MR DAVID SMITH, MR LEE TAYLOR, PROFESSOR STEVE PEERS, MS BELINDA LEWIS, MS HARRIET NOWELL-SMITH AND MR PETER THOMPSON

23 JANUARY 2007

  Q260  David Winnick: Professor Peers, could I draw you a little on the question put to you by Mr Russell regarding the Home Office. As part of your work, you study EU justice and home affairs. Is the British Home Office under successive governments—and I emphasise "under successive governments"—unique amongst EU countries in having the sort of difficulties, to put it mildly, that we have been experiencing more recently, as we have in the past?

  Professor Peers: There have certainly been scandals in other countries. There was quite a large scandal in Germany in the last two years about visas which were given to Ukranians and so on without proper scrutiny, for instance, so there have certainly been certain types of problems not always identical to our problems. It is difficult to know, looking at the issue at EU level, exactly what scandals are going on in different Member States because of course the interior ministers or the justice ministers are not too anxious to be showing their dirty laundry to everyone else at EU level and the British media does not always pick up the national scandals going on in other Member States, but certainly there have been scandals of a comparable nature to the Home Office. I am not sure if there have been quite as many high profile scandals as we have had in the UK. Another thing to keep in mind is that I am fairly sure we are unique in having a single Home Office rather than the separate ministries of the ministry of the interior and the ministry of justice. Certainly Canada and the United States and other countries based on the common law have split up their departments as well into several different parts. I do not think they ever had anything that would compare to the Home Office.

  Q261  David Winnick: Some may say it is part of the British way of life to have the Home Office scandals coming out from time to time. To pursue again what Mr Russell said, if it is true—and we have not had any official confirmation, as I understand it—that the recommendation from the Home Secretary to the Prime Minister and the Cabinet is that there should be a split along the lines which have been widely reported, do you really have much confidence that such a split would deal with some of the problems that Mr Reid and his predecessors over a number of years have faced? It is not going to be some sort of panacea is it, by any means?

  Professor Peers: No, a split will certainly not abolish the possibility of serious scandals in what is now the Home Office. I am not absolutely certain that it will reduce it. I think it might. It has the capacity to reduce it. At least each of these two individual departments would be more manageable than the one large department but you still have a risk where the two individual departments should be cooperating. If you go back to one of last year's scandals, which was the failure to keep track of people who should be deported from prisons, that was a failure to keep track of information within one large department. Under the Home Secretary's proposals, we would have one department dealing with prisons and the other dealing with immigration, so what might happen then is that you would get the information lost between the two departments. It might be lost under either model. But at least you would hope that each of the two departments within themselves would be more coherent than they are as part of one gigantic, single department.

  Q262  David Winnick: It is sometimes said that because home secretaries change so often—again under successive governments: they, perhaps, on average, last two years or less—is that the same for interior or justice ministers in other European Union countries? In other words, no one stays as a political head long enough to get a real grip on the situation in the leadership of the Home Office.

  Professor Peers: The answer is that home secretaries or their equivalents, ministers of the interior and justice, as far as I am aware do tend to stay for a little bit longer. That is perhaps because you have a number of coalition governments in the other Member States in which the particular hosts are negotiated between parties. Germany is a particular example where you always have a coalition government and a crucial factor is the negotiation of which parties get which posts and then senior people from those parties tend to hold the posts and you do not have the ease that we have here of the Prime Minister removing people from post and shuffling them around and so on because that would violate the coalition agreement and the coalition government would collapse. If only for that reason, home secretaries and their equivalents tend, as far as I am aware, to stay in office for a longer period. That is due more to the political system of those states, perhaps, than due to the nature of scandals and so on.

  Q263  Mr Benyon: Could I return us to the remit of this inquiry and ask about the pilot project that has been set up between the countries France, Germany, Spain and Belgium. It was mentioned by the Prime Minister last week that the Government here is looking very carefully at how this pilot project is working. Could I ask you first, Professor Peers, what your assessment of the pilot project on the interconnection of criminal records is and whether you detect that there are any plans to roll out the project to other Member States? If so, should the UK be part of that?

