1) - Email
Abstract
Policy as regards a European database to fight organised crime needs to distinguish between criminal records databases and intelligence databases. The issues involved are different. As will be argued later: prosecutors need a case tracking database; employers need a convictions database for vetting purposes; judges need a convictions database for sentencing purposes; but police officers need databases for convictions, for intelligence and to store material on a particular complex investigation or series of interlinked investigations. The issues involved in setting up and using each overlap but are not identical.
Databases should not be seen as a route around problems arising from differences between national jurisdictions. The legal problems need to be identified and overcome as a prerequisite to setting up a database. Cyberspace is imaginary, not extra-jurisdictional
Questionnaire
1) Does your country have a database for investigations? Is it central or regional? Do these databases include exclusively criminal investigations or do they also include administrative/other investigations? What is their legal basis (statutory or other)?
Please analyse and attach the introducing legal texts as amended (in English or the original language of publication).
Background
The UK has a number of different databases, the legal basis of which is in need of clarification. The Bichard Enquiry into the Soham murders has recently reported and made a number of recommendations which will affect the whole system of data recording within the criminal justice system.
The Police and Crown Prosecution Services are organised into 43 areas in England and
Wales. There are 8 areas in Scotland, where the prosecuting authority is called the Crown
Office and Procurator Fiscal Service, and there is a single area covering Northern Ireland.
Scotland has a separate legal system to England and Wales. Each of these police and prosecution areas has at least one local database as well as access to records on the Police
National Computer [PNC2].
Although policing in the UK is traditionally locally organised, there has been a National
Crime Squad [NCS] since 1998, there is also a National Criminal Intelligence Service
[NCIS] and there is shortly to be a Serious Organised Crime Agency [SOCA] at national level. [see Consultation document “One Step ahead” Cm6167 http://www.homeoffice.gov.uk/docs3/wp_organised_crime.pdf
]
1
There are a number of other police organisations within the United Kingdom, in addition,
Customs and Excise play an important role with regard to duty evasion, drug smuggling and trafficking and the Immigration Service has a role to play in dealing with trafficking in human beings. Some of these functions will be taken over by SOCA.
The whole system of national databases is undergoing a process of reform. A National
Identity Register is planned to support the introduction of ID cards, the Office of National
Statistics is working on a population register, it is proposed to make the electoral register a national database, and the Department of Education is looking at plans to produce a child identifier database. In addition there are plans for increased interactivity between databases in the criminal justice system, particularly with regard to individual criminal cases.
The Government has targets for the computerisation of recording systems in all branches of the public sector and this will include Social Services, who will be introducing an
Electronic Social Care Record.
See: http://www.dh.gov.uk/PolicyAndGuidance/InformationPolicy/InformationForSocialCare/
FrameworkDocument/FrameworkDocumentArticle/fs/en?CONTENT_ID=4073669&chk
=4CBoI2
Access to this without the consent of the client on child protection and mental health grounds is already envisaged. Given the historical relationship between police and social work, there may be conflict in this area in the future.
In addition all social care workers will be registered on a database. Social workers will be the first to be registered, followed by care workers. There will also be special procedures for workers with international qualifications. See: http://www.gscc.org.uk/
The use of databases has been reviewed by the Bichard Inquiry, following on the Soham murder case…”to assess the effectiveness of the relevant intelligence-based record keeping, the vetting practices in those forces since 1995 and information sharing with other agencies , and to report to the Home Secretary on matters of local and national relevance and make recommendations as appropriate.” The recommendations from this
Inquiry and the response to them of the Home Office are likely to produce new legislation and a different legal basis for all these matters. The Bichard Inquiry’s report is now in the public domain at: http://www.bichardinquiry.org.uk/report/ . The most important recommendation in the present context is for a national intelligence database for Police purposes.
Existing databases used by the Police
Databases for particular investigations
What do we mean by a database for investigations? For a complex stand-alone investigation, such as a murder or similar serious crime where a great deal of information
2
has to be collated and analysed quickly, the UK has HOLMES2 [Home Office Large
Major Enquiry System]. This allows a database to be created quickly from new data gathered in the course of the investigation of a serious crime or a major incident. “It identifies and plots lines of enquiry, keeps track of vital pieces of evidence and reduces paperwork. All 53 police forces are signed up to it as well as National Crime Squad,
National Crime Faculty, Ministry of Defence [MoD] police, British Transport Police
{BTP] and Royal Military police [RMP]. Several forces can work together adding information to a single Incident Room”. [PITO website] It can also be used for lowprofile crimes such as a series of burglaries where data management becomes complex.
There also exists SCAS [Serious Crime Analysis System], which is a specialised database related to murder, rape or abduction. This is to enable the rapid comparison of such crimes and the rapid identification of past cases exhibiting similar behaviour. This enables offender profiling and allows the investigating constabulary to have access to evidence previously gathered.
These two databases were the ones identified by representatives of the police during interviews as what could genuinely be called “investigative databases”.
The general system of data recording
There is a summary of the PITO statement to the Bichard Inquiry below that explains the
PNC system nationally and the local systems. There are a number of highlights not mentioned by PITO which are worth noting here:
“…the strength of PNC is that it is a national system and depends on all forces entering quality, accurate and timely data to common minimum standards” I use this quote from the July 2000 Thematic Report of Her Majesty’s Inspectorate of Constabulary “ On the
Record” to illustrate what will be the biggest problems of any European database.
There is also the C.A.T.C.H.E.M database at the National Criminal and Operations
Faculty. This is primarily a research facility.
There are also regional databases, such as the Drugs Misuse Databases.
There has been a national DNA database since 1995. This is managed on behalf of the police service by the Forensic Science Service. It consist of a suspect database and a crime scene database.
“The Police and Criminal Evidence Act 1984 (PACE), as amended by the Criminal
Justice and Public Order Act 1994, provides a power to take non-intimate DNA samples from all persons suspected of, reported for, charged with, convicted of, or cautioned for, a recordable offence. A "non-intimate DNA sample" essentially comprises a mouth swab or rooted hair (other than pubic hair). A "recordable offence" is any offence for which a person is liable, on conviction, to a term of imprisonment. The legal statutes mentioned above also provide that police may take DNA samples from suspects without their
3
consent, using force where necessary, providing a Superintendent of Police has given authority, in accordance with the provisions of PACE.”
ACPO memo to House of Lords Science and Technology Committee Inquiry on DNA
Databases http://www.parliament.the-stationeryoffice.co.uk/pa/ld199900/ldselect/ldsctech/115/115we05.htm
In the course of an investigation the police may also additionally have or seek access to a number of non-police databases:
In the public sector:
National Health Service
Inland Revenue
Passport Agency
Driver Vehicle Licensing Agency
In the private sector:
British Telecommunications PLC
The mobile phone companies such as Orange, Vodaphone etc.
Legislation
The major current pieces of relevant legislation are:
Rehabilitation of Offenders Act 1974 http://www.lawontheweb.co.uk/rehabact.htm
Amended 2002 http://www.legislation.hmso.gov.uk/si/si2002/20020441.htm
Review 2004 http://www.homeoffice.gov.uk/justice/sentencing/rehabilitation/act.html
Police and Criminal Evidence Act Revised Codes of Practice 1995
[original act 1984: http://www.swarb.co.uk/acts/1984PoliceandCriminalEvidenceAct.html
]
Code a: http://www.homeoffice.gov.uk/docs/pacecodea_textchanges.pdf
all codes: http://tash.gn.apc.org/pace_act.pdf
Police Act 1997 http://www.hmso.gov.uk/acts/acts1997/1997050.htm
Youth Justice and Criminal Evidence Act 1999 http://www.hmso.gov.uk/acts/acts1999/19990023.htm
[section 60 of the above removes section 69 of PACE
“evidence from computer records inadmissible unless conditions relating to proper use and operation of computer shown to be satisfied”
4
Data Protection Act 1998 http://www.hmso.gov.uk/acts/acts1998/19980029.htm
Human Rights Act 1998 http://www.hmso.gov.uk/acts/acts1998/19980042.htm
Computers Misuse Act 1990 http://www.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm
Freedom of Information Act 2000 http://www.hmso.gov.uk/acts/acts2000/20000036.htm
Regulation of Investigatory Powers Act 2000 http://www.hmso.gov.uk/acts/acts2000/20000023.htm
Criminal Justice and Police Act 2001 http://www.hmso.gov.uk/acts/acts2001/20010016.htm
para 134 inserts a new 120A into the 1997 act
Anti-Terrorism, Crime and Security Act. 2001 http://www.hmso.gov.uk/acts/acts2001/20010024.htm
Crime [International Cooperation] Act 2003 http://www.hmso.gov.uk/acts/acts2003/20030032.htm
Problem of legal basis
The Law Society’s submission to the Bichard Inquiry suggests that there is no coherent legal framework governing the use of personal data in the public sector. They argue that this has already been recognised by the government and that the recommendations of the
Cabinet Office Performance and Innovation Unit report “
Privacy and Data Sharing: the
Way Forward for Public Services
” provide an excellent starting point. This report identified a lack of awareness of how the legal framework operated and a problem with a lack of powers to share data between public bodies, even where consent has been given.
