TUESDAY 13 FEBRUARY 2001

MRS ELIZABETH FRANCE AND MR JONATHAN BAMFORD

  220. Are you happy that no-one—someone always could be are you reasonably confident—could hack into the system?
  (Mrs France) No, of course I could not state that was not the case. Hacking is actually, might I say, rarely our problem. Hacking is a technical issue where somebody actually tries, using technology, to get into computer systems. That is not normally where we find the problem. In our experience the problem usually arises from people deceiving others into providing information or people being careless with the information. Clearly those handling this sort of sensitive data have been doing so for some time and all I can say is that we have not had brought to our attention, that I am aware of, breaches which have caused concern in this area. I am, however, worried, when information gets into the hands of those not used to holding it, which is why I am concerned that employers should not hold it for too long. I am concerned that the CRB itself and this is where we are working with them, are well aware of security standards and staff training standards. However good your technical security, the way in which we are seeing leakage of personal data, particularly from public bodies, is by the clever use of deception, which will inevitably, if the information is available to staff, beguile them into parting with it if there is not very good training.

  221. Would you like to see Parliament introduce regulation if that is possible within the Act through statutory instruments or whatever to control the number of weeks or days perhaps by which an employer holds this information?
  (Mrs France) That should not be necessary in that there are powers under the Data Protection Act, if we find they fail, we might have to come back to Parliament. I do have a statutory duty to promote good practice and to interpret the Act. The Act talks about information being held no longer than is necessary and it is for me to interpret that in context. If I think it is necessary, then we could issue a code of practice. There are already two relevant codes of practice, the CRB's code of practice itself, which will set out how CRB will deal with it. We have commented on that and that is an enforceable code of practice. For CRB it is reasonably ringfenced. For employers, as it happens, I am currently consulting on a code of practice for employers generally on the use of personal data. It has attracted a lot of media attention and interest simply because it happens to cover the area of monitoring of e-mails, but that is only a small part of the draft code, which we hope will address the whole area of the holding of personal data and the use of personal data by employers. That code of practice is not directly enforceable but it is a code of practice which will be issued under the Data Protection Act and if there were alleged to be a breach of principle I would use that in order to decide whether enforcement was necessary. The short answer to your question is that we should try to see whether the Data Protection Act provides what is necessary and if not come back to Parliament in due course.

  222. May I seek clarification? Is the Criminal Records Bureau meant to cover the whole of the United Kingdom or just part?
  (Mrs France) My understanding is that it does not cover Scotland.

  223. Northern Ireland?
  (Mr Bamford) My understanding is that the CRB has a separate version available in Scotland which will be through the records of the Scottish Criminal Records Office essentially and in England, Wales and Northern Ireland the CRB applies.

  224. So the CRB is an England, Wales and Northern Ireland operation. We are looking at a one-stop shop for checks. What are the issues which have to be overcome to enable bodies which operate across the whole of the United Kingdom to apply for checks on employees or volunteers, soft information which is currently held in Scotland? How are you going to bring all those aspects together?
  (Mr Bamford) Some of those points are more correctly addressed to the people who will be running the Criminal Records Bureau. Clearly from the extent of the data available some details are still made available through the PNC from the Scottish forces and find their way onto the core criminal records collection. You might well draw a parallel with the availability of local force information, whether it be Strathclyde Police of Norfolk Constabulary and the fact that in some instances you may have to access other more locally held information, either on the Scottish Criminal Record system or on local forces' systems to be able to undertake certain levels of check.

  225. Is the United Kingdom dimension something which the data protection people have looked at?
  (Mrs France) From a data protection point of view my responsibilities cover the whole of the United Kingdom, the Data Protection Act covers the whole of the United Kingdom and the standards we set would apply throughout whether it was the Scottish Criminal Record Office that was instrumental in providing information or whether it was through the CRB.

  226. You are confident that soft information north of the border would find its way to the south.
  (Mr Bamford) May I say that I am not absolutely confident that any soft information in any force system will find its way to the right people because that largely depends on the systems which are established with the CRB and the forces, and the extent to which the forces take the matter seriously. In some ways in Scotland matters are helped in terms of soft information. My understanding of the Scottish Criminal Records Office computer system, which essentially holds Scottish criminal records, is that it has a flag for local force intelligence data on its records, which I do not think is generally present on PNC data. It is easier to know there is another record available there. We have had separate discussions with the Scottish Executive about the codes of practice and other elements in Scotland.

  Bob Russell: I am very grateful for that last reply. I think we shall need to re-visit the whole United Kingdom Criminal Records Bureau operation when we come to consider the evidence.

  227. This Committee 11 years ago, and more lately ACPO, saw the sense in court clerks inputting records onto the Police National Computer. That hopefully could speed up the process and restrict the area for mistakes. Is that something which would give you any problems?
  (Mrs France) Done properly, anything which makes the information available in a more timely manner and encourages accurate reporting is to be encouraged. I know that it has been a long-term aim to achieve that and we would all be pleased to see progress made as part of the integration of the criminal justice system.

  228. I think it was the File on Four programme broadcast on 5 December last year which revealed there is a discrepancy between 15 days and 430 days which courts are taking via the present routes to get this information in. You have been closely involved with a number of the key players in the establishment of the Criminal Records Bureau. Is it your impression that enough resource is being attached to getting this right?
  (Mrs France) It is always difficult when you talk about resources to know what is enough. Following our contact with those setting up the new Bureau—and it is Mr Bamford who has had most of the primary contact with those who are doing that—we would say they are well aware of the priorities and the issues that they need to address in setting up systems that focus on the identity of the person seeking the certificate, the security arrangements to put in place and so on. There is a distinction between the setting up of the CRB and addressing the problems of the historic data that will feed it. They are two distinct things. You are looking at a new project, with new resources, where we have had good contact with those setting up the office, who will do their best to see that it is set up in a way that will operate effectively. The problem which they cannot handle alone and which goes back historically a long way, the difficulty at the end of the day, is whether the data feeding through will be fit for purpose. That is the key question which has to be addressed.