  Professor Peers: I am not familiar with the details of the implementation of that project. I suspect that if the perception is that it is successful, this is something that perhaps the form of the EU proposal on criminal records will now start to take. It might be restructured and rethought to take the form that, rather than follow the Commission's proposal, we are now going to extend this pilot project to other Member States if it turns out to be correct that this is working efficiently and effectively from the point of view of the law enforcement services. But, of course, we should also consider whether it is working effectively from a civil liberties perspective; whether or not, for instance, rules on rehabilitation of offenders are still being observed within a cross-border context, for instance, and how often the wrong person with the same name, for instance, is being identified as having committed a criminal offence in another Member State. You still have to be aware of that perspective, whether it is working well from that point of view.

  Q264  Mr Benyon: Great emphasis has been placed on the interoperability of diverse EU databases. There seems to be a problem within the pilot project of this scheme whereby a crime may not be a crime in an individual's own state. If, for example, an individual commits a crime in France which is not a crime back where he comes from in Germany, the Germans will not enter than on its database, and there may be further manifestations of that, if, for example, we were to enter it. We may have a different approach to that particular crime and the reporting system could be an almost impossible one to create such a database. What happens if a number of systems become inoperable? What rules would apply? Are there adequate safeguards within that?

  Mr Thompson: On the broad point about the pilot project—and this takes me back to my opening remarks—these are operational matters which are the responsibility of the Home Office. It would just not be appropriate for me to comment on them.

  Ms Lewis: I could say a few words, if it would be helpful, about the data protection rules that would seem to be relevant when we are looking at EU data systems becoming interoperable. As Peter said, we are not familiar with that particular pilot project at the moment but, in general, the sorts of complications that we would expect in those circumstances would be if the systems being brought together or the information that was being pooled originally had different bespoke data protection rules attached to it. This might give rise to technical issues. For example, if you had information originally from database A coming into this interoperable system that would normally be deleted after just three years and then you had information coming from database B that could be retained for, say, six years, there would need to be some way of rationalising those differences. Generally, it would seem sensible to go with the highest standard of data protection but that would need to be looked at on a case-by-case basis.

  Mr Smith: There is a framework decision under discussion within the European Union on the exchange of criminal records. Our understanding is that this is making rather slow progress. It may be that is linked in some way with the Data Protection Framework Decision. The idea of having a framework decision on data protection is that you put in, if you like, data protection measures across the board under which all these other information sharing initiatives can operate, including criminal records, without having to re-address the data protection questions each time a new initiative is developed. That is why we are very supportive of the framework decision. The DCA representatives are quite right, there are some real difficulties in bringing together information from different sources together in a common database. As a general rule, where you are talking about sharing, and sharing of criminal records here, we would prefer linkages between systems rather than the setting up of a new central database, if that makes sense. Setting up a new database brings real problems as to how you interpret the information to common standards. If you are interrogating a French database, you know it is French information, they are French categories of crime and so on. There are some difficult areas. In the earlier evidence session, Chairman, reference was made to murder and that murder is always a terrible crime. What is murder in the UK may not be murder in some countries which allow euthanasia. It is illustrative of how easy it is to think you can compare things which appear to be the same but in fact are not. The cross-border comparison of DNA gives us particular difficulties because I think there are very different approaches in Member States to this issue. As you probably know, the DNA are retained in the UK of anybody not only who has been convicted but of anybody who has been arrested for a possible offence; whereas in Germany, for example, DNA are only taken where serious crimes are involved. The use that is made of DNA is very different. I do not know whether you are familiar with the concept of familial searching, where if the police find a DNA sample at a scene of crime and they try to match it against the DNA database and they do not find an exact match, they can look for close matches because those close matches might be members of the blood line of the criminal. I am not familiar with German law, but when I talk to my data protection colleagues they say that sort of approach is unthinkable in Germany. It would be too much of an invasion of the privacy of family members who are not themselves suspects. That is not the view we have taken in the UK. We have taken what we would consider a more measured view, of saying, "This is appropriate but only for serious crime and only where you can reasonably narrow down the number of suspects." To say, if you like, that German information on DNA is then available in the UK and could be used for familial searching I think raises all sorts of difficulties. Some of these things sound very encouraging in theory but there are a lot of practical problems of trying to get different approaches to work across borders.