The report argued that it was possible to achieve the objective of making better use of personal data in the delivery of public services while also enhancing privacy. It did however argue that crime policy might be the area where privacy was least possible.
The Department of Constitutional affairs produced a guide to the law on data-sharing in
November 2003 http://www.dca.gov.uk/foi/sharing/toolkit/lawguide.pdf
The guidance discusses the powers of public bodies to collect use, and disclose personal information. It considers five areas of law are involved:
• the law that governs the actions of public bodies
(administrative law);
• the Human Rights Act 1998 and the European
Convention on Human Rights;
• the common law tort of breach of confidence;
• the Data Protection Act 1998; and
5
• European Union law.
The advice in the document, in summary, is that it is a matter of administrative law as to whether a public body has the power to carry out data sharing. It must then be considered whether, even though it may have the power, its exercise may be unlawful due to the operation of the Human Rights Act of 1998, the Data Protection Act or the common law tort of breach of confidence. These provisions should be interpreted with regard to the relevant principles of the ECHR and of European law.
But there are also Home Office circulars and notes of guidance which govern police use of databases. There are ACPO [Association of Chief Police Officers] Compliance
Standards governing the placing of data on PNC2 and there will be in the near future recommendations as to best practice from the Centre of Excellence at the National Crime
Faculty, Centrex, Bramshill.
A very clear statement, which is summarised in the following paragraphs, has been provided to the Bichard Inquiry by the Police Information Technology Organisation
[PITO]. This body was established as a non-departmental public body [NDPB] in 1996 under the tripartite governance of ACPO, the Association of Police Authorities [APA] and the Home Office. PITO is responsible for the provision of national Information
Technology and Communications systems to the police. “The policies and processes that govern the operational use of these ICT services are established by ACPO and monitored by the police and HMIC.”
In addition to national services provided by PITO, primarily the PNC, there are local intelligence systems devised and operated by individual constabularies. These vary greatly. PNC comprises several national police databases, including Stolen Vehicles,
Criminal Names index and wanted/Missing persons. It is a 24 hour a day, 7days a week service available to organisations approved by the ACPO IM [Information Management]
Police Security Sub-Committee [PSSC], which controls access by the police and partner agencies, including prosecution. It has existed since 1974 and has expanded over time.
The PITO report singles out as an example, the Phoenix application, which includes criminal record information and did not go on-line until May 1995.
The information on the PNC is “owned” by police forces, and each Chief Constable is a data controller under the terms of the Data Protection Act 1998 for the management of this information.
Individual forces, under HO Circular 29/95, are responsible for creating PNC records and for data input into PNC databases. Rules governing operation of all PNC services are prescribed by the PNC User Manual, which is “owned” by the Police PNC Policy and
Prioritisation Group [P4G]. This reports to the PNC Management Sub-Committee.
Weeding and deletion of records is administered by PITO and implemented directly by
PNC software in accordance with ACPO defined business rules, contained in the ACPO memo “General Rules for Criminal Record Weeding on Police Systems”. Sine 1995 rules have been incorporated in the ACPO Code of Practice for Data Protection.
6
PITO is introducing 3 further systems over the coming years:
NSPIS Custody system [National Strategy for Police Information Systems]
NSPIS Case preparation system
Violent Offender and Sex Offender Register [ViSOR]
The Custody and Case Preparation Systems are being procured by most police forces jointly and are referred to as a single system.
The Custody system is intended to assist with the administration of custody centres and ensure compliance with the requirements of the Police and Criminal Evidence Act
[PACE]. It enables automatic reporting and updating of local arrest and summons details directly onto PNC.
The Case Preparation system is designed to assist police to compile and present prosecution case files and associated evidence for presentation to other Criminal Justice
Agencies [eg Crown Prosecution Service, Magistrates Court Service and the Crown
Court Service. The outcome of any trial will automatically be reported to PNC.
Not all police forces will go along with this system. Some have already developed their own alternatives.
ViSOR will provide police and probation with a register of violent and/or registered sex offenders An interim application was in place by September 2002 and by January 2004,
38 of the 43 police forces in England and Wales were using it.
Local intelligence systems exist throughout the Cnstabularies and their CJ partners. PNC data is “hard data” based on verifiable fact. Local systems contain much more “soft data”, often based on speculation and hearsay. The National Intelligence Model is now being used to provide a framework for assessing the reliability of information sources.
Intelligence is increasingly shared between forces and with national organisations.
Regional intelligence sharing is becoming more formally organised. http://www.policereform.gov.uk/implementation/natintellmodel.html
Scottish System
The Scottish system was singled out for praise at the Bichard inquiry. They have centralised their IT systems and their intelligence database comes on-line during 2004.
For non-UK readers, it may be worth pointing out that “United Kingdom” refers to the uniting of the Kingdoms of Scotland and England in 1707. From 1603, when James VI of
Scotland became simultaneously James I of England, the same individual was King or
Queen of both countries but each had its own separate parliament and own legal tradition.
In 1707 the parliaments were merged, but Scottish legislation was a matter for a Grand
Committee of Scottish MPs within the UK Parliament. Scotland has recently regained its own Parliament, though with fewer powers that the one that sis at Westminster.
7
There are 8 police forces in Scotland. The Lord Advocate and Procurator Fiscal can give instructions to the Chief Constables on offences and prosecutions. Otherwise the Chief
Constable has sole responsibility for operations and effective and efficient use of resources. The role of the Procurator is a major distinction between Scotland on the one hand and England and Wales on the other. It also means that there is more in common between the Scottish system and Continental European systems that between “England and Wales” and other EU systems.
The major legal difference between Scotland and England and Wales is that corroboration of evidence is required for the proof of guilt. An accused cannot be convicted on the basis of a single unsupported piece of evidence. There are other differences, but this is the most important in the present instance. There is a Separate body of Scottish Law and a separate Scottish Parliament with law-making powers in a variety of areas.
The Scottish Police Information Strategy began with a feasibility study in 1993. http://www.spis.police.uk/index.html
After 1998 the process accelerated and a centralised system was put out to tender in 2000.
This included the Scottish Intelligence Database [SID]. This database will cover all
Scottish forces by Autumn 2004 and already covered three of the eight at the time of the
Bichard Inquiry. It is worth noting that the Cullen Inquiry into the shootings at Dunblane played a role in accelerating progress in a similar way to that about to be played in
England and Wales by the Bichard Inquiry.
Cullen Inquiry Report: http://www.archive.official-documents.co.uk/document/scottish/dunblane/dunblane.htm
ACPOS acted for 5 reasons:
Intelligence held on one of the 8 systems failed to comply with the legal requirements of the Human Rights and Data protection Acts
Data was a mixture of 4x4 and 5x5x5 format and therefore non-ECHR compliant
Existing systems neither met need to protect sources nor where they networked in-force, so intelligence picture fragmented
National system did not exist and intelligence exchanged via paper-based system
Development of National Intelligence Model demanded an integrated system to deliver generic products
The Scottish Criminal History System [equivalent of NCIS in England and Wales and linked to it, but the information within it is not identical, and there is a difference between a “caution” in Scotland and a “Caution” in England and Wales] already had “intelligence markers” on individual records, so that an inquirer may be informed that intelligence is held on the individual by another force. It also has “intelligence flags” so that the force holding information will know if a particular record has been accessed. It is also possible to place a “target flag” on an individual on whom a live operation is underway.
8
Full details are available in the ACPOS evidence to the Bichard Inquiry http://www.bichardinquiry.org.uk/10663/full_evidence/0089/00890002.pdf
The full statement is worth reading as it covers much of the thinking that wen into setting up an integrated system.
A quotation from this evidence is particularly pertinent:
“In an increasingly litigious society police responses have to be seen to be necessary and proportionate, particularly now that the UK has implemented ECHR in the form of the
Human Rights Act 1998.”
