Previous Section Back to Table of Contents Lords Hansard Home Page

Baroness Morgan of Drefelin: My Lords, I thank my noble friend for that question. I believe that my right honourable friend was trying to make it clear in his Statement that, although there was a breach of the rules, that was not because the document was taken outside the premises. It is extremely rare that such documents should ever be taken from specified secure government premises. The point is that, if such a rare occurrence were to be required, clear authorisation should be sought in advance and there should be specific compliance with security procedures around the removal of such a sensitive document. It is true

12 Jun 2008 : Column 723

that from time to time it is necessary to take such documents out of the secure premises, which is why there are clear rules about how that should happen, but we have asked Sir David to look at all the circumstances around the incident and to keep the Intelligence and Security Committee informed. The Joint Intelligence Committee will be involved in any outcomes of such a review.

Lord Roper: My Lords, I have two questions. The first is about the conversations that the Cabinet Office had with the BBC on Wednesday afternoon. It appears from the Statement that the BBC was requested only not to broadcast the documents’ contents. Does that mean that the Cabinet Office agreed that it could make reference to the fact that it had the documents in its possession, and could those documents have been covered by a D-notice? My second question goes back to an issue raised by the noble Baroness, Lady Neville-Jones, on our relations with our allies. From what we have heard on the BBC, these documents were caveated for the eyes only of citizens from certain countries. That has serious implications for our relations with those countries. I would be grateful if the Minister could reply to the question put to her by the noble Baroness.

Baroness Morgan of Drefelin: My Lords, our allies have of course been informed of the breach of security. They were informed on Wednesday and they have therefore had the opportunity to take whatever steps they feel are right. I am not sure whether I have made it clear so far, but those that we have informed to date include the US, Canada and Australia. The documents’ content was covered by a DA-notice but what the BBC said was not, so we communicated to the BBC that we would prefer that it did not broadcast. As the noble Baroness, Lady Neville-Jones, pointed out, it has complied to date with our request.

Lord Clinton-Davis: My Lords, will my noble friend comment on the suggestion that there should be an interim report? It is vital that Parliament should be informed on such an important subject. If there is to be an interim report, when can we expect it?

Baroness Morgan of Drefelin: My Lords, I am going to disappoint my noble friend. It would not be appropriate for me to place a timescale on Sir David’s work. I do not want to second-guess what my right honourable friend will say, but the Government would want Sir David to have the opportunity to undertake a full investigation and we should give him the opportunity to do that without creating an undue restraint. As I said, my right honourable friend has said that Parliament will be kept informed and I will ensure that noble Lords are, too.

Lord Glenarthur: My Lords, I apologise for not being in at the start of the noble Baroness’s repeating of the Statement. Will she say whether the documents that were found were original or photocopied and whether they were numbered? I have had some experience of dealing with such documents and I wonder whether at this stage she knows the answer to those questions.

12 Jun 2008 : Column 724

Baroness Morgan of Drefelin: My Lords, despite being tutted about answering the question, I am aware that the documents have been recovered and that they are the originals.

Lord McNally: My Lords, the noble Baroness, Lady Neville-Jones, referred not only to the political damage but also to the fact that such documents could be life-threatening because of the information that they contain. The Minister used the word “authorisation” on a number of occasions. It is mind boggling that such information can so casually be taken out of more secure areas. When she talks about authorisation, is there an established procedure? Does an officer who wishes to take information home ever so rarely have to have a countersigned authorisation from a senior member of the department? Is there a set procedure and is it part of the investigation whether the set procedure was followed?

Baroness Morgan of Drefelin: My Lords, I make it clear to the House and the noble Lord that the set procedure was not followed: the rules were broken. The reason why we have asked Sir David to undertake an investigation is that we want to offer reassurance that we do not take this matter lightly. Had the rules been followed, I am convinced that this would not have happened. There are strict protocols about how information of such sensitivity can be taken out of secure government premises. Let me be absolutely clear: the rules have been broken.

