UNCORRECTED TRANSCRIPT OF ORAL EVIDENCE To be published as HC 508 -i

House of COMMONS

MINUTES OF EVIDENCE

TAKEN BEFORE

HOME AFFAIRS COMMITTEE

 

 

A SURVEILLANCE SOCIETY?

 

 

Tuesday 1 May 2007

MR RICHARD THOMAS, MR DAVID SMITH and MR JONATHAN BAMFORD

Evidence heard in Public Questions 1 - 79

 

 

USE OF THE TRANSCRIPT

1.

This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.

 

2.

Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.

 

3.

Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.

 

4.

Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.

 


Oral Evidence

Taken before the Home Affairs Committee

on Tuesday 1 May 2007

Members present

Mr John Denham, in the Chair

Ms Karen Buck

Mr James Clappison

Mrs Ann Cryer

Mrs Janet Dean

Gwyn Prosser

Bob Russell

Mr Gary Streeter

Mr David Winnick

________________

 

 

Examination of Witnesses

 

Witnesses: Mr Richard Thomas, Information Commissioner, Mr David Smith, Deputy Commissioner and Mr Jonathan Bamford, Assistant Commissioner, Information Commissioner's Office, gave evidence.

Q1 Chairman: Good morning, Mr Thomas. May I thank you and your colleagues very much indeed for coming this morning. As you will know, this is the first evidence session of a new inquiry for the Home Affairs Committee with the title: A Surveillance Society? We are very pleased to have you with us today to open the evidence session. I think it is probably quite rare for this Committee, and probably many other parliamentary committees, to take as the title of an inquiry, the theme of an inquiry, a single report produced by somebody in your sort of position. We felt that the issues raised by the report you published a few months ago were sufficiently interesting and challenging that we should give greater attention to them ourselves. We are very grateful to you for that; and also for sharing a little in advance with the Committee the report I know you have published this morning. I wonder if we could start with you introducing yourself and your colleagues for the record, and then I will open the questions.

Mr Thomas: Thank you very much, Chairman. I am Richard Thomas, the Information Commissioner; on my left is David Smith the Deputy Commissioner; and on my right is Jonathan Bamford, Assistant Commissioner specialising in this particular area. May I start by just saying how much we really welcome the inquiry which this Committee is launching. Above all, when we published our report last year we called for public debate, and I think this Committee is exactly the right place for that debate to take place. We have provided the Committee with an updated version of that report, with a new chapter which we published today. I think that has been sent to the Committee in advance. That is the report of the Surveillance Studies Network which we commissioned. It is not our report - we commissioned it. We have supplied you with a memorandum for this morning's session setting out some views of our own. I would be happy to elaborate on those during the course of this morning. What I would say is that, to a large extent, we were trying to create a wake-up call: the march of technology; political imperatives; commercial impetuses; a whole raft of drivers moving towards greater surveillance of the population. The report contains examples of what surveillance meant in the year 2006, when it was written. It also rolls forward to 2016, ten years on, looking at technology in the pipeline; looking at various developments, all of which were sourced in that report. This is not science fiction. This goes into factual situations. It is also a lot more than CCTV. People focus on cameras in the street and think that is what surveillance is all about. We are very keen to talk about the electronic footprint which people leave in their daily lives: the collection; the sharing; the use of personal information. Every time you click your mouse, you make a phone call, use a payment card, drive your car or whatever, there is potential surveillance there. The report and certainly I, as Commissioner, are very keen to emphasise the benefits of surveillance. This is not a one-sided debate; this is a debate about balance and where lines should be drawn. We are very clear, in our own submissions to you and the report we have published, that each individual initiative may well have very well intentioned benefits in terms of the security and the safety of the public; and in terms of improvements to public and private services providing quicker, cheaper and a wider range of benefits to the public; so there are very clear benefits. Also, and I am sure we will be elaborating this, this morning, we believe it is important to recognise that there can be risks. There can be risks to individuals, and we will elaborate on that; and there can be risks to the fabric of society as a whole. Again, we would like those to be explored. I think the fundamental question which we posed in our report, and your inquiry is now posing, is: are we moving towards some sort of surveillance society, where technology is extensively and routinely used to track and record our activities and our movements? We would say, yes, there is a growth in such activity; and therefore there is a need for the public to be aware of what is going on; there is a need for a rigorous debate, particularly where these techniques are not obvious - they are invisible, or people are not aware of what is going on. We need to move towards some sort of political consensus as to where the lines should be drawn; what safeguards are needed; and how they should be applied in practice. I hope that gives you an oversight, Chairman, of the issues we are addressing. We are very happy to take the questions you would like to put to us.

Q2 Chairman: Thank you very much indeed. Can I start by asking you a very straightforward question about what it is that we should be concerned about? Is it the practical effects of the misuse of data; or is it the more philosophical objection that just, in principle, having so much data held about ourselves in some way infringes our sense of being free citizens in a free society?

Mr Thomas: I think it is both. There are some real practical issues. There are risks to individuals; there are risks to the nature of society which we are trying to secure in this country. Also I think there are some more philosophical issues about the collection and use of information, and that tends to shade back into the previous debate about what sort of society are we content to live in? The practical risks are probably more in terms of the detriment to individuals which can occur when mistakes are made, for example mistaken identity; where there is false matching and the wrong individual is identified; where there is inaccurate or out-of-date information; where there are breaches of security. These, to a large extent, map on the data protection legislation. You will be aware, I am sure, of the European Directive and the UK Act of 1998, which is my responsibility to oversee. The fundamental principles of data protection match fairly well onto these sorts of risks and, I think, have stood the test of time pretty well. We can debate how well it is being applied. I think there are some wider philosophical questions, partly in relation to why we collect information in the first place. Again, that does map back into data protection, because that does require clarity as to purpose, and limitation of purpose and for people to be told usually why and how information is being collected. I think we see the accumulation of information as having a certain inevitability about it. I do not think we are going to be Canute-like trying to say, "No more collections of information". What we are saying is the importance of organisations, whatever their motivations, being very, very clear about the boundaries of what they are collecting and how they are going to use that, and being aware of the risks that are going wrong.

Q3 Chairman: Is there a danger of over-egging the pudding by thinking up almost every issue you could be concerned about and saying, "Well, this is a product of the surveillance society"? I am struck in the report which you published this morning (and I should say that you commissioned this and these are not necessarily your views) that it talks about the surveillance society and says the results are that all too often police hotspots are predominantly in non-white areas, and supermarkets are located in upscale neighbourhoods, easily reached by those with cars. Leaving aside the debate about the choice of terminology of "non-whites" as opposed "to poor areas", which this Committee has been wrestling with over the last few months in a different context, what they are actually saying there is the problem is, because we have got surveillance, the police concentrate their efforts in the areas where there is most crime, and Waitrose put their supermarkets in posh areas. That seems an extraordinary sort of thing to link up and say, "This is all the product of a surveillance society". Surely we want the police to concentrate their efforts in the areas where there is most crime? Surely ever since Mr Marks and Mr Spencer first opened their market stall they had one eye on where their customers were going to be?

Mr Thomas: Going back to George Orwell and perhaps even earlier, it is easy to build up a picture which can be interpreted by some people as being paranoid or unduly concerned. I am very keen indeed that we should do that. The report we commissioned did paint a fairly comprehensive picture. I think it is a very worthwhile contribution to a debate; but I am not going to be endorsing every last sentence or conclusion of the authors of that report. I think there are some very serious issues there. I talked about some of the risks to society, particularly where computers without human intervention are classifying, are sorting information or processing information. The risks I think can be very real and some of those are spelt out in the report. To take one quite controversial example, the police DNA database, or the database to which the police have access; that has grown really quite dramatically in recent years. There was some parliamentary debate, not a great deal, and I think the public debate followed that - my Office was not consulted as those measures were being brought forward; and we now have a situation where a significant proportion of the entire population has their DNA on that database and there are clearly benefits, and there are clearly risks there. The point I want to make is that the proportion of young, black males having their DNA on that database is 40% of all young, black males now. It could be said that is perhaps because they are involved in criminal activities.

Q4 Chairman: I do not want to intrude too much but we will come back to the issue of the DNA database in further questions. Perhaps you are conceding my point that it may be going a little bit far to say the police use data to concentrate their efforts where there is a lot of crime?

Mr Thomas: I do not think we are going too far, Chairman, but I think there is a risk that some people may go too far.

Q5 Chairman: Can I move on to my final opening question, which follows on from that. There can be a tendency in this debate to suggest that these problems you illuminate are essentially driven by the State or by big private sector organisations; that people are doing things to the public that the public does not want to happen. Is it not the case actually that some of the things that are happening are very much driven by public demand? I gave you two examples, and on the detail of CCTV we will come back to that very shortly; but most Members around this table will say that having more CCTV cameras in our areas makes us more popular and not less popular. More substantively, the outcry after the Soham murders was that allegations about Ian Huntley, not proven convictions but allegations about him, unproven facts, were not made readily available to the school that employed him. The Bichard Inquiry, set up in the wake of a genuine upsurge of public concern, was essentially charged with making sure we had more efficient systems of spreading unproven information about individuals around the country and making that unproven information available to tens of thousands of potential employers. Surely those are two examples, and again I am not necessarily asking you at this stage to go into great detail of that particular case, of where actually the public are saying to politicians and saying to Government, "We expect you to put these systems in place; and if you don't put these systems in place you are letting us down"?

Mr Thomas: If I could answer your first question on CCTV and perhaps David, who is very close to the Bichard Inquiry, could pursue the second point in more detail.

Q6 Chairman: Particularly on where the impetus is coming from. The technicalities of it we can go into, but the impetus is not coming from the public.

Mr Thomas: I will start with the general proposition that, by and large, people value their own privacy very significantly indeed. They want their own personal information safeguarded to a great extent - we have research demonstrating that. They are rather less concerned about other people's privacy and other people's personal data. I think that is probably one of the dilemmas we face. Secondly, I fully accept that there is and has been for some time strong demand for CCTV. Our own research confirms that; and we are very mindful of that. When it gets on to even more extensive use, our report demonstrates we are already the most watched nation in the world in terms of numbers of cameras per head of population. I think there are over four million cameras and one camera for each 14 members of the population. I think our line is that is fine; there is a demand for that; but people are a lot less happy not knowing what is going on. Transparency is very important; and that is why the Data Protection Act does encourage, and sometimes requires, openness, labelling as to where cameras are, what they are being used for and what their purposes are.

Q7 Chairman: I am going to cut you slightly short on this - we will come back to the detail. Do you concede my fundamental point that quite a few of the things that Government is putting into place about data sharing and about CCTV is actually reflecting a popular demand?

Mr Thomas: In general terms I fully recognise that situation. I think sometimes it is important that politicians, commissioners and others stand up and say, "Just be aware of some of the risks involved".

Q8 Chairman: Mr Smith, would you agree, in the case of the Bichard Inquiry and those events, that that happened in response to a fairly broad public sense, which probably was not just driven by the media, that something needed to be done, and the information needed to be more widely available?

