TUESDAY 8 JUNE 2004

MR RICHARD THOMAS AND MR JONATHAN BAMFORD

  Q740  David Winnick: I think we will come to our own conclusions, Mr Thomas, after what you have just told us. If I can come to the question I put to you, the government is saying in effect, "Yes, the card is so sophisticated, it is the gold standard of identity. The criminal gangs will not be able to get in on the act." What do you say to that?

  Mr Thomas: I have to be very concerned. The phrase "gold standard" appears many times in the consultation paper and I understand the Government's wish to create a super standard. At the moment the passport is widely recognised as being the most thorough document. The data associated with passports is of a great deal higher quality than, for example, for driving licences. We know from our own experience with the DVLA that there are, inevitably perhaps, large numbers of mistakes and problems. However, the passport is widely targeted by criminals and counterfeiters. Passports have a significant value on black markets. I think that an identity card which is purporting to have the attributes which are intended for it by the Government would be a very attractive proposition for criminals.

  Q741  David Winnick: Even with biometric details?

  Mr Thomas: Even with those. We are yet to see the technology in practice; this is largely untested technology. I have some anxieties about such a comprehensive scheme with over 60 million people perhaps eventually coming on the scheme with technology which has not yet been fully tested. In theory, if the technology delivers that which it says it will deliver then perhaps the risks will be reduced, but there are the risks of people with questionable motives, forging or counterfeiting cards. There are probably even greater risks of mistakes and errors occurring. We see these with every database we come across. However hard organisations try (and they do try very hard) to eliminate mistakes, to keep information up to date, mistakes do creep in. One point I especially want to emphasise to the Committee is the very serious detrimental effect it can have on the individual. Whether there is deliberate identity theft, someone using a stolen card, or whether there are mistakes made there can be some very serious consequences, not just denial of access to public services but a great deal of aggravation and sometimes loss of livelihood and other more serious consequences arising from mistakes made. My anxiety is that this is going to be the gold standard. This is going to be the official document, the scheme with the authority of the state behind it, and that may make people perhaps too credible about the acceptability of the information flowing from the scheme.

  Q742  David Winnick: As regards the final paragraph on page 7 in your very interesting paper to us, on future compulsion, if the situation arises where clause 6 does go into operation on compulsion, you are saying in effect that one could have a situation not only where the public sector organisations would ask for the identity card to be produced but private sector ones as well?

  Mr Thomas: Yes. I would like to say a little more about clause 6 because there are safeguards here as in other parts of the Bill. I acknowledge safeguards which have been put in here. Clause 6 deals with the move to compulsion. I have some doubts about whether this really is a voluntary stage moving to a compulsory stage. As was said earlier this afternoon, it is not really voluntary for those wanting passports or driving licences. There will not be a non-ID version of the passport or the driving licence as we see it, so it will not be genuinely voluntary in that sense. But even if one accepts the notion that one tries out a voluntary scheme first of all, I just question whether it might not be better to have a separate Bill which creates the compulsory stage at some later stage. The Government identifies for its report that the super affirmative procedure will require a report, and the criteria for judging the acceptability of the scheme are set out in paragraph 1.13 of the consultation paper. I would like to go through those because I think they are important. First of all, are we confident that the roll-out during the first phase has delivered significant coverage of the population? Secondly, is there clear public acceptance? Thirdly, is the scheme making a further significant difference to tackling fraudulent access to free public services and to tackling illegal working? Lastly, is the technology working? Those are perfectly respectable and acceptable criteria but I just question whether a single report covering those matters written by the Government and then a yes or no vote in both Houses of Parliament is sufficient. Why not test the acceptability of the scheme on a voluntary basis to see whether the British public take to the scheme, whether it does meet all these tests, and then if the answer seems to be yes there may well be a need for some fine-tuning. We cannot anticipate all the problems at this stage but it seems to me that a Bill putting it on a compulsory basis at that stage may be better. I do have some concerns about clause 6, going back to your specific question. For example, it is said that under the voluntary stages a private sector organisation could not insist upon the production of an identity card. Under the Bill as drafted that particular safeguard disappears when you move to compulsion. There are a number of examples like that where some of the safeguards which are there during the so-called voluntary stage are taken out once an order has been made under clause 6.

  Q743  David Winnick: Some people have said in effect that the term "function creep" is an exaggeration put forward by critics and the rest of it, but what you have said in the last paragraph of your brief would mean that function creep would be paramount. If clause 6 ever comes into being as it now stands what you are saying is that you would find it virtually impossible to go anywhere where some identification is required without having to produce the card.