  229. You were saying that for a number of employers this whole area is going to be new. On top of the checks they currently make about people they are considering employing there is this other check system now which is on the one end. On the other end that is going to be a large number of charities, voluntary bodies, outside of the big ones like the guides and scouts who are extremely used to this and they gave us the impression of having very robust systems at the moment, a lot of new players in this particular ballpark. To what extent does your office get involved in the briefing given to these groups about both how to make use of the provisions of the Bureau and the safety of storage of information and the rest of it? Do you talk to the Bureau about what they ought to be saying to these bodies and so on, sit in, offer to conduct seminars?
  (Mr Bamford) We have not offered to conduct any seminars, though we do have a wide range of contacts with the voluntary sector and other bodies wearing our general data protection hats because they have other data protection responsibilities as well. One of the key things as we see it, particularly where we are talking about the standard disclosure and enhanced disclosure, is that there is a provision in the Police Act essentially for a statutory code of practice, a code of practice which the Secretary of State and the guys at the CRB draw up and which will put certain provisions and safeguards around the use of the information. That is the key: how the information provided on certificates is actually used. There is a sanction attached to non-compliance in terms of the fact that the CRB would refuse to issue the certificate information to any bodies in future which do not comply with those standards. From the earliest days of this we have set great store by the provisions which go in the Criminal Records Bureau code of practice for how the information is used. We are very, very keen to try to influence that, to ensure that the right standards of information handling are included, that there are check mechanisms which will allow compliance with that code to be policed and there is a proper sanction which is applied at the end of it all to ensure that people who move away from compliance do not receive the information and are not trusted with it again. That is a mechanism we are very, very keen to see work in practice.

  230. Let us imagine I am a manager in Birmingham Social Services Department and I am responsible, with colleagues, for the appointment of a manager for a children's home. I narrow down the applicants to a short list of five. Prudently I decide I shall ask for an enhanced certificate from the Criminal Records Bureau. What system will you have in place to ensure that after whatever period they are allowed to hold that information after that selection process is over it will then be destroyed? Would it be your advice to the Bureau that they should get a return from the employer that that information has been destroyed? Would you want to be satisfied it has been destroyed?
  (Mrs France) We have not gone so far as to say they would need to return it at this stage, although the code of practice is still in draft. We have not actually said that. Our view is that may not be effective because it would not, from our point of view, stop somebody keeping a copy. We would want to be clear what we thought was best practice and we have discussed the fact that we need to put something in our own code of practice to employers. We would not normally then check up proactively, though we might from time to time use other powers we have to look at a major public body or a major charity, at their data protection compliance generally.

  231. Would you do this instead of or as well as the Bureau?
  (Mrs France) We have our own responsibilities broadly for data protection. CRB have their responsibilities which are narrowly focused on the information given in the enhanced certificate. In data protection terms, we are interested in all the personal data being held by whichever body it is we are looking at. The advice we would give would go beyond certificate information. The advice we would give in our code of practice as opposed to the CRB code of practice would be about the handling of personal data more broadly but would focus in on this as a heading. We would then normally, I have to say, because of the resources available to us and the size of our office, be reactive in looking at what was going on. In other words, we may have the opportunity to be proactive from time to time in studying a major charity or a major employer of some kind, but more generally it would be when somebody brought to our attention a possible breach of the code, either of our code or the CRB code.

  232. In which case that perhaps puts a greater burden on the Bureau itself to check that whatever code of conduct is drawn up is being adhered to.
  (Mrs France) Yes.

  233. Given in a sense very new players, unfamiliar with this territory, particularly at the start of the life of the Bureau, it is something to which they need to pay particular attention.
  (Mrs France) Yes, it is and it is something we will pick up in our wider brief. You asked about training and seminars, we often speak to voluntary sector groups and it will now be something we will always include when we do. So that would be just part of a wider education about handling sensitive personal data.

  234. Twelve or 18 months down the road could you decide to do an audit of the way the Criminal Records Bureau is actually carrying this out?
  (Mrs France) My powers allow me to do something referred to as a study with consent, because Parliament decided that audit powers were not appropriate.

  235. You cannot break down the door, you have to have their consent?
  (Mrs France) I would not be surprised if I were to invite myself to do something of that kind once the CRB was established, if that invitation were not accepted.

  236. It would seem to be sensible, would it not, certainly from the Bureau's point of view?
  (Mrs France) It could be mutually useful at the point when it is fully up and running for us to have a look with them.
  (Mr Bamford) May I add that the Bureau have already suggested prior to commencement of their operations that we do come in and have a look at the systems of work they have put in place? There is a good step in the right direction there.

  Chairman: I take your point about being reactive rather than proactive because of your kind of organisation, but it is all these new bits.

  237. It is not a subject with which I am greatly familiar but a couple of quick questions. Imagine I am the vicar of my local parish and a member of the congregation I do not know very well asks whether they can come and run the Sunday School. Am I at the moment entitled to ring up the police station and ask whether this chap has a criminal record?
  (Mr Bamford) My understanding is that you are not generally entitled to do that.

  238. Under this new system, am I entitled to come to you to find out background about him?
  (Mr Bamford) I am not wearing a CRB hat. In theory you would be able to ask an individual to show you a certificate of the lowest level, a basic disclosure certificate, which would not show such convictions or intelligence.

  239. I cannot come to you as a vicar?
  (Mrs France) We do not have a role directly in this. We are an independent supervisory body. The CRB are the people you can go to.