CORRECTED TRANSCRIPT OF ORAL EVIDENCE
To be published as HC 508-ii
HOUSE OF COMMONS
MINUTES OF EVIDENCE TAKEN BEFORE HOME AFFAIRS COMMITTEE
THURSDAY 7 JUNE 2007
MR J TREVOR HUGHES and MR RANDAL GAINER
MR MIKE BRADFORD, MR STEPHEN SKLAROFF, MR MARTIN BRIGGS and MR NICK ELAND
Evidence heard in Public
Questions 80 - 178
USE OF THE TRANSCRIPT
1. This is a corrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.
2. The transcript is an approved formal record of these proceedings. It will be printed in due course.
Oral Evidence
Taken before the Home Affairs Committee on Thursday 7 June 2007
Members present
Mr John Denham, in the Chair
Mr Richard Benyon
Mr Jeremy Browne
Mr James Clappison
Mrs Ann Cryer
Mrs Janet Dean
Gwyn Prosser
Martin Salter
Mr David Winnick
________________
Examination of Witnesses
Witnesses: Mr J Trevor Hughes, Executive Director, and Mr Randal Gainer, International Association of Privacy Professionals (IAPP), gave evidence. Q80 Chairman: Thank you very much for coming before us this morning. You have been told that this is one of a number of hearings to explore the suggestion by our own Information Commissioner that we are moving towards a surveillance society and, if true, what the implications are and how government should respond to that. We are particularly grateful to both of you for coming because we know that you have taken time out of a visit to London to do with your work as privacy professionals. Perhaps for the record you would start by introducing yourselves. Mr Hughes: My name is John Trevor Hughes, Executive Director of the International Association of Privacy Professionals based in York, Maine, in the United States. Mr Gainer: I am Randal Gainer, an Attorney based in Seattle with the law firm of Davis Wright Tremaine. Q81 Chairman: Thank you very much for coming and for your evidence. I begin by asking in particular about private sector companies with whom you work. Does the work that you and your members do go beyond trying to help companies not to be caught out by regulators? Mr Hughes: The very short answer is yes. Let me start by describing the profession of privacy and the people we represent. The IAPP is a professional association representing people who work in the field of privacy. We have almost 4,000 members in 23 countries around the world and do all the things that a professional association would normally do for its members. We educate them, provide opportunities for them to meet and share ideas and also certify them so they can show a credential to the marketplace and be able to demonstrate their skills and knowledge. Over the past 10 years we have seen a migration within the profession of privacy. When I started as a privacy professional I focused on compliance. 
As an attorney I focused on keeping companies out of trouble, but that is perhaps an older and more antiquated way to approach data protection and privacy issues within corporations today. We find that our members are talking more about trust and engaging consumers in a meaningful dialogue to engender trust. That goes beyond compliance and legislation and regulatory requirements and speaks to a business imperative to create a more meaningful relationship with customers. That is the long answer to your question. We find that these days most definitely companies move far beyond mere compliance to try to attain a higher and better relationship with their customers. Q82 Chairman: I am sure that is an accurate reflection of the concerns of your members as professionals. Is it universally accepted by the organisations for whom they work that this goes beyond compliance? Mr Hughes: That is a good question, and certainly privacy professionals are the converted. We believe in the field in which we work and that varies by degree depending on the company. It would be inappropriate to think of privacy professionals as limiting information flows. We find that privacy professionals to varying degrees of sophistication within different organisations try to help maximise the permissible or balanced use of data within an organisation to maximise the value that can be gained from it. It is certainly true that if we want the information economy to grow and flow its currency is data. Data must flow in order to create value. Many of our members and to varying degrees the companies for whom they work focus on maximising the permissible and valuable use of that data. Q83 Chairman: In your organisation are there as many public sector professionals as private sector professionals? Mr Hughes: It is not an even split. We have a good number - I would have to check but it is many hundreds - of governmental professionals. We offer certification for the governmental sector. 
It is notable that in the United States there are requirements placed on government that all federal agencies appoint a privacy liaison. That has led to the appointment of chief privacy officers within most if not all federal agencies. These are distinct from, say, a privacy or information commissioner as may be found in the UK or Europe. They are not regulators but privacy professionals who advise on data protection and its use within an agency. Q84 Chairman: Is there a difference in the culture of those members? As is always said, we are two nations divided by a common language. The word "privacy" in the way it is used here is often assumed to mean the restriction of the use of data. You have made it very clear that you are talking about properly handled flows of information. Do you find that the public sector professionals have that same understanding of what privacy is about professionally, or do they have a different view because they are in the public sector? Mr Hughes: I think that public and private sector professionals approach issues differently. Certainly, the issues are different. In the private marketplace professionals are trying to help organisations maximise the permissible use of data so as to create value for their organisations. They do that in ways that are certainly compliant but hopefully also in ways that engender consumer trust so as to engage in a long-term relationship with customers. It is somewhat different in governmental sectors. We do not take positions on these matters, but I certainly hear from our governmental members that they feel perhaps a stronger commitment to protecting citizens and dealing with concerns associated with terrorism or fraud. That certainly changes the approach of some privacy professionals within the public sector. Q85 Chairman: You have talked about the different legislative requirements in the States. 
Does that mean that perhaps you have rather fewer public sector professionals in your organisation from this country than you would in the USA? Mr Hughes: That is certainly the case. We are a global organisation with members around the world but most of our members come from the United States. I would have to check, but I am not sure whether we have any public sector members in the UK. Q86 Chairman: Let me put a big question but I would be happy with a brief response. In your work you see the culture of discussion about these issues in quite a number of different countries. Where would you say this country was in terms of those countries which are most concerned about these issues and those that have least public debate or concern about them? Mr Hughes: I should state that the IAPP does not take advocacy positions on privacy issues. I am happy to share with you my personal opinion. Just recently I happened to speak to Richard Thomas, the Information Commissioner. We both remarked on the contrast between a European or even UK approach to data protection and privacy issues and the US approach. One of the remarkable things we noted was that in the UK there seemed to be a greater acceptance of governmental use of data. Certainly, in terms of CCTV surveillance there is a greater willingness to allow those things to become part of communities. Just this week I saw an article about a survey in Norway which suggested that over 70% of citizens were very comfortable with more surveillance being put in their towns. I do not think that is the case in the United States. In the US I think there is greater concern associated with governmental use of data. But the inverse is also true when looking at the public and private sectors. In the private sector in the UK there is concern associated with the commercial use of data; there are concerns about discrimination in insurance underwriting, finance, housing and many different areas. 
In the United States there is a more sanguine attitude towards the commercial use of data and an acceptance that perhaps if data is misused in the commercial marketplace there are some negative consequences, for example discrimination in certain financial products and things like that, but by and large the damage that can occur is another piece of direct mail marketing which arrives in the mailbox. If data is misused on the government side in the public sector the consequences can be quite severe; one can be arrested. In view of the flip of very strong public concern but less concern in the private market in the US - again, this is just my opinion - the fact that the inverse occurs in the UK is quite remarkable. Mr Gainer: First, thank you for the opportunity to appear here today. Chairman, you asked about the differences between our countries. One is the regulatory approach typified by the Information Commissioner versus a more litigious approach to these issues in the United States. That has produced a very remarkable focus in government on these issues that is illustrated by the report, to which I believe this Committee is responding. I thought that was a very good report which raised a number of important issues. There is no counterpart to that report of which I am aware in the United States. That is a very good thing and will perhaps help resolve some of the issues that have not been resolved in the United States. The other matter is the approach to these same issues through the work that I do in representing clients who have had data stolen from them and are then sued. They have to defend what they have and have not done in that context. I believe that that is a stark difference from the regulatory approach taken here. We can debate which is more effective, but it is certainly a difference. 
Q87 Martin Salter: I was interested in your juxtaposition of public attitudes in Europe, particularly Norway, and the United States about data held by the private and the public sectors. Has the passing of the Patriot Act, which is a fairly severe piece of legislation, skewed or had an impact upon perceptions or concerns about what government could do with data, because it worries the hell out of me? Mr Hughes: We could probably spend a few hours talking about that. In the United States the debate about the balance between civil liberties and the pursuit of terrorists occurred within 24 hours of 9/11. That discussion had already started in the news with politicians, and I think the Patriot Act was a very strong response. Just recently we have seen a retrenchment from the Patriot Act. It is ironic and coincidental that Attorney General Alberto Gonzales was a keynote speaker at our conference in March which had 1,200 attendees, all of whom were privacy professionals. That happened to be the day that the Inspector General's report came out and documented how the Attorney General's office and the FBI had been misusing National Security Letters (NSLs) basically in the form of a subpoena/warrant-free mechanism to gather data from the private sector. That has created great consternation in the marketplace. I think there was a very strong response to the Patriot Act and a bit of a pull-back as some of those tools are considered by the marketplace to be too strong. Mr Gainer: It has also affected some of my clients who have international data and are reluctant to have data resident in the United States because they feel it may be accessed inappropriately through those NSLs. It has affected some commerce. For example, I have clients in Canada who have decided not to continue US operations for fear that the data on Canadian residents will be misused. Chairman: On Tuesday of this week we published a report on European Union issues. 
It referred in passing to issues to do with the sharing of passenger record data and European banking data with the US authorities. We have made a contribution to that debate in the past few days. Q88 Mrs Dean: In which countries do individuals have most control over how their personal information is used and for how long it is kept? Mr Hughes: That is a very good question and I think it speaks to the different approaches that various countries have taken. Certainly, we can look to the European Union and the Data Protection Directive and all of the implementing laws that have been introduced in Member States. We can say that there is certainly a lot of law in Europe on data protection issues. One may argue that that equals a significant amount of control for consumers. It is also possible to look at market forces and say that there have been very positive developments not really in any country but around the world through the web. Many of the tools that we have available today online give us great power to manage through our internet browser how data goes back and forth. There are cultural differences country by country which result in different approaches and different responses. It may be difficult to say who has the most. Possibly one interesting question that we can answer is: are consumer expectations, sensitive to cultural norms and societal demands, in those countries being met? Q89 Mrs Dean: Are you able to say who has the worst protection of data? Mr Hughes: You cannot plead the fifth in the UK. Q90 Mrs Dean: I will move on. Are breaches of privacy through accident or disclosure of personal data less common where regulators have strong powers to inspect and audit systems to protect information? Mr Hughes: I hope I am responsive to your question. I answer by describing the notice of security breach standards in the United States because I think it is a very interesting comparative law analysis in which we could engage. 
In California three or four years ago a very simple state law was passed; it was a page and a half, or not much longer than that, which said basically that if in respect of any unencrypted database in which certain data elements were being held you knew or suspected that any unauthorised access had occurred you had to provide notice to all of the data subjects within it that such breach had occurred. Since that time we have seen over 30 states pass very similar laws, some going beyond the California law originally passed, to offer free creditor monitoring services or other mechanisms to help protect consumers after the fact. These are very small laws; they are not very lengthy or big in scope; they do not provide a regulatory structure and it is not really a compliance-driven law but a disincentive to have sloppy data protection practices, because if your database is breached you do not have to go to a regulator or necessarily have to pay a fine, although that exists in some states; you have to go to your customers. For most organisations in the private sector that is a far more painful proposition. Certainly, in terms of the growth of the IAPP we have found that notice of security breach has led to the hiring of many privacy professionals. One can only expect and hope that dedicated people focused on issues of data protection and privacy within an organisation will do something while they are there and it will be for the good of data protection within those organisations. We have seen budgets expand and a growth in concern over data protection. I think that a strong legislative move like that has had a very effective response in the marketplace. Mr Gainer: In our meetings with German and French officials we asked them if they were aware of the extent of such accidental disclosures in their country. Typically, they were not. 
