Select Committee on Home Affairs Minutes of Evidence


Examination of Witnesses (Questions 300 - 319)

TUESDAY 26 JUNE 2007

DR CHRIS POUNDER, DR ERIC METCALFE, MS SHAMI CHAKRABARTI AND MR JAGO RUSSELL

  Q300  Patrick Mercer: I am referring exactly to that sort of case. Do you think there is a real danger that a focus on automated data-sharing can actually make getting across essential information harder, and there is simply too much information out there? It confuses rather than helps.

  Mr Russell: The thing we said on the children's index was actually, in principle, there is nothing wrong with a children's index, if it is a targeted database. Targeted amounts of information on children at risk can be helpful. The problem is, when you have got every child on a database, as Shami said, it is incredibly difficult to see the wood for the trees. In certain circumstances, yes, a database is important, but we need to be—. These human right principles that we started off with—is this necessary, is there a legitimate aim, is it going to work—those are the questions we think Parliament should be asking when a new proposal for a new government database is being proposed.

  Chairman: Thank you, Margaret Moran.

  Q301  Margaret Moran: I, like David, am interested in the evidence base of some of the things you have been asserting to us. You say in your submission to us that the extent to which every person in the UK is subjected to surveillance has increased disproportionately to any justified social need or benefit. Could you give us the research evidence for that just as a reference? If you cannot do it now could you, please, send it to us? You also make reference to the National DNA Database and say that there is an intention to make that database compulsory. Could you give us what evidence you have for that statement?

  Ms Chakrabarti: It is, of course, compulsory even now as a matter of law, because this is a criminal justice policing measure. Your DNA is compulsorily taken from you under pain of criminal sanction if you do not agree to it being taken.

  Q302  Margaret Moran: I think the suggestion is that it implies universally?

  Ms Chakrabarti: That there be a desire in certain quarters to make it—

  Q303  Margaret Moran: You have stated that you believe that a compulsory universal DNA database—

  Ms Chakrabarti: The present, soon to be outgoing, Prime Minister has stated that he thinks it would be desirable to have a universal DNA database after a public debate. Various chief constables have taken that view. It is a perfectly respectable, if slightly terrifying, view. There is logic to it. There is a logic that says, "Let us have the DNA of every man, woman and child in the country, and then, when something bad happens and there is a crime scene, we will match it." There is also a logic, I would argue, to our position, which is to say, have a smaller more ring-fenced DNA database of people who have been convicted of a particular threshold level of crime. What there is not a logic to, in our view, is the current situation where anyone who has been arrested for an offence can have their DNA taken and even if they are let go, as in my shop-lifting example, the police apologise, say, "We have got the wrong woman", never charged, let alone convicted, my DNA can be kept forever.

  Q304  Margaret Moran: I was not actually asking for a treatise on DNA, I was asking for the evidence-base?

  Ms Chakrabarti: That is the evidence; that is the law.

  Q305  Margaret Moran: Various comments do not constitute a research evidence base either to the initial point I made or to the second of those points. Have you got something substantial other than people's comments?

  Ms Chakrabarti: Well, the legal position is clear and not in contention as to what the basis for taking and keeping people's DNA is at the moment. That is a statement of the law.

  Q306  Margaret Moran: I was referring to your assertion about a universal—

  Ms Chakrabarti: If the Prime Minister says he thinks it would be a good idea, I think that is a pretty good suggestion of intention, and, as I have said, it is a logical position, I just do not think it is proportionate.

  Q307  Margaret Moran: Mr Russell, earlier you made reference to the Serious Crime Bill. The reason I have been out of the room is because I am sitting on the Serious Crime Bill. You referred effectively to function creep, to what is now known in technical circles as the possibility of phishing, data-mining, data-sharing. What evidence have you got for that function creep and are you aware of what the Minister said at the second reading on the Serious Crime Bill in relation to that in answer to the specific question that I raised?

