INFORMATION MANAGEMENT LEGAL AND SECURITY ISSUES Andrzej Adamski 1. Introduction This section discusses the legal protection of information and the security issues of computer data and electronic information systems and is organised into four parts: First, it focuses briefly on the basic conceptual distinction between information and data, providing a basis of understanding of the primary object of legal and technical means of protection. Second, access to Government information will be discussed. Third, protection of personal data in the administration of criminal justice will be presented. Finally, security of data and network communications will be explored 2. Information and data: Legal Protection of information and data 2.1 Information and data Data is a formal representation of concepts, facts or instructions. Information is the meaning that data has for human beings. Data has, therefore, two different aspects: as potential information for human beings or as instructions meant for a compute Information is not material, but a process or relationship that occurs between a person's mind and some sort of stimulus Information, therefore, is a subjective notion that can be drawn from its objective representation which we call data Different information may be received from the same data. As in the various natural languages the same word may have different meanings, so in computer programming the same byte or set of digits(e.g. 01100010)may serve as a carrier of different content 2.2 Legal Protection of lnformation and data The new legal doctrine of information law and law on information technology recognises information as a third fundamental factor besides matter and energy. This concept realises that modern information technology alters the characteristics of information, especially by strengthening its importance and by treating it as an active factor that works without human intervention in automatic processing systems. In this new approach, it is obvious that the legal eval of corporeal and incorporeal(information)objects differs considerably Information, being an intangible and an entity that can be possessed, shared and reproduced by many, is not capable of being property as most corporeal objects do. Unlike corporeal objects, which are more exclusively attributed to certain persons, information is rather a public good. As such it must principally flow freely in a free society. This basic principle of free flow of information is essential for the economic and political system, as indispensable for the government's accountability and the maintenance of a democratic order A second difference between the legal regime of tangibles and intangibles is that the protection of information has not only to consider the economic interests of its proprietor or holder, but at the same time must preserve the interests of those, who are concerned with the contents of information-an aspect resulting in new issues of privacy protection a third difference originates from the vulnerability of data for manipulation, interception and erasure proprieties that constitute a major concern of computer security, and the criminal law provisions on computer crime 3. Access to government information
INFORMATION MANAGEMENT: LEGAL AND SECURITY ISSUES Andrzej Adamski 1. Introduction This section discusses the legal protection of information and the security issues of computer data and electronic information systems and is organised into four parts: First, it focuses briefly on the basic conceptual distinction between information and data, providing a basis of understanding of the primary object of legal and technical means of protection. Second, access to Government information will be discussed. Third, protection of personal data in the administration of criminal justice will be presented. Finally, security of data and network communications will be explored. 2. Information and Data: Legal Protection of Information and Data 2.1 Information and Data Data is a formal representation of concepts, facts or instructions. Information is the meaning that data has for human beings. Data has, therefore, two different aspects: as potential information for human beings or as instructions meant for a computer. Information is not material, but a process or relationship that occurs between a person=s mind and some sort of stimulus. Information, therefore, is a subjective notion that can be drawn from its objective representation which we call data. Different information may be received from the same data. As in the various natural languages the same word may have different meanings, so in computer programming the same byte or set of digits (e.g. 01100010) may serve as a carrier of different content. 2.2 Legal Protection of Information and Data The new legal doctrine of information law and law on information technology recognises information as a third fundamental factor besides matter and energy. This concept realises that modern information technology alters the characteristics of information, especially by strengthening its importance and by treating it as an active factor that works without human intervention in automatic processing systems. In this new approach, it is obvious that the legal evaluation of corporeal and incorporeal (information) objects differs considerably. Information, being an intangible and an entity that can be possessed, shared and reproduced by many, is not capable of being property as most corporeal objects do. Unlike corporeal objects, which are more exclusively attributed to certain persons, information is rather a public good. As such it must principally flow freely in a free society. This basic principle of free flow of information is essential for the economic and political system, as indispensable for the government=s accountability and the maintenance of a democratic order. A second difference between the legal regime of tangibles and intangibles is that the protection of information has not only to consider the economic interests of its proprietor or holder, but at the same time must preserve the interests of those, who are concerned with the contents of information - an aspect resulting in new issues of privacy protection. A third difference originates from the vulnerability of data for manipulation, interception and erasure - proprieties that constitute a major concern of computer security, and the criminal law provisions on computer crime. 3. Access to Government Information