I think that is because they do not have a data breach notice requirement in those countries or here, although I understand that EU commissioners are considering the adoption of one. I think that it is an effective mechanism to motivate some companies to do more than they have in the past, but, as I mentioned in my written testimony, I do not think it is sufficient because it is very expensive to deploy adequate security both for electronic and paper records. The fear of disclosure pursuant to a data breach law has caused some businesses to do some work but in my experience it has not been enough. More needs to be done and new laws are being considered in the United States that would encourage businesses to do even more. Those models may be some that you would like to consider. Q91 Mrs Dean: In terms of the powers, how wide is the variation between regulatory schemes in those countries in which the IAPP has members or contracts? Do you see a variation of those powers in those countries where you have members? Mr Hughes: In terms of regulatory powers? Q92 Mrs Dean: Yes. Mr Hughes: Certainly, we see a broad range of regulatory approaches. As an example, in the United States there is no data protection commissioner. We have many federal agencies that deal with privacy from many different perspectives. The Federal Trade Commission (FTC) is very active in enforcement activity. Close to weekly, if not a couple of times a month, we see an enforcement action emerging from the FTC on identity theft, spam and privacy protection itself. They have been very active in guiding the marketplace by making a very strong example of bad practices in the market place. But that is not all. We also have health and human services that looks after our major healthcare privacy law. 
There is a whole host of financial organisations and agencies - the Securities and Exchange Commission (SEC), Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency - that look after financial privacy law. There are a number of agencies all of which have varying degrees of enforcement power. We work and live in an enforcement and compliance culture in the United States. By contrast, in Canada Privacy Commissioner Jennifer Stoddart has the ability to engage in inquiries, but I do not believe that she has the ability to assess fines or enforce. She can refer cases to the public prosecutor but does not have the ability independently to enforce Canada's privacy law (PIPEDA). Between those extremes we see varying degrees of ability to enforce and ability to inquire. We were with our French colleagues in Paris yesterday to hear from the French data protection agency CNIL. The staff of CNIL expressed frustration that they had to ask permission of a data controller of a company before they were allowed to come in, review databases and make sure the practices were in place. There is a great degree of variation as to how those enforcement abilities are documented and provided. Q93 Mrs Dean: We frequently hear about how personal information is disclosed when computers or disks containing data are lost or stolen. What does this tell us about attitudes towards personal information? Mr Hughes: The first thing we need to note is that the loss of a disk is not necessarily an identity theft. Disks and laptops are lost and stolen every single day. Today there is a great deal of concern with flash drives that can take an entire database of a million-plus names on a device smaller than a keychain. I think we need to recognise that there is a distinction between loss of data or a device containing data and harm. That said, it exposes that data to greater risk of harm if it is lost. 
Things like the notice of security breach requirements in the United States change our attitudes towards personal data, as my colleague described; it is changing behaviour in corporate America. I can testify to that merely on the basis of the amount of educational content and programming that we now offer our members on securing databases, training employees so they know how to do the right thing and the number of people we certify. It is certainly changing behaviour. Mr Gainer: I do not believe that it has changed it enough. In the United States about 10% of lost and stolen data is reportedly used for fraud. In the last reporting period 10% of 73 million Americans were told there had been a data breach. Therefore, 8.3 million had some sort of fraud on their accounts. There is still a lot of work to be done and as a policy matter new approaches must be considered to encourage those who hold data to do more to secure it. Q94 Chairman: Recently we had a case where one bank sent 60,000 customers' names on a disk through the ordinary post. Does that sort of thing still happen in the States? Mr Gainer: No, it would not. At times there are losses by bonded carriers, but I have no clients who would make the mistake of sending that kind of protected data through the open mail. Mr Hughes: I would draw the distinction that large, sophisticated organisations are not making those mistakes, but we always need to remember that small and medium size enterprises are perhaps not as engaged in these discussions and dialogues. I would not be surprised to hear that a small regional bank or operation of some sort was sending a disk through the mail. Q95 Martin Salter: Of the security breaches that arise, what proportion are deliberate, targeted and criminal activity and what is just straightforward corporate or public negligence? Mr Gainer: In my experience most are criminal actions. 
Typically, it is the smash and grab of laptops out of cars, or even desktop computers from office buildings. Sometimes it is electronic penetration of wireless, or even wired, networks among large organisations. There are other times when people just lose disks or other back-up tapes and so forth. Q96 Martin Salter: Or send it in the post like one of our banks? Mr Gainer: Exactly. It is perhaps negligence. But the people I have counselled are responding basically to thieves who target either the hardware or data itself. Mr Hughes: I do not think that for the most part the laptop thefts that we see are one of the key sources of security breaches. They are not really focusing on the data; they want the laptop. Whilst it is a crime it is not necessarily one associated with the data. In the United States we have had two major cases in the past few years related to sophisticated social engineering exploits where people have got in and gathered data. I think that in the case of both ChoicePoint and TJ Maxx - I understand that it has a different name in the UK but it is also a US company - criminals managed to infiltrate their systems, one through just a human exploit, saying they were people they were not and getting data, the other by sitting in a parking lot and catching wireless data on a device as it was going from store to store. In those cases the intent was harm; it was identity theft. They were trying to get credit card data in order to run up charges, but those are two of probably a few hundred notices of security breaches that we have seen in the past couple of years. Q97 Martin Salter: We have had recent reports of criminal gangs infiltrating call centres to access data. What protection do you have in the United States to stop that kind of activity? 
Mr Gainer: Of course there are criminal laws and when those people are caught they are prosecuted and sentenced, but to prevent that kind of intrusion you need a well thought through and implemented security organisation. It has to be tested, revised and upgraded constantly. It is a challenge that many organisations are just now signing up for and have not yet mastered. Q98 Martin Salter: Is it fair to say that there is an inherent risk of out-sourcing call centres to countries in the developing world in order to cut labour costs, because one could end up with considerably less sophisticated systems of protection to guard against that level of infiltration? Mr Gainer: There is a requirement in the United States that if those industries that are regulated, because they are financial, medical or whatever, out-source their data they have to ensure that the contractors meet those standards. It has also happened in the United States that out-sourced transcriptionists in India, for example, have got hold of personal data and threatened blackmail unless they are given what they want. But a sophisticated organisation can and should vet those contractors to comply with those requirements, including doing whatever due diligence and on-site review is necessary to make sure that they are dealing with people who will not steal and misuse data. Mr Hughes: Again, in an information economy data needs to flow in order to create value, but that flow of data creates inherent risk whenever it occurs. We see it as the job of privacy professionals to manage, mitigate and reduce those risks as often as possible. A lot of our programming in countries is focused on auditing, screening and maintaining out-sourced call centres, data processing centres and things like that. Q99 Martin Salter: In my initial question I asked you to comment on which sectors in the States in the public or private sector were more at risk of infiltration and penetration of data misuse. 
Mr Gainer: I do not think the fault line can be drawn between public and private because there are numerous public organisations that have very high security, for example the defence and intelligence sectors and many others. There are now federal requirements. The Federal Information Security Management Act of 2002 (FISMA) is being enforced in the public sector. There are many state and local agencies with no security practices, so there is a huge variation across the public sector and the same across the private sector. There are private institutions that have gone above and beyond the state of the art; they are building new models for the protection of data. Some of my hospital clients are doing that. On the other hand, there are small organisations that just do not have the budget or focus to do very much at all. I view the difference in that way. Mr Hughes: It is notable that one of the biggest security breaches we have seen in the US so far occurred with the Department of Veterans Affairs where two laptops that contained records were stolen. There was great consternation in the media and marketplace over that. I also think it is notable that the Office of Management and Budget, the oversight body for federal agencies in the United States, just this week extended notice of security breach requirements to federal agencies. Therefore, much like the private marketplace in the 30 or so states that have notice of security breach laws which require customers to be notified if data is compromised, now the federal government will be required to provide notice to citizens in the event their data is compromised. Q100 Mr Clappison: You mentioned the way that the law operates in the United States. I want to ask about criminal penalties that are available for abuse of personal data where the type of misuse you described to us occurs. In this country the Information Commissioner has called for a couple of penalties to be available. 
The courts can in certain circumstances already impose short sentences of imprisonment, but the Government has said that it is looking at the strengthening of those penalties. What is your experience of this? Do you think that penalties such as imprisonment work as a deterrent? What sorts of penalties generally do you think would be appropriate? Mr Gainer: As I mentioned in my written testimony, one of my clients had some data stolen and that particular thief was caught and sentenced to four years as a result of a federal prosecution. I do not see those types of criminal sanction as being very effective because unfortunately the criminal element never thinks that it will be caught and seems willing to take those risks. I do not think you can do away with them because you need that backstop to deter those who can be deterred. I do not believe that that is the answer. Q101 Mr Clappison: You are saying that you need both the greater likelihood of detection and the tough penalty at the end of it? Mr Gainer: You need detection and basically a strong defence to prevent the theft in the first place. I think a degree of prevention is called for here. Mr Hughes: I reinforce that point. The IAPP cannot take any positions on these matters, but I am happy to share my personal thoughts. It is one thing to go after the actual fraudster who is trying to get the data to create credit card accounts and steal from people. By and large, in the United States we already have criminal law that covers all of those practices. It is another thing to create law through what some may call inspired public policy that drives better data protection and data security standards at the corporate level for those holding the data. It does not prescribe what you have to do but creates consequences, so if there is a breach it is quite painful for you and perhaps it gets you where it hurts most, that is, with your customers. Q102 Chairman: I should like to pursue two elements of that. 
It has been argued to us that in the private sector the impact is the potential loss of business because customers lose confidence in a company and that hurts, but is there any evidence of companies that have experienced serious data breaches suffering a serious loss of customers? One wonders sometimes whether this is just something that is easy to say as a way to reassure the public but it does not necessarily deliver. Mr Hughes: I think it is a bit early. We have had these laws for only two and a half to three years, so the notices have been in the marketplace and consumers have been receiving them only for the past two years or so. ChoicePoint and TJ Maxx were the two that seemed to have the most direct connection to consumers being hurt. ChoicePoint was not a business-to-consumer business. Its business model was to sell data to other businesses and so it was difficult for consumers to have a reaction to ChoicePoint. It will be interesting to see how TJ Maxx will play out. There is a significant amount of litigation. A class action law suit has been announced and I think there will be consequences. I can offer one small personal anecdote. Earlier this year I got a gardening catalogue. As I do every year, I picked out all the vegetable seeds that I wanted to plant in my garden. About a month later I got a letter from Johnny's Selected Seeds in Maine that there had been a breach in its database and my credit card information might have been compromised. They did not know how the breach had happened, but they needed to notify me under state law. I do not think I will use Johnny's Selected Seeds again; I will use a different seed catalogue next time. Q103 Chairman: Mr Gainer, I gather from your evidence that you suggest the focus of new regulatory powers and penalties should be on those who hold the data and allow it to be taken rather than on those criminals who steal it? Mr Gainer: Yes, and not just an arbitrary penalty. 
One approach that Minnesota has adopted and other states are considering is to shift the cost of other merchants and banks that have to respond to these thefts to the business that could have done more to stop the theft instead of merchants upgrading their security, which is the only way to beat this very extensive plague of data theft. Once there is a data breach law, as there may be, we will see that just as in the States there is a huge uptake in the number of reported crimes. Q104 Mrs Cryer: Can you talk to us briefly about the case for introducing privacy impact assessments? I understand that in the Canadian provinces of British Columbia and Ontario and also in New Zealand these have been up and running since the late 1990s. I also understand that Canada was the first national government to make such things mandatory. Take us through whether you believe these have had a measure of success and have been useful in those countries. Mr Hughes: I can describe to you what they are and how we have seen them work in the United States. Privacy impact assessments (PIAs) in the United States have been a requirement for the past two and a half years. All federal agencies are required to have a privacy impact assessment for any programme or technology which uses personal data, and it is tied to budget so they need successfully to submit and have approved a privacy impact assessment prior to their budget being released for whatever programme or technology they are looking at pursuing. 