  Mr Thomas: I find it difficult to envisage exactly what life would be like then but you are right to say that after that stage, once an order has been made under clause 6, production of the card, the use of the information held on the register, would be a great deal more widespread than perhaps many people have envisaged. The Government does address the issue of function creep in its paper very fully and I am pleased about that, but I am bound to say that to a large extent the Government seems to talk in terms of function creep about the sort of information being collected. We are concerned more about the uses to which the information is going to be put. When I came to this committee last time I tried to elaborate on the various types of function creep and that is one issue which I am not sure is addressed very clearly by the Government. Taking the totality of the Bill, we have counted at least 20 order-making powers in this Bill and each of those if you like can take this a stage further into more detail than currently appears on the face of the Bill.

  Q744  David Winnick: It is said in the Government's draft Bill that it will not be an offence not to carry the identity card, but of course would it not be the situation that if the police stopped somebody and the person did not have the identity card, that in itself, though not an offence, would mean that there would be an inevitable feeling on the part of the police officer of suspicion about why the person being questioned did not have the identity card with them, and that could apply of course to other matters not relating to the police?

  Mr Thomas: That is certainly possible, yes.

  Q745  Chairman: Before Mr Prosser comes in could I ask a question about whether the concern is actually about the issues of principle or the fact that there is not a clarity about what is going to happen if the Bill comes through? Let me put a hypothetical question to you. If one listens to the evidence this afternoon, it might well be the case that the identity register would build up information on the number of times that somebody had travelled in and out of the country, that it might have links to the police national computer which might reveal that somebody had a previous conviction for drug importation and someone says, "There is a lot of information there which is highly sensitive". On the other hand the ordinary member of the public might take the view that analysing that information which enables someone to show that they have made a series of repeat visits to Colombia, stopping off at a couple of Caribbean islands on the way and then coming back to this country, might be the sort of thing that could usefully be interrogated from the use of this information. There are a number of different issues there, are there not? Should that information be stored? Who should be able to interrogate it, if at all, or is that the sort of use of information that in principle should be beyond the pale of this scheme because frankly it just takes us too far into tracking a lot of individuals' information in order to identify some?

  Mr Thomas: No, I am not saying that there is not an inter-relationship with investigation of crime with those sorts of aspects. Those have been brought out this afternoon. I am not saying you can divorce those. What I am saying is that one has to be as limited as possible. Data protection is all about drawing lines. It is a question of where you draw the lines. My concern is that too much of this Bill at the moment as drafted is very open-ended. If we can be precise about the particular purposes; if we say, as parts of the Bill do, that there are exceptions or provisos specifically where there is national security concern or where there is the investigation of either serious crime or other sorts of crime, in particular situations that may be acceptable, but so much of this is written in much broader language. If I can just give you one example in clause 20(5), which is about information sharing, that is, "a disclosure of information not falling within paragraph 9 of Schedule 1"—that is, all the non-audit trail information—"is authorised by this section if it is made to a prescribed officer" of the Secretary of State's department for the purposes connected with the carrying out of any of the prescribed functions of the Secretary of State. Of course, that is very wide indeed. It is the Secretary of State for Transport, for Work and Pensions, for the Foreign Office; every Secretary of State, and it is very easy to make an order to bring a very wide range of information inside this subsection for the purposes of information sharing. We know from our data protection experience that where too much information is shared, where there are not appropriate lines drawn, then individuals can and do suffer serious consequences in particular situations.

  Q746  Mr Prosser: Mr Thomas, you have delivered a robust critique of certain aspects of the draft Bill this afternoon. Can I ask whether you have completed or delivered your formal response to the Bill yet?

  Mr Thomas: No, we have not, Mr Prosser. We have provided this Committee with our initial analysis of it. We are working to the mid July timetable. We have had discussions with some of the officials at the Home Office. One was in my office just yesterday where we were discussing some of the detail with officials, but we will be producing and publishing a full critique nearer the middle of July. We are coming today to give you our position so far.

  Q747  Mr Prosser: This is a curtain raiser?

  Mr Thomas: Yes. I am not suggesting that we have got a great deal more. We will elaborate and perhaps fine-tune our critique but we are giving you where we have got to so far. Of course, we have been looking at this now for nearly two years since this government proposed these particular proposals and my office looked at the previous government's scheme some years ago.