3.1 From Secrecy to Openness In most countries, the disclosure of government documents is largely discretionary. Government agencies, at both the central and the local level, are rarely forthcoming with information unless it is in their interest. There are no general laws that provided a mechanism for public access enerally, access to government information can be defined as the availability for lon or coping of both records and recordings, possessed or controlled by a public authority. This mechanism came, for the first time in history, in the eighteenth century Sweden with the passage of the Act on Freedom of the Press (1766). After 1945 this regulatory approach was followed in other Scandinavian countries, in the United States(since 1996, when the Freedom of Information Act was enacted), and in several other countries. Among these are Australia, Canada, france, the Netherlands, and New Zealand. Some other countries have constitutional clauses relating to a right of access, but not lways transformative legislation The route by which the promotion of the rights of access to official information has become a strong political issue is varied. Initially, the public's right to government information had been found to be closely related to the concept of human rights. Because of its importance for democratic society, the public's right to information was even acknowledged to constitute a third generation of human rights, after the civil and political rights of the eighteenth century, and the economic and social rights of the first half of the twentieth century. As it was stressed in the Council of Europe Recommendation on"Access by the Public to Government Records and Freedom of Information":"A parliamentary democracy can function adequately only if people in general and their elected representatives are The most recent emphasis, however, is on the commercial rather than human rights aspect of public sector information. There is now a widespread recognition by the private sector of the commercial value of much govemment information. Large data sets, as land registers, company registers, demographic statistics, and topographic information (maps)are routinely produced as a by-product of the day-to-day functioning of public administration. Information is not an end in itself. Sound and comprehensive information is needed if government is to frame workable public policies, plan effective services and distribute resources fairly and equitably. Government information, therefore, constitutes a resource of considerable importance. The potential of such data for exploitation via the digital network was noted and 3.2 Impact of Computerisation Over the 1970s and 1980s, when computerisation of public sector information systems in the most developed countries was in its infancy, there were fears that government agencies would use computerisation as a technology of secrecy rather than a technology of freedom utional provisions relating to a general right of public access to official informatio found in Austria, Belgium, Estonia, Finlan Hungary, the Netherlands, Portugal, Romania and Spain 2 Council of Europe, Recommendation on"Access by the Public to Government Records and Freedom of Information", I February 1979, No854
3.1 From Secrecy to Openness In most countries, the disclosure of government documents is largely discretionary. Government agencies, at both the central and the local level, are rarely forthcoming with information unless it is in their interest. There are no general laws that provided a mechanism for public access. Generally, access to government information can be defined as the availability for inspection or coping of both records and recordings, possessed or controlled by a public authority. This mechanism came, for the first time in history, in the eighteenth century Sweden with the passage of the Act on Freedom of the Press (1766). After 1945 this regulatory approach was followed in other Scandinavian countries, in the United States (since 1996, when the Freedom of Information Act was enacted), and in several other countries. Among these are Australia, Canada, France, the Netherlands, and New Zealand. Some other countries have constitutional clauses relating to a right of access, but not always transformative legislation1 . The route by which the promotion of the rights of access to official information has become a strong political issue is varied. Initially, the public=s right to government information had been found to be closely related to the concept of human rights. Because of its importance for democratic society, the public=s right to information was even acknowledged to constitute a third generation of human rights, after the civil and political rights of the eighteenth century, and the economic and social rights of the first half of the twentieth century. As it was stressed in the Council of Europe Recommendation on AAccess by the Public to Government Records and Freedom of Information@: AA parliamentary democracy can function adequately only if people in general and their elected representatives are fully informed@ 2 . The most recent emphasis, however, is on the commercial rather than human rights aspect of public sector information. There is now a widespread recognition by the private sector of the commercial value of much government information. Large data sets, as land registers, company registers, demographic statistics, and topographic information (maps) are routinely produced as a by-product of the day-to-day functioning of public administration. Information is not an end in itself. Sound and comprehensive information is needed if government is to frame workable public policies, plan effective services and distribute resources fairly and equitably. Government information, therefore, constitutes a resource of considerable importance. The potential of such data for exploitation via the digital network was noted and encouraged. 3.2 Impact of Computerisation Over the 1970s and 1980s, when computerisation of public sector information systems in the most developed countries was in its infancy, there were fears that government agencies would use computerisation as a technology of secrecy rather than a technology of freedom. 1 Constitutional provisions relating to a general right of public access to official information are to be found in Austria, Belgium, Estonia, Finland, Hungary, the Netherlands, Portugal, Romania and Spain. _ 2 Council of Europe, Recommendation on "Access by the Public to Government Records and Freedom of Information", 1 February 1979, No.854 (1979). _