I think that if you were to talk to the people engaged in these private impact assessments, as I have in the past few days, they would be very supportive of and enthusiastic about such measures as a transparent tool not only for government to understand exactly what it is doing with governmental data but for privacy professionals who use this tool to assist in the development, deployment and design of these products and services and allow citizens a way to look into the operations of their government to see how things are working. I have heard from members in the United States who engage in privacy impact assessments that the process is not a point-in-time snapshot; it is not a picture of something as it passes your office door and that is it; it is an iterative process where you work on the early design stage and later you come in to work on the deployment stage. You are part of the programme throughout its lifecycle so as to ensure that not only the original design is satisfied but new issues and challenges can be addressed throughout the programme. That creates significant resource demands largely in the form of people who are expert in issues of data protection and privacy. We have found great growth in privacy professionals in the public sector in the United States who are engaged in privacy impact assessments. Even so, the Office of Management and Budget just last week reviewed the Department of Homeland Security and its efforts at engaging in privacy impact assessments. It was laudable that the department had doubled the number of privacy impact assessments that it had done in 2006 over 2004 but the numbers had gone from 11 in 2004 to 25 in 2006. In the three years it has been up and running it has done only 70 and there is a backlog of something over 100 in 2007. It is therefore a significant resource challenge for it. 
Mr Gainer: One other aspect of those assessments is their impact on civil liberties groups who try to monitor what surveillance programmes are being deployed by government and how they may impact our privacy rights. When those impact assessments are done they have been used by organisations such as the Centre for Democracy and Technology (CDT) and the American Civil Liberties Union (ACLU) in the United States to find out what is on schedule for those new types of surveillance systems. When they are done they have an important benefit to the civil liberties community at least to have some window on that kind of planning. Q105 Mrs Cryer: Do you have any information about countries that have gone down the voluntary rather than the mandatory route for PIAs? Do you know of them and, if so, how successful have they been? Mr Gainer: I do not know. Q106 Gwyn Prosser: Mr Hughes, with all the focus and attention on privacy-enhancing technologies, do you think there is a danger of creating a stark privacy divide between the rich and powerful who can afford privacy protection and the rest of us who have to endure surveillance and perhaps intrusion? Mr Hughes: Certainly, I think that it is a reasonable concern and issue to look at. I would point to the fact that in a similar way to privacy impact assessments the private marketplace has largely begun privacy-sensitive development and deployment technology so that privacy-enhancing technologies are frequently baked in as opposed to bolted on; they are part of a programme or technology as it comes out of the box as opposed to something that you have to purchase after the fact. A good example of that is the Internet Explorer browser. 90%-plus of the world uses the Internet Explorer browser. I am sure there are many arguments about whether or not that is appropriate, but the fact is that it has very strong privacy protections within it. 
Many of the technologies within the browser that are of concern to consumers and privacy advocates - things like cookies - are incredible tools to manage those functions that are built right into the Internet Explorer browser. Privacy professionals are now very active not only in demanding compliance with law from their organisations but also working their way into design and development teams so that those designs are built with privacy at the very start baked into the DNA of the product or service. Q107 Gwyn Prosser: Do you think that legislation and regulation can keep track of the acceleration in new technologies on both sides of the argument with respect to both the use of information for criminal purposes and the protection of privacy where you come from? Mr Hughes: Again, that is a very simple question that could lead to a very long and protracted discussion. As a personal opinion, I think we have seen examples where laws that try to target a specific technology find that the technology shifts, or the fear associated with that technology or its misuse goes away because the law covers it up but fraudsters just move to another technology that is right next to it which has not been covered in the original law. One thing I am certain of is that technology changes very quickly. We see that every day and every month and it is very challenging to try to approach privacy protection in a post facto way, always chasing the latest technological development. As privacy professionals we struggle with getting our heads around how data is used in every new technology that emerges. I think it is even more challenging to try to think of legislating or providing regulatory controls round all those things. For that reason we have seen many jurisdictions focus not so much on the technology itself but the use or misuse of the data and defining what data should be within scope and then putting parameters on uses or misuses of that data. 
Q108 Mr Benyon: Recent reports in the media in the UK have highlighted concerns about the capacity of companies such as Google to use data to create profiles of their customers. Reacting to that, Google has said that, for example, it would anonymise information it had gathered from searches after 18 to 24 months. How much confidence do you as privacy professionals feel we can have in decisions to anonymise or reduce the amount of data that organisations such as Google hold on us? Mr Gainer: You can have some because, first, it is in their interests to avoid regulation about discarding data. The reason that Google's search engine works so well is that it uses those saved searches at least in part to refine the algorithms for that search engine, so it needs to retain some data for that purpose and also for other marketing work. If anonymisation permits them to retain that without the fear many people have that those types of personally identifiable searches will be misused then they have an incentive to do the anonymisation. Anonymisation is a very good tool in many contexts to protect the privacy interests of all of us who are subject to this exploding technology. I do not think it is enough to say that it is moving so quickly we cannot regulate it. As policymakers, it seems that it is a choice of how to regulate because it affects privacy rights so significantly. I think that Google will anonymise its data. I think that it could be imposed on companies so they anonymise data to ensure that those kinds of personally identifiable and very sensitive searches are not misused. Mr Hughes: I have great confidence that Google will do what it says it will do. I should note that Google's privacy officer, Peter Fleischer, is on our board of directors. 
One of the reasons I have great confidence that Google will do what it says it will do is that it has privacy professionals on its staff and the consequences of them failing to live up to the promises they have made to the marketplace are dire indeed. In the United States we most definitely have a compliance culture and a statement unilaterally made through a privacy policy can be used against you under the FTC Act. We have seen that in many circumstances. Q109 Mr Benyon: So, if the company says something in the form of self-regulation and does not achieve that it can be found to have broken the law? Mr Hughes: Most assuredly, yes. Mr Gainer: And not only by the FTC but often in private litigation. We face a lawsuit where one of our clients made a representation in a privacy statement. The plaintiffs claim that it was not carried through and they seek damages for that failure to comply. Q110 Mr Benyon: It would be interesting to know whether there is similar rigour in our compliance, but for the sake of time I will move on. You have described how privacy professionals work. I think that you have described it as being part of the DNA of the project from start to finish so advice can be given as to whether a company is likely to be over‑intrusive into people's private lives or to be at risk of breaking the law. But in your experience how many companies have a designated board director responsible for privacy? What influence does a privacy officer have, for example over a CEO of one of your client companies? Mr Hughes: It varies. I am not aware of structures where a member of the board is given specific responsibility for privacy. I am aware of a limited number of situations where the chief privacy officer has the ability or is required to report to the board directly, but also report from a management perspective through the CEO. 
Chief privacy officers, like chief compliance officers, general counsel, chief risk officers and many others in organisations, work within a management structure. Sometimes they have to work by influence, strategy and cajoling and sometimes they have to have a backbone and stand up for what is right within an organisation. I think that in the United States we have a compliance culture, which is particularly driven by Sarbanes-Oxley, where organisations are very concerned about compliance issues that may not be resolved within the organisation because under that Act they would have to report those in their public reporting. That may be a mechanism that has reduced the need for privacy officers and professionals to have direct board access, because if there is a problem then theoretically that goes to the board anyway. Mr Gainer: My one client who has done the most in imposing new security measures did so because the head of the audit committee on the board required it. Therefore, it became a top-down mandate that was monitored by the audit committee. That kind of interest and leadership by the board of the organisation, which was a state hospital with hundreds of facilities, has done a remarkable job of improving its security. Q111 Chairman: Many British companies would regard themselves as dangerously exposed legally if they did not have a board director responsible for health and safety compliance. Given the importance of the issues that we have been talking about this morning, do you see a point in future when companies would routinely have a board member with direct responsibility for these issues? Mr Gainer: That is a natural outgrowth of the audit committees which are saddled with important Sarbanes-Oxley reporting requirements. If the organisation is not complying with privacy laws then that becomes a matter that may need to be reported by private companies in their statements to the SEC. I think that is a natural progression. 
Chairman: Gentlemen, thank you very much. You have been enormously helpful and also very clear this morning.
Examination of Witnesses
Witnesses: Mr Mike Bradford, Director of Regulatory and Consumer Affairs, Experian, Mr Stephen Sklaroff, Director-General Designate, Finance & Leasing Association, Mr Martin Briggs, Corporate Affairs Director, Loyalty Management Group, and Mr Nick Eland, Legal Services Manager, Tesco, gave evidence. Q112 Chairman: Gentlemen, thank you very much for coming. This is part of an inquiry to explore the Information Commissioner's claim that we are moving towards a surveillance society and, if true, how we should respond to it. Perhaps each of you would introduce himself for the record and then we will get the questioning under way. Mr Sklaroff: I am Stephen Sklaroff, Director-General Designate of the Finance & Leasing Association with which I have been for a total of three weeks. I am very pleased to have the opportunity to come along to this hearing. Mr Briggs: I am Martin Briggs, Corporate Affairs Director for Loyalty Management Group, the holding company of the group which owns and operates the Nectar loyalty programme. Mr Bradford: I am Mike Bradford, Director of Regulatory and Consumer Affairs at Experian, and President-elect of the Association of Consumer Credit Information Suppliers, a European body of credit reference agencies. Mr Eland: My name is Nick Eland, the Legal Service Manager at Tesco. I have also spent a fair amount of time doing data protection management within the business. Q113 Chairman: I am sure that a number of our questions would be of interest to each of you, but we will try to direct questions to the particular individual concerned; otherwise, we will duplicate quite a lot of areas and not get through all the issues that we would like to cover. I begin with a general question to Mr Bradford. 
When you produce credit files which contain information from lots of different sources - the electoral roll, county court judgments and so on - what is the process by which the data from those different sources is drawn together in compiling those credit reports? Mr Bradford: If I may start by explaining what a credit reference agency does and how the information is compiled that will probably put it into context. Experian as a credit reference agency sits between the lender and the consumer. The consumer will be looking for speedy access to goods and services at a competitive rate and equally a lender needs to make a responsible lending decision. The information that Experian or a credit reference agency holds is effectively very often the information that has been provided by the consumer himself by direct consent to Experian and other publicly available data sources such as the electoral register and county court judgments. Therefore, within the credit bureau the information is held either because it is publicly available or because through a lender or third-party source the consumer has given his agreement for that data to sit in a credit reference agency. A consumer may come to Experian and ask to see his or her credit report. Interestingly, there is a lot of awareness of this because part and parcel of our consumer affairs function is to ensure that consumers are aware of their rights and how they can look at their credit information. Therefore, the credit reports that we produce - we produce more than a million consumer credit reports every year for consumers in the UK - will consist of details of credit agreements that they have with lenders and any organisation that has searched their credit file, so they have an audit footprint. Again, for transparency if an organisation has looked at a consumer's file the consumer will see that recorded on the file. 
They will see any relevant information relating to county court judgments, the electoral register and so on. If there is a financial relationship with their partner - perhaps they have a joint mortgage or credit account - they will see the name of the person with whom they have that relationship but not that person's data because that data belongs to that other person from a privacy point of view. That is basically what a credit file looks like. We have statutory turn-around times to produce that information. As a credit reference agency, we have statutory obligations to deal with consumers' queries about their credit reports. I believe that last year we had about 900,000 or so consumer interactions on that basis. We employ 200 people who are dedicated to servicing the consumer part of credit referencing. Q114 Chairman: Mr Sklaroff, for whose benefit is all of this done - for me as a consumer or you as a lender? Mr Sklaroff: I think that in this case it is for both. This is one of those instances where the interests of the consumer and the lender are the same in the sense that the lender wants to be in a position to lend responsibly to a consumer. It is not in the lender's interests for consumers to become over-indebted and even further stretched. It is in the consumer's interest that the lender should have access to relevant information which bears on that point. By the same token, the information allows lenders to intervene with consumers and talk to them if it appears that the consumers are, to employ an expression used in the industry, at the tipping point, that is, in a situation where they have what appears to be a manageable amount of debt but may be trying to contract for too much which will take them into a situation of over-indebtedness. There are things that the lender can then do. Therefore, the data that my colleague has just talked about is crucial to that process. 