  Q748  Mr Prosser: Earlier on this afternoon you said that one of the reasons you were concerned and why you have consolidated your concern is to do with what the Bill is about. Is it primarily about terrorism or access to services or illegal working or asylum abuse or whatever? Is there not justification for an identity card and a database if it addresses all of those and perhaps in good measure? What is wrong with that?

  Mr Thomas: The concern is the absence of any clear rationale for it. If you were to identify particular functions we could then look at a scheme and say whether or not it is appropriate for that scheme. In the written submission we gave to the Committee we gave you details of a government committee in the early 1950s looking at the Second World War national identity card. That was introduced in 1939 with three stated purposes: for conscription, for national security and for rationing. By 1950 the government committee of the day found that in those 11 years that scheme had grown to 39 stated purposes. The debate at the time the committee reported in the early 1950s was that the main rationale for identity cards was the prevention of bigamous marriages. One has to draw lines somewhere, I am afraid. One cannot just say, "All these are fine. We are not too concerned about the detail". I think the interests of individuals do require absolute clarity as to the purposes.

  Q749  Mr Prosser: Just dwelling on that for a moment, if consecutive Home Secretaries are receiving reports, first of all from the police, who say that a big problem with organised crime is proving identity, an identity card would help matters, and then if immigration officers send reports back to the same department saying that the illegal working system is almost impossible to crack properly unless they can have assurance of identity, and if the CID report back and say that organised crime is running rampant because of the theft of identity,—and we have heard the stories of people found with 57 different identities in their possession—and there can be other examples, of course, all the way down to terrorism, if all those lines of investigation are all coming back to the Home Secretary or to government and all of them are saying that one major sensible practical way of addressing this could be a secure identity card, that is a rational way to proceed, is it not? There has not got to be one overwhelmingly compelling reason to drive forward a Bill.

  Mr Thomas: Not a single reason, but we have not had that rationality spelt out. We have not seen how identity cards are going to be used in these various examples. We have not seen precisely why the entire population needs to provide so much information in order to deal with illegal working or with organised crime. Yes, they are particular problems. Yes, we may need to have more information about those engaged in those activities, but that is not necessarily a rationale or justification for the entire population.

  Q750  Chairman: If I can bring you to the Bill, if the government with its resources has assessed these problems and decides, as the Home Secretary said to us not long ago, that this makes a contribution to solving those problems as a matter of policy, and we are now dealing with the Bill, what is it exactly that you would like to see on the face of the Bill that ensures that the ID card scheme does what the government has said it wants it to do, because, with respect, it is probably not for the Information Commissioner to assess the effectiveness of measures against illegal working or drug trafficking or whatever; it is about the use of the information? What would need to be on the face of the Bill to address the fundamental concerns you have about that?

  Mr Thomas: My greatest disappointment is clause 1 where we talked a lot in the past about the need for clear statutory objectives and I do not see that in clause 1 as drafted. Clause 1 is very general, very unclear and does not give us clarity as to the purposes, to use the statutory language of data protection, for which this information is being processed.

  Q751  Mr Prosser: I want to turn now to some of the many elements of concern that you raise. First of all, you talk about the possibility of people who are not really eligible to have an identity card being entered into the register. How realistic is that, bearing in mind that without a biometric it would not be much use to anyone, would it? What is the problem there?

  Mr Thomas: Is this the issue of those being entered onto the register without their own knowledge?

  Q752  Mr Prosser: Yes.

  Mr Thomas: This was a novel feature. It is in the consultation paper. We had some anxieties. Some of these were voiced by others earlier this afternoon. Being on a register with such powerful consequences without knowing that you are there I think is serious. The very least one might expect is to have a notification to the individual saying, "You are now on the register. Here are the details we have about you", and people would be able to check the accuracy and the up-to-dateness of that information. That would be one thing which is not in the Bill at the moment.

  Mr Bamford: This is again one of the problems with the inter-relationship between an ID card and a central register. Essentially you could have a situation where although there is a prohibition on having to produce an ID card there is no such prohibition on somebody checking the register as long as it is authorised by somebody. We often authorise people to do checks on criminal records when we apply for jobs, not expecting there to be anything there. In theory an individual could have found their way onto the register without their knowledge and somebody could be checking that in terms of service delivery and that could have severe consequences for the individual if that information was wrong. The sources where this may come from are not specified. I know that previous evidence has implied, "It is so that we can deal with asylum seekers and others", but the wording of the Bill does not limit it to that. It could in theory come from other government databases, such as the ones that are proposed at the moment, for example, the Children's Bill. We need to understand that the way this all hangs together can mean that there can be detriments to individuals as far as the identity register is concerned if you end up there without realising you are on it.

