TUESDAY 20 NOVEMBER 2007

MS CLARE MORIARTY AND MR JOHN SUFFOLK

  Q400  Bob Russell: So I can be satisfied that I as the technology challenged Member of Parliament for Colchester will not be discriminated against?

  Mr Suffolk: Absolutely.

  Q401  Bob Russell: Thank you. How does the CIO Council ensure that where possible technology-based systems are not duplicated? How is information on the development of systems shared across government?

  Mr Suffolk: One of the processes I have put in on the CIO Council is a process called the champion/challenger process. It is fair to say that the public sector has vast amounts of technology and we do not always see where that great technology is and we run the risk of reinventing the wheel which increases risk, increases cost, and slows our time from a citizen outcome perspective. The champion/challenger process is a very simple process. Anyone can nominate a champion. Let me give you an example. The Government Gateway, where we have 12 million citizens and businesses registered so they can get access to government services—someone can come along and say, "I believe that is a champion asset." Anybody can come along and say, "No, I think I have got a better one," and therefore it is quite democratic in terms of the way we do this. An evaluation process occurs and the best product will commence. The rule is quite simply this: if you cannot beat it, you should join it. It is a peer-based review, it is very democratic, it does not take a long time to do, but the objective is to begin to coalesce the systems and technology that we have already in the public sector that we can continue to invest in and protect and support without having to go through connecting 23 different systems together. That is a long-term activity but it is also the right way of doing things. The CIO Council runs that process.

  Bob Russell: Thank you, Chairman.

  Chairman: Thank you very much, Mr Russell. Gwyn Prosser?

  Q402  Gwyn Prosser: Mr Suffolk, one of the strands of the Transformational Government Strategy, as you know, is shared services and common infrastructures, which includes a reduction in the number of computers storing data and networks, et cetera. It seems on the face of it perhaps a logical progression but we have heard from a committee of Dutch experts that their recommendation in their country to move towards a single clearing house for data was met with huge opposition on the grounds that greater centralisation could result in a greater threat to security. What is your view? Where is the balance to be struck?

  Mr Suffolk: I think you are absolutely right; there is a balance to be struck. First of all, I think it would be nonsense to assume or even think about a central database and a central clearing house. The UK public sector is more advanced than many countries because we have been doing joined-up technology for years. The oldest computer system that I know in the public sector is 33 years old on 1 April 2008, which is the Police National Computer, and therefore we work at a national scale, and when you work at a national scale I think to continue to put more eggs in a single basket is a foolhardy approach. You are absolutely right when you say that some of the best ways of protecting data are to say that this data has a specific purpose, the purpose is clear in terms of all parties, and therefore we can put protection around that specific purpose in terms of only the people that need legitimate access to that data can access that data. The more and more we put it into large databases where more and more people have access to it, it becomes more complex. I think there is a balance to be struck, but clearly what we want to avoid doing is creating yet another large-scale citizen database when we have a number of those already because that would not be a wise thing to do.

  Q403  Gwyn Prosser: Ms Moriarty, the passage of the Serious Crime Bill represents a good example, some people say, of cross-government working on data-sharing. If that is your view, what was done right during that exercise which made it such a success and what could the Ministry of Justice learn from the exercise?

  Ms Moriarty: It is a very good example because fraud as a crime is obviously an area where information sharing can be of great benefit. What was specific about the Serious Crime Act was that the information that needed to be shared was relatively sophisticated and relatively sophisticated arrangements were needed because of the nature of fraud as a crime, and that meant the protections that needed to be in place were also more complex than in some areas. What happened with that piece of legislation was the Ministry of Justice worked very closely with the Home Office in framing the legislation which provides a legal gateway through which public authorities can share data in order to prevent fraud. There was a lot of discussion between the two departments and with the Information Commissioner on exactly what was the best way of achieving the policy objective. As the legislation went through Parliament there were a number of changes made, particularly the introduction of the requirement for a Code of Practice. It is a good example of spotting the issue, working together between departments and with the Information Commissioner to find the best way of addressing that issue, making sure that we have the right powers in place to do it and also listening to the views of Parliament and being prepared to make amendments as the legislation goes through.

  Q404  Gwyn Prosser: How will the Ministry of Justice work with the Information Commissioner to take forward the Framework Code of Practice for Sharing Personal Information?

  Ms Moriarty: The Information Commissioner has published the Framework Code of Practice and we very much support that as a way of encouraging public authorities to develop Codes of Practice and giving them a template to work with. We will be working with him and with the public authorities as they develop their Codes of Practice.

  Q405  Margaret Moran: You will be aware that the Varney report referred to engaging citizens, businesses and the private sector in both the design and delivery of services. Referring specifically to Clare at this moment, how can you assure citizens that the data-sharing that requires is done in such a way that gives them confidence to be able to access those services? Is it not true to say that a great deal of what is good in Transformational Government is data sharing by stealth, in other words local authorities, for example, are doing some of this Transformational Government public service delivery but they do not want to tell anybody because the data-share rules are so obscure?