  Q265  Mrs Dean: I understand the issue about operational matters, but, if the UK might be getting involved in the pilot project, are DCA going to be consulted on possible data protection issues?

  Mr Thompson: Certainly. We have a very close working relationship with the Home Office and that broad schema I set out roughly divides how the department might lead on an issue and another may support. The important point is that we have this very close working relationship and the Home Office will discuss with us any particular data protection policy issues.

  Q266  Mrs Dean: Have you been consulted up to now?

  Mr Thompson: I am not aware.

  Ms Lewis: I am not aware of any approach but I am not sure where the Home Office is in terms of looking at and proposing that the UK signs up to this sort of database.

  Q267  Mr Benyon: I would like to turn to the European Index of Offenders. Professor Peers, in the light of information that was revealed to this Committee a week or so ago, the Home Secretary has announced a review of databases carrying details of criminal convictions as well as the way in which information is shared and exchanged between the EU countries and non EU states. Do you see added value in a European database of offenders?

  Professor Peers: If you have a single database it would probably be much easier to search that individual database than searching the national databases of all the individual Member States. Even if that were permissible, it would be difficult to do. You would probably have to do it by a series of separate searches and it would be technically difficult, perhaps, to have a single search of them. Setting up the single database would be easier but then you have some serious problems with that, not only the problems I identified before of potential confusion of identity for people with similar names and so on but also the question as to whether or not we should be taking into account a criminal conviction for something in another country which either would not be criminal in the UK or would be considered as spent in the UK by now if it had happened here or for which we would perhaps have acquitted even if it were a criminal offence. Similarly, the same questions arise in regard to all the other Member States. That fundamentally is the problem: the purpose for which that data is going to be used and the complications that arise from the inevitable differences in criminal justice systems of the Member State as well as the data protection concerns.

  Q268  Mr Benyon: Mr Smith and DCA, you may feel you have already answered this, but the possibility of an index would seem a good idea in the light of the systematic failings that were exposed last week. Are there any other data protection issues you feel it raises and under what conditions would you feel that an index would be worth supporting?

  Mr Smith: I think I have covered some of the points, Chairman. I am not entirely sure what is meant here. An index suggests, if you like, that it may simply be a name and identifying information which is held centrally.

  Q269  Mr Benyon: Our understanding is that it is simply a name and that if further information is required there is an agreement that they can then go to the nation state and get full details of the criminal record held in that country. That is my understanding.

  Mr Smith: I do not see any intrinsic data protection problems in going down that route. That is a preferable route from a data protection point of view to a central database which contains all the conviction information. I am not sure if I can add greatly to what Professor Peers has said about the difficulties of ensuring identities are correct. There are challenges there. But, no, it is not an insuperable problem.

  Ms Lewis: I think we would agree with the comments made by ICO. It would certainly seem to be safer to have that index of names, rather than having a whole host of information, including some personal data that sits behind it. The issues we would be interested to consider from a data protection point of view would be those that would be attached to any large electronic database. There would be issues such as access. How could you control access to that database? How could you restrict the use to which the information in it was put? Obviously that is less of a concern if it is just somebody's name, but there are also things like: How long would you keep the data? How long would you keep the names that were entered into the database for? How could you make sure it was deleted after the proper amount of time? In line with comments people have already made, it would seem to be a useful step forward if it would promote better, more effective, safer data sharing and improve law enforcement cooperation between EU Member States.

  Mr Smith: In practical terms, Chairman, it may make sense to limit it, at least to start with, to some categories of serious offences. That very much limits the number of records and the scope of the task that is taken on and this is really the crux of the problem. We really do have difficulty with things like shoplifting convictions which were incurred 30 years ago being available. We have problems with them being available in the UK, if you like, let alone being available throughout Europe.

  Q270  Gwyn Prosser: There will always be a tension between the law enforcers who want to have increased data sharing and the guardians of data protection who want restrictions. Has there ever been a balanced impact study comparing the advantages of one with the risks of the other?