  Q753  Mr Prosser: On that point, the interchange with the citizens' database, if that ever comes in, and the children's register, do you want no relationship at all between these various databases or do you want to limit the relationship and interchange between the databases?

  Mr Bamford: Again, what is the purpose of having it? If anybody wanted to have a citizens' information project database what is the real benefit for that for this particular register, about which a lot has been said about how it is going to be collated from scratch, it is not going to be based on existing databases but there appears to be provision to allow information to flow from existing databases with all the flaws that may be there without having the chance to clear those? Similarly with the Children's Bill database, you can do it under clause 8 of that, which will be a powerful database if it comes to pass because it will have details of all our children in the UK on it: what is the idea behind that? Is it, as the minister said, that one of the things that people might get on their 16th birthday might be their national identity card essentially, so that they can spot rising 16s? If that is the case people should be aware that that is happening. It certainly is not then an application as such and people doing it voluntarily. The question is, with the other information flowing there what are the real aims for doing that? If there are no real justified aims then it should not flow there. That goes back to one of the issues about the National Identity Register and what is it there for. Is it there for its ostensible purpose under clause 1, essentially to have a register of registrable facts, or is it there to deal with service delivery issues ultimately? A lot of the points have been alluded to as service delivery issues in terms of checking people who may be going backwards and forwards to Colombia or whatever rather than just being an issue about, is that Jonathan Bamford?, is that Richard Thomas?, so again we have to be very clear what its real use is and whether the information is relevant or not.

  Q754  Mr Prosser: We took evidence on the work done so far on the Citizens' Information Project and that database and we were told that it was first thought of in 1908. Our view on the Committee was that you wait a hundred years for a database and two come along at the same time.

  Mr Thomas: Possibly three or four because we have mentioned the children's database. There is also the NHS one. We have some concerns and we are frankly in the dark about how all these inter-relate.

  Q755  Mr Prosser: You also complain about clause 5 which you say is another open-ended problem, and you say it is "the open-ended requirement on an applicant for registration to provide such information as the Secretary of State sees fit to require". It is open-ended. How would you want to restrict and limit that to make it more practicable?

  Mr Bamford: There must be an idea already what sort of information the Secretary of State might reasonably require. Is it a birth certificate or those sorts of documents that we are really familiar with that could be set down in a statute without too much pain where we could be clear about that? What are the limitations there on the retention of that information? In Schedule 1 there is the issue about the application process and documents as part of the validation process and it says that information that is used for validation can be kept, so when you think about a birth certificate, are the details that are on the birth certificate going to be kept—who somebody's mother or father was, their occupations at the time of birth? We have to have some limitation to make sure that the only information there is that which is required to establish identity and that we do not end up with a lot more collateral information being retained for no apparent purpose relating to that individual's identity.

  Q756  Mrs Dean: You are concerned that the Bill does not specify the details that might be legible on the face of the card. What do you think would be appropriate?

  Mr Thomas: This is one of those issues again going back to purpose. For a driving licence it is acceptable that the address should be on the face of our paper or plastic driving licence as it is now. I am not at all comfortable with the idea of the address being on an identity card. I would not like to see the address on a passport. I do not want to go through airports or see others using my card around the world knowing I am away from my home. That creates a range of risks and problems. I would be very unhappy with the national insurance number being on the face of a card. I would be pretty unhappy I think with the national identification number, as put forward under this scheme here, being on the face of the card. I am talking at the moment about what is printed on the face of the card. There is then another set of questions about what is on the chip because it is clear that there will be some sort of microchip on the card which will only be readable by appropriate machines. We want safeguards and controls there. We have made points to you that that should be encrypted. That is not currently contemplated but we think that safeguards are required so that electronic eavesdropping, which does go on, could not take place in this area to download information improperly. We need to look at the detail of this as we move forward when—and I am sorry to repeat the point—we are clearer as to the purposes of the scheme.

  Mr Bamford: One of the possibilities that now appears to have been blocked off is that you can have a non-ID card version of your passport or driving licence, so we will have two ID cards potentially with increased information over the primary purpose of that document, ie, a passport or a driving licence. In some instances individuals might choose not to have an ID variant of that because they have to produce their driving licence in lots of circumstances around the world so they do not want the collateral impact of the ID card information being captured by car hire companies or others who might not look after it quite as well as it would have been if it were the original service provider for ID card purposes.

