A few months ago I was fortunate enough to travel to New York for a few days’ holiday. Sheltered soul that I am, this was my first visit to the USA.
The whole trip was fabulous, but you’re not here to have my holiday snaps inflicted upon you. The only down point really, as many others have found in recent years, was trying to get into the country.
I’d already had to complete my ESTA (electronic entry visa), and on the plane I was given a Customs Declaration form to fill in. On arrival I stood in line for about an hour whilst we were herded through the cramped arrivals hall and towards one of the immigration officials, sat in their cubicles of bullet-proof glass. Despite the posters promising friendly and courteous staff, when the time came for me to stand in front of one of these officials, he glowered at me suspiciously (fair enough, some might say), barked instructions and interrogated me as to my intentions. I’ve never been on trial, but my first experience of the US made me feel a little like I suspect I would as a defendant in the dock.
Things improved immeasurably from that point on. But the point is that throughout the process of entering the US, I was asked for a great deal of personal information. Now, it may cause you to roll your eyes heavenwards, but I found myself entertained during my long wait in the queue by contemplating a passage of small print on the back of the Customs Declaration form. It read:
“PAPERWORK REDUCTION ACT NOTICE: The Paperwork Reduction Act says we must tell you why we are collecting this information, how we will use it, and whether you have to give it to us…The estimated average burden associated with this collection of information is 4 minutes per respondent or record keeper depending on individual circumstances. Comments concerning the accuracy of this burden estimate and suggestions for reducing this burden should be directed to US Customs and Border Protection…”
This was in exactly the position that UK or European forms would place a Data Protection notice. What I thought was interesting is this. Here in the UK (and across Europe) we are increasingly concerned with what government and other organisations do with the data that they hold about us. We reacted with horror when HMRC lost two CD-ROMs containing details of 25 million families. It seems not a month goes past without the ICO issuing press notices about the latest NHS Trust data breaches, and they can now fine organisations up to half a million pounds in the worst cases. And the metaphorical and political blood that has been spilt over proposals for ID card and NHS patient databases could fill the country’s blood banks for the next decade.
Yet in the US, the equivalent concern is for bureaucracy. All very well and good, we’d all like to see less of that (yes, even us public employees). But that’s apparently the concern that takes priority over privacy. Of course, in limiting paperwork, a side effect may well be that less personal data is collected, but this or the protection of that data, is not the driver over there.
I was reminded of my post-plane perusals this week when I happened across a news article about a US court case reviewing an FOI appeal. In the US they don’t have an Information Commissioner, so anyone appealing against a public authority’s decision has to take the case to court.
The request was from a civil liberties group who wanted to have copies of the images taken by airport scanners. This has become quite a concern of late in the US (as here), as the latest scanners are reputed to reveal in intimate detail the contours of the human body. The judge in the court case upheld the authority’s decision not to disclose the images.
Now this in itself didn’t surprise me. I’d have assumed that if the images really do allow the sort of insight that most people only allow their intimate partner, then there’d be a reasonable argument to withhold the information on personal data or privacy grounds. But the story appeared to suggest that they’d been refused not for those reasons, but on the grounds of national security, as potential terrorists might be able to find ways to fool the scanners through analysis of the images.
This looks like another example to me of where US culture, law and politics is subtly, perhaps significantly, different to ours. They don’t have data protection laws. UK organisations are only allowed to exchange data with US businesses because of something called ‘Safe Harbor’. This means that US businesses can register with the US authorities promising to handle personal data in line with principles similar to our Data Protection Principles. But the only reason they do this is because otherwise they wouldn’t be able to do business with European bodies, public or commercial. Importantly, it’s voluntary. It’s a completely different mindset.
So why is this significant? And why am I talking about Data Protection on a blog about FOI?
Well-known freedom of information campaigner and freelance journalist Heather Brooke has a new book out called The Silent State. I’ll be up front and say that I haven’t had chance to read it yet. But by all reports it repeats something that she has said on many occasions before.
Heather is from the US and began her journalistic career there. One of her biggest complaints about public authorities in the UK is that they are secretive about the names and contact details of public employees. Apparently, in her native state the names, job titles, contact details and salaries of all public employees are published on-line. Not just senior executives. Everyone, from the street sweepers to the Chief Executive.
Her argument is that the UK’s culture of secrecy makes it inefficient and bureaucratic. That people hide their ineptitude behind the high crenellated walls of their particular public employer. And of course that things are much better in the US where they are open about who is doing what.
Conservative commentator Peter Oborne has written gushingly about Heather’s agenda. He comments that her connection of secrecy and inefficiency:
“…is a Tory insight and if David Cameron has real courage he should make Heather Brooke’s radical agenda his own.”
I don’t doubt that some public authorities are too secretive, and should be prepared to make more information available (and be less defensive when they receive FOI requests). And personally, I have no problem with my details being made available on my organisation’s website (they are). I could even accept my salary being published.
But I equally understand that some people don’t feel comfortable with that. Perhaps they resent the idea of such a degree of openness. They may see this as yet another ‘punishment’ for the ‘crime’ of taking a job in the public service. But they also may have very good, personal, reasons. Should the individual who has moved on to a new life after escaping an abusive relationship be forced to work in the private sector because they don’t want their former partner to track them down? Should anyone who fiercely defends their privacy be restricted in this way?
Most would agree that publishing details of the most senior and public facing officials is a good thing. But in reality, why would you want to know the name of the street cleaner? If you’re not happy with their work, your local council presumably provides a mechanism to report that. Is the idea that you should be able to directly confront them, vigilante style, if you find a cigarette stub on the pavement outside your house?
We have a tradition in this country of respecting individual freedoms. Our culture and our law recognises the importance of privacy and particularly of how personal data should be handled. There may well be virtue and value in publishing more details about public officials. But before we start to bash public authorities over the head with their perceived secrecy over their employees, we ought to consider what it is that we really want. Do we want our current model which balances the need for government openness with the need for individual privacy? Or do we want to make a significant shift to a US model where protecting personal data is much lower down the agenda?
There are so many unfounded assumptions and factual errors in this post I don’t know where to start.
Perhaps with the biggest howler: “They don’t have data protection laws.” The US has a Privacy Act, older and not too dissimilar to the European Data Protection Directive, from which the UK Data Protection Act is derived.
Two key differences 1. The US Privacy Act doesn’t apply to non-US citizens. 2. The US Privacy Act doesn’t apply in the private sector.
I’ll leave it at that. I could be here a long time, particularly because the premise of your article appears to be based on a notice you read in an airport.
Thanks DMR for commenting. I’m glad if people want to correct/add detail – that’s one of the reasons I do this blog – to provoke discussion about FOI issues. Sometimes I change my mind. And perhaps I should have included a health warning – I’m not an expert in US law and neither do I claim to be.
However, this post was about my perception of the situation, and I still think my main point – that the UK and US have different attitudes to personal data and what can reasonably be disclosed – is not unreasonable.
To take your criticisms – OK, fair enough, the US does have a Privacy Act and I defer to your greater knowledge of it. However, you point out yourself that its coverage is nothing like the UK/European legislation. The EU presumably doesn’t view it as having parity or otherwise ‘Safe Harbor’ wouldn’t be required.
Yes, the premise of the article is based upon a notice I read in an airport. But that was the point. This wasn’t meant to be a detailed analytical comparison of legislation, and I think that is pretty clear from the tone.