SUMMARY

  The main problem in using technology to develop efficient and effective systems lies in "control". Information is a valuable commodity to business and we have seen our data "sold on" to maillists etc without consent. Government wishes to "control" our data and by default our lives. Individuals fear a "loss of control" over the volume of personal information held and the uses to which it may be put.

  Commercially we have moved away from the huge, all-encompassing databases of the 1980's because these databases were slow and cumbersome to use, inflexible and had great potential for inconsistency and error in the data they stored, eg: BACs system too slow to pay all salaries on Friday 30 March 2007. The trend is now towards smaller, simpler systems that are cheaper to implement, use and maintain and which can be linked to other databases as and when necessary.

  The issue of privacy and data protection remains critical and while all efforts should be made to develop secure systems it is not possible to guarantee any system against hackers or unauthorised access; eg: recent theft over 45 million customer records from TK Maxx and recent news that junior doctors' job applications have been accessible on the internet.

  The key to success lies in the design of the system. For example, keep personal identifying data to a minimum—full name; date of birth; full address, mother's maiden name etc—is it essential? Would initials and surname do? Personal identifying data should be kept on a separate database. The administrators working with the system should not see the personal information and the two parts of an individual's records would be linked only by a unique reference code. The computer system could link the two records where necessary eg: to sent out a letter, but joining the two parts of the individual record should be virtually impossible either by a legitimate system user or by an individual with criminal intent. Updates to records in response to, for example, changes in legislation could continue to happen as this would be an "across the board" change to all records meeting certain conditions.

  For any access to an individual record, eg due to change in circumstance or response to a query, the record holder would provide their unique code (but no other personal data) and this would also serve to imply the consent of the record holder. To further reduce system size, vunerability and improve efficiency, thought could be given to splitting a database into several small systems based on criteria like "Place of Birth" or "Age band".

  All systems should have a "time out" facility built in to prevent unattended data remaining visible on screen.

  All systems should have a detailed Access Log recording every access, time, date, user and reason for access.

  A record should be made available at any time to the individual record holder of all accesses to their record and of any requests for information from third parties.

  A Code of Practice should be drafted to clearly state the responsibilities of systems users and the penalties which will be applied for Misuse of Personal Data stored within a system. There should be a clear and simple procedure for individuals to view and correct their records and to make a complaint if they feel their data has been misused.

  An "Opt Out" should be available to everyone for every new system, with the aim that through "best practice" over time when a system is shown to work people may decide to "opt in". This provides a level of individual control and will perhaps encourage people to view new systems with less suspicion. For example, in "private business" individuals have a choice of whether or not to apply for a loan, have a store card or loyalty card etc.

ACCESS BY PUBLIC AGENCIES TO PRIVATE DATABASES

  In what circumstances would this be necessary? If an individual was suspected of involvement in fraud or other criminal activity, the public agency or police should already have some evidence on which to base their suspicions and if the individual under suspicion did not give consent to further investigations then an application for a Warrant from a Court of Law should remain the appropriate procedure. It does not seem appropriate to suggest government agencies should "fish" databases looking for inconsistencies or suspicious activity without good cause.

  Aside from criminal activity, what other purposes could exist here? Would, for example, the NHS monitor individual's shopping with a view to banning them from buying junk food or cigarettes? Any purposes for this type of access should be clearly defined and debated. Where such a request for person-identifiable information is made perhaps permission should be sought from the individual, or at the very least the individual should be informed of the action and its purpose.

  The obvious danger of this "partnership" is that it would work in two directions. For example, would a mortgage lender or a pension provider be able to access an individual's health record? Would a Curriculum Vita automatically be created on-line from various databases for a potential employer to download?

  The likely result of this type of "partnership" is that people will stop using "systems" as far as possible eg: people will reject reward cards, store and credit cards, and will return to using cash.