  Mr Russell: The specific point about function creep and where my concern about the function creep comes from is the fact that in the bill there is a very clear provision which says that the Home Secretary, Secretary of State, may by order increase the functions for which data-mining may be undertaken. So, that is how function creep most often happens: if you have got a power to do something with personal information and then, by regulation, the reasons for which you can process that information can be extended. That is where the concern about function creep comes from. There is a clear power in the bill. I cannot remember the clause reference, but there is one there which says that the purposes can be extended. So that is the function creep point.

  Q308  Margaret Moran: That contradicts what the Minister said at the second reading, that the Audit Commission will not be able to use the powers to predict who might commit fraud in the future, in other words phishing, and it is right and proper that we put safeguards in place to prevent data-mining and data-phishing.

  Mr Russell: Can I come back on that point? That is absolutely right. We pushed in the House of Lords for an amendment to the bill which would prevent data-mining to be used to profile people's future behaviour. The Government agreed with us that that was a concern in the current legislation and, therefore, agreed in the House of Lords to put an amendment in to stop profiling of individual suspects in terms of their future behaviour, and we are delighted they have put that in. That is slightly different to the question of function creep, because the question of function creep is about what purpose is this data-mining going to be used for, and I would be very surprised if the Minister had said that there was no risk of function creep in relation to this aspect of the Serious Crime Bill, because the provision is there.

  Dr Pounder: Just a comment on the Serious Crime Bill. The Audit Commission can do data-matching in relation to serious crime, not so serious crime and debt collection. In relation to debt recovery, one wonders whether the Serious Crime Bill is the correct vehicle for this. There is a real problem in over-indebtedness in the UK. Whether or not that should be treated by separate legislation is another thing, but if you look at Schedule Seven, you will see that debt recovery is part of the Audit Commission's remit in the Serious Crime Bill.

  Dr Metcalfe: Can I make an additional point about function creep. Before I was at JUSTICE I was a lawyer in the immigration and judicial review section of the Treasury Solicitors Department and I was responsible for helping to arrange advice in relation to the Asylum Registration Card or ARC, so that was an identity card system which involved fingerprinting of asylum seekers. I am not saying anything that is not in the public domain at this point. The original purpose of the Asylum Registration Card was to reduce fraud in relation to asylum seekers, but it is very easy to see, just as a practical measure, how the information stored for one purpose can be used in relation to others. If you had that information stored in relation to asylum seekers and you are a law enforcement agency, why would you not want to check information to see whether any of the people that you now have on your database match unsolved crimes? Why would you not want to see if any of those people are also involved in relation to mainstream benefit fraud, if in some way they have managed to fraudulently obtain documents in relation to mainstream benefits? Why would you not, if you were a medical researcher, want to cross-reference the biometric information that you might have on that database in relation to preventing genetic diseases? You do not have to be a conspiracy theorist to see how function creep happens. It happens perfectly naturally, in that people see information which is useful and then seek to gain it; and no-one can deny that these databases are useful; the point that we are trying to make in this situation is that what people do not see when they see the utility of information is the danger and risks. I thought the evidence this morning from the people involved in medical research was extremely interesting. Yes, it is true that in the old days you could go into a doctor's surgery and get a patient's medical records off the doctor's desk, but, generally speaking, that would mean going down to a quiet street in Basingstoke, finding the doctor's surgery and going in there. Now, anyone with a computer can access that information. Just to give you some idea of the extent to which—

  Q309  Chairman: Just a minute. It is not actually true, is it, that anyone with a computer can access the NHS database? If you want to let that lie as your evidence that anyone with a computer can access the NHS database, I think you need to justify it.

  Dr Metcalfe: Obviously, I am generalising to a degree. The computer has to be networked and also has to be able to access the NHS network.

  Q310  Chairman: That is quite a big difference, is it not, between "anyone with a computer"?