In fact, in some countries computerisation of government information had a strong impact on the way the right of public access has been interpreted by the authorities. For example, when new programming was necessary to extract information from computer systems, agencies and courts have sometimes held that such programming is analogous to record creation, and is therefore not required under the freedom of information laws, which only oblige to search for available records. There is a common feature of these laws to grant access only to information which is available or ca be made available through reasonable effort As electronic records became more common, the freedom of information laws proved to be less useful in the new environment. Because the wording of these laws usually provide access to paper records, an authority was not obliged to accommodate a requesters preference for access in an electronic form, for example a copy on computer tape or disk. There are well known, especially in the United States, cases of the Government's agency refusal of making computerised records available to the party concerned in their access Today, in the United States these definitional problems have successfully been solved, with the adoption of the Amendments Act on Electronic Freedom of Information of 1996. the government information maintained in electronic format has become accessible to the public on an equal footing with paper-based documents. Though, there are still some national legislations that do not allow requesters to obtain data in machine-readable format, the process of commercialisation of the public sector information is a present development both in the United States and most countries of Western Europe. Moreover, due to the traditional concept of the right of access, as a right to request the handing out of identified documents, the right to search for documents has so far not been a recognised part of the principle of public In view of the fast growing information networks, the powerful search engines, and, generally speaking, the retrieval possibilities of electronic information increase the significance of search rights as an integrated element of the traditional right of access New developments in hardware and software technology, as relational databases and hypertext, not only computer flexibility and responsiveness to unanticipated form of requests, but also make it easy to compile and information for network access. The cost in money and effort to share information is much lower. As a result, ccess to government information can be enhanced The most recent ever rating the tendency of making legal text databases freely available to citizens is a decision of the Swedish parliament to make its on-line legal information service(Rixlex)available to the public on a free of charge basis via the Internet. sThe Freedom of Information Act in the Electronic Age: The Statute is Not User Friendly", J.A. Grodsky. Jurimetrics Journal, 19, 1990 In the case National Security Archive v CIA, a public interest research group requested an index of previously released records by the CIA under FOIA. The plaintiff group asked for the data on a computer tape or disk so that the information could be scanned electronically more quickly than on paper. The agency refused, and instead it produced a 5,000 page print-out that made a stack three and a half feet, or about a meter, high. while the group argued that the size of the print-out made analysis practically impossible, the court held that the Cia had provided the information in a reasonably accessible form, and dismissed the complaint. The Swedish Act on Freedom of the Press states that an authority shall be under no obligation to make a recording for electronic data processing available in any form other than transcript, a paper print-out. The official reason for this restriction is to prevent the provided electronic copies from ing used for any unauthorised data registration that leads to an invasion of personal integrity
In fact, in some countries computerisation of government information had a strong impact on the way the right of public access has been interpreted by the authorities. For example, when new programming was necessary to extract information from computer systems, agencies and courts have sometimes held that such programming is analogous to record creation, and is therefore not required under the freedom of information laws, which only oblige to search for available records3 . There is a common feature of these laws to grant access only to information which is available or can be made available through reasonable effort. As electronic records became more common, the freedom of information laws proved to be less useful in the new environment. Because the wording of these laws usually provide access to paper records, an authority was not obliged to accommodate a requester=s preference for access in an electronic form, for example a copy on computer tape or disk. There are well known, especially in the United States, cases of the Government=s agency refusal of making computerised records available to the party concerned in their access4 . Today, in the United States these definitional problems have successfully been solved, With the adoption of the Amendments Act on Electronic Freedom of Information of 1996, the Government information maintained in electronic format has become accessible to the public on an equal footing with paper-based documents. Though, there are still some national legislations that do not allow requesters to obtain data in machine-readable format5 , the process of commercialisation of the public sector information is a present development both in the United States and most countries of Western Europe. Moreover, due to the traditional concept of the right of access, as a right to request the handing out of identified documents, the right to search for documents has so far not been a recognised part of the principle of public domain. In view of the fast growing information networks, the powerful search engines, and, generally speaking, the retrieval possibilities of electronic information increase the significance of search rights as an integrated element of the traditional right of access. New developments in hardware and software technology, as relational databases and hypertext, not only enhance computer flexibility and responsiveness to unanticipated form of requests, but also make it easy to compile and format information for network access. The cost in money and effort to share information is much lower. As a result, public access to government information can be enhanced. The most recent event illustrating the tendency of making legal text databases freely available to citizens is a decision of the Swedish parliament to make its on-line legal information service (Rixlex) available to the public on a free of charge basis via the Internet. 3 "The Freedom of Information Act in the Electronic Age: The Statute is Not User Friendly", J.A. Grodsky. Jurimetrics Journal, 19, 1990 4 _In the case National Security Archive v. CIA, a public interest research group requested an index of previously released records by the CIA under FOIA. The plaintiff group asked for the data on a computer tape or disk so that the information could be scanned electronically more quickly than on paper. The agency refused, and instead it produced a 5,000 page print-out that made a stack three and a half feet, or about a meter, high. While the group argued that the size of the print-out made analysis practically impossible, the court held that the CIA had provided the information in a reasonably accessible form, and dismissed the complaint. 5 _The Swedish Act on Freedom of the Press states that an authority shall be under no obligation to make a recording for electronic data processing available in any form other than transcript, a paper print-out. The official reason for this restriction is to prevent the provided electronic copies from being used for any unauthorised data registration that leads to an invasion of personal integrity