Mr Smith: The Bichard Inquiry into the events after the Soham trial are indelibly imprinted on our memory for life. I think there are a number of points to bear in mind, without going into great detail about the case. After the trial data protection was blamed essentially for the information not being shared and for the consequences in terms of the murders. Deeper investigation showed that not to be true. The information was available and should have been shared. It was the systems that fell down. It was not a question of more information needing to be made available; the system that was there did not work. You are absolutely right, Chairman, that there was pressure for more sharing of information. The Bichard Inquiry brought about a new system to enable police intelligence, as well as conviction information, to be made available, quite rightly. There is much to be commended about the system that is now in place; but we remain convinced that we could have had a system that protects children just as well with less impact on individual's privacy; without things like shoplifting convictions that people had when they were teenagers coming out 15 years later when they apply for a job. It is a complex problem, and the solution is not sophisticated enough. We could have done better.

Q9 Chairman: That is helpful. I think we will probably come back to some of those issues again.

Mr Thomas: I think it was Benjamin Franklin who said something like, those who lightly give up their liberties in the name of safety, deserve neither safety nor liberty. I think there is a certain truth in that observation.

Q10 Mr Winnick: Mr Thomas, there is a great deal of concern, and understandably so obviously, about the amount of information the Government, whichever Government happens to be in office, holds about us in government departments. Is there not an equal danger, and some may say a greater danger, on the information which is held on so many people, literally millions of people, in the private sector? What would you say to that?

Mr Thomas: I think, Mr Winnick, both areas are important and there are some overlaps in connections between the two. You are quite right to say that vast amounts of information are held on each of us in the private sector, in the financial area, in the retail area, loyalty cards and the credit reference agencies. In those sorts of areas a lot of information is held about us, as is held about us in various public sector bodies. What I would say is, in the private sector there are pressures to get it right which do not necessarily always exist in the public sector. We have had some engagement with banks recently. We have been very critical of them for the way they have been careless with people's personal records. We have secured undertakings of good behaviour from 11 banks, and we named those banks; and this shot right up the agenda to the chief executive level of those banks taking us a great deal more seriously. There are commercial pressures which do not necessarily exist in the public sector arena. There are political pressures in the public arena, but one of our missions, if you like, is to bring what is going on more to public attention so there can be a greater debate. There is another set of questions which may follow later about the extent to which the public sector, whether it is the police or the tax authorities, should have access, for example, to financial records, health records or to credit reference bureaus. Many debates are going on about public sector access to private sector data bases.

Q11 Mr Winnick: The Financial Services Authority, and I am quoting directly, says: "If you're an adult living in the UK, it's almost certain your name and details are held in the files of the three main credit reference agencies", and names those agencies. Somewhat disturbing?

Mr Thomas: It is not remotely surprising, Mr Winnick. I think it has been the case for probably 15 or 20 years now. Experian, Equifax and Callcredit are the three main agencies in this country and, yes, indeed, they do hold quite detailed personal information.

Q12 Mr Winnick: They would have information about everyone in this room?

Mr Thomas: Almost every adult. The electoral roll is the foundation of much of their work, and they hold a great deal of information. We regulate that very tightly. It was originally regulated under the Consumer Credit Act; it is now tightly regulated under the Data Protection Act. We have our issues from time to time. My predecessors some ten or 15 years ago took the bodies to the tribunal and served enforcement notices, and we moved them away from some of their unacceptable practices in those days. For example, keeping information by address now is kept by reference to each individual. They do work very hard to make sure they follow the rules in terms of accuracy, corrections and keeping it up-to-date. We do have issues from time to time when we get complaints and we deal with those as they come in.

Q13 Mr Winnick: The electoral roll plays quite a major part?

Mr Thomas: Yes, the rules were changed in 2002. Now you can in effect opt out of having your electoral information used for commercial purposes. There are some detailed limitations on that.

Q14 Mr Winnick: Is that sufficiently well known, would you say?

Mr Thomas: I think so. We had a lot of complaints about nine months ago about a website which was called B4U; and that was available to the general public allowing people to trace other people in this country. We had very large numbers of complaints, not least for example from policemen and prison officers who did not want to be traced. This website B4U was using pre-2002 electoral roll information. We took a very strong line against that; we served an enforcement notice and that activity has now stopped. We are vigilant, Mr Winnick, to deal with those sorts of problems as they surface.

Q15 Mr Winnick: Do you think there is sufficient recognition that when one signs up for whatever it may be, a store card, or agreeing to a loan, to a large extent we are really signing away our privacy? Do you think there is this recognition of the dangers involved?

Mr Thomas: The data protection legislation requires that people be told what information is being collected and how it is going to be used; but I am the first to recognise that people do not always read the small print sufficiently and do not fully understand. I wrote a publication over 20 years ago Plain English for Lawyers, and on the back of that I have been working at international level to take a much, much more transparent and user-friendly approach to what are called "fair processing notices", who are working with the Americans, Europeans and others to have a much more global approach to putting clear information upfront and not littering the information with detail which people do not want first time round. It is what is called a "multi-tiered approach". I recognise that it is an ever-going battle to make sure people do fully understand, not just when they sign up but also through the media. By far our most popular leaflet is the one about credit reference agencies; we pass large numbers of that out every year. It is an uphill battle to educate the public as to how their information is being used in that environment.

Q16 Mr Winnick: It must be quite an uphill struggle. I do not think anyone doubts that for one moment. You indicated some of the safeguards of the electoral roll post-2002. Do you feel that we should limit far more the ability of private agencies to demand personal information? Some of the personal information is very extensive indeed. This is the first session, as the Chairman has said, of this inquiry and there will be many, many witnesses I am sure from the private sector as well. Do you feel there is a case at this stage to limit the amount of information that these agencies want?

Mr Thomas: We tend not to be interventionist in the sense of prohibiting activity. To a large extent the data protection rules regulate how information is to be collected and used, with some exceptions: they do not normally prohibit altogether the collection of information. If I can go back to credit reference agencies, I think they do serve an important role in the credit-granting process. We have got fantastic amounts of money being borrowed; unsecured and secured loans; and that economy could not happen without the existence of the credit reference agencies. They do serve a very important role to ensure responsible lending and responsible borrowing. That is a debate for another committee.

Q17 Mr Winnick: Obviously this is their argument. I am not dismissing their argument for one moment.

Mr Thomas: I speak from personal experience, Mr Winnick. I was the Director of Consumer Affairs at the Office of Fair Trading in the 1980s, so I had clear insights into how the credit market worked. I do think there is merit in the argument that you need information about your borrowers in order to engage in responsible lending. It is not an absolute argument and, as with so many things, frameworks are needed; limitations are required.

Mr Smith: Perhaps I could just add that we have had from time to time discussions with supermarkets about loyalty cards and the information that is collected there. There is one issue we have been particularly keen on which is not to make people believe that they have to answer questions in order to get a card. You have to give your name and address to get a card but, in simple terms, you do not have to tell them whether you have a cat or a dog. They might like to know that information but you should be clear that it is your choice as to whether you answer that question. I think the other thing about areas like supermarket loyalty cards, it is not written but there is perhaps an unwritten contract between Tesco and Sainsburys and their customers about when you give this information you have an idea of what is going to happen to it; and you have an element of trust. We have had discussions with some of the supermarkets about where that has been threatened. It is commercial drivers that drive them. They do not want to upset their customers. Their loyalty card information is a very, very valuable commercial product. They do not want other people to get their hands on it, because they will use it in competition. There are drivers in the private sector which, if you like, assist data protection compliance which are not necessarily there in quite the same way in the public sector.

Q18 Mr Winnick: If you take, for example, the building societies, not for loan purposes but for various savings schemes they have, their questions in the main are very intrusive indeed; obviously on the financial side, as one would expect, it would not make sense otherwise; but when it comes to questions of marriage, divorce, who you live with, children and so on those questions seem extremely intrusive indeed?

Mr Thomas: I think we are getting a little away from our agenda. All I would say is, I think those sorts of characteristics feed into credit scoring techniques, because the credit scoring techniques are based on such matters as your stability and your characteristics which show whether you are going to be a high risk or a low risk. If I may say so, I think we are getting a little far away from my data protection.

Q19 Mr Streeter: Do you have the power to go into credit reference agency database at will and pick out a random file to check out that they are keeping information correctly?

Mr Thomas: No, we do not. David and Jonathan will say a little bit more about the detail of that. If we want to "assess", to use the legal wording, the processing of personal information, whether by a private or a public body, we have to have the consent of that organisation. We have said in our written evidence to this Committee we think that is not acceptable. I think we would be urging you to look at that more closely; because I think that is wrong for a regulator. Trading Standards, the Office of Fair Trading, Financial Services, Food Standards, Environmental Health, all these sorts of bodies have the power to go in. We have a search warrant power, but that is rather nuclear; that is to go in and seize a particular document or a particular computer when we suspect there has been a criminal activity. That needs a judge's warrant. For the most part, we have to work closely with those we regulate and we seek their cooperation. We take a line which is: to be constructive; to help them get it right; but we do feel that we need to have the teeth there. The teeth both deter in the first place and also allows us to make sure things are being done correctly in practice.

Q20 Chairman: When you sign up to something like the loyalty card it is compliant with the Data Protection Act; but essentially you sign up to all the purposes that the company has told you they wish to use your data for. I may want to have a loyalty card; I may not want my supermarket to analyse the data that they get from the loyalty card in order to plan where they want to open another supermarket and perhaps ruin the shopping in a market town. Should we have more choice as consumers about whether we want to volunteer all the data that is being taken off before we sign on the line and sign away our privacy?

Mr Thomas: In principle my answer is a clear, yes, although I think some supermarkets do not actually require your name and address. You can have a loyalty scheme which is anonymous. You spend so many pounds each week and you get the points and you get the rewards; you do not need to have the personal details at all and in that case that is fine. I am not aware of any supermarket which offers a two-tier approach - a card with personal details and one without, but that is conceptually quite possible. In principle my answer is a clear, yes, choice is good for people.

Q21 Mr Winnick: Mr Thomas, there is another aspect before leaving this particular section, and that is the way in which a Government intends, as it would say, to combat criminality, or prevent criminality to get information from the private sector. That would be the argument government departments would state. I know you have made some comments on this. Is there not a danger of the two combining which would indeed be a threat to civil liberties?

Mr Thomas: Yes, there are risks, Mr Winnick. The Serious Crime Bill is going through the House of Lords at the moment but has not yet come to the Commons. This issue arose during the committee stage and I was invited to meet peers from all parties about two or three weeks ago. That does have a provision in it which will allow greater access by law enforcement bodies to private sector data, particularly in the area of fraud. First of all, we are very pleased that now in the Bill there is an explicit statement that all this must be in line with the Data Protection Act; secondly, the Government I think are still considering how best to achieve this; but we have been pushing (and I think it is accepted broadly in principle) that there will be a code of practice on which we will be consulted to regulate the public sector access to the private sector databases, including to any anti-fraud organisation. Also the Home Office have accepted in principle that we should have the power to go in and inspect. I mentioned to Mr Streeter that we do not have this power - sometimes we negotiate for it, whether in return for an undertaking, as with the banks exampled earlier; but in this situation we have now got the Government to agree that we should have that power written, not into the statute - I think they are still considering that - but if not in the statute, in the code of practice. You are absolutely right, there are issues, there are risks and, as with all these areas, we need a framework to make sure that the legitimate purposes of the police and the law enforcement bodies are served by accessing this data, but it is not a free-for-all; they cannot just go in and look at everyone's data and just make merry with it; it has to be targeted, proportionate, for a defined purpose.