  Ms Lewis: It is a very important question. Perhaps I might relate my answer to the Data Protection Framework Decision, which is the area that was the core part of my work. We held a comprehensive stakeholder consultation process where we contacted all of our stakeholders: the people it would have a direct impact on, such as the police, the agencies, the prosecutors, the customs authorities. We sat down with those people over a series of days for several hours and worked through the proposal line by line, article by article, looking at the implications for their business and the kind of data sharing they needed to be able to carry out in order to fulfil their statutory functions. As part of that consultation process we also involved the ICO, which is one of our very important stakeholders, in order to represent the views of the data subject. We also contacted academics and we contacted rights agencies, such as Justice and Liberty, and sought views from those people as well, to try to achieve the balanced view that you have mentioned about the operational side, where people need to be able to share data to fulfil their functions properly and effectively but also to make sure that the views of the data subject are represented and to make sure that we balanced the needs of the end-users with effective data protection.

  Q271  Gwyn Prosser: Do you think we have the balance right in present legislation with regards to the subject we are discussing this morning?

  Ms Lewis: In terms of the Data Protection Act, which is the UK national legislation, I think the balance is right. In terms of the Data Protection Framework Decision it is much harder to answer that, because, as has already been mentioned, it is essentially a moving target. The UK would negotiate to make sure the final version of that text had appropriate data protection safeguards in it, but what we have at the moment is probably not what we would end up with, so it is harder for me to answer that.

  Q272  Gwyn Prosser: Given that many third pillar information systems have their own data protection regimes, do you think there is a need to have a more general data protection measure built into the third pillar?

  Ms Lewis: I think there is. In the third pillar this would be the Data Protection Framework Decision. That sets an overarching minimum standard of data protection. I think we still need to have the flexibility to add in extra bespoke, specific data protection measures in other instruments. For example, if instruments deal with very specialised types of data or if they are for a very precise and narrow purpose, it would seem sensible to build those extra provisions into the individual instruments instead of trying to have an enormous minimum standard that tried to cover every single eventuality. We would expect the Data Protection Framework Decision to add value by avoiding working groups from reinventing the wheel every time data protection was discussed. If we have a sensible, more detailed minimum standard to which people can refer, then we would not need to start negotiating more basic data protection provisions in third pillar dossiers. I think the freedom needs to be there for those extra, more precise data protection safeguards to be built in if they are needed. If you do not mind, I will ask Harriet if there is anything she would like to add.

  Ms Nowell-Smith: I suppose we could just note for the Committee that there are some minimum standards already throughout the EU in the form of European Convention on Human Rights and also the Council of Europe Convention 108 which has provided some protection in this area since 1981. We do understand from the European Commission that all Member States have in fact implemented the Data Protection Directive outside the first pillar. That is something that we did in the UK. We only had a duty as a matter of European law to implement the directive in the first pillar areas of life; we chose to implement across the piece and to cover police information handling as well, as a policy matter, and we have learned that all of the other Member States have done something similar. We do not know exactly what provisions they have, though, in the third pillar, and, as Belinda said, the Data Protection Framework Decision would harmonise provisions in this area.

  Mr Smith: I wonder if I might add something on that point. The Data Protection Framework Decision and the data protection measures in the other areas like Europol and Eurojust are essentially forms of regulation. We are the UK regulator. I think we are very keen to keep in mind the purpose of the regulation. It is a form of regulation to protect the rights of individuals. We are keen that the regulation is, as far as possible, clear, simple and consistent, so that police forces and others who have to follow it know what they have to do and so that individuals who want to exercise their rights, whether it is access to data or to get data corrected, can do it simply and easily. When you have a proliferation of different measures—different ones applying to Europol, different ones to Eurojust, a framework decision, a first pillar instrument—it becomes extremely complicated. That is one of the reasons why we favour a framework decision for the third pillar, to give one overall standard which is hopefully clear, simple and easy to follow. It is also why we favour, as far as possible, that the framework decision in the third pillar is comparable to the Data Protection Directive which already exists in the first pillar. One of our concerns is that, as negotiations are going on on the framework decision, in some areas it is drifting further away and there is a risk we will lose that harmony.