  Dr Metcalfe: We are currently extraditing a man to the United States because he was able from the United Kingdom to hack into the United States Department of Defence database. Do we really suppose—. I do not think literally everyone with a computer can access that information, but I mean anyone who skilled enough with networks, and there are a large number of people like that nowadays out there. If someone in the United Kingdom can access what is arguably the most secure defence network in the United States from here in the United Kingdom, I do not think we can afford to be blasé about the possibility that someone, say, in China could at one point hack into our NHS database.

  Q311  Chairman: Nonetheless, you take our point about being a little bit more accurate.

  Ms Chakrabarti: He qualified it.

  Q312  Margaret Moran: The suggestion you are making there is that these other uses should not be occurring. What would you advocate to prevent phishing? Are there limitations that could be placed on the use of this data that would give sufficient assurance, in your view, to the general public or to yourselves rather, because maybe the general public have a different idea?

  Dr Metcalfe: I think really it has to be taken on a case by case basis, because obviously not all databases are equal and different databases work in different ways. One major source of concern, for example, is the recent European Framework Directive, which allows law enforcement agencies from across the European Union to access information held in UK law enforcement databases, which means that information could potentially be passed from police criminal records to a law enforcement agency in Lithuania. One major concern there is what assurance do we have that the end user in Lithuania will not misuse that data, because they are not subject to the same data protection standards as we are here in the United Kingdom? I think that is a very good illustration of a potential gap. We need to make sure that every end user, every person who has access to official government data is bound by the same standards. So, that is one global point I would make, particularly in relation to data-sharing across the European Union. In relation to the specific—

  Q313  Margaret Moran: I want to be clear. You are saying there should not be sharing of data across Europe or beyond until all of those protocols are in place. I think the parents of young Maddie might have a different view on that.

  Dr Metcalfe: Certainly, I would hope so, but I would also like to think that they do not want her personal data being shared willy-nilly with people in another European Union country without sufficient data protection standards. Think of the potential risks, for example, if you allowed access to our children's database to be given to any accession country, and think of the potential risk to children that might arise from that situation, because we are not asking the same standards of an accession country that we do of our own public officials in this country.

  Q314  Gwyn Prosser: You have all argued in your various ways that the current legislation does not provide comprehensive data protection, that it is out of date, out of step and fails to keep pace with technological changes. I wonder if I can ask you briefly each to describe revision or improvement in the legislation which would correct that error and how can we ensure that such provision does not get outpaced by the rapid improvement in technology?

  Dr Pounder: I think the starting position I have is that there needs to be a counterbalance to the data surveillance and the data-sharing that occurs. I think there are three elements to this counterbalance. One is parliamentary, the second is regulatory and the third is the individual. Starting from the individual basis, I think the time has come to look at a right to information privacy. The Culture and Media Committee toyed with this idea and recommended that Parliament should grab this particular nettle. My own view is that it can be done via the Data Protection Act, a right to information privacy, and the advantage of that is that it would not disturb the relationships with the press, it would avoid that problem. In relation to parliamentary, what I would like to see is the ability to have a feedback loop into Parliament that could possibly result in, say, for example, a show-stopper in respect of, shall we say, some sort of surveillance activity potential. I will try and explain what I mean. At the moment the Home Secretary and many secretaries of state are responsible for setting the procedures that safeguard as well as the responsibilities for interference, and I would like to see Parliament being more on the ability of being able to, shall we say, have some safeguards. For example, the Home Secretary could produce a Code of Practice in relation to X and, say, for example, he could approach the Information Commissioner with a view to what the Commissioner's views are. Instead of the Code of Practice being, say, for example, laid before Parliament, it could be approved by Parliament. So, if the Information Commissioner, for example, had problems with the Code of Practice, he could bring those problems to Parliament and Parliament could set social policy as to where the balance lay. I also think that the regulator, the Data Protection Commissioner, should have the ability to check regulations passed by this House (and as you know in the identity card legislation there are some wide-ranging powers), shall we say, for example, to go straight to the court and say, "I think these regulations are awful", and have somebody who can actually challenge the lawfulness of the regulations that are placed in human rights terms. I also think Parliament needs more information about what government intends. The bulk of the appendix in my evidence relates to how I thought that Parliament was not informed as to the true intent of the identity card, and I hope that in the new arrangements, with respect to Gordon Brown's possibilities, that Parliament will be able to get the information it seeks to make informed decisions. In relation to the regulator, the final thing I would say is that—. Sorry not the regulator. A general matter is that there has to be absolute transparency in relation to data-sharing or any surveillance, what is going on, and that absolute transparency has to be backed up by the fact that people can do something with the information. It is pointless telling you, "Oh, there is a camera here", blah, blah, blah. Once you have been given this information, you can do something, and that is one reason why I think a right to information privacy is inevitable. At least the individual who is subject to the surveillance can do something with the information that he gets.