Legal Basis
The legal basis of ACPO and ACPOS manuals is unclear. Presumably Home Office
Notes of Guidance are based in legality on Delegated Legislation under Statutory
Instruments. The legal status of ACPO as a source of law appears to be anomalous, to say the least. ACPO members were at one time Justice of the Peace and therefore had some legal status but this has not been the case since the 1960s. Perhaps it should be so again, given the increasing quasi-judicial role played by senior police officers. Bichard reports that ACPO guidance aims to help Chief Officers achieve good practice but it is not binding on individual Forces or authorities other than by agreement. “Forces are free to introduce and implement their own policies, even where ACPO has agreed a national policy.” Forces are, however, invited to produce justification for departing from national policy.
Bichard Recommendations
Recommendations in the Bichard Report will affect many of the practices and processes of database management in the UK. The ones that are selected here are of general relevance. Others will be raised as appropriate in this report.
Bichard found there was no national information technology system in place for police intelligence in England and Wales. There is, however, one in place in Scotland. He thought the creation of one was a matter of urgency. There is debate between ACPO and the Home Secretary as to who is responsible for the absence of such a database. At present such intelligence systems as exist are held by the individual Forces and most are not directly readable or interrogatable by other Forces.
Bichard’s second recommendation is that the PLX [Police Local Cross-reference] system which flags that intelligence is held about an individual by a particular Police Force should be introduced in England and Wales by 2005. It is already in place in Scotland.
An intelligence system was planned for England and Wales in 1994, then dropped in
2000. PITO intends to “roll PLX out” over the next year as a stopgap. http://www.computerweekly.com/Article131698.htm
9
Bichard’s seventh recommendation is that the transfer of responsibility from the police to the Courts themselves for inputting Court results onto PNC should be reaffirmed and if possible accelerated. The present deadline of 2006 at least must be met and Bichard wished to see the transfer take place as early as possible. He placed responsibility for this on the Court Service and the Home Office.
Bichard also wants the quality and timeliness of PNC data input to be routinely inspected by HM Inspectorate of Constabulary.
Implicit in the Report is that the process called “weeding” should be recognised as two quite separate processes, one of which is retention, the other of which is deleting.
Bichard wants “clear guidelines in place as to what should be retained, what should be deleted and what should be available as part of a vetting procedure for employers particularly employers where work is to be done with children.”
2) Is there a database for prosecutions in your country? Is it central or regional? Do these databases include exclusively criminal prosecutions? What is their legal basis
(statutory or other)? Please analyse and attach the introducing legal texts as amended
(in English or the original language of publication).
There is at present no database for prosecutions in England and Wales. There are several projects under development including one to introduce a file-tracking system and various other initiatives to improve the use of and compatability of information technology systems.
The Case Preparation System mentioned above by PITO will be the one closest to what I assume is meant here by a database for prosecutions. There is no database owned by the
Crown Prosecution Service, yet, but there is a project entitled “Compass” under development, and one called “J-track”. As mentioned in the answer to question 1 above, the Crown Prosecution Service is one of the agencies allowed access to PNC2 and it is envisaged that this will be the case with the new databases and applications that are coming on-line in the next few years.
The submission of the Crown Prosecution Service to the Bichard Inquiry states that before 2003, there were at most electronic card index systems, accessible mainly locally.
A Casework Management System was introduced in 2003, principally designed to monitor the progress of individual cases. It is “neither an intelligence system nor a substitute Criminal Records Bureau”. Initial case files delivered by the police are mostly retained on paper. Many areas operate joint police-CPS units with a single file system.
Retention tends to be by the police as they have the right to retain for longer periods due to their different responsibilities.
10
Cases are divided into categories A,B,C,D,E and F. Category A consists of those that are in the long term public interest are kept for 30 years then transferred to the national archive at Kew. Of the other categories, D is treated differently. B,C, E and F are kept until the end of the sentence. Category D is managed at local level as this sort of case tends to be required at short notice.
All policies are at present under review partly because of the Soham case, partly because of the incipient introduction of electronic filing and partly because of the expectation of closer working with the police.
The CPS Records Management Manual is available both on the Bichard Inquiry website and on the CPS Website. http://www.bichardinquiry.org.uk/10663/full_evidence/0091/00910125.pdf
Scotland
The Crown Office and Procurator Fiscal Service is under more pressure than most prosecutors because of the 110 day rule. Once a charges is made, the case has to be brought to court within 110 days or dropped.
There is a working group composed of members of the Scottish executive Justice
Department and the main Criminal Justice partners working on improvement of the statistical and management information information available on the criminal justice system in Scotland. The current thinking is that a data warehouse approach will be the most effective.
The Future Office System is being introduced by the Crown Office and Procurator Fiscal to enable electronic filing, recording and case tracking. It sounds like a database for prosecutions. There is an initiative for electronic courts COPFS/SCS and an ISCJIS[
Integration of Scottish Criminal Justice Information Systems] scheme for electronic documentation production. http://www.crownoffice.gov.uk/publications/Crown%20Office%20Strategy.pdf
www.crownoffice.gov.uk/publications/ DASPID1finalrevMar03.doc [this link does not work for some reason and the Google.html search link has to be used: http://66.102.11.104/search?q=cache:jTykM62MqbkJ:www.crownoffice.gov.uk/publicati ons/DASPID1finalrevMar03.doc+Electronic+Courts+Scotland&hl=en
3) Which national, EU or international authorities have access to the databases? If such databases do not exist, who has access to information on investigations and prosecutions?
There is no direct access for EU or international authorities to the databases. Access takes place through NCIS and the Sirene Bureau. For international authorities access would be routed through the Interpol Bureau which is in the same office as the Sirene
Bureau. Requests are made under articles 39, 40 and 46 of the Schengen Convention.
11
Requests come through the Sirene Bureau which is effectively NCIS. Article 39 requests will be able to come “live” through the Schengen Information System [SIS] when that comes onstream in 2005.
Prosecutors and examining magistrates can make a request via the Home Office under the
Mutual Assistance in Criminal Matters Convention. In practice the information can be obtained much more quickly if a Prosecutor asks a Police Officer to make an Interpol request and this would then go directly to NCIS.
It is an English view that Prosecutors only need a case progression database. They have no real need for access to an investigative database. This may not be shared in other EU countries.
Since 9/11, a number of working relationships have developed, particularly with regard to terrorism, which are difficult to document for reasons of operational security.
Increasingly PITO works with the Home Office branch, the CJIT [Criminal Justice IT
Organisation] which is bringing it into contact with other agencies: courts, prison, probation CPS and it is also beginning to work with health, social services and the emergency services [evidence to Bichard Inquiry by Mr. Webb 23 rd
March 2004 am].
Child protection issues have led to the requirement for all these agencies to examine how best to exchange information. The Bichard Inquiry has addressed these and related issues in its final Report.
Evidence from abroad
The Crime [International Cooperation] Act 2003 section 81 amends the Data Protection
Act 1998 and inserts a new section 54A giving the Commissioner powers to inspect data in the Europol, Customs and Schengen Information Systems and to inspect test and operate equipment used for the purpose of data processing…is this just from a terminal in
UK or is he seriously supposed to be able to do this at the place where the server is based? And do we give reciprocal rights to similar officers in other member States?
Articles 13-19 of the same act deal with requests for evidence from abroad…but do not refer to databases or information from the same, yet the process of obtaining the evidence will clearly involve the use by the territorial authority in the UK of database interrogation in the first instance…
Section 14 gives the territorial authority power to obtain evidence where a request is made, if the authority is satisfied:
“a) that an offence under the law of the country in question has been committed or that there are reasonable grounds for suspecting that such an offence has been committed, and
(b) that proceedings in respect of the offence have been instituted in that country or that an investigation into the offence is being carried on there.”
12
This covers administrative proceedings as well as criminal proceedings.
But this does appear to be cover obtaining evidence, not simply information.
This raises a related issue, that of datasharing in the public sector. A debate has been initiated by the recommendations of the Cabinet Office Performance and Innovation Unit report “
Privacy and Data Sharing: the Way Forward for Public Services
”. Available at: http://www.number-10.gov.uk/su/privacy/pdf.htm
The response from Liberty is available at: http://www.liberty-humanrights.org.uk/resources/policy-papers/policy-papers-2002/pdf-documents/jul-2002privacy-data-sharing.pdf
And the Department for Constitutional Affairs has provided an update as of November
2003 at: http://www.dca.gov.uk/majrep/datasharing/update.htm
The intention is to bring forward legislation on data sharing. The working group has rejected the idea of a general power to share data with consent and is examining the idea of legislation to create a general power to set up data sharing gateways via secondary legislation.