Q22 Mr Winnick: With the concessions the Government has made, which seem very welcome concessions, you are far less worried, are you?

Mr Thomas: Less worried than we were originally. We have had constructive dialogue with the Home Office since the middle of last year on this subject, and we put the flag up, as it were, as to what our concerns would be. As with so many of these things, they are not absolute; there is no black or white; but we do feel that the movements now being made will go a long way to satisfy our concerns.

Q23 Mr Winnick: To a large extent due to the interventions that you make, presumably, or your office?

Mr Thomas: On that one we are pleased. As always, the proof of the pudding is in the eating. Let us see how it works in practice.

Q24 Ms Buck: Can we just go back to the CCTV discussion we were having earlier. You gave us some very striking figures, and the report includes more: 4.2 million cameras and the chance of an individual being caught on 300 cameras a day. I think that was quite a depressing statement you made about people's attitudes to CCTV and the relationship between their privacy and other people's privacy. What steps do you think can be taken in public policy to advance that debate so that we are able to have a proper and balanced debate between the benefits which are, to say the least, unproven, on CCTV, and in respect of privacy?

Mr Thomas: Could I start by saying that it is not just what I might call "conventional cameras". We are now moving into new technology: digitalisation where ANPR is already being used - automatic number plate recognition; and facial recognition technology is being used. There is the capacity now to have very, very small cameras; and the report suggests, if the political will was there, they could be buried in lampposts and no-one would know exactly where the cameras were. In terms of the public debate I think, first of all, we would always want to see a rigorous debate about the benefits; and I think the jury is still out in some respects. I recognise entirely that the population like cameras and cannot get enough of them; but I think the Home Office research has indicated that there is still some doubts as to their efficacy in both certainly preventing crime, and also debates about their role in detecting crime. They do give public reassurance and I would not want to dismiss lightly the need for the public to be reassured, because perceptions can be as important as reality in this area. Assuming that we are going to stay with large numbers of cameras for the foreseeable future, then I would certainly want to push the transparency button very hard indeed. People should know where the cameras are. We have been wholly against hidden cameras, unless there is extremely good reason in very, very limited circumstances. We want maximum transparency. I am not certain we are looking for a label on every camera; particularly for roadside cameras that is not realistic; and we will share some thoughts with you about how that might be addressed. We also would be hostile to the suggestion of any sort of microphones associated with cameras. There is a debate starting now as to whether there is a case for the authorities to place microphones on the streets, and our instincts are very, very hostile to that idea. We think that would be unacceptable. There is a debate also which has started in the last couple of months about loudspeakers associated with cameras saying to people, "Pick up that cigarette packet"; or, "Behave yourself". I think Middlesbrough have been trialling this, and a number of other local authorities have now received some Home Office funding to go down that road. That may be a bridge too far; we will have to see how the public react to that. We are certainly not enthusiastic about that sort of approach. On the siting of cameras, Jonathan will have interesting ideas to share with you.

Mr Bamford: As the Commissioner has made clear, I think transparency is important. The public needs to have confidence in what is happening in terms of surveillance that is taking place. One of the difficulties that we do have in the data protection world occasionally is when we talk about different sorts of technology which actually starts to capture information about people - so imaging technology there. How do you apply the normal sorts of data protection rules, which perhaps we touched on earlier, about explaining to people when they sign up for a loyalty card they can see a nice little declaration there and make some choices? With cameras it is very different; you do not really have a choice about your image data being captured at that point. I think it is important there are signs that at least alert people to the fact that image-capture is going on and giving them a chance to find out who is involved in that because it is not always obvious, particularly in town centres; shopping centres are owned by different people than the public anticipate. A particular challenge is when we talk about the road network because as motorists, as we drive along, we might see some signs there which warn us about cameras but do not really tell us who is involved in the monitoring as we go from one police force area to another; whether it is the Highways Agency; whether it is Transport for London potentially, or anybody else who might be involved in automatic number plate recognition capture. Maybe we need to be slightly more creative there in trying to actually come up with solutions which help the public work out who is involved in the surveillance. One simple solution might be to create a website which has the road network on it; we are all used to mapping technology now, route planning; and you can click on that and actually find out who is involved in the surveillance at a particular point in time. That would cover mobile cameras and those sorts of aspects. I always thought of it in our office as something like www.cameras.gov.uk where you would not have to convey much on a road sign to allow somebody then to exercise a little more in terms of their rights to find out who is involved in surveillance. I am not saying it would not go ahead, but regularise it in some way. I think the other thing we would say as well is, transparency is all well and good; it is important as individuals we are aware of what is going on; but to come back to the other point about the growth in CCTV and the public's insatiable demand apparently for this, I think of the things that we are going to make clearer in our revised CCTV Code of Practice, which tries to make sure that CCTV-based surveillance operates in accordance with data protection law, the thing we will emphasise is the actual assessment procedure, in deciding whether to establish a scheme, should be very, very rigorous. It should not just be on the basis of public popularity, or the technological capability to do it, or the financial capability to do it. What you have really got to look at is: is this really proportionate to the evil we are trying to address here? What are we trying to deal with by having CCTV cameras? Will they actually do the trick in addressing that? If we are worried about street crime near tube stations, would better street lighting actually be much better than putting in CCTV cameras? We need a proper assessment methodology there to decide in the first place whether this should go ahead. The judgment may well be, yes, that is a proper technology to use and is a proportionate thing to do; but based on that then you actually come to what are the safeguards that should be in place in terms of how do we make the public aware about this? How do we make sure that the images are of the right quality?

Chairman: We have a large number of questions to get through. Please do not try to hang the answer to everything you want to say about a particular topic to the first question.

Q25 Ms Buck: To go back to a particular point I wanted to pursue which is the development of CCTV and the improvements in imaging technology and the fact that there is a debate now about the police looking for consistency in CCTV imaging in order to be able to make use of that technology for themselves; there are clearly risks inherent in that, and you have outlined what they are. A number of my constituents would no doubt say, "What on earth is the point of having any of this technology at all if it is not able to be used by the police; if it is not able to hone in on, let us be frank, conversations, number plates and face recognition"? How do we overcome this conundrum; that people only want the surveillance technology, if you like, if it is going to be highly effective; and yet simultaneously want to be assured of their own personal protection from that very surveillance?

Mr Bamford: I will go back to the answer that I was providing, which actually says it is all about safeguards at the end of the day that actually provide the public reassurance; and we need proper standards therefore to make sure that if the public is happy that their lives are intruded into in some way by surveillance that the images are sufficient for the police to actually identify the perpetrators of a crime. The idea that you have to send your CCTV images off to NASA to have them processed so you can identify people is clearly ludicrous. From a data protection point of view our law says that personal data has to be adequate for its purpose. We would argue that if you are going to have CCTV cameras, make sure they are fit for the job basically. We want to drive up the standards of the surveillance that is there in terms of CCTV imaging, but making sure it takes place in a context of where it actually does make a difference.

Q26 Ms Buck: The implication of this is that you are not satisfied with the safeguards that currently exist, whether that is in data protection or a code of practice. Is that what you are saying? Do you believe that there is a difference between the safeguards and the use of surveillance technology and CCTV in the public sector, effectively the crime-fighting technology, and in the use of private cameras?

Mr Bamford: Clearly the development of CCTV surveillance has been across both sectors really. There is a lot of public money being put into CCTV surveillance, and we should be begging the question about whether we are getting value for money with some of the schemes that are there, enabling them to go on. The use of that information can be wider than, say, a limited private sector scheme. I think we need to be concerned in terms of how much imaging data is caught and what purpose it can be used for, and whether there is an element of function-creep, if you like. It is like automatic number plate recognition; the idea of denying the criminals the road seems a very sensible idea. If you are matching number plates with vehicles that are wanted by the police for a variety of reasons, people who are wanted who own those vehicles, you can see how that works in real time when somebody is detained very quickly. Now, because of technology and storage capacity increase, should we keep the automatic number plate recognition records for five years, three years or two years? We move along by degrees to something which is rather different than we started out with, which is the idea of spotting a vehicle immediately and taking action in relation to it. We say, "It'll be handy to keep this for longer". In the public sector you have got a real issue about that. In the private sector we do see invasive technologies being used as well. Automatic facial recognition can now be deployed by private sector organisations. We have heard instances of saying that might be helpful in identifying people who often turn up at the returns desk of major stores because people who bring back clothes a lot maybe did not buy them in the first place and stole them, and they are trying to get credit notes for something they do actually want, or are trying to get money back. If you spotted all these people coming back then somehow that would enable you to run your business better. There are lots of people who do not like trying on clothes in shops, like me, who take them home, try them on and bring them back and worry about maybe being labelled as a shoplifter.

Mr Thomas: The underlying theme is public confidence. It is not about the exact boundaries of the law; it is: are the public confident in the cameras? If they go too far and microphones are deployed and the public really reacts against that then that is going to serve in no-one's interest.

Q27 Ms Buck: What you have been saying so far is that there does not appear to be any great sense of the public being concerned about the use of technology insofar as other people are concerned; hence the demand for surveillance cameras which are hugely popular. To play devil's advocate, the fundamental question is: if you are innocent, what have you got to fear?

Mr Thomas: It is a very, very familiar argument to anyone concerned with privacy, and David has been in this area for 15 years or more and is itching to answer that particular point. I think the general point is that you can always go on more and more with surveillance. You could say we could stamp out any form of crime or anti-social behaviour by having cameras in everyone's living room; where do you draw the lines? It is not what technology or what law enforcement could be doing; it is what is acceptable in a modern democracy.

Q28 Chairman: I have been listening to this discussion for some time and I have not yet heard a single example given to this Committee of somebody who has actually suffered as a result of the introduction of this technology. It may or may not work; it may or may not raise issues of principle; it may or may not be a good investment of public money.

Mr Thomas: You could be saying, Chairman, we are doing a wonderful job!

Q29 Chairman: We could imagine all sorts of things that may be going wrong, however we do seem to be a little short of examples, despite there being 4.2 million cameras, of people's lives being ruined by this technology.

Mr Thomas: You have not asked us yet. We can give you many examples of people who have suffered detriment as a result.

