The British Computer Society (BCS) is pleased to send its response to the Home Affairs Committee, House of Commons, Inquiry on "A Surveillance Society?"

  With almost 60,000 members, the BCS is the leading professional and learned society in IT and computing.

  BCS is also responsible for setting standards for the IT profession. It is spearheading the IT in Professionalism programme and is also leading the change in the public perception and appreciation of the economic and social importance of professionally managed IT projects and programmes. In this capacity, the Society advises, informs and persuades industry and government on successful IT implementation.

  BCS, as a Learned Society, also has direct responsibility for leading, encouraging, promoting, supporting and developing all aspects of teaching, research and technology transfer in the disciplines of, and relating to, computing, computer science and information systems.

  BCS is determined to promote IT as the profession of the 21st century especially as IT is affecting every part of our lives. Therefore, BCS is pleased to take this opportunity to comment on such an important issue.

1.  SCOPE

  BCS has consulted its membership and particularly targeted its security experts—amongst whom a number are members of the BCS specialist Information Privacy Expert Panel (IPEP) and who have provided much input in to this consultation. (Information about IPEP is provided in the supplementary material at the rear of this memorandum).

2.  EXECUTIVE SUMMARY

  2.1  BCS is concerned about the amounts of data being collected about individuals, often without their knowledge, over a long period, how it is being collected and how it is being used—including, for example, selling data on to third parties.

  2.2  There are serious concerns that if combined, this data can build up a comprehensive picture of an individual's life which can potentially be misused.

  2.3  BCS suggests that government should build citizen-centric (rather than application-centric) multiple, distributed databases, aimed at minimising the amount of data collected and becoming more accurate.

  2.4  BCS considers that a citizen's data belongs to that individual citizen and accountability mechanisms should be put in place to allow the citizen access to the data kept on them.

  2.5  BCS continues to be very concerned about the security of the data being held as there is still little evidence that effective mechanisms are in place to ensure un-authorised access is not possible.

  2.6  BCS would like to draw the committee's attention to the paper "Identity Myths and Identity Management". (See supplementary material).[160]

Comments

3.  ACCESS BY PUBLIC AGENCIES TO PRIVATE DATABASES

  3.1  BCS members have expressed concern about the way in which information is being gathered eg schools taking children's fingerprints without reference to parents (http://education.independent.co.uk/news/article2434942.ece).

  3.2  Members are concerned about the large amounts of (individually) low value information being collected over long periods that is (potentially) easily connected to an individual (unlike CCTV images) and built into a comprehensive picture of their life. Examples of such information include: mobile phone location records, Oyster card usage records, credit card transaction records, and indeed other telecommunications and Internet usage records.

4.  DATA-SHARING BETWEEN GOVERNMENT DEPARTMENTS AND AGENCIES

  4.1  BCS believes it is necessary to recognise the difference between "data sharing" and "data aggregation". Instead of seeking informed consent to create links between existing databases, the government combines existing data into new databases; the NHS spine and National Identification Scheme are prime examples of this. In each case, a new, monolithic, legacy system is created.

  4.2  Instead of this approach to combining data, we need to consider the federated approaches as currently being adopted by industry. The goal should be to create multiple, distributed databases, but with a minimisation of data such that each item exists only once (or in as few occurrences as possible). This will only be achieved by a fundamental rethink of government attitudes towards data ie:

—    recognition that the data itself belongs to the citizen, not the state;

—    building citizen-centric, rather than application-centric, systems; and

—    aiming to minimise data and achieve greater accuracy, rather than the current approach of gathering as much data as possible.

  4.3  Most importantly, we need to introduce accountability mechanisms that allow citizens to see what data has been stored, processed and shared and why. The Estonian ID Card model is an example of this.

5.  EXISTING SAFEGUARDS FOR DATA USE AND WHETHER THEY ARE STRONG ENOUGH

  5.1  BCS notes that there is very little guidance on what is considered adequate security for the classes of personal data. A blanket statement that conforming to an issued standard should be OK is not sufficient, especially where the standard is risk based and allows a wide range of attitudes to risk.