The other two reasons why the lenders are interested in the data are the prevention of fraud and money-laundering. The same data serves those three purposes. Therefore, one is concerned on the one hand with responsible lending and on the other with the prevention of crime. Q115 Chairman: You make it sound quite benign when it is put like that, but if government came along and said, "We are going to look at your bank account and see if you are getting into too much debt", there would be absolute outrage and reference to the nanny state. Is it acceptable for a private sector company to have such a paternalistic view? Mr Sklaroff: I believe that in this case "benign" is the right word, because this technology and the existence of CRAs has come about because the credit market is now very different from what it was perhaps 30 years ago. Then one's only way of getting credit in the legitimate regulated market, to put it that way, was to go to the local bank manager who would bring to bear to his decision whether or not to lend any personal knowledge he might have about the applicant or his family. The bank might have known you for some time and so could judge whether or not you would be a good credit risk. There are huge advantages to the consumer in the situation we now have where it is not reliant on that kind of immediate personal knowledge; it is a little more anonymous. But in order to make that system work one has to have reliable data on which the lender can draw in order to make a decision. I think that it is benign in the sense it benefits the consumer. Q116 Mr Winnick: Is not the criticism somewhat of the opposite kind, namely, that people whose financial situation is pretty dire get hold of credit cards? For example, we read in the press that people go into bankruptcy having messed around with one or another card and built up huge debts. Therefore, the accusation could simply be that not enough care is given before issuing a credit card. 
Do you accept that criticism as justified? Mr Sklaroff: I think the point is an extremely important one. In some ways this was exactly what I was trying to say. In order to detect when that kind of situation occurs this data, properly controlled with the right kinds of checks and balances, needs to be shared so that a prospective lending company when presented with a customer who says he would like another credit card or take out further credit for the purchase of a car or whatever it is, can be in a position to say that on the basis of the information available he believes the consumer is getting himself into trouble. There are then things that the lender can do in conjunction with the customer to try to put that right. Q117 Mr Winnick: That is all very well. The inevitable question is: how does a situation arise in which people with a good number of debts go from one card to another accumulating five or six accounts, despite the fact that clearly their financial situation is as I described in the previous question? Mr Sklaroff: What you describe there is a symptom of the fact that there are still things that we need to do to make the data exchange process more efficient, accurate and contain more information that is relevant to the lender. Q118 Mr Browne: When people apply for loyalty cards and such like what information about them do you collate? For example, do you know what they buy and in what combinations and when they buy it so you can track whether or not they purchase things in the middle of the night? For example, if the customer is a lorry driver you will be able to track his or her movements around the country, or even abroad if you have stores overseas? Is that true? Do you collate all of that information on each individual? Mr Briggs: It may help if I outline exactly the information that Nectar collects. 
When consumers register for Nectar for the first time we take basic contact information so we can operate the account and issue points and redeem them when consumers want to use them. We also collect some fairly basic lifestyle information including how many adults and children there are in the household, how many miles might be driven in a year and information like that. We also ask for security information so that the account can be operated securely by way of, say, a memorable word or password. That is the information we collect when people register with the programme. When people use their cards we collect the following information which is not as detailed as you have just outlined. We collect information as to where somebody has shopped, the date and time they have shopped and the total amount they have spent. We do not collect information as to exactly what that money has been spent on. To give an example, if I went to the Westminster branch of Sainsbury's this morning before coming here you would know that I had gone to that branch on 7 June at 9.30 in the morning and had spent £10 and so I should be issued 20 points but we will not know what I have bought. Q119 Mr Browne: I would not know that you had bought incontinence pads and Horlicks; I could not draw a conclusion that you would shop for products that would be likely to be bought by older people, for example? Mr Briggs: Correct. We do not take that information. Q120 Mr Browne: Is the same true for Tesco? Mr Eland: It is very similar. There are two main routes by which we collect information. Q121 Mr Browne: Would you know that a person had bought chocolate bars? Mr Eland: We do collect transactional data of each customer. The main routes by which we collect the information are the application form - the key thing is the name and address - and, when they use their Clubcard in store, we can see what they have bought whilst they have been in the store. 
Q122 Mr Browne: I assume that that is the crucial information because you can use that information to build up a profile about different categories of consumers who are likely to buy goods in different combinations and then market things accordingly? Mr Eland: Indeed. It is crucial to the programme. It is a loyalty scheme which obviously customers choose to join. It offers them benefits, but to offer them we need a certain amount of information to ensure that the way we communicate with them and market to them fits what they want to hear and see. Q123 Mr Browne: Therefore, the example that I gave a moment ago, which was not particularly sensitive, would apply in your case. You might want to come up with another example, but it still holds true that you would build up a profile of the type of person. You could probably make some fairly safe assumptions about the individual based on his or her buying patterns? Mr Eland: Yes. We collect all their data and create profiles about those customers better to understand their behaviour, again to ensure that when we do contact them we do so for the right purposes and in relation to products that would be of interest to them. Q124 Mr Browne: For how long do you hold this data? Let us say somebody has bought something they consider embarrassing or he would rather people did not know about it, albeit it is a legal product in one of your stores. Would it be possible that five or 10 years later that would still be known about? Mr Eland: We keep the data for a maximum of two years so we have full transactional data on our customers.[1] Q125 Mr Browne: Are there any circumstances in which you might consider sharing it? One would have to be a fairly slow-witted fugitive who went round the country using a loyalty card, but nonetheless I am sure that some would have those features. 
If the police said that they were trying to track someone and it would be helpful to have a sense of where they might have been in the country over the past month, or perhaps to test alibis - for example, somebody who has given his assurance that he has not been anywhere near the West Midlands in the past six months - would you be willing to impart information showing that that individual had used one of your cards in a Coventry store? Mr Eland: We do. There is a clear legislative requirement in terms of how that information would be provided under the Data Protection Act and RIPA. It is probably worth putting it in context. We have 30 million active customers and I believe that in the past year we have had fewer than 200 total requests. The majority of those are from customers themselves under the subject access process. Q126 Mr Browne: Would you give details of individual items? Let us say it is relevant to a court case. Assume somebody has denied being on a certain diet or has been of a certain weight. I am trying to think of a good example. Let us assume the person has bought some pornography, or whatever else it may be. You may disclose not just the location. If the individual items the consumer has bought are relevant to the case you will be willing to share that with the police, subject to the criteria that you explained? Mr Eland: I think the process is that a request is made by the police and we will respond to that. There is no obligation to provide it, but my understanding is that in the long term they can acquire it ultimately through a court order. The approach we take is to ensure that the request is justifiable and, more importantly, that it does not require more data than is necessary for the purposes they require it. We will then make a decision as to whether we think it is appropriate to pass on that data. Q127 Mr Browne: It is an interesting distinction. 
The previous witnesses said they thought that the difference between the United States and most of Europe including Britain was that here we were reasonably relaxed relative to the Americans about the state having information about us but we were relatively guarded compared with Americans about private companies having access to information about us. Perhaps their suspicion of big government looking at information was the other way round. You are saying that people should not assume there is a wall dividing the two and you are willing to co-operate with the state, maybe for very good and laudable objectives, but when people use your cards they should not think that that is entirely about commerce, vouchers and all kinds of bits and pieces like that; it will potentially go on the other side of the divide and be used by the police or other authorities if need be? Mr Briggs: To clarify that, I think that the statutory requirements are slightly more limited than you suggest. The Data Protection Act includes a specific exemption to enable organisations to disclose information for very limited purposes, including the detection and prevention of crime and catching a suspect. There are various restrictions imposed on that particular process on which the Information Commissioner's Office has issued very helpful guidelines. First, it requires that request to be validated so as to ensure it is coming from the purported source. The request must be seen as a specific one, not just a fishing expedition. Therefore, in terms of the example you have just given where people may have been touring the country that request would probably not be met. Once those requirements have been met the holder of that data must decide whether or not it would be prejudicial for the purposes of the prevention or detection of crime to disclose that data. This applies in very limited circumstances, which would basically be the investigation of criminal activities. 
It is not just a general permission to disclose everything that we have to any government agency that may wish to receive it. Q128 Mr Browne: On a similar note, because Nectar cards have different outlets and different companies band together as part of the whole scheme, how much data is interchangeable between them? For example, if I never buy petrol from BP because I have some reason not to do so but I often shop at Sainsbury's would BP still have the information about my shopping patterns in case they wish to entice me to buy petrol from them, knowing that the nearest petrol station to Sainsbury's that I go to regularly does happen to be a BP station and I am missing out by not using that garage? Mr Briggs: The purpose for which we collect consumer data is basically to be able to track people's shopping behaviour and to be able to market offers that they will find acceptable. Q129 Mr Browne: So, BP would have information about my buying patterns, despite the fact I had never bought anything from BP ever, if I bought something from Sainsbury's or one of the others involved in this scheme? Mr Briggs: No; that is not the way our programme works. Clearly, at a commercial level no major organisation will allow its valuable customer data to be given over to a whole number of other companies just because they happen to participate in a programme like Nectar. The way we operate is that the Nectar database is owned and operated by Nectar. The information that we collect on, say, a BP customer is clearly available to BP and maybe we will carry out analysis on that data to enable BP to send offers that it may wish to give customers. Q130 Mr Browne: Perhaps I am being slow-witted. To go back to your earlier example, Westminster Sainsbury's will know that you went there at 9.32 in the morning, or whatever. Only Sainsbury's - no other company - would know that you went there at that time and used your Nectar card? Mr Briggs: That is correct. 
Q131 Mr Browne: As far as concerns Tesco although it is increasingly diversifying into areas like insurance people tend to think of it as a traditional grocery retailer. If they know that I am buying broccoli at the same time as I buy a Mars bar it does not matter greatly, but people may have slightly different views if it is about financial services. Is all of that kept and collated in the same way? Mr Eland: They are very much stand-alone systems. The bottom line is that with the broader retail services that you refer to - take Tesco personal finance - the majority of data in relation to Clubcard is the flow of information from TPF to Tesco for the purpose of running the Clubcard scheme. One can obtain points through using a Tesco credit card, for example, and those points would need to flow to Clubcard so we can reward our customers. Q132 Mr Browne: But they are not cross-referenced. Let us take an insurance form that I have to fill out with my health details, for example whether or not I smoke. Would you be able to cross‑reference that against my buying patterns which show that I buy endless packets of cigarettes from your stores? Mr Eland: We would not, and "would not" is the key point. Q133 Mr Browne: You could but you would choose not to? Mr Eland: The scheme relies on customers trusting us and valuing the scheme. In our view, those kinds of actions would massively reduce that trust and, therefore, would not make the scheme effective. It is there to reward our customers primarily and, therefore, the concept of that sort of exercise would just damage the trust of the customers that shop in our stores. Q134 Chairman: Why not just do green shield stamps, which was what you were accused of doing when you first introduced the Clubcard? Why not have a loyalty system that does not require millions of customers to give their names and addresses? Mr Eland: The name and address is fundamental to us to be able to run the scheme. 