Mr Smith: There is one very well known case, Chairman, the Peck case which went to the European Court of Human Rights where an individual was photographed on the CCTV camera essentially in what was a semi-private area, in a car park. He was trying to commit suicide and these images were essentially broadcast, I hesitate to say, for public entertainment. The European Court of Human Rights found against - it was a local authority in this case. The images were essentially used for a different purpose. There are areas which go too far. This is this question of purpose. I think it comes back very much to this: cameras that listen in. If you are talking of targeted policy investigations, this is an area where you know drug dealers meet and you put a listening device in, that is targeted and that is okay. What if we are then talking about shoplifting rather than drug dealing? Is it okay to use that information for that lesser crime? If it is okay then, is it okay to put listening devices in anywhere to detect shoplifting? Where do we draw the line? I do not think, Chairman, we have any answers and we are not pretending we do. I think we can say to you that the public accepts CCTV cameras in public areas. I think we can probably safely say they would not accept cameras and listening devices in their living rooms. Where is the dividing line? We do not know but we are getting nearer to it.

Q30 Ms Buck: How can you help us to construct a framework for a policy debate that allows government and the public to discuss where those lines are drawn? At the moment, I think it is extremely difficult to be able to frame that debate. I think we really need to be able to pin that down.

Mr Thomas: On cameras and related issues, we will send you the updated version of our code of practice during the course of your inquiry. The existing code has been there for about seven or eight years now. It is out of date. We are moving rapidly now to finalising the updated code. I am afraid it is not ready for this morning but we will share that with the Committee, if you would like that, as soon as possible. That will set out our approach. It will have some clear dos and don'ts and it will be our attempt to apply the more principled debate we are having this morning to the practicalities of camera deployment. We can give you many examples in the area of database problems where people have suffered as a result of information either being incorrectly on a database or being used inappropriately.

Chairman: Thank you very much.

Q31 Mr Clappison: I heard you a moment ago drawing distinctions between different types of criminal activity and the extent to which you would allow use to be made of information technology. You did not mention terrorism in that. I hope you would take full account of the huge public interest in dealing with terrorism and the serious detriment there can be to the public from that. Will you be giving it a lot of leeway, given what we hear about the scale of the problem?

Mr Smith: Terrorism is, if you like, the highest in the scale, but there is still a question, even with terrorism, as to how far you go in intruding into the private lives of everybody in the country in order to fight against terrorism. In everything there is a question of proportionality. A greater degree of intrusion is proportional in fighting terrorism than it is proportional in fighting shoplifting.

Mr Thomas: There are some important exemptions on national security and law enforcement in the Act. We fully respect that. This is not a popular or easy thing to say, not least after yesterday's trial - we recognise the cross-over on this debate - but, sometimes, when the threats are the greatest, the need for safeguards is the strongest. Liberties are involved here. We are going to come on later, I am sure, to talk about privacy impact assessments. I have with me a pamphlet from the Department of Homeland Security which is right at the front of the American fight against terrorism, and they are taking privacy and safeguarding that extremely seriously. Worldwide, there is a recognition of a balance. Yes, the fight against terrorism is paramount, but, even there, there has to be some framework to make sure the authorities do not overstep the mark.

Q32 Mr Streeter: It is a fascinating debate. I am going to ask you a couple of questions about information sharing between government departments, but before that I would like to ask you a question, because I have not quite got to the bottom of this in my mind as I am listening to you speak. I know you are ruled by a couple of statutes, but do you have in your own minds a kind of golden rule or overarching set of principles which is your compass. Surely your job is not just about getting the balance right. Do you have a golden rule?

Mr Thomas: We have a way of reconciling the data protection and the Freedom of Information Act that says we exist as a statutory independent body to improve public access to official information and to protect your personal information. I recognise that is very general. Going down a stage further on the data protection side, I would articulate it in terms of a society where there is proper respect for the integrity of people's personal information, where there is proper respect for their privacy, where people, as far as possible, know what is being done with their information and how it is being used and there are safeguards in place. I reinforce the point I made earlier, Mr Streeter, that it is not to prohibit activity; it is to regulate it. Please do not forget that data protection has its origins in Continental Europe, and in the 20th century in Western Europe and Eastern Europe. Some of my colleagues, as Commissioners in Poland and other countries, have seen the real evils of a surveillance society and they talk to us about those within their recent memory. Data protection has its roots in a human rights concern, not ever, ever to achieve in Europe or elsewhere that sort of environment again.

Q33 Mr Winnick: There is a film about that.

Mr Thomas: The Lives of Others, yes - a sort of data protection film.

Q34 Mr Streeter: Government databases, information stored about us. Could greater use be made of personal opt-ins and opt-outs without undermining the whole reason why it is important that information is stored about us by government departments, do you think?

Mr Thomas: I think you have to start the debate by recognising that there is a lot of pressure now for more information to be shared across different parts of the public sector. Sometimes that is not particularly controversial or not particularly difficult. In relation to the sharing of information between the tax people and the social security people, most of the population expect that goes on already. That would not be at all difficult. The sharing of information between the tax authorities and the police authorities, or between the health authorities and the police authorities raises far more controversial and difficult issues. I am not being at all evasive but you have to take a case-by-case approach. There is a Cabinet committee looking at these issues. We are pleased we have been asked to contribute to that. There are visions and statements coming forward all the time in that area. I think our input has been welcomed and we are putting forward a so-called framework code of practice, a code of practice overarching all these different initiatives, trying to set out some of the principles in the sorts of terms I have been sharing with you this morning as to what is clearly unacceptable, what is okay and how to approach the middle territory. We are hoping that this code of practice will influence the specific initiatives where information is going to be shared more regularly. On your specific question of opt-ins and opt-outs, it is not normally going to be very easy. I do not think government is going to be wanting to go down this road, because it is not like in the private sector where you do have a genuine choice: you can choose that holiday or that loyalty card or that bank account and you can shape your choices according to what is on offer. When you are dealing with the Health Service, the police, the taxman, by and large there is not much scope for choice. Having said all that, in particular areas I think there will be scope as you go forward for more to be expressed by way of preferences; particularly, for example, in electronic health records. That is a massive subject which your sister committee, the Health Committee, is looking at. We shall be coming forward there shortly. It is a very challenging area in terms of privacy, in terms of safeguarding information. There are all the benefits of sharing information between doctors and hospitals and specialists - and I am the first to recognise the benefits - but the risks are also very great indeed. There may be scope within that. We are exploring with Connecting for Health the scope within that to tailor people's use of patient information more in line with their personal preferences.

Q35 Mr Streeter: As an aside, Chairman, it might be appropriate to get a member of that Cabinet committee to come to this Committee to give evidence. I was not aware of perhaps the new season of government information-sharing which is about to break out. In relation to the Government's Child Index, you have made some observations to the Government about that. Could you explain your thinking. Do you think such an index should relate only to children at risk and not to all children? I think I agree with you but it would be helpful to have an explanation .

Mr Thomas: Could I pass that one to Jonathan.

Mr Bamford: It is a very, very emotive issue when we start talking about children and what is best for children. One of the things that has perhaps been flagged up in the report by the Surveillance Studies Network and other research that we have commissioned specifically on children's databases is that we have moved much more away from just child at risk issues to child welfare issues more generally and trying to improve life chances. That has pushed us along to more and more information being gathered about children. During the lifetime of the Children's Index its ambitions started out as rather greater and have fallen backwards a little bit into being almost like an index of children and those practitioners who have an interest in children, so it is more limited than perhaps our original concerns would be in terms of data content. I think our philosophy has been that if we are particularly dealing with issues to do with children at risk, it is already difficult to find that information. We often use the phrase: if you are looking for a needle in a haystack why do we keep building bigger haystacks all over the place? We want information of the right quality relating to the people who really need care and concern attached to them, where people should take seriously the responsibilities in respect of those children. The simple acquisition of more and more information does not actually mean that people make better judgments. It will become overloaded. We have certainly heard it said from those who are involved in the early child welfare issues that sometimes it is more social workers we need rather than more information because we already have that much information we cannot act on. From a data protection point of view, we beg the question: Does the information that you say you need really make a difference? If you are keeping it, is it going to be easy to keep it up-to-date? The more and more you keep, the more problems you have in keeping information up-to-date, and the more and more you keep, the greater the collateral impact if that falls into the wrong hands. A data minimisation concept is something that we are quite keen on.

Mr Thomas: Going back to your question, I am quite, quite clear that the case for an index of children is very much greater for those children who are, or who are perceived to be at risk, than is the case for a universal database of every child in this country in the more nebulous name of promoting their social educational welfare. I think the second part is a great deal more doubtful. I stand by the views I have expressed on that.

Q36 Mr Streeter: I would certainly agree with that. Finally, you touched on this, Mr Thomas, in your opening remarks to me. Do you think there could be more benefits if more government departments shared data than they currently do; for example, HMRC and social security? How could we also safeguard the public if that were to happen?

Mr Thomas: There are benefits - and I am the first to recognise that - but also risks. I am sorry to be boring but it is a point I have to keep on making. We had some debate with the Audit Commission. They have a thing called the national fraud initiative to identify individuals who, for example, might be employed by a local authority at the same time as unlawfully claiming housing benefit. We had some concerns about the way they were using data-matching techniques and data mining. With hindsight, I think they would say they were going a bit too far. We had a battle with the Audit Commission which actually resolved itself in a very constructive way. We now have a code of practice which my office and the Audit Commission have signed up to which both sides are very happy with. Indeed, it will be not quite the template but the starting point for the wider code on information sharing I mentioned earlier. It is now held out as a very good example. Recognising the benefits, to go back to the point made earlier in another context by David: if you are clear what you are trying to achieve with data sharing, it is fine, but if you go too far, if you do not have the safeguards in place, you will forfeit public trust, you will alienate people and you will defeat the purpose you are trying to achieve. There was a report commissioned by the DTI about a year ago from the Council of Science and Technology. It said, if I can summarise, that with technology and sharing you can do almost anything these days but just because technology allows it to happen does not mean to say it should happen. There have to be clear political choices being made here and there have to be proper safeguards in place. Otherwise, you will forfeit public trust and confidence.

Q37 Mrs Cryer: Further to what you have just said, apparently your office have said that when the Identity Cards Act 2006 is implemented it should be consistent with the Data Protection Act 1998. Surveillance Studies Network believes that once ID cards are introduced the Government's reliance on those providing both technological and commercial expertise will increase. Could you say what implications you feel this will have on individuals?

Mr Thomas: A big question, Mrs Cryer, and I am sure the Committee does not want a complete re-run of the identity card debate. I was before this Committee I think three years ago.

Q38 Chairman: Certainly not, and I know Mr Winnick would not like it either.

Mr Smith: It has been through Parliament.

Mr Winnick: My views have not changed.

Q39 Chairman: Nor have mine.