  Mr Thomas: The complete answer to your question is, no more information than is necessary for the intended purpose.

  Q757  Mrs Dean: Turning to the contact chips, is it realistic to expect ID cards to have contact chips or encrypted contactless chips?

  Mr Thomas: I do not see why not. Technology is moving in that direction and the technology, as I understand it, is more straightforward than biometric technology so that is not a particularly difficult area. There may be some incompatibility with the international travel documentation being proposed by the ICAO, the International Civil Aviation Authority, but do bear in mind that they are having to deal with the entire world, including remote parts of the world where they have not got the sophisticated equipment to read encrypted data, and do also bear in mind that when your travel documentation is being scanned at an airport that is a fairly secure environment. When you are producing your card in a very wide range of environments going from the doctor's surgery to the social security office to the local town hall, there is much less control over the circumstances in which that card is being read. That is one argument, we feel, for having a much tighter regime here.

  Mr Bamford: To be fair, clause 8(2) does say that an ID card must record prescribed parts of it in an encrypted form, so there is a step in that direction, but we would go further and say it all should be in an encrypted form because there is this real prospect with contactless chips that they can be electronically eavesdropped when the transaction is taking place.

  Q758  Mrs Dean: What restrictions would you like to see on the requirement to notify changes to information on the register? Are you concerned about the possibility of charging for updating the register, and also, as was mentioned earlier, do you have concerns about vulnerable groups not changing that information that should be on the register?

  Mr Thomas: One of the data protection principles is that information should be kept up to date, so in principle with a scheme like this it is important that systems are involved in making sure that they provide up to date information and that they are able to check the current accuracy of their own information, so in principle that must be a good thing. However, I do recognise the point that on the one hand if there were to be a charge for it that may be a deterrent. Of course, ironically, if you do not do it you may face a fine, so you may have to pay one way or the other. I do understand that when you notify a change to the DVLA you do not pay anything at the moment and maybe any scheme would have to be designed with that same principle in mind.

  Q759  Bob Russell: Talking about clauses 14, 15 and 20-24, disclosure of information on the register, in particular 14(4), you have given us quite a catalogue of reasons for significant concern. Under 14(4) you say that the "potential for disclosure with consent to be manipulated by others should not be underestimated". Would you like to see clause 14(4), which you say removes the right to see an audit trail, taken out of the Bill?

  Mr Thomas: This is a very strange clause. You touched upon it earlier this afternoon. We are very puzzled by it. It cuts right across the so-called subject access right in the Data Protection Act, which is expressed to be notwithstanding the terms of any other statute. That flows from the European directive, the principle that people can see their own records. This appears to undermine that principle and we are not at all clear what is intended here, whether the Home Office intends that people should not see their own information. We are rather doubtful that that was the intention so it may just be the drafting which needs to be put right. There may be some national security concerns but the Data Protection Act recognises that, because the subject access there is subject to national security and investigation of crime limitations. There is a wider point which was touched on in your question, Mr Russell, which is, can people be manipulated into seeking their own information? In the jargon we call this enforced subject access where people are effectively required to search out and get details of their own record, and we find that objectionable, and indeed it is outlawed by section 56 of the Data Protection Act, although that section has yet to be brought into force. The principle we find unacceptable.

  Mr Bamford: Can I add a couple of points of detail to that? To deal with the last point first, again, I am sorry to harp on about the relationship between the register and the card, but there is a provision which deals with people being required to produce their identity card at clause 19. Normally that will not be the case unless it becomes compulsory and then that falls away. That deals with the card being produced but there is no requirement there to stop an organisation saying, "If you authorise us you can have this service better", so there is not the same safeguard with the information on the register being consulted at clause 14, and the two go hand in hand and should have similar provisions. As the Commissioner has mentioned, we should have public information data protection systems which should stop enforced access and deal with that point, but again there is a disparity between the register and the card. There is a safeguard in one instance; there is no safeguard in the other. The two need bringing completely into line. In connection with this confusion over clause 14(4) and somehow overriding an individual's right of subject access, as has been mentioned, we do believe that all legislation has provisions which may again override that, though that is a debatable legal point. I did note from earlier evidence from the minister, Mr Brown, that when he was asked about video stores and others checking the central register he said that the fact that an individual had a right of access to see who checked their register entry in the National Identity Register would be a great safeguard for them. We need this point clarifying because either that is a safeguard or it is not a safeguard. The way things stand at the moment it would appear that an individual would not be able to check who had accessed their details, whether it was a video shop or whether it was the security services.