The Regulation of Privacy in Scotland and the UK

Submitting Institution

University of Edinburgh

Unit of Assessment

Politics and International Studies

Summary Impact Type

Political

Research Subject Area(s)

Information and Computing Sciences: Data Format, Information Systems



Summary of the impact

Research by Raab (1998-2013) on data protection, privacy and surveillance has influenced political debate and regulatory practice. First, Raab's central role in reports for the UK Information Commissioner's Office and the House of Lords and his advisory work with NGOs have contributed to a more robust regulatory framework for information privacy and have informed media and NGO critiques of the social ramifications of surveillance. Second, his insights about the need to understand privacy as a social good have informed the principles and practices underpinning information processing in several areas of UK and Scottish Government policy, including health, social care, digital public services and ICT, as well as informing regulatory practice in Canada and Australia.

Underpinning research

The research was carried out by Professor Charles Raab, who has been employed by the University of Edinburgh since 1964. Following retirement in December 2007, he retained a close working relationship with the University as Professor Emeritus and Honorary Professorial Fellow, and was then re-employed by the University in February 2012 to work as Co-Investigator on two new EC Framework Programme projects on privacy and surveillance.

Developments in information technology mean that we are now more vulnerable than ever to unwanted surveillance. There is a growing demand for personal information from both the public and private sectors; and new information systems allow organisations to store, analyse and share such information in increasingly complex ways. Academic research has focused mainly on legal, technical and ethical aspects of these developments, and has tended to conceive of privacy intrusions solely in terms of harms to individuals and their rights. Raab and his co-author Colin Bennett pioneered the systematic investigation of the theory, actors and instruments involved in the regulation of privacy by analysing the full range of institutions, roles, processes and tools involved in data protection and in safeguarding the right of information privacy (e.g. Raab 1997; Raab and Bennett 1998; Bennett and Raab 2006).

Raab made the case for a more holistic view of the impacts of surveillance beyond its effects on individual privacy, arguing that lack of privacy protection has a potentially corrosive impact on society as a whole (Bennett and Raab 2006; Raab 2012). He embraced the individual human rights perspective but broadened the canvas to include a variety of social effects of many surveillance and data-sharing practices, such as the discrimination and social exclusion that can result from 'social sorting' and the reversal of the presumption of innocence. This involved rethinking and expanding data protection from a technical and legal issue concerning individual rights to recognising it as a form of social policy. As such, data protection necessarily involves evaluation and judgement, rather than the straightforward application of a set of laws.

Raab applied this approach to analyse the practice of privacy impact assessment (PIA), a risk-based analytical process that was becoming recognised as a key instrument for information privacy in many countries (Bennett and Raab 2006; Raab 2007). He argued that PIA should be expanded to involve wider societal values, thus taking into account the broader effects of invasive surveillance and information systems across different social groups and categories who may experience disadvantage and unwarranted suspicion through the use of surveillance and information-gathering.

References to the research

Charles D. Raab (1997), 'Privacy, Democracy, Information', in Brian Loader, ed., The Governance of Cyberspace. London: Routledge, 1997, pp. 155-174. Available from HEI.

Charles D. Raab and Colin J. Bennett (1998), 'The Distribution of Privacy Risks: Who Needs Protection?', The Information Society, 14/4: 263-274. Available from HEI.

Charles D. Raab (2005), 'The Governance of Global Issues: Protecting Privacy in Personal Information', in Mathias Koenig-Archibugi and Michael Zürn, eds, New Modes of Governance in the Global System: Exploring Publicness, Delegation and Inclusiveness. London: Palgrave, pp. 125-153. Available from HEI.

Colin J. Bennett and Charles D. Raab (2006), The Governance of Privacy. Cambridge, MA: The MIT Press, 2006 (2nd edition; first published by Ashgate, 2003). Available from HEI.