The Home Office has produced a model protocol for data-sharing available at: http://www.crimereduction.gov.uk/infosharing21-00.htm
and a Government data standards catalogue is available at: http://www.govtalk.gov.uk/schemasstandards/eservices.asp
There is a standard for information security management: ISO 17799/BS7799
4) At which procedural stage are data introduced to the database (for example, at police/law enforcement investigation, launch of formal prosecution, or trial)?
This depends on which database an entry is being made.
The individual Police Forces are responsible for entering data onto the PNC Phoenix database and each has direct access to the system. Normally Phoenix includes an individual’s name, known aliases, sex, age, height and distinguishing features.
At present the Police are still responsible for putting Court results onto the PNC. The original intention was that arrests and summonses would be placed on the PNC at the time they were made. Bichard found, however, that with the exception of prevention of terrorism legislation the first record on the PNC is usually when a person is charged or cautioned. The Court Service will take over responsibility for inputting Court results in
2006. Bichard would like to see that process accelerated.
For the new intelligence database that Bichard envisages, his prime concern was with the recording of acquittals and cases not proceeded with, so this data would be entered at the same point.
13
Data for proactive investigation would be another matter entirely and where this happens at present the relevant information is not at present in the public domain.
5) At which procedural stage are data erased for the databases?
Repeating information supplied in answer to question 1, the information on the PNC is
“owned” by individual police forces, and each Chief Constable is a data controller under the terms of the Data Protection Act 1998 for the management of this information.
Individual forces, under HO Circular 29/95, are responsible for creating PNC records and for data input into PNC databases. Rules governing operation of all PNC services are prescribed by the PNC User Manual, which is “owned” by the Police PNC Policy and
Prioritisation Group [P4G]. This reports to the PNC Management Sub-Committee.
Weeding and deletion of records is administered by PITO and implemented directly by
PNC software in accordance with ACPO defined business rules, contained in the ACPO memo “General Rules for Criminal Record Weeding on Police Systems”. Sine 1995 rules have been incorporated in the ACPO Code of Practice for Data Protection.
Increasingly there is a debate about records, particularly as regards fingerprints and DNA.
With US demand for biometric data and proposals for a National Identity Card, there are proposals that some forms of personal data will be kept permanently. Paedophile databases are also permanent so that enquiries can be made where individuals are applying for work with children and sexual offenders excluded from this area.
There has also been a disagreement between ACPO and the Information Commissioner which is documented in the submissions to the Bichard Inquiry arising from individual complaints about data kept by the police and passed on to employers. This will be dealt with in greater detail in response to Q 22.
Bichard found the following and this point is central to his Inquiry, as it concerns the failure to identify Huntley as having a record of accusations against him with regard to underage sex.
[The following is paraphrased from the Report]: there is a lack of clear national guidance about information management in the sense of the way information is recorded, reviewed, retained or deleted. There is reference to record creation in the ACPO Code of Practice on data protection of 2002 which replaced the 1995 Code. This does little more than summarise the importance of information being relevant, accurate and up-to-date and is more or less taken from the Data Protection
Act. There is a “pressing need for clearer guidance in this area” [Para 3.67].
The ACPO Code did provide eight pages of guidance for Forces in terms of retaining data in compliance with principal 6 of the Data Protection Act of 1984. This stressed that
14
no absolute rules could be laid down about how long particular items of personal data could or should be retained. A series of questions were given as a test:
What purpose does the data now serve?
Is the data still relevant to the registered purposes?
How useful is the information likely to be in future?
The original guidance also advised that it might be necessary to consult the officer responsible for making the initial record and the 1995 guidance recommended that all the above should be applied to manual records despite the fact that the legal requirement for this came later. [ Para 3.70]
It also suggested an automatic review should be built into systems. This, Bichard stressed, was a review not automatic deletion. [Para 3.71].
16 th
June 1995 a policy document was circulated by ACPO General Rules for Criminal
Record weeding on Police Computer Systems.
Conviction for a reportable offence, retention for twenty years. Exceptions where the conviction was for an offence against a child, or young persons, in this case the record was to be kept until the offender was seventy years old subject to a minimum twenty year retention period.
In case of a rape conviction record to be retained for the life of the offender.
Records of cautions assuming there were no other convictions or further cautions, retained for five years.
Records of disposal other than conviction, caution, acquittal, discontinuance and not guilty bind over were to be retained for the same period as set out for convictions, ie twenty years, but acquittals and “discontinued cases without caution” not normally to be retained beyond a forty-two day period from the disposals notification date.
However this general rule is subject to exceptions when the record “should be considered for retention”. These included
Acquittal for an offence of unlawful sexual intercourse by a male with a female under sixteen. In such a case the record should be deleted when the male’s age reached twenty-five subject to no other offences being recorded.
If there was an acquittal or discontinuance because of a lack of corroboration or an allegation of consent in a case in which a sexual offence was alleged the record could be retained for five years on the authorisation of an officer not below the rank of Superintendent and the record would be reviewed at the end of that period.
15
The [ACPO] Crime Committee policy gave guidance to the officer making that decision and laid down three criteria as necessary preconditions for retention: (a) the case’s circumstances would give cause for concern if the subject was to apply for employment in a post that involved substantial access to vulnerable persons;
(b) the facts of the case showed that the subject’s involvement was based on information that was high quality and could be graded A1 when the 4x4 reliability test was applied; (c) the decision to retain the information could be defended on public interest grounds.
[4x4 test: a subjective alpha/numerical intelligence grading system used by most police forces to determine the reliability of a piece of information (on a scale of A, B,
C and X) and the reliability of the source of the intelligence (on a scale of 1–4).
Therefore, ‘A1’ means the intelligence source is highly credible and the intelligence is of a high standard. Glossary, Bichard Report
Now succeeded by 5x5x5 test incorporating the two factors above but including a judgement about who can have access to that intelligence (on a scale of 1 to 5).]
In September 1999 new rules from the ACPO Crime Committee changed the general period of retention from twenty years to ten years. There were exceptions where the conviction was for an offence involving a child or a young person as victims. In such a case the record was to be retained either until the subject died or until the subject reached
100 years of age. Records of disposals were to be retained for ten years for most offences. The 1999 weeding rules removed the reference to AS1 intelligence.
In October 2002 the ACPO Code of Practice on data protection was revised. Again the foreword from the Information Commissioner stressed that any specified retention period could only be a benchmark. The Information Commissioner would be obliged to examine on its individual merits any case referred to her. The 2002 ACPO Code did not make any changes of significance for the Bichard Enquiry. It dealt with criminal intelligence records and recommended that all intelligence reports should be regularly reviewed and considered for deletion subject to a maximum review period of 12 months.
Each of the 43 Forces produced its own set of local guidance and directions to give effect to ACPO and others national guidance. Content varied widely. Humberside, for example, followed a very different approach to that contained in the national guidance.
HMIC admitted that it had not carried out inspections of data protection weeding and that it would be doing so in future.
Stop Press:
On 22 nd July 2004 in a landmark judgement the House of Lords decided that the Police can keep DNA samples even where criminal investigations have been dropped. The argument had been made that the South Yorkshire Police, in keeping DNA samples after the two cases were dropped, were contravening either the individual’s right to a private life under Article 8 of the European Convention on Human Rights or the right not to be
16
discriminated against under Article 14 of the same Convention. Lord Brown argued that the cause of Human Rights would be better served by expanding Police databases rather than deleting records. He said the only logical reason to objecting to samples being kept by the Police was that it would make it easier for Authorities to arrest someone if they ever offended in future. Lord Steyn said that Police should be able to take advantage of modern technology which “enables the guilty to be detected and the innocent to be rapidly eliminated from enquiries.” The decision affects both DNA and fingerprint records. It is likely to be taken to the European Court of Human Rights.
6) What is the purpose of the databases as described in their founding instruments?
What is their use in practice?
The databases exist for a number of purposes but the PNC was originally established to improve record-keeping on criminals. PNC2 was established to improve exchange of information between constabularies.
It is the use of these databases for employment vetting that has caused most conflict in practice. Bichard has proposed that a separate agency is made responsible for deciding what details to release to employers so that the police can be removed from the conflicts involved.
7) Is there collaboration with foreign authorities for the acquisition of data on investigations and prosecutions (please refer to Europol/Eurojust)? Which authorities have access to this data?
The UK cooperates with foreign authorities via the Sirene Bureau, the Europol Bureau and the Interpol Bureau, all now in NCIS. Michael Kennedy represents us on Eurojust and is also President of Eurojust.