We need to be able to send out statements quarterly with the information attached. The application form itself can minimise that to the name and address so that all we have is the name and address and the information we collect in relation to the actual transactions. Wherever possible we try to minimise the data that the customer has to give us to be part of the scheme. Mr Briggs: We find that a lot of customers wish us to have their name and address. Strictly speaking, in Nectar you do not have to provide your name and address. Obviously, we wish people to do so because we want them to benefit from the programme, and consumers know that to benefit from the programme they need to provide contact details. To give an example, every year our customer service team receives about two million letters, phone calls and emails. Last month about 30% of those were people basically telling us about changes to their details so they could be contacted properly. It is something of which consumers see the benefit and in which they wish to participate. Q135 Mr Winnick: There seems to be concern about data sharing between the private and public sectors for the apparent purpose of tackling crime. To what extent do you say that consumers and borrowers are aware that this data-sharing is taking place? Mr Sklaroff: There is a very interesting issue about the general level of education of the public about individuals' rights and responsibilities under both the Data Protection Act and more generally with regard to the whole set of issues that we are discussing today. I think that more can be done sensibly to ensure that people are aware not just of what the data they have provided is being used for but also that they understand what they can do to check that data, get access to it and make sure that if corrections need to be made they are made. In response to your general point, I think there is more to be done. 
For example, I know that the Information Commissioner is doing work on this at the moment. Leaflets for consumers are already available. My own association produces such consumer information, but I think more can be done. On the same point, at the moment there is a great and laudable push on the part of the Treasury, the Financial Services Authority and others to raise the general level of financial education in the population at large. There may be lessons to be learned from that process with regard to owning and being aware of one's own data and understanding what it is being used for. Q136 Mr Winnick: The truth is that the organisations which you represent have as much information about all of us in this room as state agencies such as the Department of Social Security and the rest. Is that not the case? Mr Sklaroff: The truth is that the data that is gathered is different for different purposes. As you say, there is a very legitimate debate to be had about the overlap and interchange between public and private databases, but, to pick up the discussion we just had, the rules which govern the interchange of information about credit reference agencies whom Mr Bradford represents are absolutely clear that that data may be requested for two purposes only: to ensure that people do not become over-indebted and to prevent fraud. On the point about cross‑marketing, it is expressly forbidden. Mr Bradford: In the hope of putting your mind at rest, the private sector does not hold the same amount of information that perhaps the public sector holds. If I look at what a credit reference agency holds in the UK, it is effectively your credit information that you will have known is going into a credit reference agency and some publicly available information like the electoral register and county court judgments. We certainly do not have access to DSS-type social security information and so on. 
To go back to the previous comment about public/private sector data exchange, one thing perhaps we need to be very aware of from the commercial perspective is that we rely very much on trust and transparency. I am sure that there could be legitimate purposes for exchanging information between the public and private sectors, subject to the very strong caveat that the consumer is aware of what is going on, why it is needed and that it is only for legitimate purposes. I know that Richard Thomas is very concerned in some public sector data-sharing about purpose creep. You provide information for one purpose and suddenly it finds itself doing something else. From a private perspective we literally cannot do that. When it comes to public/private data-sharing that same caveat must apply very much. Consumers need to be aware of what happens. Q137 Mr Winnick: The Information Commissioner has expressed doubts about the benefit of increased information sharing in view of the dangers to individuals' privacy. Are you having meetings with him to discuss this? Mr Bradford: A critical part of my team's role within Experian is to meet with Richard Thomas and his commissioners usually about three or four times a year to discuss what we do to ensure that they are comfortable with what we are doing with personal information. As to private sector/public sector data exchange, at this stage it is not something about which we have had a specific discussion. Q138 Mr Winnick: Mr Eland, in the paper that you have circulated you refer to the analysis of Tesco Clubcard being managed by Dunnhumby. You explain why and so on. In the course of that document - this is related to some extent to the questions put by Mr Browne - you write: "At no stage do we ask Dunnhumby to analyse information on individuals. This information is accessed only at the request of the Home Office or the individual customer." 
Leaving aside the individual customer, what is the relationship between the information that you collect and the Home Office? Mr Eland: The information that we collect is for the purposes of running our scheme and to ensure that we are marketing customers properly and getting a better understanding of customer behaviour within our stores so we can improve the service we provide to them. In terms of that statement, the point we try to make is that Dunnhumby does a lot of analysis on anonymised data; it is not looking at individuals but trying to look at broad ranges of customers as a whole better to understand their behaviour and enable us to achieve the goals of the scheme. The comment about the Home Office arises simply because in relation to subject access requests and the requests by the police that we talked about earlier Dunnhumby might need to provide some information back to Tesco for the purpose of meeting those. Q139 Chairman: If I buy a lot of wine from Tesco will you try to sell me more wine? Mr Eland: We would probably send a wine coupon, if it was relevant. Q140 Chairman: In view of the Government's alcohol strategy this week, is it a good thing that you analyse somebody's consumer patterns? What if I eat a lot of Turkey Twizzlers? Would you like to sell me more? This is a serious issue. Mr Sklaroff is very keen to tell us that this data is used in order to benefit the customer and prevent him getting into debt. I do not quite see why Tesco should be trying to raise the consumption of high-fat, high-salt or alcohol products because those are the things that somebody is already buying. Beyond selling as much as you can of whatever harmful product it is the consumer is buying, where is the level of responsibility to stop? Mr Eland: I think the answer is that we constantly contact and speak to our customers to understand whether what we are sending is appropriate to them. If we fail to do that our customers would let us know by not using the scheme. 
Q141 Chairman: I may be an alcoholic. It may be that to send me wine vouchers is not a particularly benign thing to do. Mr Eland: We recognise that there are certain areas of concern. We would never promote tobacco or baby formula or those kinds of areas. I appreciate the point you make, but we are running a loyalty scheme and ultimately we have to rely on our customers to make the decision in relation to the information and the offers we provide to them. Q142 Mr Winnick: As far as concerns the information collected by Dunnhumby, is the position that the Home Office may at some stage, perhaps for very good purposes, say to Dunnhumby that it has collected information from Tesco customers for the purposes of the Clubcard and the department requires such and such information from that company? If not, I do not understand - perhaps it is my misreading - "This information is accessed only at the request of the Home Office or the individual customer." There must be some sort of relationship, otherwise you would not have put that in the document with which you have supplied us, between Dunnhumby and the Home Office. Mr Eland: I reiterate the point. I believe that the point we were getting at was that Dunnhumby analyses data at a non-personal level. It holds information and ultimately if a request is made by the police or customers we can provide that to them in accordance with a subject access request process. I do not believe that that suggests in any way that there is some kind of wholesale sharing of information with the Home Office. Q143 Mr Winnick: If not wholesale, some information? Mr Eland: No, there is not, other than the subject access process and the occasional police request. Q144 Gwyn Prosser: Mr Briggs, I am tempted to ask you what you did buy at Sainsbury's this morning. I take you back to what the Information Commissioner shared with us when we talked about our concerns about the security of information kept on us by the private sector. 
He said that there were enormous commercial self-interest pressures in the private sector to hold that information to itself because it is so valuable. That seems to be a commonsense response, but what evidence is there that that commercial pressure is sufficient to keep that evidence safe and secure? Mr Briggs: The trust of consumers is absolutely fundamental to programmes such as ours. Our programme is a voluntary one. People register for the programme because they wish to benefit from it. They have the choice of deciding how much information they provide to us; they have the choice of deciding whether or not that information is to be used for marketing purposes and how it is to be used for marketing purposes. They can choose if and when they use their card to collect points and use them. They can opt out of marketing at any time. All of these things are hard-wired into the system. The trust in our complying with all of those requests is absolutely fundamental. If people did not believe that we were fulfilling that correctly they would vote with their feet. Another question that came up this morning was whether or not data had responsibility at board level. I can say that in our company it absolutely does. A director on the main board has responsibility for data issues. Data is our business; it is what we do. It is absolutely fundamental to getting it right that the trust of the collector is enhanced. In terms of security of data, data is held securely in a number of ways: there are IT and system measures; there are policies and procedures which are requirements within the business; and there is also the cultural issue of how we train people in the business. I can go into all those in more detail if you wish, but all of those matters are absolutely hard-wired into the way we do business. We are a commercial organisation and if we do not get it right we do not make money. 
Q145 Gwyn Prosser: Mr Eland, what impact study has Tesco carried out into the effect on the company of losing this detailed personal information? Mr Eland: What do you mean by "impact study"? Q146 Gwyn Prosser: Have you looked at the impact it would have on your business if the information that you hold on consumers, including in your case details of purchases, became available to others? Mr Eland: Our focus is to ensure that that data does not become broadly available.[2] I reflect the comment - I know we say this time and again - that trust is key. Part of that is our customer feeling secure in the knowledge that his data is used by Tesco for the purpose of running its loyalty scheme. Any failure to do that obviously would damage the scheme. On top of that, we have in place the security measures to which my colleagues have referred to ensure that that data is physically secure. I am not aware of any intention to release that data in any way in a broad sense, so if that ever did arise due to a requirement by way of legislation perhaps we would have to revisit that point and consider it. Q147 Gwyn Prosser: In terms of safeguarding personal information, do any of the witnesses have any strong ideas in which areas the Government could learn from the private sector? Mr Bradford: Very much so. The private sector has run secure, trusted data-sharing protocols now for 30 years in the UK to the consumer's advantage. As to the security issue, I am sure that any data controller including a government department is aware of its obligations and, hopefully, of what good data security protocols are in terms of encryption, ISO standards, BS standards and so on, which are certainly matters to which Experian subscribe. I think that perhaps the more private and public sectors can meet to discuss and review these areas the more it is to the mutual advantage of both sectors and, at the end of the day, the consumer. 
Q148 Martin Salter: My question is probably best directed to Mr Briggs and Mr Eland. I should like to pick up the Chairman's question about whether you should just sell green shield stamps. It seems to me that you could interpret your need for identity effectively as buying names and addresses for your customers, and the by-product is that the incentive for people to hand over that information is that they can shop at a cheaper rate. How far do retailers go down the road of saying to people that there are limits to the information that they have to hand over, though obviously for commercial reasons you want them to hand over as much information as possible so you can develop market profiles? I know that the Information Commissioner has expressed some concerns about this. Do you have any plans to make it much clearer - in other words, in type slightly bigger than eight point - that when people sign up for a loyalty card there are a number of boxes they can tick to prevent personal information being shared with you as undoubtedly responsible organisations? Mr Eland: For me, an example would be the time we relaunched our application form. At that time we talked to customers about what concerned them in terms of understanding what Tesco did with the information. As a result of that, our application form has primarily optional fields. We collect only the key information that is necessary to run the scheme. We also talked to them about the data protection statement in order to get a better understanding of that. The example that comes to mind is that at one particular customer question time we made reference to aggregated data and a customer asked whether that had something to do with concrete. We try to make sure that our wording and the way we set out our statements is much clearer to customers so they understand what we are doing with the data. Mr Briggs: That is absolutely the case with Nectar as well. 
When customers sign up for the programme there is a clear statement as to the data that is collected, to whom it will be disclosed and how it will be used. For example, we do not sell data outside the Nectar programme; it does not go to companies that buy and sell lists. We make that absolutely clear. It is not just a legal requirement; it is a commercial requirement in terms of building trust with the customer. Slightly implicit in your question is that somehow consumers are required to give this data. This is a voluntary programme. If people wish to benefit and receive offers they have to tell us where they are so they can receive them. Q149 Martin Salter: Is it correct that you can have money off your grocery bill as a result of participating in a store card scheme but only if you hand over your name and address? Mr Briggs: Yes, but there are so many things from Nectar other than money off your supermarket bill. Q150 Martin Salter: For most of my constituents, to save some money by signing up for a store card is a fairly strong incentive. Mr Briggs: Absolutely. Q151 Martin Salter: If you do not hand over name, rank and number you do not save money, basically. Mr Briggs: But you can get far greater value out of Nectar by using your points for things other than supermarket shopping, for example having days out at Thorpe Park, free cinema tickets and that sort of thing. You get much more value out of your points than just taking them along and getting money off your shopping. Q152 Martin Salter: I am sure that it is a life-enhancing experience, but what proportion of your customers choose to redeem their points financially, as opposed to those who decide to have a day out at Thorpe Park or take advantage of the other goodies that you have on offer? Mr Briggs: In general terms, seven out of every 10 of our collectors have used their points. We have provided back over £800 million worth of value to collectors since we launched the programme four and a half years ago. 