6.  THE MONITORING OF ABUSES

  Note comments made in Sections 5.1 and 7.1.

7.  POTENTIAL ABUSE OF PRIVATE DATABASES BY CRIMINALS

  7.1  BCS continues to be concerned about data security issues relating, for example, to ensuring that un-authorized access to the data held on any widely assessable database(s) is not possible. This is a huge topic in which much work is being undertaken and yet there are still examples of successful un-authorised access being possible.

8.  THE CASE FOR INTRODUCING PRIVACY IMPACT ASSESSMENTS

  Risk basing for the type of security provision mentioned in 5.1 above makes the privacy impact assessment a good idea. BCS supports the introduction of mandatory (and published) privacy impact assessments for all government data sharing and government/ private sector data sharing.

9.  PRIVACY-ENHANCING TECHNOLOGIES (PETS)

  9.1  BCS would like to direct the Committee's attention to a vast literature on PET research which has developed. Some surveys of privacy-enhancing technologies which have already been carried out are listed below:

—    http://www.ipc.on.ca/images/Resources/up-1bio—encryp.pdf

—    www.cosic.esat.kuleuven.be/publications/article-835.pdf

—    http://www.law.ed.ac.uk/ahrc/script-ed/vol3-1/mowbray.pdf

10.  PROFILING

  10.1  Although BCS members can see the benefit of surveillance in many situations eg (hospitals, airports etc), there is a concern about the general tracking of citizens in their daily life since citizens are not in control of the data collection, post processing and potential profiling.

  10.2  Of special concern at this time are vehicle tracking and DNA databases. Taken to its extreme, such information could be used as a tool of suppression by a police state.

11.  ID CARDS

  11.1  BCS believes that the National Identification Scheme requires a fundamental re-think if it is to properly serve the needs of both the state and the citizen. We have, to date, witnessed a "binary" approach by government that assumes that:

—    it is the responsibility of the state to provide authoritative identity data on citizens;

—    an identity is either trusted or not trusted, with no tolerance in between; and

—    private organisation will depend upon government—supply identification data, even where there is no liability upon government if that data proves to be false.

  11.2  The role of government is not to identify citizens in any context except for travel documents. It is, twofold:

—    to confirm uniqueness of each individual: that is to provide assurance that an individual has not claimed duplicate identities in order to exist as more than one entity. Note that this does not prevent the use of pseudonyms, since the individual may use as many names as they wish so long as they exist only once within the National identification Register (NIR).

—    To confirm eligibility of the individual to exit with the NlR. This is not the same as identifying the individual. Once enrolled, a separate database may provide an audit trail of the enrolment, but personally identifiable information should not be required.

  11.3  The existence of such a "National Uniqueness Register" would permit private organisations to build their own identification systems, with assurance that individuals cannot engage in multiple enrolments and hence claim false entitlement. Corporate uptake of identification services would be greatly accelerated. Furthermore, individuals would be far more likely to trust an approach such as this that minimises data gathering and hence the risk of misuse or modification of personal data.

12.  CONCLUDING REMARKS

  12.1  A wide-ranging enquiry, such as has been described in the announcement for this present one, can only produce general answers.  BCS believes that the ground rules for security are already well documented and understood by government IT professionals.  BCS anticipates that a general enquiry by MPs exploring `large strategic issues' will elicit very little which is new and of value. This will result in the press picking up again on some of the identified risks and accuse the IT industry of incompetence once more.

  12.2  BCS recommends that Committee members first clarify what they want to do and what specific outcomes (level of security/risk) they want to achieve under particular legislation. MPs have the duty of ensuring that all legislative changes are checked in detail for security/risk before they are approved.

  12.3  Only at this stage, will it be appropriate for the BCS to comment on the critical technical aspects of legislative changes.  We would also be very happy to provide further detailed input on the implications of proposed changes to the technical environment or business requirements, as and when the committee feels it to be appropriate.

Dr M G Rodd,

Director of External Relations at the British Computer Society (BCS)

April 2007