Previous Section Back to Table of Contents Lords Hansard Home Page

6.45 pm

Baroness Anelay of St Johns: The Minister asked what we intended to achieve by the amendments and posed a different set of scenarios, all of which envisaged that we were trying to destroy the underlying principles behind data matching and data mining. However, she ended up by appreciating exactly why we had tabled the amendments; that is, to expose some of the Committee’s concerns about the implications of extending data matching and data mining without necessarily having the proper level of scrutiny. Later we shall discuss what scrutiny might be appropriate. My noble friends have tabled amendments on that matter.

I was grateful for support on these matters from the noble Lords, Lord Dholakia and Lord Burnett, and my noble friend Lord Crickhowell. There is a concern that there may not be sufficient rigour involved in data sharing as a result of the provisions of the Bill. That is a continuing theme running throughout these debates. We need to be extremely careful how we extend the sharing of information. I was grateful to the noble Lord, Lord Dholakia, for referring to the experience in Germany where they have been extremely cautious in the way that they have extended data sharing and data mining. They associate it with matters of state concern. As he said, it takes place only where there is a persistent pattern of behaviour that is a real threat to the security of the state.

As ever, my noble friend Lord Crickhowell brought us into the real world. I was intrigued when he referred to TV Licensing and described how

21 Mar 2007 : Column 1277

information technology was not at its most perfect in the way that it dealt with people suspected of fraud. His story resounded very strongly with me. A long-standing friend of mine whom I met at university some 40 years ago—

Noble Lords: Oh!

Baroness Anelay of St Johns: Indeed, 40 years ago. What a time. She and her husband have a thing about television. We pull their legs about it. They will not have a television in the house and never have in all the years of their marriage. Magistrate and upstanding member of the community though she is, she was in receipt of the kind of letter to which my noble friend Lord Crickhowell referred. In its unwisdom, TV Licensing has determined that nobody in the very respectable town in Essex where she lives—I will not say exactly where she lives—could possibly do without a television. It accused her of fraud. She invited its staff into her home to try to find a television, if they dared. Certainly, data matching is not necessarily efficacious or fair upon its subjects.

The Minister picked up on the comments of my noble friend Lord Crickhowell about ID cards. We are all warriors in this regard. We remember—I shall not say with fond memories—the exchanges on the Identity Cards Act, as I regret to say it now is, for the time being. The Minister chided my noble friend when he talked about passports and said that, when she addressed that issue on that Bill, she talked about the importance of biometric information. We were given a graphic illustration of what she had talked about—facial recognition, iris scans and fingerprints. We were assured that all those three things would be brought together to make the perfect whole. So why have the Government dropped iris recognition as one of the biometrics? It undermines my confidence in what the Government will do in securing information in this country.

This is a first throw of the dice in looking at the appropriateness of government using information that may be collated on individuals. There are very proper reasons why government may seek to use data matching and data mining. We are all concerned that those who perpetrate fraud are becoming more and more adept at so doing as they manipulate information technology.

All those years ago when I was a student I used to do vacation work in the Inland Revenue. I trawled through information to find out whether people were sending in claims for children whose ages and number they seemed to forget. They were perpetrating fraud on a rather minor scale. However, that has escalated on a national scale and involves millions upon millions of pounds. We are friends with the Minister in trying to root out fraud but we may diverge on the extent to which we should transgress the liberty of the subject in seeking information. I beg leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Baroness Anelay of St Johns moved Amendment No. 103:

21 Mar 2007 : Column 1278

(a) anti-fraud organisations specified under this section; and (b) data sharing and disclosure for which provision is made by this section.”

The noble Baroness said: As we have just discussed, Clause 61 confers powers on a public authority to disclose any kind of information as a member of a specified anti-fraud organisation or otherwise in accordance with arrangements made by such an organisation for the purpose of preventing fraud.

Amendment No. 103 would insert a new subsection into Clause 61 to ensure that the Secretary of State will lay before Parliament a code of practice relating to,

The aim of the amendment is to discuss how the sharing of information operates, and the safeguards that are in place, and to raise concerns expressed about the lack, so far, of a code of practice. That theme runs through several amendments.

I thank those involved in the national fraud initiative at the Audit Commission and the Bill team for providing a briefing on their work to my researchers on Monday this week. I say “my researchers” very grandly. There are four researchers in the Opposition Whips Office, two of whom went on a familiarisation visit to the Audit Commission. The four people work for the entire Front Bench, so 32 of us share four researchers. I am explaining for the benefit of the taxpayer that I do not have a huge resource of researchers. Two of them received an extremely helpful briefing from the Audit Commission. I have been offered a similar briefing which I intend to take advantage of after the Easter Recess. We are looking at dates for that.

The Government have cited CIFAS, the UK fraud prevention service, as the type of body they will designate under this clause. The Bill effectively enables public authorities to join such a body if they wish to enable them to risk-assess applications for services on the basis of the information exchange. The Minister has suggested that there could be substantial savings from this measure, citing between £137 million and up to £273 million a year. From what we have been advised, I understand that the information can be used only if it is in electronic form. Can the Minister indicate whether our understanding is correct and whether there are files that cannot be included because local authorities, among others, may still file them on index cards rather than on computers? What cost would be involved should they have to computerise to take part in this work?