To facilitate this tendency, government information should be exempted from the copyright protection. For instance, the United States Copyright Act of 1976 explicitly provides that copyright protection is not available for any work of the United States Government. Article 4 of the Polish Copyright Act of 1994 excludes legislative acts, their official drafts, and other official documents and materials from the copyright protection. A number of other countries have adopted similar regulations'. The significance of the limitation on copyright for government information policy was not always appreciated, but its importance became clearer in recent years as digital data became commonplace. It simply implies that government information is public domain. Anyone may reprint a government document in any way d at any price. Any government data made public also may be used in any on-line information service without restriction 3.3 Openness vS Secrecy Public access to official information does not prevent the Government from protecting information from disclosure for their legitimate aims as stipulated by legal provisions In the United States, nine exemptions permit the withholding of records to protect legitimate government or private interests. Thus, national security information, trade secrets, law enforcement investigative files, personal data, pre-decisional documents, and other categories of government records can lawfully be denied to a FOIA requester. The early experience under the Act on Freedom of Information shows some negative consequences of this legislation for effective law enforcement. It was estimated that only 7 percent of the 30,000 FOIA requests received annually by the Department of Justice came from media and other researchers. Many requests came from persons who were obviously seeking improper personal advantage, including convicted offenders, organised crime people, drug traffickers, and persons in litigation with the United States who are attempting to use the FOla to circumvent the rules of discovery governments to combat crime was thought to be affected, mainly by a decline in the number of informant nd local contained in the rules of criminal or civil procedure. Consequently, the ability of the federal, state, an a highly detailed Swedish Secrecy Act contains 16 chapters and more than a hundred articles. They provide a specific requirements of damage to the interest concerned, as well as a maximum period of time during which secrecy applies. For example, where the protection of personal circumstances of individuals is concerned, usually a term of 50 or 70 years is applicable. With regard to secret information on matters of national defence or foreign relations a maximum period of 40 years has been established. In principle the restrictions laid down in the Secrecy Act mandatory in nature, ie if a restriction applies the authority involved must refuse access The legal nature of the restrictions based on secrecy interests differs among the various jurisdictions. In the United States of America, Denmark and France for example the limitations are not mandatory as is the case in Sweden and the Netherlands but are discretionary in nature. This means that if a restriction is applicable, the public authority concerned is under no obligation to give access to the information, but is nevertheless entitled to do so United States Copyright Act, 5105(1994). The prohibition on copyright protection for United States Government works is not intended to limit protection abroad. Thus, under the Copyright Act, the Federal Government can seek copyright for its information of other countries. or a not copyrighted as far as they are published officially( Law on Intellectual and Artistic Works, No 5846, art. 31). Speeches are not copyrighted in the scope of mass communications, otherwise they are copyrighted(art. 32). All other governmental works, such as reports, plans, maps, drawings Report of Attomey General's Task Force on Violent Crime of 17 August 1981. United States Department of Justice
To facilitate this tendency, government information should be exempted from the copyright protection. For instance, the United States Copyright Act of 1976 explicitly provides that copyright protection is not available for any work of the United States Government6 . Article 4 of the Polish Copyright Act of 1994 excludes legislative acts, their official drafts, and other official documents and materials from the copyright protection. A number of other countries have adopted similar regulations7 . The significance of the limitation on copyright for government information policy was not always appreciated, but its importance became clearer in recent years as digital data became commonplace. It simply implies that government information is public domain. Anyone may reprint a government document in any way and at any price. Any government data made public also may be used in any on-line information service without restriction. 3.3 Openness vs. Secrecy Public access to official information does not prevent the Government from protecting information from disclosure for their legitimate aims as stipulated by legal provisions. In the United States, nine exemptions permit the withholding of records to protect legitimate government or private interests. Thus, national security information, trade secrets, law enforcement investigative files, personal data, pre-decisional documents, and other categories of government records can lawfully be denied to a FOIA requester. The early experience under the Act on Freedom of Information shows some negative consequences of this legislation for effective law enforcement. It was estimated that only 7 percent of the 30,000 FOIA requests received annually by the Department of Justice came from media and other researchers. Many requests came from persons who were obviously seeking improper personal advantage, including convicted offenders, organised crime people, drug traffickers, and persons in litigation with the United States who are attempting to use the FOIA to circumvent the rules of discovery contained in the rules of criminal or civil procedure. Consequently, the ability of the federal, state, and local governments to combat crime was thought to be affected, mainly by a decline in the number of informants8 . A highly detailed Swedish Secrecy Act contains 16 chapters and more than a hundred articles. They provide a specific requirements of damage to the interest concerned, as well as a maximum period of time during which secrecy applies. For example, where the protection of personal circumstances of individuals is concerned, usually a term of 50 or 70 years is applicable. With regard to secret information on matters of national defence or foreign relations a maximum period of 40 years has been established. In principle the restrictions laid down in the Secrecy Act are mandatory in nature, i.e. if a restriction applies the authority involved must refuse access. 