Here, the term “consultancies” applies to a wide range of enterprises, from law firms to lobbyists, strategists, media advisers and researchers. Consultancies are an interface between industry and regulators and represent a stakeholder group that does not get much visibility. Consultancies primarily serve the interests of their clients, who may have vested interests in introducing technologies, products, services or other practices that are surveillant in nature.
Furthermore, consultancies are often required to exercise professional judgement in their advice to clients who are introducing new information systems, or modifying or extending old ones that have a surveillance capability. As a matter of responsibility and risk reduction, consultancies can help increase resilience to surveillance by reflecting on its harmful consequences and by advising clients accordingly. Not only are consultancies responsible for providing ethical advice, but also they should know what to do if they are subject to scrutiny themselves: they need to consider how they manage their own information-processing practices.
- Does the consultancy provide advice that respects and does not infringe the rights and freedoms of individuals? Does the consultancy adhere to a specific code of practice? Could the code of practice be used to consider the likely impact of new or existing surveillance practices?
- Has the consultancy fostered engagement with other stakeholders? If so, how?
- Has the consultancy conducted a surveillance or privacy and data protection impact assessment? Did it recommend engaging with stakeholders as part of the PIA or SIA process, publishing the report and submitting it for independent, third-party review?
- If the consultancy’s advice to its clients were to be made public, would it withstand public scrutiny?
- Does the consultancy draw to the attention of its clients the need to comply with legislation and to consider other privacy or ethical risks?
- Does the consultancy contact regulators with the consent of its clients in order to have a view from the regulator with regard to any potential regulatory issues relating to the use of surveillance?
- Does the consultancy advise its clients on how civil society organisations or the media might react to its clients’ plans to develop a new surveillance system?
- Does the consultancy consider the potential harms and consequences of its advice regarding a surveillance system?
- Does the consultancy counsel its clients about measures that they could take to avoid or minimise the privacy and other risks that could arise from the proposed surveillance system?