DATA-SHARING BETWEEN GOVERNMENT DEPARTMENTS AND AGENCIES

  The current system prevents the sharing of data between agencies and this privacy is protected by legislation. Merging or splitting government agencies and departments should not be used as a way to circumvent this system. As now, a Warrant can be applied for where reasonable evidence exists to suggest an illegal activity has taken place.

  Better and quicker communications between departments/agencies should be built-in where it is necessary to confirm or clarify—for example—that a person's contributions are sufficient for a claim for a state benefit. This is not "data sharing"—this is a simpler "Yes or No" response to a query.

EXISTING SAFEGUARDS FOR DATA USE AND WHETHER THEY ARE STRONG ENOUGH

  The current legislation that protects privacy and prevents data-sharing is fairly robust, and should be further strengthened in light of the new, current and future systems under discussion. There is a need to be open and to state exactly what data is required and for what purpose it will be used. Any links from one database to another need to be stated and explained. Data should not be used for any other purpose without individual consent.

THE MONITORING OF ABUSES

  No one individual or team should be given control of or access to a complete individual record. Personal data could be managed within the system eg: to send out a letter but should not be readily available to any system users. All access should be closely controlled and monitored, eg: only the data essential to a particular task should appear on the screen. A full electronic log should automatically track and record each access. An extremely robust system of penalties for unauthorised access, misuse of data, divulging information to a third party etc must be clearly set out and made available to system users and to members of the public. Investigations into misuse and the issuing of penalties must be adhered to. This is a "new" crime which should be treated very seriously. It is currently difficult to prove a breach of confidentiality has taken place and this process needs to be simplified and all steps taken to ensure transgressions are investigated and acted upon where necessary.

POTENTIAL ABUSE OF PRIVATE DATABASES BY CRIMINALS

  The abuse of any database system—public and private—cannot be underestimated. It may prove impossible to protect any system from hackers or from data theft or misuse. Even "chip and pin" is not foolproof. Iris scans, DNA and fingerprints are not feasible for a routine administrative system, and will perhaps not prove to be accurate or cost-effective. The larger the system the greater the risk, and therefore it is essential to consider system design. If someone decides to "acquire" an individual's tax records, for example, these will be of no real use if the personal identifying information is held elsewhere on a separate system. The task of acquiring the two separate parts of the record becomes much harder. The splitting of the record into further parts will again make the "acquisition" harder.

  The onus on system security must lie with the system owner, and this could lead to the system owner becoming financially liable to compensate for distress or other effects of data abuse.

THE CASE FOR PRODUCING PRIVACY IMPACT ASSESSMENTS

  Advertise in the national press for case studies from people whose lives have been affected either by the information stored about them or by the way in which that information has been used. A large number of "ordinary, decent" people have already been adversely affected by this and use of real case studies should be viewed as an essential part of system design, to minimise or remove "unfairness". A current example is the many people who have worked hard and lived decent lives for years but who now find their employment activities are curtailed because of CRB disclosure of "spent" crimes.

PRIVACY-ENHANCING TECHNOLOGIES

  The issue of privacy does not lie within "technology". It rests with system design, safeguards, system users, and clearly defined guidelines of acceptable use with penalties for any other use. The danger of technology is the speed and ease with which information can be found. A person may have been reluctant to break into a locked store room to look through thousands of paper-based files for personal information, but can now use a PC to access the same information in seconds. The temptation to a low-pay administrator to acquire and sell-on this information must be great therefore the solution is to limit the information an individual administrator can access.

  In what way will our privacy be enhanced or protected if we are required to give our full name, date of birth, address etc to estate agents, banks and building societies, shops, solicitors, doctors, hospitals, government agencies, schools, colleges, insurers, pension providers, current and future employees etc. Currently many of these bodies take and keep a photocopy of a Passport or a Driving Licence, making it much easier today to collect sufficient personal information to use in a criminal way than was previously possible. An ID Card containing all our personal data seems something of a gift to someone with criminal intent. Club membership cards and soon bank cards will be totally blank cards which can only be activated by authorised terminals and will then only divulge relevant information about the holder. Even this is unlikely to be "fool proof" for long.

April 2007