Mr Smith: I did express strong views to this Committee and elsewhere. When the Bill was going through Parliament, I took the view that it was not right for me, as an appointed official, to engage in the political debate and the Bill is now the Act of Parliament. Now we are moving to the stage of implementation and we have had some dialogue with the Home Office and the Passport and Identity Service which will be rolling out that programme. That programme is going, I think, a little bit slower than perhaps had previously been suggested. We have concerns. Some of these are continuing concerns. We have concerns about data quality. Until it was announced, we were not aware that there was going to be a change of course. They are now going to be using information from the Department of Work and Pensions to populate the initial National Identity Register. Our concerns have always been the register behind the card. It is not the plastic card that causes the concern; it is the database. We have some concerns about the fact that the DWP has not had what one might call a completely clean database in the past and there are some anxieties about the data quality of imported data. We have always expressed anxieties about what is called the data trail. It can be an audit trail. We recognise there is a tension there, but the more that information is kept about every transaction with your card, every time your details are searched, the greater the risk in surveillance terms for individuals. That does begin to build up a very comprehensive picture, available to the state about your activities, which people may not be at all comfortable about. I think the controversy in more general terms will run for some time yet but we need to see how it rolls out in practice now.

Q40 Mrs Cryer: Further to that, still bearing in mind the introduction of ID cards, do you feel the data protection is adequate, or is there a need, or will there become a need for more specific powers to regulate different types of surveillance as technology develops?

Mr Thomas: I would like to invite my deputy David to say a little more about the role of the National Identity Register as a universal identifier, with the ability, not necessarily in practice, to connect together all the different schemes. To a certain extent, the fact that government and commerce are not joined up in practice provides some safeguards. If you have separated fragmented collections of information, ironically, from a citizen's point of view, that has certain advantages. It has certain drawbacks too but certain advantages. Whether using the National Identity Register or by other means, as you go down this route of drawing all the threads together then incrementally the big picture builds up. This is quite a subtle theme, and it comes out of the Surveillance Studies report. I do not think they are criticising us, but they say that we are looking at the individual schemes and giving red, green or amber lights to individual schemes, but are we sufficiently looking at the big picture and seeing how that is impacting on the citizen? The Government talks about public services being citizen-centric, and that is welcome, but is anyone seeing it from the point of view of the citizen in terms of all this information being collected and shared about them? The National Identity Register could - I emphasise, could - undermine public confidence in this collection of information.

Q41 Chairman: Are you saying, in a sense, that the audit trail of when I use my ID card might perhaps be of less concern to me than would the state getting hold of my store cards and my credit cards, because if they had details of where I shopped and my financial transactions that may give the state far more information about me than the number of occasions on which I have identified myself.

Mr Thomas: I am not sure you could separate the two debates. If identity cards were used to prove your entitlement to drink in a pub at 18 years old or otherwise prove your entitlement to access certain private sector goods and services, then there could be a record of that transaction going onto our database. That would give the state more information about your private life but I think we are more concerned about the use of the national identity scheme in its dealing with the public sector, whether it is the police, the Health Service, the Immigration Service, Criminal Records. That is the main are of our focus and I think it will probably confuse the debate to worry too much. I think it is more fanciful to look at the extreme possibilities in accessing your purchasing activity.

Mr Smith: The Surveillance Studies report really paints a picture of a lot of developments, developed with good intention, for benign reasons in many cases, which, when coupled together, are starting to change the nature of the way in which we live. But they are isolated developments. The idea of an identity card and an identity number and a traceable database and this being used in all sorts of places, as Mr Thomas said, makes it much easier to link these different developments together. Even across the private sector - and it may be an extreme example - if you have one number used for tax purposes and the same number is available for your supermarket loyalty cards, the tax authorities could look at what you are spending your money on and see if that fits in with the lifestyle you trade in your tax returns. At the moment, one reason that does not happen is because technologically it is virtually impossible. If you put the same number in each database, it becomes relatively easy. It may come down to other reasons, but what was unthinkable because of cost and technology a few years ago is not unthinkable now. There is very little that is not possible. The public policy questions and the data protection questions come to the fore because the cost and the technological questions have disappeared.

Q42 Mr Clappison: Could I ask you a little bit more about access by different government departments to centrally held data. You have touched upon this already. You have mentioned what would be happening with the identity card and you have also mentioned public sector access to private sector information. With access by government departments to centrally held data, do you think it is properly dealt with in terms of regulation by the Data Protection Act?

Mr Thomas: The debate about surveillance is not unique to this country, by the way, the same debate is happening on a worldwide basis, but I think this debate reinforces the importance of the underlying data protection principles as a foundation to protect individuals. I have been Commissioner for over four years now and I was concerned that data protection had a rather mixed reputation, shall we say. It was seen as often a bureaucratic imposition. People were quick to hide behind data protection: "I can't do this because of data protection." We have all heard it in our different ways. I would be very keen to bring out - and I think the surveillance debate does bring out - the fundamental importance of such principles as accuracy, security, keeping information up-to-date and so on. I think it has stood the test of time. It has been developed in a way which is technology neutral, so, although we have seen fantastic changes in the last 20 years and I am sure we will see even more over the next 20 years, those basic principles are technology neutral. I think there is a much wider acceptance. Data protection is now seen as an essential safeguard against excessive surveillance and it does provide benefits to people. In some research about a year ago now we asked a question about people's social concerns. In rank order, crime was number one; education was number two; protecting your personal information came third in the league table. That was ranked by 86% of the population. It was way ahead of concerns about freedom of speech, ahead of concerns about the environment and so on, so people do care about it. If I had asked them about data protection, I dare say it would be ranked much lower down the list.

Q43 Mr Clappison: Surely part of that public reaction will be protecting their details from criminals rather than use being made by central government.

Mr Thomas: As with any survey, it depends how you interpret the question. The question was put very broadly in terms of safeguarding your personal information. We had the same question two years running. My own office has exposed a wholly pernicious black market in the buying and selling of personal information. We published two reports last year and the Government is now going to legislate to introduce a custodial sentence to deal with that particular mischief. Yes, it is a problem. It has a read-over to the issues we are discussing this morning. The question we asked was cast in much wider terms about threats to privacy; that wrong choices and decisions can be made about you if people use your information in the wrong way.

Q44 Mr Clappison: I think in your answer you have implicitly accepted the conclusion of the Government's review on public services, that restrictions on sharing data can hamper the delivery of services. But you are saying that that can be addressed and there is this need for the safeguards in any case because of the issues of accuracy and so forth which you have mentioned.

Mr Thomas: The Government, understandably, said that if there is to be more sharing of information then we need to have stronger safeguards. They have talked about the role of my office but they have also linked that to the prison sentence for those who hack into the systems by impersonation or by payment.

Q45 Mr Clappison: Do you think the Government should be required to put in place codes of practice for information-sharing in the public sector?

Mr Thomas: I am not sure whether the question puts emphasis on the word "required". I think the Government is going down this road in any event and therefore there may not be a need for legislation, but I think that is a debate which could be had. There is almost a plethora of codes at the moment and one of our concerns is that there can be too much guidance. It sounds ironic but you come across situations - and the research proves this - where lots of people in the police and social services and health have drawers full of guidance: they shove it in the drawer and never read it. We are trying to have a more consistent approach. That is why I talked about the framework code which we are developing for public sector information sharing which could then be applied in a more targeted way in a particular environment.

Q46 Mr Clappison: You think that will be streamlining a lot of what is taking place in other codes of practice.

Mr Thomas: Exactly that. If there is not a maintenance of the current enthusiasm for codes of practice, then I think there may be a case for a mandatory requirement. I am not ruling that out but I hope, particularly with government, we can achieve that on a more consensual basis, because an imposed code is never one which is going to work. The whole point of codes of practice really is to get something which is going to work in practice which is achieved in a constructive spirit.

Q47 Mr Clappison: Coming at it from a slightly different direction, on the basis of what you have seen and your experience: other than creating a central database for use by public services, what steps do you think the Government could take to increase the efficiency with which it retrieves and uses data?

Mr Smith: I think we are getting close now to privacy impact assessment. I am not sure whether the questions are going to come on to that.

Q48 Chairman: We will come on to that later.

Mr Thomas: We see the privacy impact assessment as a really important way of addressing the particular question you put, Mr Clappison. The fundamental message for me to send to a government department, a local authority, a police force is: Think before you act. If people think through what they are trying to achieve through the use of personal information, think through what the risks are, make sure they do not go beyond what is necessary, then I think we will get it right. But if people get sold a whizz-bang computer which can assemble lots of information and therefore will use it and just let anyone have access to that, then it is going to end in tears.

Q49 Gwyn Prosser: Mr Thomas, we have been talking about the general sharing of data across databases. I want to ask you specifically about tests and safeguards put in place when the police want to interrogate a particular database to progress their investigations. We have touched on these issues but do you think the present tests, present safeguards and assurances, are adequate?

Mr Smith: Much depends on what information it is the police want to access. We have the Regulation of Investigatory Powers legislation. That controls telephone tapping but it controls access to telephone records and the like. We do not have any problems with that legislation. There might be matters of detail but the whole thrust, that the police have to do a proportionality assessment and check whether access is right in relation to the crime they are investigating, is correct. There are also exemptions in the Data Protection Act that allow organisations to give information the police which, if you like, in ordinary circumstances they would not be able to give. Again, there is a similar sort of test as to whether enforcement of the law would be prejudiced. I do not think data protection provisions there stand in the way of the police accessing databases. We are seeing more of the building of up collections of information. It is not information that people are holding for their business purpose and to which the police are getting access; they are being held for policing for the first time. Telephone records are one example. Essentially, telephone companies may have needed to keep records for six months or a year, but partly through UK legislation, partly through a European Directive, there will be a time period for which they are being kept beyond the business need of the telecoms provider, where they are a resource for the police if they would be useful to an investigation. With automatic number plate recognition, the simple approach to that would be to say that you set up a camera, you run the results against, say, the DVLA database and you stop people whose cars appear not to be taxed, so you do not need to keep the data - or you may keep it for a week or two, just to check. Now they are talking about two or five years so we can track back. That is what is changing. It is these big collections of information being held in case they come in useful.

Mr Thomas: We had a case recently where a 48-year old woman, when she was 14 years old, had been convicted of assaulting her careworker and had been given an absolute discharge. She discovered, because her neighbour was a policeman who improperly accessed the police national computer, a record of that conviction. It was true, it happened when she was 14-years old and it was still on the police database. In another case, an accountant, who wanted a Green Card to go to America, had stolen his father's car when he was 18-years old. That was still on his record and that prevented him getting a Green Card to go into the United States as a chartered accountant. These are examples - and there are many more like this - where even accurate information, let alone the problems with suspicions or untrue information, can cause detriment if it is kept for too long.

Q50 Gwyn Prosser: Those are matters about how long you keep this information stored. In terms of access, let us take a children's library. Some children's libraries use a fingerprint system now. How difficult would it be for the police to have access to that? How serious a crime and what test would they have to pass to be allowed access to that, which could be very sensitive

Mr Smith: At the moment the test is with the school. The police make an access request. The school looks at: "Would we breach the Data Protection Act if we respond to the police?" If they can say that not giving the information would be likely to prejudice prevention or detection of crime and does not say a level of crime, or the apprehension or prosecution of an offender, then they can give that information without breaching the Act. A low level of crime would justify that. The information might be of limited use to them because of the way it is stored. Those fingerprint systems in schools would not necessarily be compatible with the way that the police use it. But the test is fairly low.