  Ms Moriarty: To take the first part of the question, public trust and confidence is one of the biggest challenges that we face. We know from research which Ipsos MORI did that the vast majority of people want to see more sharing of information in order to produce better and more joined-up services, provided that the right controls are in place around the data. The Information Commissioner published his tracker survey last week and that showed us that people are very concerned that their data is properly protected and they are very concerned about the sorts of things that might happen to it. We are not seeing a huge groundswell of people who are really concerned that organisations are not looking after their data properly but they do feel they are losing control over their data and they want more reassurance that the legislation and the operational practices are going to provide, and are going to continue to provide, adequate protection. That is why, while we are confident that the basic architecture of the data protection, data-sharing system is robust, we have to keep looking at it as the technology moves on, as people's expectations move on, so we need to be making sure that it is constantly up-to-date. That is something we do all the time internally and we have also recognised the need to have some independent input to that process and that is why we have set up the independent review which Richard Thomas[2] and Mark Walport[3] are going to lead looking at the use of information in both public and private sectors.

  Q406  Margaret Moran: I also mentioned the fact that people are doing data-sharing by stealth in the public sector.

  Ms Moriarty: I am not aware of any detail about that.

  Q407  Margaret Moran: Local government?

  Ms Moriarty: Broadly speaking, as I said, the Framework is that there has to be a purpose in order for data-sharing to take place, there have to be the correct powers in the place, there has to be an assessment of the proportionality and the data has to be properly protected. As long as all of those things are in place then it is reasonable for people to share data, but if they are sharing data without the powers then that is something which is an issue that we need to take up with them and the Information Commissioner.

  Q408  Margaret Moran: Perhaps you would like to comment on that, John, but can I ask you particularly, what is your role in ensuring that government departments do engage with the public when they are developing Transformational Government services and sharing personal data? Could you comment on the fact that when we spoke to the head of the Social Inclusion Unit recently she made the comment that the issue around data-sharing and privacy is very much a middle class concern rather than a concern of those who need those services at the frontline.

  Mr Suffolk: Thank you. There are three points there. The first one is that I am not aware of anyone sharing data on stealth. The question was asked if we sometimes get in and arbitrate deals with departments and the answer is, yes, we do and frequently that comes around people's interpretation of "Do I have the powers to data-share?" All of my experience when I work across local and central Government is that people are very conscious in terms of data-sharing, very conscious in terms of do they have the powers and do they have a legitimate purpose. I am absolutely not aware of anything occurring by stealth, as Clare has already said. If we knew that then we would go in and work with the teams and understand why that has happened.

  Q409  Margaret Moran: Do you talk to SOCA teams?

  Mr Suffolk: I am very happy to talk to SOCA and I will take it up with our colleagues in SOCA. In relation to the second point, which was engaging citizens to understand what they want, as part of the Varney work in terms of Transformational Government, which is putting the citizen at the heart of what we do, we have created a thing called the Customer Insight Forum and the objective there is to share information about what citizens' wants, needs, likes and dislikes are because, of course, citizens come to us in different guises and that is why we have created things like Customer Directors, one for old people, one for farmers, and of course you could be an older person and a farmer. The purpose there is to say, "Let's look through the eyes of the citizen and understand what their need is and what the best way of delivering that need is." It is fair to say historically that we have not always been as good as we could have been in terms of sharing that insight, hence why we created the Customer Insight Forum and why we have positioned that knowledge, that information, at the heart of the way that we do service design. We are absolutely conscious in terms of we have to look at it through the eyes of the citizen and we have the processes on board in terms of doing that. Your point about data-sharing and security being a middle class view, I have heard that said before and those who want a benefit would say, "Guys, share my data to give me the benefit". Our starting point is really quite simple: what is it that we are trying to do with the citizen, what is their need? If their need, for example, is giving benefits quickly then the systems and the programmes that we have designed are around fulfilling that requirement. We never look at this from a one-size-fits-all point of view in terms of, "Here is an approach which will apply to all walks of life", it fundamentally does not work that way. Customer insight mapped on to what is the purpose and what problem are we trying to overcome from the citizen's perspective should drive whatever solution and technology that we put in place.

  Chairman: The final question is from James Clappison.

  Q410  Mr Clappison: Could I ask you both if you would comment separately from your points of view to tell us if you track trends and new developments relating to data-gathering and data-sharing? One example which has had a bit of publicity in the past is the use of loyalty cards which give businesses a great deal of personal information about shopping habits and, perhaps even more topically, the growth of social networking websites, which the younger generation know all about but I have got to say I do not know all that much about.