6 United States Copyright Act, '105 (1994). The prohibition on copyright protection for United States Government works is not intended to limit protection abroad. Thus, under the Copyright Act, the Federal Government can seek copyright for its information of other countries. 7 In Germany and Switzerland, for instance, legislation and jurisprudence is not copyrighted. The Italian law explicitly bars statutes, regulations, rulings and the like from being copyrighted by Italian Government, local authorities or a foreign one. In Turkey, legislation and jurisprudence are not copyrighted as far as they are published officially (Law on Intellectual and Artistic Works, No. 5846, art. 31). Speeches are not copyrighted in the scope of mass communications, otherwise they are copyrighted (art. 32). All other governmental works, such as reports, plans, maps, drawings etc. are copyrighted. 8 _Report of Attorney General=s Task Force on Violent Crime of 17 August 1981. United States Department of Justice. The legal nature of the restrictions based on secrecy interests differs among the various jurisdictions. In the United States of America, Denmark and France for example the limitations are not mandatory as is the case in Sweden and the Netherlands but are discretionary in nature. This means that if a restriction is applicable, the public authority concerned is under no obligation to give access to the information, but is nevertheless entitled to do so. Under
the Canadian Act on Access to Information the general rule is that exemptions are discretionary. There are, however, five mandatory exemptions in the Act that require the public authority involved to claim an exemption for certain types of records. The mandatory exemptions relate to information that was obtained in confidence from the government of a foreign state or from an international organisation of states, personal information as defined in the Privacy Act, trade secrets of a third party, financial, commercial, scientific or technical information that is confidential information supplied to a government institution by a third party, and information the disclosure of which is restricted by or pursuant to specific other statutes The mandatory nature of these exemptions is set aside in certain circumstances, in which the public authority may disclose the information. First, this applies if the organisation from which the information was obtained or the person to whom the information relates consents to the disclosure. Secondly, personal information under the control of a government institution may be disclosed even without the consent of the individual to whom it relates if the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure. Thirdly, financial commercial, scientific and technical information that is confidential, may be disclosed if such disclosure would be in th public interest as it relates to public health, public safety or the protection of the environment and, if such public interest in disclosure clearly outweighs in importance any financial loss or gain to, prejudice to the competitive position of or interference with contractual or other negotiations of a third party. The exemptions concerning international affairs defence and national security, law enforcement and investigations, safety of individuals, economic interests of Canada, and deliberative documents are discretionary From the above review it becomes clear that the right to access public information remains in conflict with othe ocial values and interests such as the efficiency in Government and the right to privacy. The reconciliation of these opposing values and interest should be provided by the legal instruments and can take different procedural forms, depending on the legal and constitutional system of the country concerned. Among legal tools available to protect privat terests in confidentiality there are data protection laws that appeared in most western legal systems in response to new challenges to privacy caused by expanded possibilities for personal data processing by new technologies 4. Data Protection in Computerisation in Criminal justice Computerisation of criminal justice has far-reaching implications for human values that are involved in the automatic processing of personal data. The fears that computerisation of criminal justice is able to induce are mainly related to the potentials for over-control of individuals, including the possible breaches of their privacy through misuse of sensitive data about them recorded in computer files 1. An application of increasingly sophisticated information gathering devices for surveillance ctivities may reduce the individual's sense of security and liberty I Accumulation of personal data in various databases connected throughout computer networks would make possible the creation of personality profiles or so-called computer shadows of the data subject i Susceptibility of computerised information systems for an unauthorised access to data stored and their possible abuses have constituted another cause of concern I Use of information provided by centralised computer systems or sectors of the population who have no opportunity to inspect the accuracy of the info affect the legal position of the data subject in a way being harmful for their civil liberties 4.1 Data Protection Legislation and International Standards with information technology an individual may become transparent for the data controllers. To prevent such a possibility data protection legislation has been initiated in several countries. For the first time in Sweden(1973), and subsequently in over 20 other countries of Western Europe, North America and Australia. The underlying idea of nake it possible for the individual to ex over the one's own data that is collected and used by others. There is a positive feedback between the national legislation