Q51 Gwyn Prosser: Would the school or library have to inform the youngster or the parent?

Mr Smith: They would not have to, although we would recommend as part of good data protection practice that they do notify people, unless doing so would essentially be a tip-off which would harm the police investigation.

Q52 Gwyn Prosser: We have talked about store cards and I would like to ask you about police access to store cards. How reasonable would it be for the police to say, "We want to access a whole series of store cards, because a particular item has been found and we want to see who has had possession of such an item in the recent weeks or months." Would that be far too wide a net to cast?

Mr Smith: The police have accessed store card information in the course of crime investigations. We would expect a supermarket to say to the police: "Look, have you narrowed down what you want? You are asking us to give this information. We have a decision to make. Have you narrowed down sufficiently what you want and is the crime sufficiently serious?" We had an example not so long ago to do with airport workers. There had been an incident and the police asked for details of everybody who was on duty between certain hours. We basically said, "Where did the crime take place? What was the nature of the crime? Actually you only need this smaller group." But you do need a group. You cannot pin down one individual because you are looking at suspicions. That is the whole approach: narrowing down what you need.

Q53 Gwyn Prosser: Would you consider there would be sufficient narrowing down in a case where the police said, "We want to do a widespread search of store card purchases in order to gauge the lifestyle of particular individuals"?

Mr Smith: I hesitate to say, off the top of my head, "That's going too far" but that is my initial reaction. Are you really seriously going to be able to help a crime in that area? We would be most concerned where you have no crime and you go and look at the lifestyle information to look for -----

Q54 Gwyn Prosser: Fishing.

Mr Smith: Yes, fishing, absolutely.

Mr Thomas: One can see, in the fight against terrorism, that if there had been a purchase of materials to build explosive then one might want to track through all the suppliers of that and see where sales went. But on the more general question, the banks, for example, are very precious about maintaining confidentiality of banking information. I am not sure if people like Nectar are giving evidence to this Committee but they would have strong views to share with you on police and other access to their database which they do safeguard very jealously.

Q55 Chairman: I gather from what you said to Mr Prosser that, in principle, you are quite happy with the threshold of tests that the law applies

Mr Thomas: Indeed. Section 28 national security, section 29 law enforcement. Those are in the statute. We are happy with those.

Chairman: Good. Thank you.

Q56 Mrs Dean: Before I move on to my question, could I ask whether it could be beneficial for the Child Support Agency, on behalf of parents with care of children, to be able to access lifestyle information on people who should be paying to support their children.

Mr Thomas: I am not familiar with whatever legal powers they have. It may be that the Child Support Agency has powers to inspect tax records and work records and bank records. My colleagues may know in more detail than I do but I think we would start with the proposition that a body like that has a job to do but if it is going to obtain information from elsewhere then that must take place in a way which is lawful and fair and then fulfil all the other data protection principles. We deal with a very wide range of bodies and I am afraid I am not familiar with exactly what the powers are. If they can make a good case out and that would be acceptable in fairness terms and they have the legal power, then I would have thought that would not be a problem.

Mr Smith: It is a slightly different point but I think it is worth bearing in mind, Chairman, that you are often faced with conflicting public policy objectives in situations like this. There is clearly a desire to decrease things like benefit fraud - which you might be talking about in the area of the Child Support Agency - but there is also a desire to increase the take-up of benefits by eligible people. The more you ratchet up what you collect from benefit claimants and the more widely you share it, there is a real risk that you will put people off claiming. You see the same in the Health Service. There are some very interesting arguments in the Health Service.

Chairman: I am going to stop you, Mr Smith, because we are going way off the question.

Q57 Mrs Dean: Data protection gives the right to know what information is held about us but we can give up personal information without realising it. You mentioned earlier that work has been done on health-related databases but should we have clearer rights to decide whether our data can be shared, even if in that opting out, for instance, of health-related databases we accept that there are risks in not sharing the data?

Mr Thomas: Again, I think it depends on particular circumstances. We had an exchange earlier about health records. If there were a scenario where you insisted that your information stayed with your GP and was not to be shared under any circumstance with hospitals, then I would certainly expect the risks of that to be spelt out, so you would be told, if that choice were to be available, by exercising that choice you are running a very serious risk that if you are taken by ambulance to the local hospital they will have no information on you. That is a fairly obvious example of spelling out the consequences to people. We talk a lot about choice but I think the general proposition is that any choice has to be an informed choice and that is why we put so much emphasis on transparency and fair processing notices, so that people are told why the information is being collected, how it is going to be used. It does not really matter if 100% do not read it or understand it; the mere discipline of the obligation of the organisation to have to put in writing and to communicate with their customers or their citizens why they are doing it in itself is highly beneficial. This point arose earlier and I think we accepted that many people do not read the small print and do not fully understand it. The mere fact that they have to communicate in itself I would say is a public good.

Q58 Mrs Dean: What effect do you think an increase in penalties from unlawfully obtaining personal data will have?

Mr Thomas: Quite dramatic, I hope, because there is a very pervasive and unacceptable black market out there. There is a network of private investigators. Their clients include banks, insurance companies, newspapers, law firms. For a wide range of reasons this personal information is being obtained from many organisations. For any member of this Committee or any member of the public here I could say what the tariff is for getting your personal information. I know how much it costs to get into this market because we have seized the materials using our search warrant powers. I could say how much to get your mobile phone records; how much to find out if you have a criminal record or not; how much to get hold of you DVLA records to see who owns the car parked outside your house last night. We documented this very fully in our first ever report to Parliament in May last year. I think that caused quite a lot of surprise. People suspected it was going on but this was the first time it had been properly documented.

Q59 Chairman: Could you remind us what a couple of those prices were.

Mr Thomas: I do not have the report with me, but it ranged from about £75 for the easiest information up to about £750 for the more difficult information. Our report set out the full tariff. To find out who owns the car parked outside your house last night is about £75. These people often work through networks. One agent specialises in British Telecom, one in DWP, one in DVLA. They all interrelate to each other. It is a criminal offence. It has been a criminal offence since 1994. We prosecute cases. They often ended up with derisory penalties: a conditional discharge for one of the most serious ones, or very, very low fines. I am afraid this was a Commission who got very angry about this, decided Parliament needed to be told about it and I am delighted that it has been taken seriously. As soon as time is available in Parliament, I hope this Committee and others will support that initiative when it comes forward. It has already been a wake-up call for the private investigators and their users. Already we are seeing better penalties coming through from the courts using their existing powers, but there are quite low thresholds there. It has had quite a dramatic effect on this particular industry but there is a long way to go yet. I have to say that the newspapers are not keen on my proposals. I am being attacked as a threat to freedom of speech, which I thoroughly deny because there is a defence there. If you are doing this in the public interest situation, then there is a complete defence.

Q60 Mrs Dean: Are your protocols for handling information sufficient to safeguard privacy or should your office have more power to conduct inspections and impose sanctions on negligent or reckless data controllers?

Mr Thomas: I think this is where we move on to our inspection powers. The law says what I can do and what I cannot do and we take our obligations and our powers very seriously. The law at the moment says: "The Commissioner may with the consent of the data controller assess any processing of personal data for the following of good practice and shall inform the data controller of the results of his assessment." The key words there which we find very limiting are "with the consent of the data controller". This was a point I started making earlier. We are a regulatory body. We are unusual because we regulate government and other parts of the public sector. We are not completely unique in that. We certainly regulate the private sector as well. I have been a regulator in other environments. I find it very bizarre, frankly, that we have to have the consent of the organisations we are regulating in order to find out what is happening in practice. This case has been put to the Home Office, the Lord Chancellor's Department, the Department for Constitutional Affairs, the Ministry of Justice. We have been putting this case on a regular basis, where they smile and say, "We will do what we can" but we have not yet had a firm commitment that they will change the law. There is some pressure now from the European Commission to change it as well but I hope this Committee will understand that whatever protocols or codes of practice, data protection principles, whatever people tell us about what they are doing, sometimes it is what is happening in practice that we need to go in and investigate - not necessarily in a threatening way, we often will go in and carry out an audit to help people get it right, but, to know the regulator can step in has a very sharp deterrent and therapeutic effect upon organisations. To know that they can turn me down and say no and my inspectors and my investigators and my auditors cannot go in now, or not until they have put things right in 12 months time, does have an unfortunate effect on the dynamic of us as regulators. We have come to this Committee with one or two specific proposals. We are recycling something we have said to the Government in the past but we hope you understand why we attach weight and importance to it.

Q61 Bob Russell: Mr Thomas, that leads us neatly into the section I have, which is the monitoring of abuses. I picked up on your earlier observation that 86% of the general public regard safeguarding personal information as a major priority. In that context, technology puts employers in a powerful position vis-à-vis employees during the working day. As MPs we are aware of that from our whip's office! Have you detected a rise in the number of cases of abuse of surveillance technologies in recent years?

Mr Thomas: In the workplace, I think it is going down, if anything. We can claim some credit for that. We launched a code of practice with the full support of the TUC and the CBI, to have the three bodies together at the same time launching our code of practice. The code was a difficult one to write. We had to rewrite it several times. It covers all aspects of monitoring staff in the workplace. It covers recruitment, personnel records, monitoring email and internet use, health checks. It is a wide-ranging code. David can take enormous credit for being the principal author of that. In its early stages it was the victim of some criticism, of being a bit too lengthy and a bit too detailed. We got it right in the end and we got a lot of praise from many organisations. The human resource/personnel industry now understands that here is the Information Commissioner's code of practice, it is seen as helpful and I do not think we get any serious complaints. I am sure we get occasional complaints but we are not getting anything like the volume of complaint one might otherwise have expected. Members of Parliament I do not think are employees, but the principles of the code might apply in your context.

Q62 Bob Russell: That is a fascinating response, bearing in mind we have just started our inquiry A Surveillance Society? I was going to ask what scope is there for the Information Commissioner's office to do more monitoring work in this area and you are telling me that the work you have already done has led to matters being improved. There is less invasion by employers against employees.

Mr Thomas: The risks are still there but I would say quite vigorously that the fact we were able to secure an agreed code of practice - we got agreement and we pushed this very hard around the employer community, and the trade unions have taken it seriously too - shows that in the particular context of the workplace - and data protection creeps everywhere, it is a horizontal law - the risks of excessive surveillance have been very substantially reduced because of our code of practice and I am proud of that. I would like to see the same approach apply in many other areas where surveillance remains a considerable risk.

Q63 Bob Russell: That leads me on to my next question: what steps can be taken to make it easier for organisations to detect abuse of their databases? What incentives could make organisations work harder to protect them? - and organisations can mean anything you can think of: statutory, voluntary or whatever.

Mr Thomas: I am not sure whether your question is gauged more at a new initiative or just keeping the existing system in good order.