There is also collaboration via Mutual Legal Assistance or through Liaison Officers in the European Embassies or through, in the case of terrorism, the Terrorism Liaison
Officers who go via Special Branch in the UK and this is a completely separate system.
For cases of fraud and for the Serious Fraud Office, on the whole contacts are via the
NCIS but lawyers from the Serious Fraud Office can write directly to their counterparts in other jurisdictions. There is thus a legal route and an intelligence route which is via
NCIS. There is not necessarily an absolute demarcation between these two routes, they represent tendencies towards a particular direction.
17
The UK has a problem with Europol in terms of second party disclosure.
Comment repeated from answer to question 3
There is no direct access for EU or international authorities to existing databases. Access takes place through NCIS and the Sirene Bureau. For international authorities access would be routed through the Interpol Bureau which is in the same office as the Sirene
Bureau. Requests are made under articles 39, 40 and 46 of the Schengen Convention.
Requests come through the Sirene Bureau which is effectively NCIS. Article 39 requests will be able to come live through the SIS when that comes onstream in 2005.
Prosecutors and examining magistrates can make a request under the Mutual Assistance in Criminal Matters Convention and this would go to the Home Office. In practice the information can be obtained much more quickly if a Prosecutor asks a Police Officer to make an Interpol request and this would then go directly to NCIS.
The feeling of the senior English Police Officers interviewed was that Prosecutors only need a case progression database. They have no real need for access to an investigative database.
If the question is about possible routes forward, then a TETRA-style network might be developed to link networks such that the simple question could be answered as to whether an investigation was under way or a prosecution in process against a particular named individual.
8) What provision is made in your national laws for data sharing between public bodies? What are the relevant restrictions?
PNC is a 24 hour a day, 7days a week service available to organisations approved by the
ACPO IM [Information Management] Police Security Sub-Committee [PSSC], which controls access by the police and partner agencies, including prosecution.
General comment on data-sharing law repeated from answer to Q.1.
The Law Society’s submission to the Bichard Inquiry suggests that there is no coherent legal framework governing the use of personal data in the public sector. They argue that this has already been recognised by the government and that the recommendations of the
Cabinet Office Performance and Innovation Unit report “
Privacy and Data Sharing: the
Way Forward for Public Services ” provide an excellent starting point. This report identified a lack of awareness of how the legal framework operated and a problem with a lack of powers to share data between public bodies, even where consent has been given.
The report argued that it was possible to achieve the objective of making better use of personal data in the delivery of public services while also enhancing privacy. It did however argue that crime policy might be the area where privacy was least possible.
18
The Department of Constitutional Affairs produced a guide to the law on data-sharing in
November 2003 http://www.dca.gov.uk/foi/sharing/toolkit/lawguide.pdf
The guidance discusses the powers of public bodies to collect use, and disclose personal information. It considers five areas of law are involved:
• the law that governs the actions of public bodies
(administrative law);
• the Human Rights Act 1998 and the European
Convention on Human Rights;
• the common law tort of breach of confidence;
• the Data Protection Act 1998; and
• European Union law.
The advice in the document, in summary, is that it is a matter of administrative law as to whether a public body has the power to carry out data sharing. It must then be considered whether, even though it may have the power, its exercise may be unlawful due to the operation of the Human Rights Act of 1998, the Data Protection Act or the common law tort of breach of confidence. These provisions should be interpreted with regard to the relevant principles of the ECHR and of European law.
9) Are there national general principles of law and privacy laws which prohibit either the creation of national databases on investigations and prosecutions or the use of such data? Please describe and attach these laws.
There are no UK laws prohibiting the creation of a database. Such databases already exist in the UK. As noted in the answer to the previous question it is data-sharing that raises legal problems.
10) Is there an exemption to these laws, for example on the basis of the general “public interest” to combat crime? Could such an exemption supersede national privacy laws?
National Security
Is there really a public interest exemption or is this something drummed up by newspaper editors to protect themselves against a privacy law? [answer yes it’s to do with data retention. Discussed in Bichard]
11) In view of measure 12 of the mutual recognition programme (OJ C 12, 15.1.2001, p.
10), would linking national databases be an effective weapon against transnational
19
crime or would an EU database on investigations and prosecutions from all EU
Member States be preferable? What added value for your national authorities do you see in the setting up of a EU judicial database as foreseen in Eurojust and, if there are any, what would be the current legal difficulties to be upheld in your country for the connection to such a data bank?
If there were to be an EU judicial database, what would it contain? There is a feeling in the UK that a comparative law database is increasingly needed. If such a database included judicial decisions this would be especially useful given the move of the EU to framework decisions which produces 25 different national implementations which in turn produces a need to know what the differences are between the different implementations.
A database that provided that information would be extremely useful.
Measure 12 asks how best the competent authorities in the European Union should be informed of investigations or prosecutions outstanding in respect of a given individual, covering, in particular, the categories of offence potentially concerned and the stage of proceedings at which the information process should start. It should also consider which of the following would be the best method: (a) to facilitate bilateral information exchanges; (b) to network national criminal records offices; or (c) to establish a genuine
European central criminal records office.
The grammar of the measure is odd. Presumably, it means, how can the competent authorities find out if a given individual has an investigation or prosecution outstanding against them? Or does it imply that a passport or identity card check should immediately and automatically throw up this information as a result of a barcode scan that would link into a closed and secure network in some way.
Where an investigation of a serious crime is underway, surely the last thing that an investigator would want is that a routine check of a person’s documentation led to behaviour on the part of a uniformed police officer that informed the person being investigated that such an investigation was under way? Investigating organised crime involves surveillance and identifying an individual’s contacts without alerting them to the fact that they are under investigation.
If the intention is to apprehend an absconder, then that is a totally different matter.
Is, however, what is required a system that throws up information on investigations or prosecutions underway in other Member States against an individual into whom an investigation has been opened or whose name has come up in the course of an investigation? If so, the existing Sirene Bureaux is the appropriate system upon which to build, but with an improvement in accessibility for investigators at lower levels than the national as long as it has provision to warn other investigators that access has been made, so that on-going investigations are not compromised. There will need to be a body and a
20
procedure to deal with such conflicts as to which investigation and which country has priority and this will almost certainly mean a role here for Eurojust and for Europol.
Presumably what we are looking at is something that would benefit a hands-on investigator. And the question that needs to be answered is what we would need above and beyond the SIS (Schengen Information System). The Europol database is a good one but it is not supplied with sufficient data and it can only be accessed via national units.
The existing databases need a greater quantity of data supplied and they need the possibility of wider access to improve the possibilities for a hands-on investigator.
Access is the fundamental problem, as opposed to the architecture of the databases. The level at which access can be made needs to be determined. As mentioned above, there also need to be dispute resolution procedures in place. The greater the access, the more likely it is that investigations will conflict, and the greater the likelihood of security being breached.
The problem for a hands-on investigator is not so much access to data on prosecutions and convictions, but to data on intelligence. For this reason a European version of the UK
National Intelligence model is required together with a 5x5x5 test of reliability. The legal problems of empowering direct access to such data on the part of an investigator from another country are the ones that need to be addressed, rather than data on convictions.
Often what is required is to know what an individual is suspected of in order to know what to look for in their relations with other individuals and organisations. The creation of a UK intelligence database needs to parallel those similar databases that already exist in other member States. The interviewees thought that the data protection issues here would be fairly difficult to overcome.
The prevailing IT doctrine in the UK is, however, changing as the following quote shows:
“I think today we are looking at a far more information centric architecture which provides information as the entity which is common across the entire environment, whereas in the days of NSPIS, it was a far more systems-based structure where people had individual systems and they would talk to each other, whereas now we are looking at far more commonality of information, perhaps in central databases or centralised
databases, where the information is shared.” Mr. Webb of PITO Bichard Inquiry March
23 rd
2004
The EU needs to go through the intermediate step of a common data recording strategy.
When all Member States record the same data in the same format, it will become possible to move to central databases.
Most so-called transnational crime actually consists of regional groups trading with other regional groups. The Europol Joint Investigative Team with a case specific approach seems adequate enough and databases for individual investigations are more rational.
Although there is now software available in the US, apparently, that can search databases much more quickly than has previously been possible, the principle of Occam’s razor remains an excellent one.
21
An EU database will only be efficient if there is an obligation to notify which is then followed through. Irene, OLAF’s database has been plagued by a failure to notify of offences of fraud. Multiply that by 50 other major offences and there will be lots of gleaming machinery and very little data. Tupman and Tupman discussed the EU database strategy in 1999. The same shortcomings are still apparent:
The following thoughts from the present author, written in 1999 have been updated slightly to take account of changing names of organisations.