There is some concern that the sharing of data will include the sharing of sensitive personal data such as medical records—an issue on which we felt very strongly, as the noble Baroness will recall, when we discussed the setting up of the national identity register during the debates on the Identity Cards Bill. One can only look at benefit fraud as a potential example. Provisions of this Bill would enable details

21 Mar 2007 : Column 1279

of benefit fraud to be shared with mortgage lenders, and suspicious activity reports from the private sector could be matched with data held by the Inland Revenue authorities.

One assumes that the Department for Work and Pensions, the Passport Service and the DVLA would all come into play; they would all be pooling information in some way. As I understand it, there are no exclusions for the type of personal data requested for data-matching exercises run by the Audit Commission. So, as such, presumably they could cover sensitive personal data. Could the noble Baroness explore that and give us some reassurances on it? I understand that the Audit Commission may be selective in the data it uses, but can the Minister confirm if these data may include sensitive personal data as well as non-sensitive data?

Unlike the data-matching requirements, there appears not even to be a provision for a code of practice covering this aspect of data sharing, yet any member of staff who tips off the Information Commissioner or the press is treated as if that member of staff had alerted the individual under suspicion and, under the provisions of Clauses 62 and 63, could face two years in prison. Will the noble Baroness explain whether that is the case, and if so, why?

I anticipate that the Minister may argue that this clause aims to fill a gap, to top up data-sharing provisions without prejudicing the bodies and organisations that already have the power to share data. As such, a code of practice in the Bill would cover only those who choose to take advantage of the gateway itself.

As the Minister highlighted at Second Reading, there is no compulsion in the Bill—yet—to participate. In which case, the question is how can we be certain that all members of the bodies specified in this section—the complete list which is as yet unknown—will adhere to the same principles and operational practical steps of carrying out the work. It is essential that we get the administrative detail of privacy issues right.

The Committee will recall that, back in 2005, the PIU report stated that there were,

and that while,

That is certainly a wise observation.

I am sure that that case will be put forward very well by my noble friends Lord Northesk and Lord Lucas when they speak in more detail to their amendments. However, if the disclosure of information and information sharing will be able to happen across such a wide variety bodies, surely it is exactly why we need a code of practice—to ensure transparency and accountability. I beg to move.

21 Mar 2007 : Column 1280

Baroness Carnegy of Lour: My noble friend has just mentioned the evidence of a rise in anxiety about privacy. I know that it is very tiresome for the noble Baroness when people go on about this subject, but I wonder whether the Government realise just how careful they have to be in the whole matter of data sharing.

I heard only this past week of a neighbour of mine who, while on holiday in Kent, for some reason drove along in the bus lane and was charged. He was told that, if he did not believe it, he should look on the internet. He found on the internet a picture of himself and his wife driving along a bus lane in Kent. That absolutely terrified him. He is an intelligent man, and he said to me, “Soon they will know where all of us are all the time”.

The Government do not realise quite how alarming this is to people. We must very carefully consider any request for a code of practice and any way of making sure that people are told what the rules are about these new intrusions that the Government feel are necessary in order to foresee crime before it happens. This is an important amendment and I hope that the Minister will not find it too tiresome that I give this example. It is not just my noble friend Lord Crickhowell who is frightened; it is also other people, such as my neighbour.

Lord Crickhowell: I entirely agree with what my noble friend just said, and she may be encouraged to know that the British Bankers’ Association agrees with her general point, too. For obvious reasons, it strongly supports the general thrust of this provision. It makes an important and relevant point. If noble Lords will forgive me, I shall read what is has to say:

That is an extremely important statement by the British Bankers’ Association. It establishes criteria and a set of procedures that I wholly support. I believe that, in moving this amendment, my noble friend has raised a very important issue. Clearly, if we do not pursue it today and if we do not get satisfactory answers from the Minister—although I hope that we will—we will have to take it up at a later date. With the support of the British Bankers’ Association, I find it hard to see how the Government can possibly resist the amendment.

21 Mar 2007 : Column 1281

The Earl of Erroll: Looking at the amendment, I realised that a couple of points might apply. First, if we want to do some data mining in order to look at trends, some of the provisions on data sharing could involve anonymising the data. That would solve a lot of problems under the Data Protection Act and allay people’s concerns. Also, I can see that, if we are investigating a particular fraud, and in some other work, we would not want the data anonymised. That made me wonder whether this provision could be used for something that is lacking at the moment. There is a big problem with fraud over auction sites and sales over the internet. At the moment, the Met is trying to set up a national crime co-ordination unit, with no resourcing and staffing. Although these are level 2 frauds—very small frauds—they aggregate to many millions of pounds and individually they hit people hard. It occurred to me that this anti-fraud organisation provision could also be used to authorise auction sites to exchange data with a national fraud alert site, for instance, which could then find the trends and possibly target certain areas afterwards. Of course, that data sharing would have to be looked at carefully, and therefore data sharing and disclosure provisions would need to be looked at carefully as well. I thought that this could be extended to deal with that and not just used for the massive state databases as envisaged at the moment.

