What’s the connection between human rights and information security?

I attended a couple of events over the past week. On Saturday I went to Liberty’s 75th Birthday Conference and on Thursday the ISSA UK Chapter event on the Data Protection Act (DPA).

I had planned to write about Lord Bingham’s excellent speech at the Liberty conference but after an interesting discussion at the ISSA event I thought it would be useful to first describe the fundamental link between Data Protection and Human Rights.

The 1998 Data Protection Act can trace its ancestry directly to Article 8 of the European Convention on Human Rights (ECHR) through the EU Directive on Data Processing (95/46) and the Council of Europe’s Treaty 108.

The European Convention for the Protection of Human Rights and Fundamental Freedoms

http://conventions.coe.int/treaty/en/Treaties/Html/005.htm

The ECHR was agreed by the Council of Europe after the (horrors of the) second world war and aimed to set out the basic Human Rights which all citizens of Europe would enjoy. There are some 13 rights defined within the 18 articles, including the right not to be tortured, the right to a fair trial and the right to freedom of thought and religion.

Article 8 of the ECHR states:

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

The European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm

Agreed in 1981 and generally known as Treaty 108 (as ECPIAPPD isn’t a good acronym), this convention aimed to establish a pan-European framework to balance the Article 8 right to privacy with the fact that data is processed by computers and will be exchanged across national borders.

The preamble states:

The member States of the Council of Europe, signatory hereto,

  • Considering that the aim of the Council of Europe is to achieve greater unity between its members, based in particular on respect for the rule of law, as well as human rights and fundamental freedoms;
  • Considering that it is desirable to extend the safeguards for everyone’s rights and fundamental freedoms, and in particular the right to the respect for privacy, taking account of the increasing flow across frontiers of personal data undergoing automatic processing;
  • Reaffirming at the same time their commitment to freedom of information regardless of frontiers;
  • Recognising that it is necessary to reconcile the fundamental values of the respect for privacy and the free flow of information between peoples,

Have agreed as follows:

And then, if you go on to read the Convention, you’ll find many familiar definitions such as ‘Data Subject’ and sections which are clearly forerunners of the DPA’s eight principles:

Article 5 – Quality of data

Personal data undergoing automatic processing shall be:

  • obtained and processed fairly and lawfully;
  • stored for specified and legitimate purposes and not used in a way incompatible with those purposes;
  • adequate, relevant and not excessive in relation to the purposes for which they are stored;
  • accurate and, where necessary, kept up to date;
  • preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.

Article 7 – Data security

Appropriate security measures shall be taken for the protection of personal data stored in automated data files against accidental or unauthorised destruction or accidental loss as well as against unauthorised access, alteration or dissemination.

The first UK Data Protection Act came about in 1984 as a result of this convention.

(In fact both the 1984 DPA and Treaty 108 have a common influence in the work done in the 1970s by the UK Government’s Younger Committee on privacy)

Directive 95/46/EC

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML

To give it its full name, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data aimed to create a standard data protection environment across all countries in the EU. In broad terms the remit of the Council of Europe is political, and the EU’s remit is economic. The purpose of the EU directive was to harmonise and create a level playing field for data protection across the member states so that:

  • No organisation can gain a competitive advantage by processing data in a member state with poor (and therefore cheaper-to-implement) data protection legislation
  • Any European citizen will be confident that their personal data will be looked after to the same standard by any company based in any member state

And again, if you look at some of the clauses of the EC directive, they show their parentage from Treaty 108 and point to what their descendants will look like:

Article 6
1. Member States shall provide that personal data must be:

  1. processed fairly and lawfully;
  2. collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
  3. adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

The 1998 Data Protection Act

http://www.opsi.gov.uk/Acts/Acts1998/ukpga_19980029_en_1

All member states were required to enact legislation to implement the EC directive, and so the UK government passed the 1998 Data Protection Act with its now-familiar eight principles. You can see that the principles trace their ancestry back to Article 8 of the ECHR via the EC Directive and the Council of Europe Treaty 108.

  1. Personal data shall be processed fairly and lawfully
  2. Personal data shall be obtained only for one or more specified and lawful purposes
  3. Personal data shall be adequate, relevant and not excessive
  4. Personal data shall be accurate and, where necessary, kept up to date
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area ….

On a day-to-day basis I deal with all sorts of technical matters, talk about ‘risks’ and ‘controls’ and help organisations comply with the Data Protection Act. It’s good to remember that in a small way, alongside commercial imperatives, I’m also helping to protect one of the fundamental human rights: people’s privacy.

Liberty – formerly the National Council for Civil Liberties – is dedicated to protecting civil liberties and promoting human rights for everyone. Founded in 1934, it held its 75th birthday conference last weekend with an impressive set of speakers including Lord Bingham, Jack Straw, Nick Clegg, Dominic Grieve, Tony Benn, Ken Macdonald (ex-DPP), Sarah Ludford MEP and Privacy International’s Simon Davies.

Liberty’s 75th Birthday Conference

http://www.liberty-human-rights.org.uk/about/1-history/75th-anniversary-conference/index.shtml

The conference keynote given by Lord Bingham (who was the most senior Law Lord until retirement) addressed the position of the 1998 Human Rights Act (HRA). The HRA incorporates the ECHR into UK law, and after the next general election there’s the probability that whoever wins will try to amend or replace it. Often the debate on the HRA and the European Convention is ill-informed, with people confusing the ECHR, the UK Act, the EU and the Council of Europe and calling for a plague on all of it.

Lord Bingham’s speech was a lesson in clarity and a well argued defence of the HRA. He made these ten points:

  1. Just because the ECHR starts with the word ‘European’ doesn’t mean that it’s some foreign import. British politicians made a huge contribution in drafting it and the UK was the first country to ratify it.
  2. The UK is bound by the ECHR under international law. If a Government repealed the HRA, it would still be bound by the convention.
  3. All that the 1998 HRA did was allow people in the UK to assert their rights under the convention in UK law, without having to go to the European Court of Human Rights in Strasbourg.
  4. The HRA does not transfer interpretative power from politicians to judges. Before the HRA, European judges in the European Court had interpretative power, now after the HRA it is UK judges who have that interpretative power.
  5. The HRA is not undemocratic. Judges cannot overturn the will of Parliament; the ‘worst’ they can do is declare an Act of Parliament incompatible with the ECHR, but it is Parliament that has to work out what to do – only Parliament can repeal and amend Acts.
  6. The HRA is criticised as elevating the rights of the individual above the community. In some respects this is true – articles such as the right not to be enslaved are absolute. For the non-absolute rights (such as Article 8’s right to privacy) the rights of the individual always have to be balanced with the rights of the community.
  7. Another criticism is that the HRA and ECHR only mention rights and not responsibilities. True – but our responsibilities as citizens are enshrined in a detailed manner in countless other Acts. If there are duties and responsibilities that are not defined they need to be clearly defined in law, not in well-meaning statements.
  8. The ECHR is a minimum standard, not a ceiling. It doesn’t stop a UK government from creating better protection for human rights if it wants to.
  9. People criticise the HRA for ‘foolish decision making’. In Lord Bingham’s opinion the level of judicial decisions in cases on the HRA and ECHR is no more foolish than elsewhere.
  10. The fundamental rights and freedoms protected by the ECHR and the HRA are just that – basic rights which everyone should enjoy by virtue of their existence. Which should be discarded?

If you’ve ever wanted to understand where the Human Rights Act came from, or why it’s important, then I highly recommend reading Lord Bingham’s full speech (PDF).
