German Constitutional Court in which the tribunal was asked to rule on the constitutionality of a statute prescribing the information which was to be supplied by citizens in connection with a national census and the uses to which this information might be put. The possibilities of data transfer led to the statute being struck down as unconstitutional. Whilst the Court recognised the legitimate need of the state to gather information about its citizens, it held that:
The possibilities of inspection and of gaining influence have increased to a degree hitherto unknown and may influence the individual's behaviour by the psychological pressure exerted by public interest ... if someone cannot predict with sufficient certainty which information about himself in certain areas is known to his social milieu, and cannot estimate sufficiently the knowledge of parties to whom communication may possibly be made, he is crucially inhibited in his freedom to plan or to decide freely and without being subject to any pressure/influence. (5 Human Rights Law Journal (1984) 94)
The Court went on to cite a reluctance to participate in a "citizens initiative" as a specific illustration of the undesirable consequences which might flow from such informational uncertainty. It has indeed been suggested that developments in data processing make the concept of a universal census obsolete. The information required, it is argued, can be obtained through more selective techniques similar to those used in opinion polls. Such a step has been taken in Norway.
The previous sections have sought to identify some of the dangers facing individuals as a result of actions being based upon recorded information. The notion of recording personal information is not new. The Doomsday Book is one of the best known works whilst a census is integral to the Gospel stories . What is novel about the modern era is the degree to which decisions and actions are based upon reference to recorded information as opposed to any form of personal knowledge or individual assessment. In previous generations, an individual wishing to secure a bank loan would have to endure an interview with a bank manager who would base a decision in part upon his or her subjective assessment of the applicant's character perhaps coupled with some personal knowledge of the state of the latter's finances. Today, a similar information is likely to be made in writing with the decision being based upon recorded information held either by the potential creditor or by a credit reference agency. In other cases, the use of credit scoring techniques may remove almost all trace of individual judgment from the exercise. Based upon an assessment of many thousands of credit transactions, credit scoring techniques seek to ascertain and weight the factors which may influence the likelihood of a debtor making full repayment. Factors such as age, occupation, marital status, income, can all be taken into account together with the applicants status as a tenant, lodger or home-owner. Pointage values are allocated to the various items of information. The task for the potential creditor is to add up the various elements and consult a table which indicates the statistically probability of default associated with various values. It may be, for example, that a score of 20 points equates to a 5% risk of default. If the score rises to 25 points, the risk of default may drop to 3%. Essentially, the creditor may choose what degree of risk they are willing to accept. No account need be taken of the particular circumstances of the applicant.
If record keeping has been present for centuries, the development of the computer and the nature of the operations associated with it open the way to new forms of behaviour. More information can be held in a given space. To give a simple example. A compact disk - which is not a particularly efficient storage device - can hold 650 mega bytes of data. The text of this work occupies about half a megabyte. A single disk could hold 1,300 copies of this work. About 20 metres of shelving would be required to hold that amount of paper. Beyond the issue of storage capacity, the linkage between the computer and the telephone referred to earlier allows data to be entered and retrieved from many different places. A travel agent, for example, will be able to access the computerised reservation system of an airline or holiday company, discover the availability of seats or holidays and make a booking. The geographical location of the travel agent and the computer system is almost irrelevant.
The ease with which data may be transmitted and accessed introduces a significant international dimension to the topic. Assuming that the necessary communications facilities are built into the system, data held anywhere in the world can be accessed from anywhere else using the normal telephone system. One example can be seen in the computerised legal retrieval system Lexis. This contains a substantial amount of English and Scottish legal materials and is widely used by legal practitioners. The data base is physically located in Ohio in the United States. Every use of the system from the United Kingdom involves an international or transnational data flow. In this context the issues raised affect governments and concerns of national sovereignty to a greater extent than they do individual rights[10].
A further aspect of computer operations to be considered concerns the nature of the processing which may be undertaken. In the 1975 White Paper, Computers and Privacy (Cmnd 6353) it was asserted that computers "make it practicable for data to be combined in ways which might not otherwise be practicable". The key word in this phrase is "practicable" If a human were to be given a telephone number and a telephone directory and asked to find the name and address associated with the number it would be possible for them to discover the necessary linkage. Such a task would involve no intellectual effort but few people would regard it as a practical undertaking. Such processing involving a mixture of searching and comparison would be well suited for a computer and even a small machine could be programmed to obtain the information in a matter of seconds.
The conclusion at this stage may be that to an increasing extent decisions affecting significant aspects of our lives and fortunes are made on the basis of recorded information. The practices make new facilities and services available and by removing elements of subjectivity from the decision-making process may avoid the effects of bias and prejudice. The point has been made on a number of occasions that information is to be considered a commodity. As with all other commodities it may be used in ways which are harmful. Over the past 25 years, the concept of data protection has become recognised as a major component of the legal response to the dangers of informational misuse. The following chapter will examine the evolution of data protection paying specific and critical attention to the features of the United Kingdom's Data Protection Act 1984. As this statute enters its second decade, the chapter will conclude with an examination of the proposed European Directive on data protection, the enactment of which would require the making of significant changes to the existing regime.