APPENDIX 32
Memorandum submitted by Mrs A Jones
SUMMARY
The main problem in using technology to develop
efficient and effective systems lies in "control". Information
is a valuable commodity to business and we have seen our data
"sold on" to mailing lists etc without consent. Government
wishes to "control" our data and by default our lives.
Individuals fear a "loss of control" over the volume
of personal information held and the uses to which it may be put.
Commercially we have moved away from the huge,
all-encompassing databases of the 1980s because these databases
were slow and cumbersome to use, inflexible and had great potential
for inconsistency and error in the data they stored, eg: the BACS
system was too slow to pay all salaries on Friday 30 March 2007. The
trend is now towards smaller, simpler systems that are cheaper
to implement, use and maintain and which can be linked to other
databases as and when necessary.
The issue of privacy and data protection remains
critical and while all efforts should be made to develop secure
systems it is not possible to guarantee any system against hackers
or unauthorised access; eg: the recent theft of over 45 million customer
records from TK Maxx and the recent news that junior doctors' job
applications have been accessible on the internet.
The key to success lies in the design of the
system. For example, keep personal identifying data to a minimum
(full name; date of birth; full address; mother's maiden name etc.):
is it essential? Would initials and surname do? Personal identifying
data should be kept on a separate database. The administrators
working with the system should not see the personal information
and the two parts of an individual's records would be linked only
by a unique reference code. The computer system could link the
two records where necessary eg: to send out a letter, but joining
the two parts of the individual record should be virtually impossible
either for a legitimate system user or for an individual with criminal
intent. Updates to records in response to, for example, changes
in legislation could continue to happen as this would be an "across
the board" change to all records meeting certain conditions.
For any access to an individual record, eg due
to change in circumstance or response to a query, the record holder
would provide their unique code (but no other personal data) and
this would also serve to imply the consent of the record holder.
To further reduce system size and vulnerability and improve efficiency,
thought could be given to splitting a database into several small
systems based on criteria like "Place of Birth" or "Age
band".
All systems should have a "time out"
facility built in to prevent unattended data remaining visible
on screen.
All systems should have a detailed Access Log
recording every access, time, date, user and reason for access.
A record should be made available at any time
to the individual record holder of all accesses to their record
and of any requests for information from third parties.
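The split-record design described above, worked through as an added illustration (not code from the memorandum): identifying data and the administrative record live in separate stores linked only by a random reference code, administrators see only the administrative half, the system alone joins the halves to produce a letter, and every access is logged so the record holder can obtain the list by quoting their code. The store names, field names and sample record are assumptions constructed for this example.

```python
import secrets
from datetime import datetime, timezone

# Two separate stores, linked only by a random reference code (assumed layout).
identity_store = {}  # ref -> identifying data (never shown to administrators)
case_store = {}      # ref -> non-identifying administrative record
access_log = []      # every access: time, ref, user, reason

def register(identity: dict, case: dict) -> str:
    """Store the two halves; the only link between them is an unguessable code."""
    ref = secrets.token_hex(8)  # carries no personal meaning
    identity_store[ref] = identity
    case_store[ref] = case
    return ref

def _log(ref: str, user: str, reason: str) -> None:
    stamp = datetime.now(timezone.utc).isoformat()
    access_log.append({"time": stamp, "ref": ref, "user": user, "reason": reason})

def admin_view(ref: str, user: str, reason: str) -> dict:
    """An administrator sees only the case record, and the access is logged."""
    _log(ref, user, reason)
    return dict(case_store[ref])

def across_the_board(predicate, update: dict) -> int:
    """Bulk change (e.g. new legislation) applied without touching identities."""
    hits = [r for r in case_store.values() if predicate(r)]
    for r in hits:
        r.update(update)
    return len(hits)

def letter_text(ref: str, user: str) -> str:
    """The system itself joins the halves for a letter; the join is logged."""
    _log(ref, user, "send letter")
    who, case = identity_store[ref], case_store[ref]
    return f"{who['initials']} {who['surname']}, {who['address']}: band {case['band']}."

def accesses_for_holder(ref: str) -> list:
    """The record holder quotes their code and gets every access to their record."""
    return [e for e in access_log if e["ref"] == ref]

# Constructed sample record for the demonstration (initials and surname only).
REF = register({"initials": "A", "surname": "Jones", "address": "1 Example St"},
               {"band": "B", "status": "active"})
```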
A Code of Practice should be drafted to clearly
state the responsibilities of systems users and the penalties
which will be applied for Misuse of Personal Data stored within
a system. There should be a clear and simple procedure for individuals
to view and correct their records and to make a complaint if they
feel their data has been misused.
An "Opt Out" should be available to
everyone for every new system, with the aim that through "best
practice" over time when a system is shown to work people
may decide to "opt in". This provides a level of individual
control and will perhaps encourage people to view new systems
with less suspicion. For example, in "private business"
individuals have a choice of whether or not to apply for a loan,
have a store card or loyalty card etc.
ACCESS BY PUBLIC AGENCIES TO PRIVATE DATABASES
In what circumstances would this be necessary?
If an individual was suspected of involvement in fraud or other
criminal activity, the public agency or police should already
have some evidence on which to base their suspicions and if the
individual under suspicion did not give consent to further investigations
then an application for a Warrant from a Court of Law should remain
the appropriate procedure. It does not seem appropriate to suggest
government agencies should "fish" databases looking
for inconsistencies or suspicious activity without good cause.
Aside from criminal activity, what other purposes
could exist here? Would, for example, the NHS monitor individuals'
shopping with a view to banning them from buying junk food or
cigarettes? Any purposes for this type of access should be clearly
defined and debated. Where such a request for person-identifiable
information is made perhaps permission should be sought from the
individual, or at the very least the individual should be informed
of the action and its purpose.
The obvious danger of this "partnership"
is that it would work in two directions. For example, would a
mortgage lender or a pension provider be able to access an individual's
health record? Would a Curriculum Vitae automatically be created
on-line from various databases for a potential employer to download?
The likely result of this type of "partnership"
is that people will stop using "systems" as far as possible
eg: people will reject reward cards, store and credit cards, and
will return to using cash.
DATA-SHARING BETWEEN GOVERNMENT DEPARTMENTS AND AGENCIES
The current system prevents the sharing of data
between agencies and this privacy is protected by legislation.
Merging or splitting government agencies and departments should
not be used as a way to circumvent this system. As now, a Warrant
can be applied for where reasonable evidence exists to suggest
an illegal activity has taken place.
Better and quicker communications between departments/agencies
should be built in where it is necessary to confirm or clarify, for
example, that a person's contributions are sufficient for
a claim for a state benefit. This is not "data sharing"; this
is a simpler "Yes or No" response to a query.
EXISTING SAFEGUARDS FOR DATA USE AND WHETHER THEY ARE STRONG ENOUGH
The current legislation that protects privacy
and prevents data-sharing is fairly robust, and should be further
strengthened in light of the new, current and future systems under
discussion. There is a need to be open and to state exactly what
data is required and for what purpose it will be used. Any links
from one database to another need to be stated and explained.
Data should not be used for any other purpose without individual
consent.
THE MONITORING OF ABUSES
No one individual or team should be given control
of or access to a complete individual record. Personal data could
be managed within the system eg: to send out a letter but should
not be readily available to any system users. All access should
be closely controlled and monitored, eg: only the data essential
to a particular task should appear on the screen. A full electronic
log should automatically track and record each access. An extremely
robust system of penalties for unauthorised access, misuse of
data, divulging information to a third party etc must be clearly
set out and made available to system users and to members of the
public. The procedures for investigating misuse and issuing penalties
must be adhered to. This is a "new" crime which should
be treated very seriously. It is currently difficult to prove
a breach of confidentiality has taken place and this process needs
to be simplified, with all steps taken to ensure transgressions
are investigated and acted upon where necessary.
POTENTIAL ABUSE OF PRIVATE DATABASES BY CRIMINALS
The abuse of any database system, public
and private, cannot be underestimated. It may prove impossible
to protect any system from hackers or from data theft or misuse.
Even "chip and pin" is not foolproof. Iris scans, DNA
and fingerprints are not feasible for a routine administrative
system, and will perhaps not prove to be accurate or cost-effective.
The larger the system the greater the risk, and therefore it is
essential to consider system design. If someone decides to "acquire"
an individual's tax records, for example, these will be of no
real use if the personal identifying information is held elsewhere
on a separate system. The task of acquiring the two separate parts
of the record becomes much harder. The splitting of the record
into further parts will again make the "acquisition"
harder.
The onus on system security must lie with the
system owner, and this could lead to the system owner becoming
financially liable to compensate for distress or other effects
of data abuse.
THE CASE FOR PRODUCING PRIVACY IMPACT ASSESSMENTS
Advertise in the national press for case studies
from people whose lives have been affected either by the information
stored about them or by the way in which that information has
been used. A large number of "ordinary, decent" people
have already been adversely affected by this and use of real case
studies should be viewed as an essential part of system design,
to minimise or remove "unfairness". A current example
is the many people who have worked hard and lived decent lives
for years but who now find their employment activities are curtailed
because of CRB disclosure of "spent" crimes.
PRIVACY-ENHANCING TECHNOLOGIES
The issue of privacy does not lie within "technology".
It rests with system design, safeguards, system users, and clearly
defined guidelines of acceptable use with penalties for any other
use. The danger of technology is the speed and ease with which
information can be found. A person may have been reluctant to
break into a locked store room to look through thousands of paper-based
files for personal information, but can now use a PC to access
the same information in seconds. The temptation for a low-paid administrator
to acquire and sell on this information must be great; therefore
the solution is to limit the information an individual administrator
can access.
In what way will our privacy be enhanced or
protected if we are required to give our full name, date of birth,
address etc to estate agents, banks and building societies, shops,
solicitors, doctors, hospitals, government agencies, schools,
colleges, insurers, pension providers, current and future employers
etc? Currently many of these bodies take and keep a photocopy
of a Passport or a Driving Licence, making it much easier today
to collect sufficient personal information to use in a criminal
way than was previously possible. An ID Card containing all our
personal data seems something of a gift to someone with criminal
intent. Club membership cards and soon bank cards will be totally
blank cards which can only be activated by authorised terminals
and will then only divulge relevant information about the holder.
Even this is unlikely to be "foolproof" for long.
April 2007