Q153 Martin Salter: That is not my question. My question is how is that £800 million split? How much is accounted for by people seeking money off their grocery bills and how much by them taking advantage of the other goodies that you have on offer? Mr Briggs: I do not have that- Chairman: We are moving slightly away from surveillance and into a commercial area. Martin Salter: I will put one further question and then stop. Some of the products that one buys at stores can be intensely personal, for example medical or contraceptive devices or whatever. All that information becomes available. If somebody wants to opt out of providing that information to you how can he do so? Q154 Mr Benyon: Pay cash. Mr Eland: Or not join the scheme. Q155 Chairman: To pursue one further point, somebody wants these benefits, but, as I understand it, certainly Tesco and possibly Sainsbury's or Nectar may use the information to identify where there is a large group of Tesco customers but no local Tesco store. Is that right? As a customer I may not want my shopping patterns to be used to have my own district shopping centre put out of business by a new superstore. First, if somebody signs up for a card does he know that that information may be used for strategic planning purposes by the company? Second, can that individual opt out of having that information used in that way? Is there anything explicit that says it can be used in that way? Mr Briggs: That is not something that applies to Nectar. Sainsbury's may have its own data and use that for its own purposes. All Nectar is concerned about is having information about shopping behaviour so it can market offers to customers. Q156 Chairman: Sainsbury's does not draw on the Nectar card data to know the locations of its customers and how much they spend? Mr Briggs: They will know from our data what a consumer has spent at a particular time at a particular place. Q157 Chairman: Therefore, it could use it for strategic planning purposes? 
Mr Briggs: If it wished to do so, yes. Q158 Chairman: And Tesco? Mr Eland: Because of the nature of the data we can certainly use that to understand local demographics. One point I raise is that where one uses customer information customers have already shown a preference for Tesco. Q159 Chairman: I may well want occasionally to stop at a supermarket and also want a local district shopping centre. My point is that it is never explained to me that this may be used to put my local district shopping centre out of business and how I can opt out of my data being used in that way if I want to do so. Mr Briggs: That is not something for which the data would be used under our Nectar data protection policy. If Sainsbury's uses data information it received by virtue of its point of sale it may do that; I do not know. You will have to ask Sainsbury's. Q160 Chairman: Sainsbury's could not retrieve a geographical analysis of its Nectar card users' home addresses in order to use that for its strategic planning purposes? Mr Briggs: Our data protection policy says that the information will be shared so as to market goods and services which may be of interest to the consumer. Q161 Chairman: Tesco Clubcard information could be used in that way? Mr Eland: The answer is that Clubcard information is used primarily for the running of the scheme and for the benefit of customers. That applies across the board. I cannot give you further detail about how our insight units may use it in the ways you suggest. Chairman: If after this session there is any further information that you want to provide to the Committee on how this data is used and whether the customer has any control over it that will be very useful. Q162 Mrs Dean: Mr Sklaroff, can you say how accurate the data used by credit reference agencies is, and has it become more accurate over the years? 
Mr Sklaroff: I believe that it has become more accurate over the years because more effort has gone into ensuring that it is captured and transferred in ways that are less prone to error. This is something which the industry is keen to improve constantly because there is a clear commercial interest for the industry as well as the concerns that we are discussing today to ensure this information is accurate. If it is not, the very purpose of gathering it in the first place from a commercial point of view is undermined. If one is not getting a sufficiently clear picture of one's potential clients' credit situation, for example, one may very well end up making the wrong kinds of decisions which commercially is not an attractive situation in which to be. It is a continual process of improving the quality of the data and is something about which the industry is very concerned. Mr Bradford: Looking at it from a credit reference agency point of view, the data we hold is effectively gathered from a number of sources, one of which is lenders. From the point of view of credit reference, we have seen significant improvements over recent years in the quality of data that comes in from the industry and third parties, for example the voters' roll and so on. There are two drivers for that: one is the commerciality of it, because at the end of the day the data needs to be as accurate as possible to be of optimal value; the other is the realisation under the Data Protection Act in particular that there is a stringent requirement for data to be accurate and up to date. Over recent years with the Information Commissioner's Office we have done a lot of things to improve both the accuracy and amount of information. 
The Information Commissioner's Office has a requirement that when a record goes into the credit bureau it is not just "M Bradford" with a postcode; it must be fully populated with the title, full forename, surname, date of birth and so on so that accuracy is guaranteed as it comes into the bureau. Q163 Mrs Dean: Is one of the problems the source of income? If somebody pays off a credit card debt you do not know whether that money has been borrowed for that purpose. We all know that if someone does pay off a credit card debt he or she will be offered even greater credit. Is one of the problems that you are not able to assess where someone's income comes from? Mr Sklaroff: You have put your finger on a very important issue. This goes to the point on which we touched earlier about the quality of the data. The better the coverage of the data in terms of the financial status of the individual the more useful it is for these purposes and the better able is the lender to say that from the information available it appears that the consumer should not really be contracting the credit agreement, or whatever it is. I very much agree that what we in the industry are trying to do in conjunction with credit reference agencies and in discussion with the Information Commissioner and others is ensure that we have access to the right and relevant kinds of data to help us do that. There are categories of data which at the moment are not available to the industry. We have welcomed recent consultation issued by the DTI on the subject of historical data which predates the introduction of the current system of fair processing notices and letting the customer know that his data will be used for this purpose. There are about 40 million transactions out there that we know exist but which are not part of the sharing process. It seems to us that, in precisely the way you suggest, this is relevant information if used properly for the restricted purposes we are talking about. 
Therefore, we are keen to get access to that. Q164 Mrs Dean: Mr Bradford, you mentioned earlier that there was an increase in awareness of credit reference agencies. Would you welcome or resist moves to require credit reference agencies actively to inform people what data was held about them? Mr Bradford: To use Experian as an example of what we do and the interest in what we do, even without that mandatory requirement over the course of a year we will probably issue 1.5 million credit reports. We will interface with 900,000 to one million consumers. We have a number of leaflets that we ensure are distributed through citizens advice bureaux and so on. The awareness of what we do from that source is phenomenal. I think that people are far more aware than they used to be of what a credit reference agency does. It is not Big Brother where data sits there and there are black lists with all the other very emotive things over which at one point there was concern. We have a strategic imperative in our business to work on consumer education and awareness. I think that we are doing it anyway. Q165 Mrs Dean: Would you support the idea that there should be a positive way to advise people what is held about them? Mr Bradford: Obviously, we would without fail support it. All I am saying is that clearly there is already a lot of awareness. We try to go beyond our basic statutory requirements to inform, if they ask, but to take it out there through citizens advice bureaux and working on various government committees, like the Over-indebtedness Task Force and so on, to try to work as a public/private sector partnership to educate consumers in the round about their financial management, not just the bit that sits in a credit bureau. It is a far bigger issue than just a credit bureau; we are just part of it. That is why we try to tackle it very much on a holistic basis. 
Q166 Mrs Cryer: Mr Bradford and Mr Sklaroff, do you believe that the constant introduction of new technology is making compliance with data protection regulations more complex or simpler? Mr Bradford: We operate credit bureaus throughout the world and so see various challenges. Interestingly, the European Data Protection Directive as enacted in the UK under the DPA is very technologically agnostic. The point was made earlier that as technology moved on the same basic data protection principles applied. That is probably one of the strengths of European data protection. We are not overtaken by technology. If one looks at, say, the encryption standards that organisations adopt now - 126-bit encryption algorithms, ISO standards and heaven knows what - those have all moved on in the time since the introduction of the Data Protection Act in 1998. If it was very technologically based we would have had iterations and amendments. I think that the fact the Act itself is concerned with very high level key principles means that it can be a piece of dynamic legislation that moves with the times. Mr Sklaroff: The self-regulatory machinery which sits alongside the statutory machinery is similarly set up with a number of principles which are technology neutral. They are called the principles of reciprocity and the industry body which looks after them and makes sure that data is shared only for legitimate purposes is charged with ensuring that those principles rather than any particular detailed technological specification are applied. Q167 Mr Clappison: Following on the question of the legitimate use of data, there is concern about the criminal use of illegally obtained data. Are you confident that your member companies are doing all they can to prevent criminal access to your databases? Mr Sklaroff: I am confident. Our member companies take this very seriously. 
No system is ever perfect and more always needs to be done, but it is another area where they have not only a public responsibility to take this very seriously but, picking up an earlier point, a clear commercial interest in taking this matter seriously. Therefore, continual efforts are made on that front and I believe that the situation continues to improve. Q168 Mr Clappison: You may have heard the earlier witnesses telling us that as far as penalties were concerned they took the view that very strong measures and appropriate penalties needed to be taken to prevent this happening. We hear that various figures including the Information Commissioner have called for tougher penalties. Do you go along with that? Mr Sklaroff: We have already made public our view that tough penalties are a very important part of the machinery we have to prevent this kind of breach. We are very much in favour of that. The one proviso is the targeting of investigations prior to enforcement. As with any area of regulation, it is important to make sure that the effort is going into the areas of greatest risk among which would be those people who are quite consciously engaging in criminal activity. That is something on which we would like to see greater focus. Q169 Chairman: Another comment made by the American witnesses this morning was that, criminals being criminals, penalties did not necessarily deter them and the focus should be on punishing the holders of data who allow it to be stolen. They were talking about the responsibility to contact individual customers but also the financial penalties that one could impose on those organisations. In your evidence you have not been keen collectively on being fined for mislaying data. 
But there is a logic in the US experience, and the thing that will really focus your minds is not just customer trust but the fact that you have to tell customers and pay a financial penalty upfront should you allow a criminal to get hold of the data, whether by accident or design? Mr Sklaroff: That is absolutely true. Our point is simply that there needs to be a balance because there are many reasons why data in any given instance may have been released in a way it should not be. It is important when talking of enforcement and penalties that those reasons are looked at. It seems to me that there is a difference in principle between a company that is taking its responsibilities very seriously but makes a mistake and corrects it and a company that is quite consciously cavalier. Q170 Chairman: Mr Bradford, Experian operates internationally in different regulatory regimes? Mr Bradford: Yes. Q171 Chairman: Which regime do you think is most effective? Which worries you most in terms of the cost to you if you get things wrong? Mr Bradford: Those are two different questions. I would argue that the most effective one is the geography that provides our clients, predominantly lenders, and consumers in that country with the best balance of safeguards for data but also the ability to do business as clients and obtain goods and services as consumers. I will embellish that in a minute. If I look at the UK as an example, the World Bank, which is in the news but is fairly independent as an arbiter, rates the UK as one of the best countries, if not the best, in terms of the balance of privacy rights and the ability for data-sharing and so on. I think the UK probably has it right. The Information Commissioner in the UK adopts a very pragmatic stance to the benefit of the individual and the commercial benefits. If I look at other countries, for example Spain, it is altogether different. 
It has higher penalties not necessarily for data breach but for breaking its data protection legislation. If I look at France, that has a completely different regime which is very consumer-oriented, almost paternalistic. The consumer is perhaps not able to make a decision for himself and so the state must protect. When one has that type of approach to privacy one ends up, unlike the UK which has a very healthy and supportive credit industry, with a different type of regime. I think the most important question is the balance rather than privacy for privacy's sake, because privacy should not be viewed in a vacuum; it is there to protect the consumer but also to enable the consumer to obtain goods, services and so on. In our experience, we believe that the UK is probably the perfect example of good balance.