Q64 Bob Russell: We have new technology and you have explained very successfully how employers, as a general rule, and the workforce, as a general rule, working together, have reduced that danger of a surveillance society. But the question now is about organisations. I am not going to name the organisations - they could be statutory, they could be voluntary or it could be a members club or whatever - but organisations which have electronic retrieval systems.

Mr Thomas: I think the general message, yet again, is that they must take the legal and the good practice requirements seriously. We have put a lot of guidance out. We have moved away from perhaps a slightly theological approach to data protection, which is rather abstract. Now we have put out a lot of guidance notes, good practice notes - Do this, do that; do not do this, do not do that - in a wide range of areas, so we are getting a good feedback on that. More generally, we have already talked about strengthening our inspection powers. We would like to see a penalty associated with legislation. At the moment our only real stick is an enforcement notice which says do not do it again. There was an example last week of the Health Service recruiting doctors. I am sure many members of the Committee read that the Department of Health website was shown to be insecure. People could see all their colleagues' application forms and details of their criminal records, their health history and all the rest of it. The Department of Health was obviously quite in the wrong. It was wholly unacceptable. It put its hands up and their website was closed down within half an hour. I do not give them praise for how they got there; I do give them praise for closing it down within half an hour. There is not very much we can do in that situation. I do not think they will do it again in a hurry; certainly, therefore, an enforcement notice on the Department of Health would have been not very meaningful. We are exploring and we would like this Committee to explore the idea that for situations where there is a flagrant or a negligent or repeated disregard of the requirements of the law there should be some sort of penalty. This is not rocket science. It is the norm in other areas of regulatory life and we think it would serve as a very useful tool to concentrate minds to prevent the sort of problems you are talking about. I do not want to prosecute left, right and centre, but I would like there to be a deterrent and, in the extreme case, where there had been unacceptable disregard of the regulations, to be able to go to court and have a system of fines to sanction that behaviour.

Q65 Bob Russell: You have made a powerful case there that there should be penalties for the abuse of surveillance technologies. Would you be prepared with your colleagues to consider submitting to us a suggested tariff as to what you may have in mind so that we can consider that? Do the ICO or other agencies have sufficient investigative powers in this respect?

Mr Thomas: On the first point, of course the answer is yes. We floated the idea in our submission to you. If the Committee would like us to elaborate on any other point, we will elaborate with a written submission as to what a scheme might look like in terms of how you might define the offence and what the associated penalties would be. Mr Russell, we have probably answered your second question on our investigatory powers.

Mr Smith: There is an example which relates back to your question about employment monitoring and to this question of offences or possible offences. We have had a case where essentially a secret camera was installed in a workplace, caught an employee vandalising a machine and the employee was dismissed as a result of it. The secret camera, because it was secret, was in breach of the Data Protection Act. The employee was dismissed and appealed to a tribunal. The tribunal, perhaps quite rightly, said, "Well, we can't ignore the evidence. However it was obtained, you did something wrong," the dismissal was upheld, but nevertheless you are left with that employer who had essentially breached the Data Protection Act in obtaining the information. The only power we have is to issue them with an order to say: Do not do it again in the future, but that is a set of circumstances where that problem will not arise again. There is no sanction for a breach of the Act. It is that that we are looking for: knowingly and recklessly breaching the Act in a way that causes harm.

Q66 Gwyn Prosser: You have painted for us a very worrying picture about the trading of illegal identification and personal information. I sit on the all-party identity fraud group and we have been told there is something called the "deep web". This is an internet system which is closed to the rest of us on which there are thousands of transactions going on every day apparently: offers of identity, offers of information which you could put together and then steal someone's identity. It is all very worrying. It fits in with the pernicious black market you were talking about. Could you tell us about your experience of the impact of being the victim of identity theft or of the supply of personal information about an individual? Perhaps you could give us some hard cases or one hard case on the individual.

Mr Thomas: First and foremost, when people find their identity has been stolen there can be severe financial consequences. Even if the banks and others assume some ultimate liability there can be a horrendous amount of hassle and worry for people to sort matters out. When people suffer financial loss, even if it is reimbursed, there are real negatives there as a result of identity theft. If people find they are being impersonated their reputations can suffer. It can be in the workplace, it can be in their social environment, with their families, all that sort of area. Moving into a different sort of set of examples, if people's private lives are unjustifiably intruded upon, there can be a very, very, real deep sense of outrage. If people think that what they are doing in their private lives is suddenly available not even to the tabloids and the newspapers but to other organisations, then they find that wholly unacceptable. In one of the examples we had, a man was suspected by an insurance company of making a bogus insurance claim - a genuine claim, as it turned out, but they thought he was making a claim and they are entitled to make legitimate investigations. The insurance company hired one of these very dubious private investigators. Within a very short time indeed, they had telephoned his 82-year old mother, pretended they were from the Inland Revenue, obtained details of her maiden name and other personal information. We have these conversations on tape, by the way. Within ten minutes of getting that information from the mother they had gone to the bank account in order to find out more information about how that individual conducted his financial affairs. You may say he suffered no financial loss - he might have done, he might have been turned down for his insurance claim wrongly, but in fact in that case he suffered no financial loss - but when he found out what had happened he was absolutely outraged. We have a large number of examples like that in our report, Mr Prosser. I could go on but that gives you a flavour of some of the activities. I have to say it happens in the political arena too. You may say politicians are public figures, they are fair game, and I will not comment on that, but there were secretaries of politicians who were having their personal lives invaded in this way, which I think is absolutely outrageous, and I am very glad we are going to see legislation on that particular point fairly soon. I think it does illustrate the wider issue about some of the risks of surveillance. If you collect information, the risk of it being improperly accessed must by definition increase.

Q67 Gwyn Prosser: On that issue of improperly accessing this information, do you think some of the organisations that store the information tend to be a little bit complacent about the safeguards?

Mr Thomas: Yes.

Q68 Gwyn Prosser: Would it be helpful if they had more liaison and more connection with the work you are doing?

Mr Thomas: Yes. I think there is a lot of complacency and a lot of people are very shocked when we reveal to them how their systems can be so easily breached. We work very closely with bodies like the DWP, British Telecom. We have arrangements in place. If they have suspicions, they come to us. My investigators are mostly ex-policemen and we go out and investigate. We have search warrant powers. We do cooperate, particularly with organisations with call centres because the telephone call centre can be a particularly vulnerable weak point, but there are other ways in which people are really quite shocked to find out how easily their systems have been breached. We do what we can but I think there is a lot of self-interest at work here because organisations do not want their security breached and they are working very hard themselves to prevent these problems.

Q69 Mr Clappison: Could I come on to the subject which we touched on a moment ago: mandatory privacy impact assessments. What do you see as the prospects for the introduction of them into the UK and do you think they will be practical in terms of keeping pace with technology developments?

Mr Thomas: Could I break it down into two sections, first of all, just to share with the Committee what we mean by privacy impact assessments and then discuss whether it should be mandatory or not. My colleagues will amplify my remarks, I am sure. It is a methodology which is quite widely used in other parts of the world which are still not familiar in this country. We are looking at something entirely new. Essentially a privacy impact assessment is an attempt by the organisation which is going to be collecting information in new or enlarged ways to record what they are going to do, why they are going to do it, how they are going to do it, to identify the various risks associated and to spell out publicly how they are going to mitigate those various risks. It is a discipline. It is a sort of risk management or risk assessment programme. It has caught on in other parts of the world. In the United States now it has been mandatory under the E.Government Act of 2002. I have here, and I would be happy to send a copy, the privacy impact assessment, the official guidance from the Department of Homeland Security. In the United States this is mandatory but they embrace this approach with a very constructive positive spirit and it seems to be beneficial. Here is the DHS charged with safeguarding the security of the American people. They are taking it seriously. We have talked to a number of government departments and they all say it sounds a good idea, we are not really quite sure what it would involve. There is no hostility to the idea. Later this year we are going to be producing a great deal more guidance for a UK environment as to how it might work and what the benefits would be. We are expecting a fairly warm reception to what they have to say. I think people do genuinely want to find out how it would work. We all want to avoid unnecessary bureaucracy. We are keen to spell out this will not be a bureaucratic intervention. The second part should be mandatory. My answer is that if public sector bodies, particularly central government, refuse or are reluctant to go down this road, then I think the case for a mandatory requirement to carry out a privacy assessment becomes very much stronger. It will only work if it is done in a positive spirit and you explore that first.

Q70 Mr Clappison: You mentioned in the first part of your answer that you would be coming back later this year to the question of the benefits. I wonder if you could give us a foretaste of that. How would you spell out the benefits of this to the public in straightforward terms?

Mr Thomas: I cannot do very much better than read out what the Department of Homeland Security say. They say: "This PIA is an analysis of how personally identifiable information is collected, stored, protected, shared and managed. The purpose is to demonstrate that system owners and developers have consciously incorporated privacy protections throughout the entire lifestyle of the system. It is built into a system from the start. Addressing privacy issues publicly through this PIA will build citizen trust in the operations of the Department of Homeland Security." I will not read more but it goes on to spell out what they are doing and how they expect to reinforce that trust and confidence and reassure the public. There are a lot of anxieties. The Chairman's very first question was: Are we being paranoid? - if I may paraphrase your first question. We do not think we are but we do think the public need reassurance and we believe this is one way in which reassurance can be given.

Q71 Mr Clappison: You are saying to us that this fits in with the work of your office.

Mr Thomas: Indeed. We have not done much in the past but we have started this debate over the last six months or so and we see this as a real, attractive opportunity to push this case. Jonathan is overseeing the consultancy we now have in place to bring to the surface clearer ideas as to how this methodology would apply in the UK environment.

Mr Bamford: Within the next month or so we are going to put out an invitation to tender for people to draw up privacy assessment methodology and also a handbook. The New Zealand Privacy Commission has developed a handbook. If we are bandying definitions around, it is interesting to add one point in their definition which I think is relevant when we talk about a surveillance society and things like that. It says in here: "A privacy impact assessment will sometimes go beyond an assessment of the system and consider critical downstream effects on people who are affected in some way by the proposal. It is not just looking at what is the safeguard there, it is looking at what the consequences are for the individuals affected and then modifying the system to take account of those". We are very keen to make sure we have something that works in the UK environment. To answer the second point of your question as well, to what extent PIAs are technology proof because of changes in technology, I think I would go back to what I said about the data protection principles being largely robust and technology proof. A privacy impact assessment will be rooted on the data protection principles, so questions about the integrity of the data, its accuracy, the security, what people are told, those are timeless questions that are not dependent upon technology. They are relevant questions all the time, so I think the privacy impact assessment will live beyond just the point of publication.

Mr Thomas: Our written evidence to you records - it is very welcome - that the Department of Transport has offered to work with our contractor to allow its plans for road charging to be used to provide a practical basis for where we are coming forward. They are road charging. It is a controversial area. Privacy is one of the issues in that and I think it is a very welcome gesture from the Department of Transport to cooperate with us to explore this methodology in the context of road charging.