  Q315  Gwyn Prosser: Dr Metcalfe, would you concur with that?

  Dr Metcalfe: I would concur with that. It is very difficult for me to add anything further. Perhaps one point I should just identify, if we are going to identify wish-lists. We would argue that there needs to be prior judicial authorisation of any interception of private communications under Part I of the Regulation of Investigatory Powers Act. Currently you can intercept, a law enforcement agency can intercept email, it can intercept telephone calls, it can intercept letters and text messages simply by going to the Home Secretary and asking for a warrant. I am not saying that the Home Secretary grants them willy-nilly, but in every other common law country you find that the prior authorisations are made by independent judicial authority. That does not happen in this country and it should.

  Q316  Gwyn Prosser: Ms Chakrabarti or Mr Russell?

  Mr Russell: Again, we agree with the comments that have been made, and I will not repeat them. There are another couple of points that we would make. We need to look at the Data Protection Act with specific reference to CCTV, because a large number of CCTV cameras are not regulated by the Data Protection Act at all, and we think that there should be very sensible, legally binding guidance or regulations on the question of whether people have to be informed about where a CCTV camera is, who operates the CCTV camera or what training they need and the appropriateness of the placing of cameras. So, we think CCTV should be looked at. The DNA database: we think there should be a presumption in favour of the removal of DNA from somebody who is not charged or convicted, a rebuttable presumption, but in some cases it may be necessary. I am thinking of something like Ian Huntley. It may be necessary to keep somebody's DNA even if they are not convicted, you know, if there are repeat allegations, but generally we think there should be a presumption for removal.

  Q317  Chairman: Thank you. Could I just press the Parliamentary scrutiny point a bit. Dr Pounder, to some extent your evidence is slightly embarrassing for this Committee in the sense that it suggests the Home Office were able to put one over on us and on Parliament. We very clearly said there should not be a Citizens Information Project. You may have been given the impression there would not be one and you track how officialdom kept the Citizens Information Project going for months, if not years, and it then re-emerges as the core of the National Identity Register. Given that experience where, certainly when we were discussing the Identity Cards Bill, none of us knew that the officials were carrying on with this secret project, how can Parliament actually do the scrutiny role you want us to us do?

  Dr Pounder: You invited me to say that that is why I recommended that this Committee should recommend removing section 1(4)(e) of the ID Card Act.

  Q318  Chairman: Remind us, for any who may be watching on the Internet link, which section that was.

  Dr Pounder: It is to do with the ability to share information, using the identity card database for a general public administration purpose. The other thing I would say is that this public administration purpose is subject to the review, it is called the Crosby Review, which is supposed to announce soon. I have given my evidence to the Crosby Reviewers with the hope, I have said to them, that if they are going to progress their ideas in identity management, it has to be through primary legislation and not through section 1(4)(e) of the Identity Card Act.

  Q319  Chairman: Thank you. Ms Chakrabarti.

  Ms Chakrabarti: I would agree with that. There are more general points about doing more in primary legislation. They do not just apply to privacy protection but to Parliament privacy scrutiny more generally and less by way of regulations after the event.


 
previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2008
Prepared 8 June 2008