PI explains risks to UK census data inherent in outsourcing to US contractor
Privacy International has briefed the UK House of Commons Treasury subcommittee on the risks to UK census data if a company with a US data centre is called on to run the census. Under weak US laws on safeguarding personal information, the UK census data could be abused without any knowledge of the UK government.
We filed a letter with the subcommittee to respond to the government minister's claims to the Commons that the government had no concerns about the US government gaining access to the personal records of UK citizens because there were adequate legal arrangements in place. This position contradicts years of evidence showing otherwise.
In our Memorandum, drafted with our partner organisation the American Civil Liberties Union, we answered the following question: "How secure is the personal information of UK citizens in light of the USA PATRIOT Act and the limited privacy protections of the United States?".
A summary of our conclusions is available below, while the full analysis is available here.
The security of British personal information is generally based on where it is located and who controls it.
Scenarios
- Information in the United States. If British personal information is located in the US, its disclosure will be governed by US law, including the USA Patriot Act and several sector-specific laws including those governing medical and financial information. These laws provide substantially less protection than British and European laws.
- Information under the custody or control of a US party. If British information is accessible to an entity within the US, even if it is held in Britain, US law obligates US actors to disclose this information. This access will be governed by US law, which is generally permissive.
- Information in Britain that is not accessible to a US party. Information inaccessible to a US party, or barred from disclosure by foreign law, still may be disclosed to US law enforcement. Assuming a US court or agency can gain jurisdiction, a five-part balancing test determines whether the US entity should be granted access to the requested information.
- Information in Britain that is not accessible to a US party and outside the jurisdiction of any US entity. In this situation a US court or agency will not be able to force disclosure of information. This does not preclude sharing through other means such as law enforcement information sharing agreements or mutual legal assistance obligations.
Conclusions
Considering lessons learned from a number of cases, including the outsourcing of information to private corporations, the information of British citizens will be in the hands of US actors and unprotected by British law. This point is dramatically illustrated by the case of Indymedia, where a US entity operating in the UK shared personal information with US authorities.
Taking into account US and international law, there would seem to be a number of avenues for protecting personal information, including reliance on existing national agreements, enacting specific statutes to block access, limiting disclosure to entities not subject to US jurisdiction and creating incentives for British corporations to fight disclosure. The best mechanism may be the enactment of a new, specific, bilateral agreement that covers all information sharing between the US and Britain.
Parliament must therefore proceed with great care as it considers developing new information systems capabilities and using vendors who have strong links to the US.