Q172 Mr Benyon: Do you believe that the expression "identity theft" is used as a bit of a cop-out by banks and other organisations to shift responsibility from them onto the state, if you like?

Mr Sklaroff: I do not think so. I think it is taken very seriously as a concept and a problem. For example, the industry I represent is actively engaged in discussions with the Government and others at the moment in setting up an identity theft programme which will help consumers who have suffered that to correct the problems which then ensue. It is a very serious problem which goes to the issue of trust, and the industry is very keen that it be addressed vigorously.

Mr Bradford: I very much support that. Certainly, we are working with the Treasury and trade associations, including Mr Sklaroff, on the initiative that the Government is looking at. We have operated our own victims of fraud service within Experian since 2003. This is a real issue. Interestingly, we find that a number of consumers believe that their identity has been compromised but it has not. We receive about 100 calls a week from people who believe that a credit card has been compromised or whatever.
It is a real issue but something that the public and private sectors should work on together, as we are with the Treasury. It is a collective responsibility.

Q173 Chairman: I want to turn briefly to Tesco and LMG. Obviously, you work very hard to ensure that people understand the direct benefits to consumers of using loyalty cards. How important is it to you in terms of your business practice that the public fully understands the range of uses to which the data is put? If we have one of these cards do we understand the deal for which we are signing up? We understand what we get from you but do we understand what you get from us?