Lord Norton of Louth: My Lords, it is clear that rules have been broken. There has been an unauthorised removal of papers, which shows that there is a problem with the rules themselves if the papers can be withdrawn. Does this not show that the Cabinet Office has less security than the average supermarket? If we walk out of a supermarket with something that we should not have, it can set off an alarm. It is possible to tag papers so that they set off an alarm if they are being removed from a secure area. Rather than waiting for an interim report, should we not, given the nature of the problem, be pursuing something like that, which could be implemented fairly quickly?

Baroness Morgan of Drefelin: My Lords, the Cabinet Office is not placing any constraints on Sir David Omand’s investigation of the circumstances of this extremely regrettable breach and I do not want to second-guess what he might want to look at. I am sure that your Lordships will have heard what the noble Lord has to say.

Data Protection

3 pm

Baroness Miller of Chilthorne Domer rose to call attention to the volume of personal data collected and retained by governmental agencies and private companies, and the protection of personal data and privacy; and to move for Papers.

12 Jun 2008 : Column 725

The noble Baroness said: My Lords, this debate could not be more timely. Perhaps that is my good luck and the Government’s bad luck. We and the public have just been shocked by yet another catastrophic example of data loss, where literally millions of the records that individuals have entrusted to the state have gone missing. The case in the Statement concerned state security, which is slightly different but potentially more serious. I am going to concentrate on the affect that these losses have on individuals, on their confidence in giving data to the state and on the state’s responsibility for looking after that data properly.

At the moment, the UK probably leads the developed world in data loss. The point of the debate is to ask the Government what tools are in place to prevent that loss, whether they are using them and what more tools are needed. We on these Benches believe that the culture must change dramatically before losses of this magnitude stop occurring. As the Minister will know, because he agreed to it, we succeeded in getting a change to the Criminal Justice and Immigration Bill that gives the Information Commissioner more powers to deal with reckless and careless losses. It is a small step which needs to be followed by many others.

In the debate, we will call for an urgent updating of the Data Protection Act, which is 10 years old. In that time there have been phenomenal technological changes and it is not surprising that neither legislation nor thinking have kept pace. It was timely for this debate that last Tuesday an exhibition in Portcullis House showcased some of the advances in both the private and government sectors. I expect the Minister visited the exhibition. I certainly met his counterpart from the other place there and we had an interesting discussion. We are all agreed that the public have the right to expect that government agencies which demand their data, and private agencies which request personal data, should have systems to keep them safe and staff who are well aware of how best to use such safeguards. Legislation is certainly not the only answer; there must be a widespread cultural shift across public and private sectors.

Going back into history, it was in 1965 that George Moore, a co-founder of the giant computer chip manufacturer Intel, made a prediction: he said that information technology would grow, and continue to grow, at an exponential rate and would herald a revolution in human, social, political and commercial life. He was absolutely right. The increasing ease with which data can be collected, stored and processed presents countless new and exciting opportunities. I am not suggesting that we should not welcome this but, as more and more data and information relating to us are collected and stored, protecting the security of that information becomes ever more difficult. A real tension emerges between engaging with the opportunities offered by these new technologies and ensuring that any information that is collected, stored and processed is treated with due regard to its sensitivity. That tension is most pronounced in e-government, which is convenient and efficient when it works and disastrous when it does not.

12 Jun 2008 : Column 726

The introduction of ContactPoint, otherwise known as the Children’s Index, about which my noble friend Lady Walmsley will speak, provides a database of every single child in England and Wales. Spine, the NHS central medical record database, represents a dramatic widening of the circumstances under which the genetic information of individuals may be retained. And, of course, there is also the proposed national identity card scheme.

Data are also collected as part of CCTV operations, cameras record us in our cars in the street, satellites watch over our homes, police helicopters operate face-recognition technology above crowds and technology now exists which allows tiny drones to swoop in and photograph indoors. I must ask the Minister whether recent reports are true that the Government are considering the construction of a database which will hold details of every phone call made and every e-mail sent by the public, allegedly as part of the fight against crime and terrorism, although that might be part of the wilder imaginings of the press.