“The Database Strategy
In default of a European FBI, all attempts at cross-border police organisation since 1985 have centred on the creation of a networked computer database. A number of such crossborder databases and database-related communication systems have now been established as necessary prerequisites for risk-assessment together with offender and offence profiling. Their advantages are:
offender profiling is vital for identifying individuals and organisations who commit relevant types of offence - fraud, smuggling, trade in people;
offence profiling ensures that investigators are up-to-date with the modus operandi of the various offences being committed and with the organisational structures required to commit them;
risk-assessment enables proper targeting of scarce resources, both for prevention and successful investigation;
information technology enables rapid exchange of relevant intelligence between investigative organisations across frontiers and removes bureaucratic obstacles with regard to provision of evidence. At the same time officers remain accountable to existing command structures.
All cross-national database schemes have had problems achieving their original goals.
The major problems have been:
compatibility between EU Member States' software and hardware;
judicial acceptability of on-screen communication in place of paper;
data-protection and privacy;
analytical software for profiling;
consistency of reporting of offences by individual countries and organisations.
The Schengen Information System (SIS) has been transformed into a man-machine interface by the SIRENE bureaux. The former’s original anti-immigration aspect has recently been transferred to the proposed database Eurodac .
The European Commission’s own investigative organisation, formerly UCLAF, now
OLAF, assists Member States to focus on high risk areas by providing information resulting from an analysis of information on its databases: - pre-IRENE (IRégularities,
ENquêtes et Exploitation), for cases of fraud under investigation and IRENE, for cases successfully investigated. These were combined to create IRENE 95, another step
22
towards upgrading the system from an electronic filing cabinet to a full-scale independent knowledge-based system that can identify and analyse risk factors. IRENE has had many problems in gestation, but in late 1999 included over 20,000 cases.
The other major relevant databases are DAF (Database Anti-Fraud), SCENT (System
Customs ENforcement Network), and CIS (Customs Information System). There are now 323 SCENT/CIS terminals installed at airports and administrative headquarters.
They may be used to record and to access data on both Community and non-Community matters. With regard to CIS, European Union Member States have adopted a convention on the use of information systems in the customs field. Agreement has also been reached on the provisional application of this convention between some of the Member States.
The convention itself has not yet been ratified, so the central database cannot yet be created. Without further research, it is impossible to say whether there is deliberate obstruction on the part of some Member States, or if some have a technology problem.
On 26 July 1995, under article K3 of the Treaty of Maastricht, a Convention was signed on the use of information technology for customs purposes. It provided a legal basis for including in a database information to combat drug-trafficking. This database has been set up. In addition, the system for registration of goods in transit across the EU is being computerised, in cooperation with EFTA: ‘Although it is obvious that computerisation will not totally wipe out fraud, it is safe to assume that the cost of this project will soon be recouped’.
This view is belied by the development of every computer system. It is not safe to assume costs will be recouped. It is safer to assume that the system will not do what the client originally thought it would. What it does may be useful but will not be as per specification. The databases so far established in the European Union have been good at recording data, but poor at analysis, and have run into data-protection and judicial supervision problems that have reduced them to electronic filing-systems of limited utility as investigative tools. Nevertheless they continue to proliferate. The Europol
Convention is 75 per cent concerned with database matters. It is time for serious analysis of investigator use of databases in order to establish how successful they have been in achieving their original goals, to identify good practice and to establish real costs. Above all, a project needs to be established to examine and overcome the legal and technological problems of moving from a primitive man-machine interface to intelligent, analysiscapable software.
An intelligence- and database-oriented approach is unlikely to be successful if information is slow to reach database managers because of bureaucratic delay and complexity. To by-pass obstacles, UCLAF proposed the installation of ‘an experimental freephone service to allow European citizens to provide information on fraud in confidence directly to the Commission’. The freephone number received over 4,000 calls in the first 12 months of its operation from November 1995. Around 200 of these led to further investigations and subsequent formal enquiries involved amounts of over 30 million ECUs . It is tempting to wonder what the impact would be of a European version of Crimewatch [It would be a big step forward from the Eurovision Song Contest!] [I’m copyrighting this idea!]
23
Equally important, if databases are to provide a true picture, is the issue of notification.
A targeted strategy demands reliable, up-to-date information. A Commission proposal to improve both the level of detail and frequency of submission of Member States’ reports of fraud and irregularities was adopted during 1996. The intriguing question is how long it can be before banks and financial institutions are also placed under legal obligation to report fraud to a central database run by a Financial Intelligence Unit. The impact of a database-led strategy will be affected by the priorities of individual countries.
Investigative priority will be determined by the perceived scale of the problem and this is normally measured on a purely financial basis. Article 209a of the Treaty of Maastricht establishes ‘the assimilation principle’, whereby Member States shall take the same measures to counter fraud affecting the Community as they take to counter fraud affecting themselves. In the UK this may be counter-productive - officers from the
Serious Fraud Office have told the author privately that they do not investigate frauds below £5million. This is because of the immense costs of prosecution. Presumably, local fraud squads, Ministry of Agriculture, Food and Fisheries inspectors and Inland
Revenue officials operate to different guidelines. Recognising this problem, the
Convention on the Protection of the European Communities Financial Interests of 26 July
1995 instructs Member States to define serious fraud as involving a minimum amount that cannot be set at less than 50,000 ECUs. Legislators may define an offence as serious by using financial criteria, but investigative priority cannot be guaranteed where there is already a heavy domestic case-load that is being prioritised on the basis of higher monetary value.
As long as the policing of cross-border crime is hamstrung by governments’ reluctance to set up a permanent cross-border police organisation, idiotically complex sets of regulations will continue to be passed. The Treaty empowered Europol to set up joint investigative teams for individual operations. Customs organisations can already do this, so there is a precedent and this may produce a more effective halfway house.
The Customs network, finance ministry-driven and concentrating on drug smuggling and revenue invasion, has been the most successful integrator of information technology and joint investigation teams. I commented in 1999 that Europol had too many potential responsibilities and suffers from in-fighting between the Ministries of the Interior and
Justice, which was then preventing the K4 Commission [ now the Title VI Commission] from developing into a successful driver of policy. The Schengen system has made progress but had to move away from its original, information technology-driven, vision.
Europol and OLAF need to be coordinated. OLAF fortunate in its freedom from the multi-national decision-making process and single-crime oriented, is the only supranational body capable of driving cross-border investigative policy and practice forward. The organised crime groups it investigates are involved in many other types of crime outside its competence. It will of necessity exceed any brief it is given. While this should be welcomed if it increases the effectiveness of the battle against organised crime, it will inevitably be portrayed as part of the battle for sovereignty between the
Commission and certain Member States.” (Tupman and Tupman Policing in Europe pp
91-94)
24
12) Could the EU establish a database for investigations and prosecutions that includes relevant data on EU citizens, supervised by a judicial/quasi judicial authority be acceptable to your national legal orders? What problems, if any, would you foresee and how could they be resolved?
There would probably be less legal problems for the UK than for many other member states of the European Union. The UK databases would have to comply with data protection law, the European Convention on Human Rights, and Court decisions with regard to privacy.
The problems will primarily be political. Daily Telegraph will go berserk, followed by the Mail, the Times and probably the Express! UK would opt out. Databases for paedophiles and sex offenders are easily saleable, but cigarette and alcohol duty evaders are seen as legitimate. The Sun newspaper has even run a campaign supporting them.
There is a frightening lack of recognition in all the European Commission documents on this question of the existence of a European democratic deficit and of a need for any aspect of policing to concern itself with legitimacy. The European Parliament may appear to be obstructionist to the technocrats that are proposing these solutions, but there is a danger of widening the gap between the public and central institutions unless this issue is borne in mind. Databases are a useful tool, but if the public isn’t coming forward and reporting crime, there will not be any data. Equally, there will not be any witnesses giving evidence when the court proceedings begin. So there will be no convictions.
13) Could the EU database supply data to be accepted and used as indirect information or evidence before your national courts, or would your national laws limit its use to the support of investigations and prosecutions via the provision of soft intelligence?
It is unlikely that data from an EU database would be accepted as evidence. The UK
Courts would want to go back to the source of the information and be able to cross examine the witness who provided it. As regards the provision of limiting it to the provision of soft intelligence, the answer is almost certainly ‘yes’.
The UK government in the Organised Crime White Paper March 2004 strongly supports the creation of an EU intelligence model on the lines of the existing UK National
Intelligence Model and supports the second generation of the Schengen Information
System.
