Bulk Personal Datasets

Sam
Jan 7, 2016

My speaking notes for Scrambling for Safety 10 [Check against delivery]

Caspar Bowden’s pinned tweet is from February of last year and is about data access: “US will unilaterally and secretly access UK data when expedient”. He’s right of course.

MedConfidential works to ensure you can know what happens to your medical records.

Given what we know now, Caspar could also have said that the UK will access any data when expedient, covertly or overtly. They call those bulk personal datasets — which is a very descriptive name. We’ve heard today that this bill is simply stating and thereby legalizing what the agencies already do. It is secretive, and it is invasive.

What are the bulk personal datasets?

They’re the databases that are everywhere in modern life. They’re recording the number plates that go past your window. They’re the record of what you’ve watched on Netflix, and the interaction data that says you were chilling at the time. They are the administrative trivia of where you were late to work, or the banking records of what you donated to church, and the implementation details of how you pay your taxes.

The raw dataset truth — personal data on all of us ends up, in bulk, in a database somewhere — probably from Oracle. This bill is the secret part of Whitehall’s desire to see everything.

NO2ID’s tagline was “stop the database state”. It wasn’t about the card, it was about the database behind it. It turns out, they were building it all anyway. We’ve heard today that this bill is simply stating and thereby legalizing what the agencies already do — they put the rules into effect immediately on publication.

The Intelligence and Security Committee has said that the information on individuals within Bulk Personal Datasets “…may include, but is not limited to, personal information such as an individual’s religion, racial or ethnic origin, political views, medical condition, ***, sexual orientation, or any legally privileged, journalistic or otherwise confidential information”.

That incomplete list is why you don’t have scrambling for safety bingo cards this year.

The Home Office fact sheet says “A bulk personal dataset (BPD) is a dataset containing information about a wide range of people…” which “…includes a large amount of personal information, the majority of which will relate to people who are not of security or intelligence interest.”

The Home Office Handling arrangements say “Bulk personal datasets may be acquired through overt and covert channels.” — so they might ask, but even if someone said no, they’ll just take it anyway.

The one thing that’s new is that the Handling arrangements now say that the Secretary of State must know what they have. When the ISC published in March, Theresa May didn’t want to know — the Foreign Secretary wanted to know what we did overseas, but Theresa just didn’t want to know what was done domestically.

She lost that fight, and now she has to know.

According to Lord Strasburger, the Home Office will not confirm to Parliament what the ISC said. So much for the new transparency of avowal. If there aren’t regular updates on the categories, the situations that prompted Snowden to act, and Privacy International to win in the IPT, will both recur.

The ISC has said that medical conditions are covered by bulk personal datasets. Whether the agencies have NHS data is an interesting question. A better question is should they have it? Is that something that a modern digital democracy should do?

If it’s unlimited open season on bulk personal datasets, the first target of every agency will probably be companies like IMS Health, which has linked, lifetime medical records of 500 million people kicking around on their servers — all the US, UK, Singapore, bits of Europe and a few other places.

One half of Government is currently asking the people in this room about strengthening the digital economy. Theresa May is looking on and rubbing her hands with glee because she can undermine it to steal data on people she agrees are not of security or intelligence interest.

The Home Secretary not only doesn’t care, she doesn’t want to care. The agencies who made the decision to grab lifetime, linked datasets are not the only people who should be included in the decision. That’s what the proposals are.

Will Parliament be given any say over any principles? Or will the data backbone of the UK’s digital future be compromised by the Home Secretary’s secretive, invasive and nasty requests?

Sam

Believes in better Data / Open / Privacy for all. Spent 10yr in academia. Non-partisan. Does Yoga. Words at http://is.gd/samblog #FILDI