the Canadian Act on Access to Information the general rule is that exemptions are discretionary. There are, however, five mandatory exemptions in the Act that require the public authority involved to claim an exemption for certain types of records. The mandatory exemptions relate to information that was obtained in confidence from the government of a foreign state or from an international organisation of states, personal information as defined in the Privacy Act, trade secrets of a third party, financial, commercial, scientific or technical information that is confidential information supplied to a government institution by a third party, and information the disclosure of which is restricted by or pursuant to specific other statutes. The mandatory nature of these exemptions is set aside in certain circumstances, in which the public authority may disclose the information. First, this applies if the organisation from which the information was obtained or the person to whom the information relates consents to the disclosure. Secondly, personal information under the control of a government institution may be disclosed even without the consent of the individual to whom it relates if the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure. Thirdly, financial, commercial, scientific and technical information that is confidential, may be disclosed if such disclosure would be in the public interest as it relates to public health, public safety or the protection of the environment and, if such public interest in disclosure clearly outweighs in importance any financial loss or gain to, prejudice to the competitive position of or interference with contractual or other negotiations of a third party. The exemptions concerning international affairs, defence and national security, law enforcement and investigations, safety of individuals, economic interests of Canada, and deliberative documents are discretionary. From the above review it becomes clear that the right to access public information remains in conflict with othe social values and interests such as the efficiency in Government and the right to privacy. The reconciliation of these opposing values and interest should be provided by the legal instruments and can take different procedural forms, depending on the legal and constitutional system of the country concerned. Among legal tools available to protect private interests in confidentiality there are data protection laws that appeared in most western legal systems in response to new challenges to privacy caused by expanded possibilities for personal data processing by new technologies. 4. Data Protection in Computerisation in Criminal Justice Computerisation of criminal justice has far-reaching implications for human values that are involved in the automatic processing of personal data. The fears that computerisation of criminal justice is able to induce are mainly related to the potentials for over-control of individuals, including the possible breaches of their privacy through misuse of sensitive data about them recorded in computer files: 1. An application of increasingly sophisticated information gathering devices for surveillance activities may reduce the individual=s sense of security and liberty; I Accumulation of personal data in various databases connected throughout computer networks would make possible the creation of personality profiles or so-called computer shadows of the data subject; I Susceptibility of computerised information systems for an unauthorised access to data stored and their possible abuses have constituted another cause of concern; I Use of information provided by centralised computer systems on large sectors of the population who have no opportunity to inspect the accuracy of the information held, may also affect the legal position of the data subject in a way being harmful for their civil liberties. 4.1 Data Protection Legislation and International Standards With information technology an individual may become transparent for the data controllers. To prevent such a possibility data protection legislation has been initiated in several countries. For the first time in Sweden (1973), and subsequently in over 20 other countries of Western Europe, North America and Australia. The underlying idea of protection of personal data is to reverse the above tendency and make it possible for the individual to exercise control over the one=s own data that is collected and used by others. There is a positive feedback between the national legislation
in privacy and protection of personal data and the number of international and regional instruments in this field. A recent document, that has addressed these issues to the entire international community, is the 1990 United Nations General Assembly resolution 45/95 on Guidelines for the Regulation of Computerised Personal Data Files The Guidelines contain eight principles which apply to handling those files, and constitute the minimum standards to be provided in national legislations I Principle of lawfulness and fairness, I Principle of accuracy I Principle of purpose-specification, I Principle of interested-person access I Principle of non-discrimination, I Principle of security I Principle on sanctions and supervision of the observance of the above principles, I Principle on transborder data flows The following section seeks to explain as how the above principles may apply to the operations of the criminal ustice authorities 4.2 Data Protection Principles in the Administration of Justice 4.2.1 Principle of lawfulness and Fairness The principle of lawfulness and fairness in the collection and processing of personal data for criminal justice purposes implies that data must be obtained in a lawful way, i.e. in compliance with procedural rules which define the limits of permissible intrusion by agents of the state against private interest of the citizen It is not easy to comply with this requirement in the information age. Legal provisions on the inviolability of telephone communications may not provide sufficient basis for the protection of confidentiality of an e-mail and other forms of electronic communications. The rise of electronic surveillance and the use of computers to data matching and for instance, conversation intercepts have developed so fast, that the legal system may not be able to respond adequately to situations created by these new techniques y has been recognised by the United Nations Universal Declaration of Human Rights(art 12), the European Convention for the Protection of Human Rights and Fundamental Freedoms(art. 8), and the Intemational Covenant on Civil and Political Rights(art. 17). Privacy protection by of data protection is dealt with, at the international level, by: Recommendation with Guidelines on the protection of privacy and transborder flows of personal data adopted by the Council of the Organisation for Economic Co-operation and Development on 23 September 980: Council of Europe Convention No. 108 for the protection of individuals with regard to automatic processing of personal data, adopted 28 anuary 1981; Directive 95/4EC of the European Parliament and of the Council of Europe of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(EU-Data Protection-Directive) General Agreement on Trade Services, stating in Article XIv that Member States are not prevented by this world wide agreement to adopt or enforce regulations relating to the protection of privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts
in privacy and protection of personal data and the number of international and regional instruments in this field9 . A recent document, that has addressed these issues to the entire international community, is the 1990 United Nations General Assembly resolution 45/95 on Guidelines for the Regulation of Computerised Personal Data Files. The Guidelines contain eight principles which apply to handling those files, and constitute the minimum standards to be provided in national legislations: I Principle of lawfulness and fairness, I Principle of accuracy, I Principle of purpose-specification, I Principle of interested-person access, I Principle of non-discrimination, I Principle of security, I Principle on sanctions and supervision of the observance of the above principles, I Principle on transborder data flows. _ The following section seeks to explain as how the above principles may apply to the operations of the criminal justice authorities. _ 4.2 Data Protection Principles in the Administration of Justice 4.2.1 Principle of Lawfulness and Fairness The principle of lawfulness and fairness in the collection and processing of personal data for criminal justice purposes implies that data must be obtained in a lawful way, i.e. in compliance with procedural rules which define the limits of permissible intrusion by agents of the state against private interest of the citizen. It is not easy to comply with this requirement in the information age. Legal provisions on the inviolability of telephone communications may not provide sufficient basis for the protection of confidentiality of an e-mail and other forms of electronic communications. The rise of electronic surveillance and the use of computers to data matching and sort, for instance, conversation intercepts have developed so fast, that the legal system may not be able to respond adequately to situations created by these new techniques. 9 The right to privacy has been recognised by the United Nations Universal Declaration of Human Rights (art. 12), the European Convention for the Protection of Human Rights and Fundamental Freedoms (art. 8), and the International Covenant on Civil and Political Rights (art. 17). Privacy protection by means of data protection is dealt with , at the international level, by: Recommendation with Guidelines on the protection of privacy and transborder flows of personal data adopted by the Council of the Organisation for Economic Co-operation and Development on 23 September 1980; Council of Europe Convention No. 108 for the protection of individuals with regard to automatic processing of personal data, adopted 28 January 1981; Directive 95/46/EC of the European Parliament and of the Council of Europe of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EU-Data Protection-Directive); General Agreement on Trade in Services, stating in Article XIV that Member States are not prevented by this world wide agreement to adopt or enforce regulations relating to the protection of privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts. _
Nevertheless, the encroachment on privacy which these investigative methods and procedures involve and the possibilities for abuse inherent in their use require that they be closely defined As to telephone tapping, or other forms of electronic monitoring, the balance between the interest of crimin ustice and the privacy protection of individuals requires that the use of technical surveillance should be explicitly vided by lav I As an exceptional measure, employed in certain restricted, most serious crimes I Targeted only on the person who is suspected, on reasonable grounds, of having taken part in a crime I. Provided that the monitoring has been duly authorised by the court or an organ of judicial investigation Specific provisions should also govern the duration of monitoring, the manner it is carried out, and essing of the information obtained a detailed regulation of conditions on the use of surveillance provides necessary grounds for the subsequent supervision over the police undercover activities. In several democratic states such a supervision is carried out by an independent public body(e.g. special parliamentary commission), appropriately empowered to check, in any case involving monitoring, whether the police is acting in a lawful way. This, however, requires that the police be obliged to report regularly on such cases to the supervisory authority, which should also be entitled to look into the cases at its own initiative or at the request of individuals who believe they are under surveillance Once monitoring is over, and unless this would not prejudice the outcome of the investigation, the person examine the recordings made without his or her knowledge as well as to take legal action thereupon opportunity to concerned should be informed that monitoring has taken place. Then, he or she should be given an The report on the monitoring and recording should be destroyed if irrelevant, or no longer relevant, to the Investigation 4.2.2 Principle of the Purpose-Specification 4.2.2.1 General obseryation The principle of purpose specification impose two kinds of limits on processing of personal data I. It prohibits the collection and processing of data for undefined purposes; I. It permits to keep only personal data files that concern the legitimate objective of activity of the data controller It also implies that the purpose justifying the creation of a file should not only be specified before it is set up, but also made known to the supervisory authority(Personal Data Inspector/Commissioner) in order to enable him registration of the file A notification of supervisory authority should concern so-called permanent files(databases), which are used by the police for their routine purposes. This notification may not apply to ad-hoc files set up for the purpose of particular investigations. The supervisory authority should be informed by the police agency about the nature of each file declared, the body responsible for its processing, its purposes, the type of data contained in the file and the persons to whom the data are communicated The notification procedure makes it possible, at any time, to check, whether: 1. The collected and recorded data are in keeping with the purpose sought I. The data are not used for a purpose other that for which the file was set up I. The data are held on file no longer than is normally required for the purpose for which they were collecte
