BAA backed down over plans to take four fingerprints and a photograph of passengers arriving at Heathrow’s Terminal 5 after the Information Commissioner warned that the proposed procedure might breach data protection laws. The initial plan was to fingerprint passengers at the security checkpoint and later at the boarding gate in order to ensure that the person who checked in was the same as the person boarding the aircraft.
A statement from BAA said the introduction of fingerprinting technology would be ‘temporarily delayed’ following a meeting with the Information Commissioner and the Border and Immigration Agency. In the meantime, BAA will open the new Terminal 5 using photographic identification technology already in place – assuming of course that anybody succeeds in checking in at all.
A BAA statement said: ‘We will be working closely with the Information Commissioner and the Home Office over the next few weeks to agree the best approach going forward.’
The ICO became involved after Privacy International alerted it to the scheme. In a letter to the ICO, Privacy International stated:
‘On the face of the circumstances that we have assessed, it appears to us that the practice will substantially violate UK Data Protection law, and we request that your office institutes an investigation without delay. We also ask that you intervene on behalf of European nationals to seek the immediate suspension of the proposal pending the outcome of this investigation. A Freedom of Information Act request is also contained in this document.
We are fully aware of the security justification advanced by BAA in defence of this technology. We are also aware that there exists a general acceptance that airport security must be instituted. However, there are a number of troubling questions of law and practice that Privacy International believes must be clarified before such a programme can even be considered. Until these questions have been satisfactorily answered, we believe the BAA scheme presents a number of substantial dangers for customers.
Privacy International believes that the acquisition of fingerprint data carries with it significant implications for privacy and security, and any such arrangement must be accompanied by stringent protections and in accordance with the dual tests of necessity and proportionality. It is for this reason that we have taken the decision to lodge this complaint.’
After these concerns were raised, the ICO contacted BAA about the fingerprinting system, seeking reassurance that the implications of the proposals had been fully addressed. An ICO statement said: ‘It is essential that before introducing new systems and technologies, which could accelerate the growth of a surveillance society, full consideration is given to minimising the impact on privacy and that data protection safeguards are in place to limit any risks.’
Simon Davies, Director of Privacy International, had a short response to news of the suspension of the scheme: ‘So much for BAA’s brash certainty about the legality of fingerprinting. BAA has clearly taken legal advice and concluded that it is acting unlawfully. We predict that this illegal system will never again see the light of day. Within a few weeks BAA will be flogging the technology to
We asked Beverley Whittaker, a partner at Stevens & Bolton: ‘Is the DPA really a problem for the BAA?’ Her comments are set out below.
‘The ICO has expressed concern that BAA’s holding of fingerprint data at the new Terminal 5 building, as part of enhanced security measures, may infringe the Data Protection Act 1998. The ICO has repeated its view that we are moving towards a surveillance society and that the latest move by BAA is a part of that.
One of the cornerstones of the DPA is that information must be processed “fairly”. To do this any organisation has to bring themselves within one of the grounds the DPA sets out for processing data. This may need some consideration by BAA. It is always permitted to process data with the consent of a person, but that consent has to be freely given. There must be some doubt here whether any consent to the holding of their fingerprint data has been freely given when the only alternative is simply not to use Terminal 5.
It will be interesting to hear what BAA’s grounds for processing the data are if they are not relying on consent. It may be that the processing of fingerprints is “necessary for the performance of a contract” – ie the use of the airport facilities or perhaps that the processing is in BAA’s “legitimate interests” and there is no unwarranted prejudice to a customer’s interests – this latter is a common ground for justifying processing of data where members of the public have not consented.
The ICO has said that BAA users should ask why prints are being taken, what will happen to them and how long they will be kept. This is all part of the “fair processing” issue and it is a requirement of the DPA to provide this sort of information when collecting personal data. However, no doubt, BAA are able to create notices or terms of use regarding their facilities that would spell all this information out without this being too much of a hurdle to them.
BAA will have to comply with other data protection principles as well – such as ensuring data is kept no longer than is necessary and is kept securely. From what we know, BAA are intending to encrypt all this data and to destroy it after 24 hours (which does seem quite swift) – if this is right, then, again, compliance with these principles does not seem to cause any real problem.
It is a further principle of the DPA that data should not be “excessive” in relation to the purpose for which it is held – in this case, airport security. It does seem quite unlikely in our current heightened security landscape that an airport could be criticised for introducing this kind of enhanced security arrangement and it may be a brave ICO that will seek to challenge these arrangements on the grounds that they are “excessive”.’
SCL members are encouraged to contribute to the debate on the issue. E-mail lseastham@aol.com with your views.