7 pm

Baroness Scotland of Asthal: We have heard some very interesting points, not least the powerful statement made by the noble Lord, Lord Crickhowell, about the banking approach. I hope that your Lordships will find that we are not outwith the concerns that have been expressed. It may be helpful at this stage if I outline what the safeguards are and how they will work. The noble Baroness, Lady Carnegy of Lour, is absolutely right that we have to be very sensitive to how people feel about this matter and make sure that data sharing is done in a safe, appropriate and sound way. That has been very much at the forefront of our minds when we have looked at the provisions. I hope that, as we go through them, the Committee will feel increasingly comfortable that we have taken these issues very seriously indeed.

As I tried to say earlier, the usual data protection requirements will continue to apply, and we will continue to work with the Information Commissioner and consult him on the codes of data-matching practice for the implementation of the proposals. The national fraud initiative provisions contain an offence of unlawful disclosure of data, which carries a maximum two-year custodial sentence. The safeguards can be summarised as follows; I will run through them because it is important at this stage that we bear them in mind. First, only the Audit Commission can decide which data should be matched. Secondly, the Audit Commission and other bodies are permitted to disclose information only for defined purposes. Tough criminal sanctions for breaching the disclosure provisions are provided. There is a statutory requirement for the Audit Commission to prepare a code of data-matching practice. Those are very much some of the issues that

21 Mar 2007 : Column 1282

the noble Lord, Lord Crickhowell, touched on in his recitation of the banking approach.

The data-matching practice is a code to which all participating bodies must have regard. Under the existing code, the Audit Commission restricts itself to using sets of data where it has been established that fraud is known to be prevalent or to involve significant sums of money. The Bill restricts the purposes for which patient data, such as name, address and date of birth, can be used. They can be used only to combat fraudulent activity in the NHS. The Data Protection Act will continue to apply in full to data-matching exercises. All the protections that currently exist in relation to the Data Protection Act will apply with full force to these provisions, without exception.

The issue of what safeguards will apply to specified data-sharing organisations has been raised. All the existing legislation, principally the Data Protection Act 1998, will continue to apply. We have talked about the safeguards in other Bills, and they will still be there. The noble Baroness asked about the cost of the national fraud initiative. The Audit Commission charges each body about £2,000 to match its data. That currently happens once every two years, and all bodies keep the data needed in electronic form. The noble Baroness foreshadowed what I was going to say about this matter. It is providing a resource that people will be able to use, and it will be available. We expect all bodies to be using electronic databases. Information would be shared electronically through anti-fraud organisations, and bodies would need access to the internet to be able to share in that way. Bodies are charged relative to their size and their assets.

I have dealt with sensitive personal data, because their use is already moderated by the Data Protection Act. I hope that noble Lords will see that those protections are very real indeed.

The Earl of Erroll: The Data Protection Act is being cited a lot. Does the Information Commissioner have the resources to prosecute? I believe that he has hardly carried out any prosecutions at all because he is heavily under-resourced in this area.

Baroness Scotland of Asthal: Resources are, of course, always an issue. Every time any Minister gets to the Dispatch Box, there is usually a conversation about resources. We are working very closely with the Information Commissioner on making sure that the codes will operate in a way that he deems appropriate. We are working on the procedure that would need to be adopted by all the participating parties, and we are ensuring that his role and ability to scrutinise in accordance with the Data Protection Act are in no way diminished or undermined by any provisions in this Bill. We will continue to do that because we believe, as the noble Baroness and others believe, that this is an important function, which will help us to provide safeguards.

I have tried to deal with the general concerns and the debate that we have had, but it might be helpful, since I do not have very much to say, to deal with the amendment. The amendment suggests that there be a duty on the Secretary of State to lay before

21 Mar 2007 : Column 1283

Parliament codes of practice relating to anti-fraud organisations and data sharing. I question the need to impose such a duty, because under Clause 61 data sharing will have to conform to the rules of the relevant anti-fraud organisation. In addition, Clause 62 provides safeguards against the further disclosure—the noble Baroness has been concerned about this in the past—of certain protected information that is shared under Clause 61. It seems to me that there is a risk of adding a further layer of regulation to that which is already provided by the Data Protection Act, something that I know the noble Baroness, the noble Lord, Lord Crickhowell, and others have always found objectionable.

When processing personal data relating to individuals, the specified anti-fraud organisation and its members will be required to comply with the Data Protection Act. We consider that there are sufficient measures in the Data Protection Act and in this Bill to reassure members of the public about how their information will be used, so we have not been able to see any good reason or need for this amendment. I absolutely understand that, yet again, the noble Baroness rightly is probing to make sure that there is clarity of understanding on how we go forward.

Next Section Back to Table of Contents Lords Hansard Home Page