Charles D. Raab (2007), 'Privacy Protection and ICT: Issues, Instruments, and Concepts' in Robin Mansell, Chrisanthi Avgerou, Danny Quah and Roger Silverstone, eds, Oxford Handbook on Information and Communication Technologies. Oxford: Oxford University Press, pp. 427-448. Available from HEI.

Charles D. Raab (2012), 'Privacy, Social Values and the Public Interest', in Andreas Busch and Jeanette Hofmann, eds., Politik und die Regulierung von Information [Politics and the Regulation of Information]. Politische Vierteljahresschrift Sonderheft 46, Baden-Baden: Nomos Verlagsgesellschaft, pp. 129-151. Available from HEI.

Grants

Selected EC FP7 Grants:

IRISS (Increasing Resilience in Surveillance Societies) (PI Raab) (Collaborative grant of €2.6m), SSH.2011.5.1-2; 2012-2015

PRISMS The Privacy and Security Mirrors: Towards a European framework for integrated decision making (PI Raab) (Collaborative project of €2.99m), SEC-2011.6.5-2; 2012-2015

Selected ESRC grants:

RES-000-23-0158 (with Christine Bellamy and Perri 6), Joined-up Public Services: Data-sharing and Privacy in Multi-Agency Working (c. £223k); 2003-05.

L132251019 under the 'Virtual Society?' programme: Privacy Protection in the Virtual Society (c. £113k); 1997-99.

Details of the impact

Raab's research has contributed to a more robust regulatory framework for information privacy through informing (1) public debate and (2) regulatory practice.

(1) Raab's insights have informed political debate on the social risks of surveillance and data-sharing. His contribution to two high-profile reports ensured his insights directly shaped political discussion. The first of these was A Report on the Surveillance Society (2006), which Raab and colleagues in the Surveillance Studies Network were invited to produce by the UK Information Commissioner. Raab authored prominent sections on the social effects of public-sector surveillance, and the different options for regulation. The report attracted worldwide media and practitioner attention, triggering a number of impacts from 2008 onwards. It brought into international currency discussion of the 'surveillance society' and how it could be controlled. For example, the European Data Protection Supervisor made the report his main point of reference in a December 2008 article setting out data protection trends and implications for the EU (see 5.1 below). The report also triggered the launch of investigations in both the House of Commons Home Affairs Select Committee and the House of Lords Select Committee on the Constitution (2007-9). The then Information Commissioner testifies that this unprecedented level of parliamentary attention would not have happened 'without the report produced by Charles [Raab] and his colleagues' (5.2).

Raab played a central role in drafting a second influential report: the House of Lords' Constitution Committee report Surveillance: Citizens and the State (HL Paper 18, Session 2008-09) (5.3). Appointed Specialist Adviser to the Lords' inquiry in 2007, he was able to shape the Committee's investigation, including evidence-taking and witness interrogation. He drafted large portions of the report, including on the effects of surveillance on privacy and broader values; the importance of raising public awareness and utilising PIAs; and the need for a variety of regulatory instruments. The report garnered extensive media attention, including articles in the Daily Mail, Guardian, Observer and BBC Online.

Both reports helped civil-society bodies to draw attention to worrying developments, and Raab contributed directly to this process. He was academic mentor for Liberty's influential report, Overlooked: Surveillance and Personal Privacy in Modern Britain. Published in 2007, the report went on to shape Liberty's campaigning on surveillance issues throughout the REF period. The Director of Liberty notes that it was a 'seminal piece for Liberty's policy thinking', and 'we continue to draw on it for policy' (interview November 2012) (5.4). Raab also steered Demos' report Private Lives: A People's Inquiry into Personal Information (2010) and co-authored a report for the Equality and Human Rights Commission, Protecting Information Privacy (2011).

(2) Raab's research has also had a more direct impact on the regulation of information privacy, informing specific policies and frameworks in the UK and beyond.