  Ms Moriarty: From the Ministry of Justice, we work with all government departments who in turn work with the various sectors that they connect with, so within each sector departments will be gathering information and looking at trends. We also work closely with the Information Commissioner. We have complementary roles. We are in charge of setting the Framework, he is in charge of regulating it and, obviously, as the regulator he can gather evidence about all the sorts of issues that are coming up, and certainly social networking forums is one of the issues that he has identified and he is working on guidance to make sure that people understand the basis on which they are giving their consent, that they know what might happen to the data. It is something where we work, as part of our work across Government, with departments and the Information Commissioner.

  Q411  Mr Clappison: From your point of view, given the difference of roles between yourself and the Commissioner, have you seen anything in trends in the social networking sites, some of which are obviously well-known, which concern you or are of interest to you?

  Ms Moriarty: It is one of the issues that make us aware that we constantly need to be looking at the Framework to make sure that it is up-to-date, and that is something we would expect the Thomas / Walport review to be looking at because it covers the crossover between the public and private sector.

  Mr Suffolk: We certainly do track all of the social networking and the trends in terms of what people are doing and we do this for a number of reasons. The first reason is in terms of what are people's perceptions in terms of security and personal privacy. We ran the Get Safe Online Week last week and all the research is telling us that still we have 20% of people who use technology on the Internet who do not have basic protection. Of the 80% who do, 50% do not keep it up-to-date. When you translate that on social networking, those behaviours are often translated as well, so people do give out their date of birth and personal information which, of course, is a primary cause and stimulus from an identity theft perspective. Often we track the technology from the basis of how are people using those technologies and what does it tell us in terms of their propensity to secure themselves or not to secure themselves. Also, if you take something like mySpace, one of the bigger social networking sites, the amount of users on that is equivalent to the eleventh largest country in the world. It fundamentally begins to tell you how the world is shifting in terms of how people treat technology and how they expect service providers and governments to deal with them from a technological perspective, and we track it in that context in terms of what is the norm in terms of the way we are doing business and what are the consequences of doing business in that way.

  Q412  Mr Clappison: Could I ask on a slightly separate subject if there are any lessons you think the Government can learn from the private sector in terms of harnessing IT capability?

  Mr Suffolk: We partner extensively with the private sector and much of what we do from a technological perspective is outsourced to the private sector. Clearly we are working at a scale which is much bigger than the private sector from the number of countries that we deal with, because we operate in 148 countries now, and we work at a level of security the private sector would not need to worry about because we have to protect loss of life, witness protection, domestic violence, et al. Where I think the private sector is exceptionally good is how do you create customer facing worlds that absolutely map on to their hopes, their aspirations and their requirements in a quick way and, therefore, there is always learning that we look to take from the private sector. We also work extensively with every major supplier from around the world because, rightly or wrongly, I have a belief that somebody somewhere in the world has cracked most of the problems, we just do not know where they have cracked them. One of the roles that I am more used to is to act as a kind of data agent where someone says, "I have a particular problem, do you know somebody with a solution?" and often those solutions exist somewhere under a different banner in health or education and we try and match those two up.

  Q413  Margaret Moran: A small but practical question. I recently visited my CCTV hub in Luton and they have been the subject of some publicity because a beating up in the town centre was relayed on to YouTube, I believe. What mechanisms are there to retain the privacy of that data through the whole process so that both the victim and those who are the alleged perpetrators are not identified and, indeed, the integrity of the criminal justice system is not jeopardised?

  Ms Moriarty: That is obviously a misuse of data because the data collected by the CCTV cameras is not intended to be used for those purposes, so there is a breach of data use there. We have a system for regulating compliance with the Data Protection Act. One of the things we have recently done is to change the penalties for wilful misuse of data because the Information Commissioner gathered evidence that the penalties were not—

  Q414  Margaret Moran: I am talking about the process, the trail of that.

  Ms Moriarty: The trail of process?

  Q415  Margaret Moran: The data is shared across a number of actors within the criminal justice system from the CCTV operator to it ending up on YouTube, but there were a lot of actors in-between.

  Ms Moriarty: It depends on what data-sharing arrangements are in place, but the data-sharing arrangements all have to be governed by the provisions of the Data Protection Act, so there has been a breach and if it is a breach which is significant then that is something which needs to be investigated and, if necessary, prosecuted.

  Mr Suffolk: If I could just come in there. It really comes down to what Richard Jeavons said this morning. The more and more that the technology becomes sophisticated, we absolutely will be able to find people who are getting access to systems and using information illegally. In that instance where clearly they have breached the Data Protection Act by taking data and using it for a purpose that it was not intended, there will be audit logs in terms of who had access to those systems. My belief is that we have to execute that review process to find out what went wrong in a situation like that and learn those lessons because it is clear that is not what should have occurred.

  Chairman: Mr Suffolk, Ms Moriarty, thank you very much for giving evidence today. We have almost concluded our evidence for our report into the Surveillance Society. Our next evidence session on this will be on 11 December when ACPO and the Minister at the Home Office, Tony McNulty, will be giving evidence.

3   Note by Witness: Dr Mark Walport is the Director of the Wellcome Trust. Back