Nevertheless, the encroachment on privacy which these investigative methods and procedures involve and the possibilities for abuse inherent in their use require that they be closely defined. As to telephone tapping, or other forms of electronic monitoring, the balance between the interest of criminal justice and the privacy protection of individuals requires that the use of technical surveillance should be explicitly provided by law: I As an exceptional measure, employed in certain restricted, most serious crimes; I Targeted only on the person who is suspected, on reasonable grounds, of having taken part in a crime; I. Provided that the monitoring has been duly authorised by the court or an organ of judicial investigation. Specific provisions should also govern the duration of monitoring, the manner it is carried out, and the processing of the information obtained. A detailed regulation of conditions on the use of surveillance provides necessary grounds for the subsequent supervision over the police undercover activities. In several democratic states such a supervision is carried out by an independent public body (e.g. special parliamentary commission), appropriately empowered to check, in any case involving monitoring, whether the police is acting in a lawful way. This, however, requires that the police be obliged to report regularly on such cases to the supervisory authority, which should also be entitled to look into the cases at its own initiative or at the request of individuals who believe they are under surveillance. Once monitoring is over, and unless this would not prejudice the outcome of the investigation, the person concerned should be informed that monitoring has taken place. Then, he or she should be given an opportunity to examine the recordings made without his or her knowledge as well as to take legal action thereupon. The report on the monitoring and recording should be destroyed if irrelevant, or no longer relevant, to the investigation. 4.2.2 Principle of the Purpose-Specification 4.2.2.1 General observations The principle of purpose specification impose two kinds of limits on processing of personal data: I. It prohibits the collection and processing of data for undefined purposes; I. It permits to keep only personal data files that concern the legitimate objective of activity of the data controller. It also implies that the purpose justifying the creation of a file should not only be specified before it is set up, but also made known to the supervisory authority (Personal Data Inspector/Commissioner) in order to enable him registration of the file. A notification of supervisory authority should concern so-called permanent files (databases), which are used by the police for their routine purposes. This notification may not apply to ad-hoc files set up for the purpose of particular investigations. The supervisory authority should be informed by the police agency about the nature of each file declared, the body responsible for its processing, its purposes, the type of data contained in the file and the persons to whom the data are communicated. The notification procedure makes it possible, at any time, to check, whether: I. The collected and recorded data are in keeping with the purpose sought; I. The data are not used for a purpose other that for which the file was set up; I. The data are held on file no longer than is normally required for the purpose for which they were collected
4.2.2.2 Restrictions of data collection Crime data constitute a highly sensitive category of personal information. For this reason, their collection and processing by any private or public body other than the criminal justice agency of the State is usually prohibited in those countries who have adopted data protection laws. Exceptions are only made, if it can be shown that there are special or extraordinary reasons for gathering data about persons who have committed crimes(e. g. for the purpose of scientific research). This implies, inter-alia, that any authorisation may not be given to private investigators or trade companies for setting up data banks on lawbreakers or shoplifters, since the maintenance of such registers outside the criminal justice system has no legal reasoning 4.2.2.3 Data matching According to the principle of purpose specification, the use or disclosure of personal data for purposes other than originally specified is not allowed unless the data subject consents. This requirement reflects the essence of the right to self-determination. It may, however, be exempted in the public interest, such as the prevention and investigation of crime. As the United States Guidelines stress, such departures should be expressly specified in a law or equivalent regulation promulgated in accordance with the internal legal system which expressly states their limits and sets forth appropriate safeguards"(guideline 6) Consequently, the police on-line access to personal databases set up in other sectors of public administration should met this condition. This is the case in some Western European countries (e.g. Denmark, Germany, the Netherlands) where the integration of police files into a network and their combination with existing files of public nstitutions is expressly permitted by the law. Moreover, in most of these countries police investigation by computer screening is subject to supervision and approval of administrative (e.g. Denmark) or judicial (e.g. Germany 4.2.2. 4 Third party access to criminal recor a disclosure of personal data to the third party-not embraced by the original purpose of the data controller is an important issue in the context of third party access to criminal records. The criminal record system is not only intended to assist the judicial authorities in decision-making in individual cases, but also provide information for statistical and research purposes. Furthermore, it may serve as a source of useful information for other parties. The press, professional organisations, licensing authorities and employers are among those parties who most frequently seek to take advantage of information contained in this record. In a number of countries all of these parties are entitled to ask to be given extracts from criminal records, while in other countries only few of them are authorised to do so with a strong emphasis upon rehabilitation of offenders in the modern criminal policy, a visible tendency towards limiting the access of the third parties to the criminal records has occurred in many legal systems. The disabilities flowing from a record of conviction or arrest have been well documented by criminological research. A social stigma involved in these records makes it difficult for the convicted or arrested person to find a job, and this in turn prevents rehabilitation and may lead to recidivisT See: "Special Methods of Investigation for Combating Organised Crime,w. Gropp. European Journal of Crime, Criminal Law and Criminal Justice. no. 1. 1995 By the criminal records is meant any register of criminal decisions made in individual cases in the course of criminal proceedings, espective of what criminal justice authority is responsible for keeping it