Q72 Chairman: It is interesting that that document has come from the Department of Homeland Security, which implies that the US authorities are planning to apply this to areas of terrorism, serious crime and so on. We also know that the same US authorities have obtained the credit card details of millions of European citizens through targeting the Belgian organisation which handles all this information with demands for a vast amount of information on all of us before we try to fly to the United States of America. Have you any sense that these privacy impact assessments are having any effect at all on the way the US Government is going about its business?

Mr Thomas: Again, Chairman, you touch on the competing public interests. We all want to tackle terrorism. We all want to safeguard our privacy. You mentioned the financial data available to the Americans and we also have a debate about airline passenger information, but it is my impression - I do not have empirical evidence - that the Americans are struggling with exactly the same issues we all struggle with. They do not have a data protection framework but, in the last four years that I have been in office, privacy and safeguarding the individual have shot up the congressional and public agenda in the United States quite dramatically. I went to one conference in Washington three years ago and there were about 400 people; I went this February and there were 1200 people. It was front-page news right across Washington. People are very concerned indeed about the state having either too much information or abusing their information. Equally, the government turns round and says that we need to identify those who present a risk to society. I think there is stronger experience in Australia. Jonathan mentioned New Zealand, Canada, where this methodology has been in place. Our impression - and I would not go beyond impression - is that it really has had a beneficial effect on getting organisations to take the issues seriously, and, above all, to address them at the architecture design and not as a bolt-on later in life when things start going wrong. It is a great deal more expensive that way round.

Q73 Mr Winnick: Perhaps we could get a copy of that booklet.

Mr Thomas: We have a lot of material to give to the Committee, Chairman.

Q74 Ms Buck: Could I ask you to tell us about the pros and cons of privacy enhancing technologies.

Mr Bamford: The whole idea behind privacy enhancing technologies is the way of using the technology itself to help protect people's privacy. We know how technology can do all sorts of wonderful things for us but let us use it in a way where we can deploy it to protect individuals' privacy in some way. Whether that is limiting the amount of information that is collected about individuals or perhaps using more sophisticated identity management techniques, but thinking about a way of using the engineering itself to look after individuals in some way. This is something which within the data protection community internationally has gained a lot of leverage, really to try to make sure that technologists do try to design privacy in. One of the slightly more frustrating aspects of our role in many ways is particularly when government departments let contracts for major IT systems and move more to say, "Well, you deliver what we want and we will give you a general overview" but they do not specify, "And we want you to do that in the most privacy friendly way" so the contractors never bother to try to come up with a more privacy friendly way. A concept of saying how can we do things here that is more privacy friendly is quite welcome. Interestingly, the Royal Academy of Engineering, which has just published a report, has very much latched on to the idea of privacy enhancing technology. These are the technology people who are speaking and they recognise there is a way of using technology to enhancing privacy, so we are quite supportive of the idea. Again, as the Commissioner says, it is something which you cannot think of as an afterthought really. It is something that is built into the system. We have talked about our issues here about information sharing for transformational government. In Austria their e.Government approach is essentially to try to dispense with a central identification number for all the Austrian citizens to tie up government services. I will not go into the technology because I cannot say that I really understand it myself that well but, basically, it means you can use different ID numbers for different services but the systems recognise the ID numbers without having to exchange and keep all the ID numbers. You can see how, if you do not have one powerful ID number, the collateral risk to the individuals of tying together information is reduced to only certain aspects. The Austrians have managed to do some interesting work in this area and it is somewhere that we would encourage government departments and the major private sector organisations to think about. Identity management is one aspect there and we are trying to sponsor some more work in that area. The Oxford Internet Institute is having a symposium on identity management to see if there is a way of dealing with identity that does not involve really large collections of information all verifying that I am the right Jonathan Bamford, so it my driver's licence number, passport number being replicated in lots of different databases.

Q75 Ms Buck: You sound quite enthusiastic about it. The criticism is the extent to which it is a technological fix for what is not fundamentally a technological problem. But that is not the implication you are giving. You see it as quite integral if it is done properly.

Mr Bamford: The way I like to think of it is as one of a number of measures that help. I do not think you can simply say there is a killer answer, the silver bullet solution, but it must be right, must it not, if we think there is a risk out there of big collections of information falling into the wrong hands, being used in ways that prejudice individuals - perhaps it is Mr Prosser's example of identity theft which is clearly facilitated through that - we must try at the outset to stop that information being misused in that way through technology helping that. That does not mean to say there are not other procedural safeguards, legislative scrutiny safeguards which would also go there. I see really it is more of a jigsaw of things that fit together and I would not like that piece of the jigsaw to be missing really.

Q76 Chairman: The more the databases grow, the more we can do profiling. I suppose that is what credit risk agencies do. Effectively, they build up a profile of people's financial records. As the potential to profile individuals grows, would you like the Committee to be saying that we restrict the ability or the circumstances in which you could do profiles or simply to raise awareness of the fact that profiling can take place?

Mr Thomas: I think raising awareness is the priority. You quite rightly said that profiling has now become very sophisticated in the private sector. People know what sort of books you are likely to read. They know what holidays you are likely to be interested in. That has become a very sophisticated technique. The same techniques are now being explored and to some extent deployed in the public sector. But it is a bit like children at Christmas: there is a risk that people think we can do anything now through profiling, and I think we would like this Committee to sound a very grave warning about some of the risks. If you get it wrong, particularly in the public sector, you can get it very badly wrong. In the report we commissioned this is discussed at length and some of the risks are set out. I hope the Committee will look at those. They talk about profiling and also social sorting where the computer gathers information about you, it labels you and characterises you. Let me give you a few simple examples. At one level, if at one time you are dealing with social services and they write down "heroin addict" that might have been true ten years ago, is it true now? Is that label around your neck for the rest of your life? If you then start putting snippets of information about you together - where you live, your postcode, whether you have a phone, the criminality patterns of your parents - you can build up images of people which may take you in the wrong direction. If you are trying to identify children who will commit crimes later in life - the Cabinet Office is doing a lot in this sort of area - I understand their motivations and I understand what they are trying to achieve, but if they get it wrong - if they label that youngster as someone who is going to be a criminal in ten or 15 or 20 years time or that family as a problem family - it needs our intervention. Technology can take you a long way but it is not going to be 100% effective. When we raised concerns about profiling, we raised concerns about social sorting. It is to signal the risks involved without the human intervention. Machines can do a lot to gather and to help you inform your decisions but without the human intervention I think there are grave dangers. My answer to your question, Chairman, is that absolutely paramount is the importance of raising awareness as to the risks involved. I do not come to you saying there should be a ban on profiling by the public sector. We are not suggesting that. However, as with so many things, I say proceed with caution, amber light in this area, because if public bodies embrace the potential of the technology to literally and too enthusiastically it will undoubtedly create the sort of climate of suspicion, lack of trust, real problems, and only take a handful of star questions which get splashed over the newspapers to destroy all the good work that the health authority, the social services, the education and all the other people are trying to do to use information intelligently.

Q77 Chairman: Given the risks - and of course we saw them in the private sector perhaps a lot more two years ago than we do now, with credit reference agencies and people being wrongly denied credit because of wrong information and so on - is there a case for having some formal government procedure that ensures that, if profiling is going to be done, those who are going to use it have properly assessed its potential liability, what it can tell you, what it cannot tell you and how the possible risks should be handled? Should that be made a formal part of legislation or should it linked with the privacy impact assessments or with something built into the UK Government?

Mr Thomas: It goes back to the debate about whether PIA should be mandatory or just done because it is good practice. I am happy to start with the good practice route and I would see the suggestion you are making as an excellent suggestion to fit within the framework of a PIA. If a particular system is to use profiling techniques, then a section of the privacy impact assessment would spell out what is going to happen, how it is going to happen and how the various risks are going to be addressed and then we would like to have our inspection powers to make sure it happens in practice. Could I link that to one suggestion I would like to share with the Committee this morning, Chairman. It was not in our written evidence but we do have the power under the existing law to do a special report to Parliament. The report on What Price Privacy was the first time we had used that. If the Committee were so interested, we could think in terms of an annual surveillance report using our special powers to record what developments there had been over the previous 12 months, the extent of our involvement, what we felt we had achieved in terms of promoting good practice and areas where we had some concerns. If we could do that in a way which routed into our data protection responsibilities, we could not address all the issues but that might be a suggestion the Committee might like to think about.

Chairman: It is certainly a very interesting suggestion and one I am sure we will bear in mind as we go through the inquiry and come to our report. That takes us neatly, I think, to the last question.

Q78 Mrs Dean: Thank you, Chairman. Given the pace of technological development and the drive by government to share and use information to deliver public services and fight crime, in which particular areas should developing ground rules be the priority?

Mr Thomas: I am going to ask David to say a bit about the importance of educating the public because that is a very important priority as well, to make sure the public are educated. We have done some work and he will say more about that. As a broad proposition I would say the public sector needs to have priority at the moment over the private sector. It goes back to the exchanges we had earlier, because I think there are commercial and other pressures impacting on the private sector which I see being taken very seriously indeed. The state has a monopolistic and often a mandatory power over citizens and it can do things without their consent, without their agreement, without their involvement for perfectly good reasons. The state has, if you like, greater potential but also can cause greater harm if people are wrongly labelled, if they are wrongly identified, if mistakes are made. Also the state tends to have larger numbers. The databases run by the state are much, much larger, so if things go wrong within a public sector database the effects would be multiplied many times more. We talked about the doctor's database going wrong last week. Several people made the point that it was only a handful of doctors compared to the millions and millions of patients on that single spine for the National Health Service if something went wrong and everyone could see your health records. Well, that would be catastrophic. If I am asked to select areas, I would say public sector against private sector. I would then say, broadly speaking, in the sort of Home Office area which this Committee is particularly shadowing. I know I have gone wider than your immediate responsibility but I do think the Home Office, the Department of Justice, the Ministry of Justice sort of area is the area where there is the most difficult challenge because there, for understandable reasons, people are collecting and using information. But that is where there are the most coercive powers against the citizen, and that is where, unpopular though sometimes it may be - and after yesterday's trial I know this is difficult territory - sometimes the importance of upholding liberties means that an independent commissioner has to say things which may be unpopular in the short term, but by putting weight on those areas I am not minimising taxes, criminal records bureaux, social security. We have a long agenda.

Q79 Mr Winnick: Back to 1984.

Mr Thomas: I am happy to live in 2007, Mr Winnick. Could we say a word about education.

Mr Smith: It is probably right, Chairman, just at the end to go back. You asked us about our vision earlier on and part of that vision was an aware population who know their rights and are confident in using them. That is one of the protections against the excesses of the surveillance society. We have not concentrated much on it today. I think it is right to bring it in at the end and say we do see it very much as our part of our role to bring about that education. We have produced things like a personal information toolkit earlier this year which advises people how to protect themselves against identity theft, it advises them how to access their information. If you like, put that firmly on the table: it is about educating and encouraging people to use their own rights as much as about what we can do as the regulator.

Chairman: Thank you, Mr Thomas and colleagues. You have got the inquiry off to a very good start this morning.