See answer to Q 11
Polics and politicians in the UK would be interested in the creation of a European criminal intelligence model. This would need to be created by the European Police
25
Chiefs Task Force. It would then be necessary to create appropriate hardware and software to provide the analytical capability. All this would have to be in a framework that would define intelligence in such a way that it would not terrify East Europeans who remember the meaning of intelligence as used by their former communist rulers.
14) Which crimes could be included in the EU database for investigations and prosecutions? Could it extend past the limited crimes included in the
Europol/Eurojust mandate?
You need to start by deciding what the requirements are for a successful investigation of organised crime, then build your database so that it can supply useful information. Unless it is intended that the database will consist of a list of individuals convicted for their involvement in organised crime and the cases in which they were prosecuted plus your soft intelligence on them. Start with the individuals not the crime. But to do that you need to have legislation in place legalising proactive investigation and a procedure for legalising and legitimising data entry.
In terms of United Kingdom law any crime could be included on a database. The decision would be a business or economic decision rather than a legal decision.
22 nd
July 2004 House of Lords decision that the Police can keep DNA samples even though criminal investigations have been dropped. The argument had been made that the
South Yorkshire Police in keeping DNA samples after the two cases were dropped were contravening either the individual’s right to a private life under Article 8 of the European
Convention on Human Rights or the right not to be discriminated against under Article 14 of the same Convention. Lord Brown argued that the cause of Human Rights would be better served by expanding Police databases rather than deleting records. He said the only logical reason to objecting to samples being kept by the Police was that it would make it easier for Authorities to arrest someone if they ever offended in future. Lord
Steyn said that Police should be able to take advantage of modern technology which
“enables the guilty to be detected and the innocent to be rapidly eliminated from enquiries.” The decision affects both DNA and fingerprint records. It is likely to be taken to the European Court of Human Rights.
The UK Prime Minister, Tony Blair has now returned to support for the original wording for European Public Prosecutor’s Office, which includes “serious crimes affecting more than one member state” as well as fraud against the community budget.
Is this a practicality type of question? If so, surely best to start with a limited numbers of offences. But if it is for the investigation of organised crime, isn’t that the wrong way round. One way I’ve heard organised crime defined is “ we know who the bad guys are, we just don’t know what they are up to”. If a database is to be of any use in investigating organised crime it needs to be capable of supporting a proactive investigation, and has to get away from “reactive” thinking.
Or are we talking about an OLAF-style approach, involving a database that can somehow
26
be used to risk-profile new policies for opportunities for organised crime…OLAF reports claim to be able to do this for fraud against the Community Budget.
15) What safeguards could ensure that the transfer of data from your national authorities to the database does not clash your national law?
The Data Protection Act and the European Convention on Human Rights are the two major pieces of legislation that govern UK use of data on databases. In certain circumstances, particularly if it threatened the security of an on-going investigation into serious crime, the request to see what data was held could be refused. This is outlined in the Data Protection Act.
Citizens would have to have a right to ask to see what data was held on them, there would have to be a date by which data was removed, except in the case of paedophiles and terrorist suspects, possibly other categories. The UK Information Commissioner already has the right to inspect data input to the Schengen Information System and similar
European databases.
16) Which national authority within your jurisdiction could undertake the task of transferring the relevant data to the EU database?
.
Have to be NCIS or its successor, unless PITO can be given some form of external jurisdiction as for PNC. An NCIS – PITO partnership would be the most likely body to take responsibility for data transfer. The position of Scotland in the UK means that there is already experience of running such a system. ACPOS says Scotland updates PNC every four hours. Presumably a similar system could be established from PNC to a
European database, but we surely wouldn’t be talking about transferring EVERYTHING would we? There would have to be some decision as to what sort of cases would be involved and how they would be defined as involving organised crime. See answer to question 14.
17) Which national/EU persons may have access to the EU database: judicial, prosecution, police?
For the UK it is and would be NCIS. The Scottish Procurator Fiscal may have a claim but does not at present have access to PNC except via a Police Officer. The Fiscals have a liaison officer to carry out functions normally only carried out by a serving Police
Officer.
27
Elsewhere in Europe it may be judges or procurators. You’re going to end up reinventing
Sirene bureaux, I suspect.
18) Which EU agency could be a suitable host for the EU database? Could Eurojust
(pursuant to Article 14 of the Eurojust Decision) establish a database for investigations and prosecutions that includes relevant data on EU citizens, supervised by a judicial/quasi judicial authority be acceptable to your national legal orders? What problems, if any, would you foresee and how could they be resolved?
The Directorate General of Justice and Home Affairs within the Commission would have to create and build a new database. It would make sense to put it in Strasbourg alongside
SIS2. There are two major systems, the visa information system at Salzburg and SIS2 in
Strasbourg. In Strasbourg is the backup for Salzburg and in Salzburg is the backup for
Strasbourg, if you follow me, the online site for each of these databases is in a different place to the backup site.
It would be a good idea to have a system that could capture criminal convictions based in either Strasbourg or Salzburg. There is in place a new system S (for secure) TETRA
[TErrestrial Trunked RAdio] http://www.tetramou.com/ . This is a network that will enable the exchange of information and may be able to search SIS2 and any criminal convictions database.
The English response is that we need integration, harmonisation and consolidation of existing IT systems, NOT yet another one. STETRA is the most sensible and rational next step forward.
Overall it makes sense to:
1) Define business needs, ie the needs of the Police investigators.
2) Look at Human Rights and data protection problems that would be raised by these needs.
3) Adopt those solutions that could be obtained by adding extra functionality to SIS.
This would cover most of the present problems.
In other words we should take a Police wish list which should go to the politicians in order that they can decide what is acceptable and produce, then, the appropriate legislation.
In the UK it is not necessary to worry about the purpose for which data was entered.
Once it is entered it is available as intelligence or general information. In a number of
European countries you can only look at data in a context similar to that in which it was first entered.
Tampere recommendation 44 set up a Police Chiefs operational Task Force which links
28
to Europol. It has a responsibility to exchange best practice and contribute to the planning of operations. Such an institution is another possible host for a database if it became permanent.
Eurojust or Europol? UK could understand Europol hosting such a database. England and
Wales don’t have a tradition of prosecutors supervising investigation. We will have all sorts of problems adjusting, but we have linked PNC2 to SIS and established a process of data protection and inspection.
The European Public Prosecutor would also be obvious, but the UK is not politically ready for that. Although according to the Financial Times 31.5.04, government sources are saying that the UK could return to a wider role for the EPP, as long as the veto is retained over extensions of the mandate.
The House of Lords European Union Committee has discussed the role of Eurojust in its
23 rd
Report of Session 2003-4. http://www.publications.parliament.uk/pa/ld200304/ldselect/ldeucom/138/138.pdf
para 6 quotes Hans Nilsson, the Head of Judicial Cooperation in the Council Secretariat as saying that Eurojust “ is at the crossroads of two conflicting models: one seeking increased harmonisationof criminal law and procedures and centralised EU structures and the other based on mutual recognition of Member States’ laws and procedures and enhanced cooperation between them.” The UK sees it as the latter, not the former.
Eurojust is a useful institution for exchanging information and facilitating coordination of a prosecution. It is difficult in a UK view to see why it should have access to a database, let alone be the home for one. The UK Information Commissioner even criticised the composition of the Eurojust Joint Supervisory body. He argued that judges might not be experts in data protection and that members of national data protection authorities would be more appropriate. [para 55]
In para 102 of the Report, the Committee was not convinced of the necessity for the establishment of a European Criminal Record. They felt that there has been a proliferation of databases at EU level and that “the feasibility and added value of these databases was questionale and their impact on privacy and the protection of personal data may be considerable”[footnote 138 of the Report attributes the quotation to a letter from
Lord Grenfell, committee chairman (sic), to Caroline Flint MP parliamentary under-
Secretary of State at the Home Office] Links between national databases could achieve the same objective. There certainly should not be a European database containing data on investigations
The Committee was in agreement with Drs Xanthaki and Stefanou that if a European
Criminal Record were to be established, taking into account the fact that several new
Member States have no criminal records as such, then there should be three safeguards: data should be held only on convictions, data should be held only on transnational offences and only judicial authorities should have access [paras 100 and 102].
19) In view of the free movement of persons within the EU and the increase in crime, would such a database constitute an effective weapon against crime?
29
The United Kingdom has not signed up to the free movement of peoples and has kept border controls. On the other hand, the feeling among investigators is that any more information would be useful. Ideally, a proper evaluation needs to be done as to what a separate database could achieve that improved cross-border access to national databases couldn’t.