Mr Briggs: There are two aspects to this, a legal and commercial one. The legal one is a requirement under the Data Protection Act to ensure that consumers are absolutely aware before their data is collected as to what that data will be used for, how it will be used and to whom it will be disclosed. Those are the bare bones of the law, if you like, but, much more importantly, if consumers really begin to distrust us and are not happy with the way we use their data they will cease to use our programme. To ensure our continued viability we must not compromise that trust.

Q174 Chairman: Recently, Google announced that it would anonymise its search engine data beyond a two-year period. Mr Eland, did you say that you kept data for two years?

Mr Eland: Yes.[3]

Q175 Chairman: Have you ever thought of saying to the users of your Clubcard that you will anonymise the data or not use it in a much shorter period than two years?

Mr Eland: I would like to make two points. One is that we keep the data as anonymised as possible so we will ring fence it in a way to ensure that as far as possible profiling and so on occurs at an anonymised level. In terms of the amount of time we keep the data, it reflects the amount of time we need to process it.
For example, some customers may shop at dot.com once a year at Christmas time, so two years is a reasonable amount of time to understand their shopping pattern and to reflect that. But we always look at retention periods. I think the underlying point from the legislative point of view is that we will ensure we do not hold data longer than necessary. If we are to hold data longer than that wherever possible it is anonymised.

Q176 Chairman: Mr Bradford, the final question is about profiling which runs throughout our inquiry, for example the use of all sorts of different databases, whether it is to predict which young people will run into trouble with the law or whether it is for the benefit of lenders or whatever. How good is credit profiling now as a real predictor of subsequent human behaviour? I ask the question because one of the issues raised with us is the dangers of profiling, that is, whether it be your organisation or others, to assume that what the profile tells you is a particularly accurate predictor of how somebody may behave. How good is it?

Mr Bradford: To start from the base point, profiling can only ever be as good as the base data that is being used for profiling. Within my own organisation we provide tools to help lenders build their own profiling systems.

Q177 Chairman: How good is that?

Mr Bradford: With that caveat, the UK for many years has been used to risk profiling, by which I mean that Mike Bradford is not a good risk because he has already had some form of default or county court judgment. We have had many years' experience in the UK of refining those score cards.
The more important challenge now, which is largely to do with the fact that in the UK we do not have objective income data, is to build profiling around affordability; in other words, Mike Bradford has never been in arrears or had a default or a county court judgment but he has a series of outstanding loans, all of which are performing exceedingly well, but one more type of loan may take him over the edge. That is the tipping point. It is the score cards that we have been developing over the past three or four years which are accurate for what they can do against the data that is there, but in the UK we will have to work against the lack of objective income data which would plug that gap.

Q178 Chairman: What is the danger that you get either a false positive or false negative? You do the profile and say to Mr Bradford that he cannot have a loan, whereas if you have full information about his personal circumstances it is perfectly clear that he can manage it?

Mr Bradford: It is difficult to tell, because with more data now being in credit bureaus there is less likelihood of that happening. But it is the objective piece that is important. What a lender has to do is take the objective, factual and accurate data from the bureau and marry it with, one hopes, the equally factual and accurate data that the applicant has provided. That is the subjective bit of it. One is reliant on two data sources for that decision.

Chairman: Gentlemen, thank you very much.

[1] Note by witness: We only use transactional data of Clubcard customers for a maximum of two years. Beyond this point, the data is anonymised and is not attributable to an individual Clubcard customer.

[2] Note by witness: We work extremely hard to ensure that such data does not become available to any external organisations. We recognise the importance of keeping our customer data secure and confidential and work extremely hard to achieve this.

[3] Note by witness: We hold full transactional data for Clubcard customers that we use for a maximum of two years.