  Q273  Gwyn Prosser: For my part—and it is no criticism of the witnesses—I do not find the discussion we have had this morning at all easy to follow, but I will have a look at the transcript later on. We have had this quite long discussion about the complexities and even the niceties of data protection versus enforcement versus data sharing. Given the massive increase in the risk of terrorist attack and the incidents we have seen in the United States and more recently in London, have we got the liberty and the luxury to discuss these matters in such detail? Should we not just be concentrating on bringing the criminals and the terrorists to book?

  Mr Smith: In simple terms, no, but I understand the point you are making. We are protecting a whole range of different rights. There is the right to the protection of your life but there is also, under the Convention of Human Rights, the right to the protection of your private life. There is no doubt that, in some areas, in the interests of preventing terrorism we have to give up some aspects of protection of our private life and our privacy. We see that all the time. I saw it coming into the building today when I was searched. That is understandable but we do not have to give it up completely. There is a balance to be struck. I understand your comment that this is a very complex area—and I am sorry. I find it complex as well.

  Q274  David Winnick: He is being the devil's advocate. He does not really believe that.

  Mr Smith: Maybe I could start with where we were in the first pillar and why we introduced the Data Protection Directive in the first pillar. The Data Protection Directive in the first pillar was not just introduced to protect privacy; it was introduced as part of developing the single market in the European Union to enable the flow of personal information, if you like, without borders around the European Union by saying, "We have common data protection standards, so no one can put up data protection barriers to the flow of information." Essentially, it is the same thing we are trying to do in the third pillar, saying, "Yes, you are absolutely right, we need to exchange more information to prevent terrorism and other criminal activities, but data protection does not stop. What it does ensure is that that is done in a way which respects individuals' rights." If I have a right of access to my data, that does not stop the prevention of terrorism but it is important that I preserve that right.

  Gwyn Prosser: I agree. Thank you.

  Q275  Martin Salter: I would like to follow up with some questions on the Data Protection Framework Decision. David, you referred to the problem of the definition of a crime in one country or another. For example, Austria does not recognise Holocaust denial.

  Mr Smith: Yes.

  Q276  Martin Salter: Euthanasia, as you have said, has different interpretations.

  Mr Smith: Tax as well. Some things are taxation matters and not criminal offences in some member states.

  Q277  Martin Salter: That is right. In parts of America, as I understand it, tax is seen as a crime in itself! Does the Data Protection Framework Decision make any provision for offences which are not crimes in both states?

  Ms Lewis: I do not believe it does. The Data Protection Framework Decision is about data that is used in conjunction with prevention, investigation, detection or prosecution of criminal offences. In the UK, if something was not a criminal offence I am not sure that the Data Protection Framework Decision would apply.

  Ms Nowell-Smith: That is correct. There is not yet an EU definition of crime. You can look to the jurisprudence of the Strasbourg Court under the European Convention of Human Rights and that has some guidelines about what areas of life one should expect certain kinds of trials and certain kinds of legal proceedings to follow, but there is no EU definition of crime.

  Q278  Martin Salter: Why does the EU need to define crime? Surely crime is defined by what is a crime as determined by the parliament in the sovereign state.

  Ms Nowell-Smith: That is the basis on which the framework decision operates. It does not attempt to define crime.

  Q279  Martin Salter: Why does it need to define crime? Surely one could establish a framework whereby, for crime A, which might not be a crime in France, the data could still be shared because it would be of use to people wishing to monitor potential criminal activity in another Member State. There does not need to be an EU definition of crime, does there, beyond what is determined as a crime in individual countries?

  Ms Lewis: I think that is right. I think we would agree with that. As Harriet mentioned, the Data Protection Framework Decision is not driving at trying to have a definition or list of things that are commonly recognised criminal offences. If we were in a situation where perhaps the UK was asked for personal data which related to a criminal offence in another EU Member State which was not recognised as a criminal offence in the UK, that would seem to fall outside of the scope of the Data Protection Framework Decision and I think it would be judged on a case-by-case basis. Whether it was the UK police or UK customs or whoever in the UK was approached about that, they would need to consider, given the circumstances of the request, whether or not it would seem appropriate for the UK to cooperate. As far as I am aware, there is not any obligation on the UK to cooperate with requests like that.