Mass data collection and retention are not the sole domain of government. The private sector has been years ahead in seeing the commercial potential in data collection. However, collection is one thing but the problems arise in its retention—how is it stored, how is it accessed and by whom? Even the technology that I understand and use—the memory stick, for example—allows vast amounts of data to be downloaded in one place and removed to another, just as we were talking about in the Statement. More sophisticated is the collection of information by Google, for example, in developing targeted advertising. There are all kinds of technological advances which are hard to grasp.

I was talking with the chief executive of Phorm this week who told me that once something is stored you have lost control over it. Phorm has been the subject of an interesting article in the Economist recently which some of your Lordships may have read. It is a company on the cutting edge of what can protect the public. A bit of controversy surrounds its work because, with its client BT, it intercepted people’s online business without BT customers knowing. But Phorm is certainly correct when it says that if consumers knew what was actually stored they would decide to opt for true anonymity online. This is what Phorm is trying to develop with major telecommunications clients on a global scale.

The focus should now be on what is stored and how because once there is a breach it is too late. A robust assessment of new databases and other initiatives could be effected through the use of privacy impact assessments, which, essentially, are privacy specific audits, which identify areas of e-government but have the potential to conflict with the provisions of data protection legislation. These are in their infancy in Europe but are commonplace in Australia and Canada and, to a lesser extent, in the US. I ask the Minister whether PIAs—which have been warmly welcomed by the Government, who have acknowledged that they can be useful in maintaining the balance between the needs of today’s society for more information to be shared and protecting privacy—have been conducted in any aspect of e-government. As far as I can establish,

12 Jun 2008 : Column 727

none has been conducted on the proposed national ID card scheme, ContactPoint—nor has that been done on Spine or the forthcoming implementation of the automatic number plate recognition system. Is the Minister able to say why not?

I am sure the Minister is aware that some use of online data is absolutely disgraceful. The worst private sector example that I have come across recently is the utterly pernicious national staff dismissal register. I know my noble friend Lord Roberts of Llandudno will make some remarks on this new development and so I will simply say that this new database, where tittle-tattle, rumour and potentially defamatory material concerning ex-employees can be stored for access by other prospective employers, is a dangerous development. We on these Benches take business crime seriously but there is a court system to deal with it. A website which is run for profit and which is trying to take the place of the police, prosecution, judge and jury is a serious issue. I hope the Government will do something about safeguarding the interests of workers who have little ability to pay for expensive access to the courts in order to do something about it.

Of immediate public concern, too, is the HM Revenue and Customs debacle last year—this has been referred to on numerous occasions in your Lordships’ House—when the records of 25 million people were lost in the post. There have been further incidents of significant losses from the DVLA and the MoD. In the context of data mismanagement, the public do not have the confidence that they need to feel if the Government are going to take their next step in e-government. That next step, which was demonstrated at Portcullis House in the exhibition on Tuesday, is centralised registration online guarded by secure access, along the lines of what noble Lords may be used to using with their online bank accounts. It sounds good and looks convenient, but if something goes wrong and it proves to be insecure it will be a total disaster. The fact is that nothing can be regarded as totally secure. Does the Minister agree with that?

One of the things the Government have tried to do is bring in data guardians. On the advice of Kieran Poynter of PricewaterhouseCoopers, who was commissioned to conduct the review into what went wrong at HM Revenue and Customs, the Government have appointed a number of dedicated data guardians charged solely with ensuring that large quantities of data, held by whichever department, are treated in compliance with good practice set down in the Data Protection Act. That is a welcome move. How is it progressing?

The Government also have—this was a surprise to me—a dedicated Data Protection Minister, currently Mr Michael Wills MP. It was revealed, subsequent to the HMRC data loss, that the first he heard about that incident was when a Statement was made by the Chancellor in another place. Mr Wills candidly admitted that in the light of the Revenue and Customs data loss the Government are going to have to learn lessons—but I am afraid it is part of his job to teach them.