In 2009-10, Raab was invited to contribute to the Scottish Government's Identity Management and Privacy Principles (2010) (5.5). His distinct contribution is evident in principles that warn against discrimination and social exclusion in identification processes; that encourage organisations to raise awareness of privacy issues; and that promote transparency. These principles have been widely cited and applied in Scottish Government policy. For example, they are cited as relevant background to the Scottish Government's Joined-up Data for Better Decisions: Guiding Principles for Data Linkage (2012), which covers statistical and health research, and in Scotland's Digital Future: Delivery of Public Services (2012), where they help to underpin privacy assurance in the strategy for digital public services and ICT that is being developed across the Scottish public sector (see 5.5).

Raab has also influenced the use of Privacy Impact Assessments (PIAs) in the UK. In 2012, Raab (with four colleagues) was commissioned by the Information Commissioner's Office (ICO) to review the practice of PIA. The report and its recommendations have shaped the ICO's subsequent guidance and advisory work on PIA, including its plans to work with business and public sector organisations to build public trust in their data management practices, and to promote the code at European level (see 5.6).

More specifically, Raab's insights on PIAs influenced the Scottish Government's 2010 application of PIAs to its eCare data-sharing programme for social care involving children. According to the Head of eCare Design Authority, a feasibility study commissioned from Raab and a small team of experts in 2004 'was taken on board...influencing and giving us the notion of PIA as a tool and a means of working with stakeholders' (interview, October 2012) (5.7).

The influence of Raab's work on regulation reaches beyond the UK. For example, in Canada the Office of the Saskatchewan Information and Privacy Commissioner's Annual Report for 2010-11 drew on Bennett and Raab's 2006 book (5.8), and in Australia the Deputy Privacy Commissioner for Victoria adopted the same book's analytical construction concerning regulatory roles for his paper at the 2008 Australian Institute of Administrative Law Forum (5.9).

Sources to corroborate the impact

PDFs of all weblinks are available at www.wiki.ed.ac.uk/display/REF2014REF3B/UoA+21

5.1 Factual statement, European Data Protection Supervisor.

5.2 Factual statement, Former Information Commissioner.

5.3 House of Lords' Constitution Committee report Surveillance: Citizens and the State (HL Paper 18, Session 2008-09), available at:
http://www.publications.parliament.uk/pa/ld200809/ldselect/ldconst/18/1802.htm [see Introduction, paragraph 16 for confirmation of Raab's role]

5.4 Factual statement, Director of Liberty.

5.5 Scottish Government, Identity Management and Privacy Principles (2010), available at:
http://www.scotland.gov.uk/Publications/2010/12/PrivacyPrinciples; Scottish Government, Joined-up Data for Better Decisions: Guiding Principles for Data Linkage (2012), available at:
http://www.scotland.gov.uk/Publications/2012/11/9015; and Scottish Government, Scotland's Digital Future: Delivery of Public Services (2012), available at:
http://www.scotland.gov.uk/Publications/2012/09/6272

5.6 Information Commissioner's Office, Response to the Recommendations in the Trilateral Report on PIAs, available at:
http://www.ico.org.uk/about_us/consultations/~/media/documents/library/Corporate/Research_and_reports/ico-response-to-recommendations-in-the-trilateral-report-on-pias.pdf

5.7 Factual statement, Head of eCare Design Authority.

5.8 Office of the Saskatchewan Information and Privacy Commissioner's Annual Report for 2010-11, p.9; available at: http://www.oipc.sk.ca/Annual%20Reports/2010-2011%20Annual%20Report%20-%20FINAL.pdf

5.9 Presentation 'The Governance of Privacy: Speak Softly and Carry a Big Stick', given by the Victorian (Australia) Deputy Privacy Commissioner at the 2008 Australian Institute of Administrative Law Forum; available at:
http://www.privacy.vic.gov.au/privacy/web2.nsf/files/governance-of-privacy/$file/anthony_bendall_speech_08_08_08.pdf