Privacy International complaint poised to shut down Heathrow passenger fingerprinting
March 31st, 2008Privacy International’s recent complaint to the UK Information Commissioner has threatened to bring a halt to an imminent plan to fingerprint all domestic and international passengers departing from Heathrow’s Terminal 1 and Terminal 5, due to begin business on March 27th. The British media is reporting that in response to PI’s complaint, the Information Commissioner has advised that passengers should only accept fingerprinting “under protest” until our complaint is resolved.
The prospect of a complete shutdown of two Heathrow terminals has emerged since Privacy International’s complaint about passenger fingerprinting. The complaint, lodged with the UK Information Commissioner on March 9th 2008, argues that the scheme breaches the fundamental tests of necessity and proportionality under the UK Data Protection Act.
The complaint states: “We believe the BAA solution is disproportionately intrusive. Even if it were to be established that passenger switching (if indeed such a problem exists) was a terrorist threat (rather than merely a breach of airline terms and conditions on transferability) then the photo option would be less invasive and would involve fewer intrusive procedures and less personal data.”
The complaint alleged that the design of Terminal 5 was intentionally created to ensure that passengers, both domestic and international, were exposed to retail outlets to the maximum possible extent. It noted: “We are troubled by BAA’s justification that the new procedure will ensure that “all our passengers will enjoy the same great facilities and wide choice of shops and restaurants”. To diminish privacy rights in order to achieve greater sales revenue is a disquieting development in the evolution of thinking with regard to data protection.
Privacy International alleges that there is no basis in UK law for the establishment of mandatory fingerprinting, and that the claims made by the British Airports Authority (BAA) were based in fantasy or deception. “BAA’s claim that these measures are “required by government” appears to be of dubious substance. There certainly appears to be no legislative requirement for fingerprinting in these circumstances, and so we assume that the scheme is based on an informal arrangement with government. Indeed a spokesman for BAA is quoted in the Evening Standard (March 11th) saying: “the fingerprinting scheme was introduced in cooperation with the Home Office”.
The Information Commissioner’s Office has confirmed to Privacy International (see below) that it has never been approached by the Government, British Airways, BAA or any other party about this scheme.
This PI claim received further weight when the British newspaper, the Mail on Sunday, reported that the Home Office denied that it had set any requirement for passenger fingerprinting.
If the Information Commissioner is not satisfied that the fingerprinting scheme is justified he has the authority to present a cessation order, breach of which would be a criminal offence. If BAA is found in breach of UK law its contractual terms could then be in jeopardy.
See here for the complaint and the response from the Information Commissioner’s Office. Here are some excerpts:
Privacy International believes the Heathrow fingerprinting scheme breaches the fundamental test of Necessity for compliance with Data Protection. We are not aware of any published evidence indicating that passenger switching has become a significant security issue, nor are we aware of any evidence that it could be in the future.
BAA’s claim that these measures are “required by government” appears to be of dubious substance. There certainly appears to be no legislative requirement for fingerprinting in these circumstances, and so we assume that the scheme is based on an informal arrangement with government. Indeed a spokesman for BAA is quoted in the Evening Standard (March 11th) saying: “the fingerprinting scheme was introduced in cooperation with the Home Office”.
[…]
We are troubled by BAA’s justification that the new procedure will ensure that “all our passengers will enjoy the same great facilities and wide choice of shops and restaurants”. To diminish privacy rights in order to achieve greater sales revenue is a disquieting development in the evolution of thinking with regard to data protection. We would have hoped that the planning of Terminal 5 and its associated security procedures would have taken account of compliance with law. We would be interested to learn whether a Privacy Impact Assessment was conducted or whether due diligence was instituted with regard to the DPA.
We do not believe this scheme will be in any way voluntary or opt-in. Most passengers will have little or no choice over which terminal they use, and even where such an alternative exists it may be costly. We do not believe in these circumstances that passengers should be compelled to undergo fingerprinting.
We refer you to the advice provided by your office on the subject of fingerprinting of children in schools (23rd July 2007):
In view of the sensitivity of taking children’s fingerprints, schools should respect the wishes of parents and pupils who object to their (or their children’s) fingerprints being taken in school.
We see no reason why this “sensitivity” should not extend to the adult population, particularly where some people feel vulnerable or anxious about the procedure, or where strong convictions are held about such procedures.
[…]
It is, in our view, not acceptable for BAA to institute an intrusive system merely because of a “state of heightened alert” over airport security, particularly where no evidence is offered to justify fingerprinting. Nor in our view is it acceptable to advance architectural determinism or poor planning as a justification for the necessity for intrusive practices. The decisions that are made with regard to Terminal 5 will resonate across the travel industry, and so it is crucial to ensure that the justification, the legal compliance and the procedures are positioned properly in these early days. Vague claims of government requirements are not appropriate under these circumstances.
Nor, in our view, is it acceptable to define necessity and proportionality in a minimal or casual manner when the environment in question offers so much scope for the development of privacy friendly alternatives to fingerprinting.
This is a properly drafted response, from an organization that is actively working to solve problems.
Well done Privacy International, your cheque is in the post.
This is the sort of organization that is worth donating to and joining. They will not fob you off with cranky emails, admonishing you to not ‘pester them’ with matters like this, whilst on the surface, pretending to be working against these outrageous and Orwellian measures.
They also get things done, and actively attack problems instead of endlessly appearing on TV and in the newspapers, decrying all that is going wrong.
Send your checque to:
Privacy International
6-8 Amwell Street
London, EC1R 1UQ
GB
Lest we forget, here are our other posts on this subject:
ID Cards, the NIR and Heathrow Terminal 5
http://irdial.com/blogdial/?p=982
Richard Rogers: Architect of The New Authoritarianism
http://irdial.com/blogdial/?p=771
Heathrow Terminal 5: Architectural Disaster
http://irdial.com/blogdial/?p=767
More BBQ Biometric Propaganda: Terminal 5
http://irdial.com/blogdial/?p=825
Terminal 5 fingerprinting; the howls begin
http://www.irdial.com/blogdial/?p=1015