I am not excluding the private sector. There have been some shocking examples of the misuse of data by a number of banks and companies entrusted with

12 Jun 2008 : Column 728

sensitive data. HSBC is facing the prospect of a Financial Services Authority investigation and a hefty fine after it lost the key details of some 370,000 customers in April. Nationwide customers, not directors, are going to have to pay for security lapses with a £980,000 fine.

I must also draw the House’s attention to a crossover between the private and public sectors in the comments of the Joint Committee on Human Rights, which said in a recent report on data protection:

I would be grateful for the Minister’s comment on that.

The Information Commissioner has made a good start in changing attitudes in all public bodies, but he is labouring, as I have said, under a rather outdated Data Protection Act. He is also pretty limited in his resources. Are the fees that the Information Commissioner can raise sufficient to deal with the volume of work that he now has to cope with? The regulator is charged with not only educating data controllers about their obligations but their compliance with the Act itself. I would be surprised if the resources that he was set up with were adequate for the job he now has to do. Arming the commissioner with new legal powers is essential. Although I know that by convention the Minister will not comment on what is going to be in the Queen’s Speech, it would be useful to know how urgent the Government feel that updating is.

I shall mention the situation raised in the European Parliament by my noble friend Lady Ludford, who is concerned about exchanges of passenger data and DNA from different European countries. She is concerned about the operation of the data retention directive, which is an effective and constructive dialogue that is very much needed, and the UK Government’s contribution to that, particularly as our primary data protection legislation is derived directly from Europe.

In conclusion, the pace of technological advances has been ferocious. The benefits are great in convenience, but equal dangers or, probably, greater ones are posed by data misuse, theft or improper exploitation. The tools are not yet in place to give the public confidence in even what the public and private sectors hold now, and, as PFIs and partnerships allow more and more data to move between the two, any regulatory system must apply equally to both and be constantly reviewed. In the short term, money is far better spent on that than on creating an identity card system that brings further challenges. In the longer term, the far more technologically literate younger generation are those who should decide whether or not that should proceed. I beg to move for Papers.

3.15 pm

The Earl of Erroll: My Lords, I apologise for being a couple of minutes late. I thought we were going to start at half past, and I was reading something downstairs.

12 Jun 2008 : Column 729

One thing that interests me about this debate is how few people seem to be interested in it. That really worries me. This subject goes to the heart of a lot of things to do with the relationship between the citizen and the state, about which there are many highly independent Back-Benchers on both sides who get deeply upset. Because the debate has the word “data” in it, however, they do not see that actually this is the future—it is exactly the sort of thing that could tip the balance of power in the wrong direction if we do not get it right. That is why it is critical.

The House has just had a debate about youth justice, which unfortunately I was not able to take part in. What really worries me about that is what data are kept long-term. A year ago I became aware that both a reprimand and a caution are admissions of guilt to a criminal offence. You may say to a youth aged 14, “Don’t worry, it’s a reprimand, it will come off your record”, but in fact it does not. They have a criminal conviction that stays on their record for life for the purpose of American or Australian visas. They can never work with the law. They can never get a job as a policeman, in the Army or as a teacher. That last situation depends slightly on the offence but, since we saw the other day that they were considering firing a headmaster for fishing without a rod licence, we can gather that, with regard to the relevance of the criminal offence to what you can do in the teaching profession, common sense has been suspended—as usual.

We need to worry about this. We are criminalising a generation of young people who will be completely disbarred from seriously useful professions in the future. Many of those people are the brighter ones. It is the people who are risk-takers, more outgoing and a little bit more punchy who get into trouble, and they are probably the people who you want as your leaders in the future. We need to look at how we expunge records properly, for all purposes, so that they cannot be recovered. There may be one or two offences that we consider sufficiently serious that records for them should be kept—for example, sexual interference with a person—but an awful lot of them should be written off properly. We used to have a statute of rehabilitation, but we seem to have forgotten that. Moments of madness now live with you for ever. We have to think about that. It is underlying aspect of my thinking on this. I shall talk about the principles that worry me.

Next Section Back to Table of Contents Lords Hansard Home Page