The danger is that such a database would be used against immigration and political dissidents rather than criminals. The profiling and analytical software isn’t there yet and the storage capacity doesn’t yet exist. Cross-border networking between police officers and prosecutors together with Joint Investigative Teams is more likely to work at this stage of European Development.
A sex offenders database is more likely to be successful in the first instance and likely to be accepted as legitimate by the European public at large. [see next answer]
20) Do you foresee political opposition, in your country, to a move for the creation of such a database either by political parties or by human rights groups?
Human Rights groups will protest. Justice will certainly object strongly. The Joint
Supervisory Authority [JSA] for SIS has criticised moves to widen access, so it isn’t simply going to be a local political issue.
The British Press is more likely to go berserk. Europe really isn’t popular in the UK right now. The idea of faceless Brussels bureaucrats invading our private lives is not one that would receive a positive response. Human rights groups may jump up and down, but they would not be the main opposition to this. It is an issue that the Conservative Party would expect to exploit. See “the Five Ways the EU Constitution would harm our lives”. Four of the five are about European judges, rights and law. http://www.conservatives.com/campaigns/campaign.cfm?obj_id=73417
But the Caroline Dickinson murder trial at present underway in France has already led to calls for a European database of Sex Offenders [Nicky Campbell on the Breakfast Show,
Five Live 9 th
June 2004].
Home Secretary has called for a DNA database and a database of sexual offenders for whole of Europe. The latter is likely to be acceptable. The former is more debatable.
21) Is crime seen as a serious problem, by the media and the public, in your country?
Justify your opinion by reference to interviews with representatives of the main political parties (a telephone call to their headquarters is adequate).
30
Yes it is. But it is petty crime and anti-social behaviour and fear of crime that are the big issues not transnational crime. This will change if there were to be a terrorist attack on
London or a major incident involving criminals in which a number of policemen are killed.
Labour Party position on crime: http://www.labour.org.uk/crime04/
Conservative Party position on crime: http://www.conservative.com/policies/
[the crime consultation document The Conveyor Belt to Crime is a long way down the list, but there are documents on crime in London earlier in the list.] speech by David Davis http://www.conservatives.com/news/article.cfm?obj_id=111556
Howard’s Middlesborough speech on http://www.conservatives.com/news/article.cfm?obj_id=113496&speeches=1
Liberal Democrat party position on crime: crime:
Speech http://www.libdems.org.uk/index.cfm/page.homepage/section.home/article.7258
Policy: http://www.libdems.org.uk/documents/policies/Policy_Papers/51JusticeandtheCommunit y.pdf
22) Is there a move in your country towards the reduction of police powers and the promotion of the rehabilitation of ex-offenders?
The phrasing of this question is somewhat unfortunate. I do not see a link between the two.
Police powers: the police would always say they are being reduced, lawyers would say they are increasing. Speed cameras and random breath-tests cause much grumbling in pubs!
There is a major dispute between ACPO and the Information Commissioner on how long records can be kept on file, which opposes the need for child protection to the requirements of the rehabilitation legislation.
Bichard discusses the entire system of employment vetting and refers back to Article 8 of the European Convention of Human Rights which has markedly different things to say about whether information should be retained and whether it should be disclosed. He argues that an individual’s privacy can be interfered with to the extent that confidential information may be retained but it may not be justifiable to communicate that information to the employer. There is an issue of fairness to the job applicant and in
4.109 he acknowledges that careers may be blighted and job prospects lost. He lists what he considers to be the essential issues:
31
What should the ingredients for fair treatment be?
Can the system be made to work efficiently, protectively and fairly all at the same time bearing in mind the call on limited resources?
How should the balance be struck between the rights of the individual and the need to protect the vulnerable?
The Courts have been involved in considering disclosure of Police information for vetting purposes. A recent successful judicial review challenged the provision of local Police information to an employer was X versus Chief Constable of the West Midlands (2004)
EWHC (Admin) 61 Mr Justice Wall. In summary Mr Justice Wall decided that the discretion to be exercised by the Chief Constable under Section 115 of the Police Act
1997 as to whether to disclose intelligence material has to be exercised in accordance with Common Law principles of fairness and in the present context those principles were set out in ex parté Thorpe (1996) QB396 and ex parté LM(2000) 1FLR612.
The principles require that the job applicant be given an opportunity to make representations before the disclosure is made to the prospective employer. The conclusion was based on the seriousness of consequence of disclosure for the job applicant and on the very small number of enhanced disclosure requests producing a result other than no trace. The figures cited to the Court indicated a figure of 3 in every
1000 for that force. The judgement is under appeal. The effect if the appeal is unsuccessful is likely to be that there will have to be an extensive review and debate with the job applicant and lawyers in a significant number of enhanced disclosure cases before any disclosure is made. Bichard feels that in terms of fairness there are attractions in according applicants a prior opportunity to comment on disclosed information.
23) Please feel free to make additional comments.
Alternative routes forward:
A system of separate databases for separate purposes could be set up in order to satisfy the legal requirement that data placed on a database can only be accessed for the purpose the data was originally entered. The legal basis here needs clarifying but several documents from the European Parliament suggest that this is an important consideration in many continental European jurisdictions. This would have the advantage of satisfying human rights concerns but the disadvantage that it would be expensive and would hamper cross-border investigation. On the other hand if any other system means that evidence so obtained cannot be presented in court, then economic cost cannot be used as an argument to outweigh human rights costs and the ultimate benefit of successful prosecution.
The European Commission proposal to change the purpose of the Schengen Information
System from a control system i.e. a system that exists primarily to prevent the admission
32
of “undesirables” to the European Union to a more investigative system is one that is inevitably going to succeed given the growth in the use of the database for enquiries about wanted persons, evidence and objects. The problem that was not anticipated when
SIS was set up was that there might be individuals, such as football hooligans who it might be necessary to prevent crossing internal frontiers at specific times, or such as paedophiles, whose movements need to be monitored. The English view that the author of this report has encountered seems to accord with that of the Commission, that the
Schengen Information System should be developed for investigative purposes.
There is not such support for a European Criminal Records database and more support for the idea of a procedure by which individual Member States’ criminal records databases can be accessed via the SIS. Whether the attitude would be different if it were to turn out that not all member states have Criminal records databases at national level would need to be explored, but support is more likely for the creation of individual national databases that an all-European one at this point. The UK is strongly in favour of taking a Third
Pillar approach to Criminal Justice matters, while accepting that immigration requires a centralised approach.
A prosecution database at European level is equally unlikely to find favour, although access to individual member States databases via SIS would be acceptable. The Home
Secretary has proposed a European DNA database, but whether Parliamen, particularly the House of Lords would in practice pass such legislation will be a question for future empirical verification.
A database for investigating terrorism and organised crime, where a definion could be agreed for entry purposes is a possible step, but a database for intelligence, in the sense of investigative intelligence, not security services information will require a European version of the UK National Intelligence Model.
Interface between databases is the favoured UK approach, preferably via direct access terminals with such access recorded and monitored. A series of bureaux on the lines of
Sirene would be seen as a retrograde step. A further possibility might be that Member
States databases develop sections that would be all-European access, with judicial supervision of the rules for data entry and occasional regular inspection by an appropriate data protection officer. Access level is probably the issue that most interests UK investigators.
List of those interviewed for the Project
July 2004 12.00-2.00 NCIS London
Brian Donald, Senior Business Manager, Sirene Project Manager, NCIS
Matthew Foley, Senior Intelligence Officer, NCIS
May 2004 12.30-3.30 Centrex Bramshill
Insp. G. Marshallsay “Genesis” Helpdesk, Central Police Training and Development
Authority, Bramshill
33
Sgt B. Cook “Genesis” Helpdesk, Central police Training and Development Authority,
Bramshill
June 2004 email contact with Sandy Taylor of the Scottish executive Justice Department
Justice Statistics Unit
The issues are:
Big centralised database vs Smaller local databases
What data goes where
What software is available to process data
Soft data and hard data
Compatability of rules for data handling and their relation to laws of evidence and disclosure
Defining organised crime in legal terms
Proactive vs reactive investigation. Legal basis for proactive investigation and data gathering and storage in such investigation
Database for single investigation that crosses Member State boundaries [LESTRADE rather than HOLMES???].
Disclosure?
Politics
Nature of evidence taken from a computer
How would you cross-examine it? Basic misunderstanding of adversarial system here.
Crime [International Cooperation] Act 2003
Scots would require corroboration.
34
