|Previous Section||Back to Table of Contents||Lords Hansard Home Page|
Baroness Morgan of Drefelin: My Lords, I thank my noble friend for that question. I believe that my right honourable friend was trying to make it clear in his Statement that, although there was a breach of the rules, that was not because the document was taken outside the premises. It is extremely rare that such documents should ever be taken from specified secure government premises. The point is that, if such a rare occurrence were to be required, clear authorisation should be sought in advance and there should be specific compliance with security procedures around the removal of such a sensitive document. It is true
12 Jun 2008 : Column 723
Lord Roper: My Lords, I have two questions. The first is about the conversations that the Cabinet Office had with the BBC on Wednesday afternoon. It appears from the Statement that the BBC was requested only not to broadcast the documents contents. Does that mean that the Cabinet Office agreed that it could make reference to the fact that it had the documents in its possession, and could those documents have been covered by a D-notice? My second question goes back to an issue raised by the noble Baroness, Lady Neville-Jones, on our relations with our allies. From what we have heard on the BBC, these documents were caveated for the eyes only of citizens from certain countries. That has serious implications for our relations with those countries. I would be grateful if the Minister could reply to the question put to her by the noble Baroness.
Baroness Morgan of Drefelin: My Lords, our allies have of course been informed of the breach of security. They were informed on Wednesday and they have therefore had the opportunity to take whatever steps they feel are right. I am not sure whether I have made it clear so far, but those that we have informed to date include the US, Canada and Australia. The documents content was covered by a DA-notice but what the BBC said was not, so we communicated to the BBC that we would prefer that it did not broadcast. As the noble Baroness, Lady Neville-Jones, pointed out, it has complied to date with our request.
Lord Clinton-Davis: My Lords, will my noble friend comment on the suggestion that there should be an interim report? It is vital that Parliament should be informed on such an important subject. If there is to be an interim report, when can we expect it?
Baroness Morgan of Drefelin: My Lords, I am going to disappoint my noble friend. It would not be appropriate for me to place a timescale on Sir Davids work. I do not want to second-guess what my right honourable friend will say, but the Government would want Sir David to have the opportunity to undertake a full investigation and we should give him the opportunity to do that without creating an undue restraint. As I said, my right honourable friend has said that Parliament will be kept informed and I will ensure that noble Lords are, too.
Lord Glenarthur: My Lords, I apologise for not being in at the start of the noble Baronesss repeating of the Statement. Will she say whether the documents that were found were original or photocopied and whether they were numbered? I have had some experience of dealing with such documents and I wonder whether at this stage she knows the answer to those questions.
Lord McNally: My Lords, the noble Baroness, Lady Neville-Jones, referred not only to the political damage but also to the fact that such documents could be life-threatening because of the information that they contain. The Minister used the word authorisation on a number of occasions. It is mind boggling that such information can so casually be taken out of more secure areas. When she talks about authorisation, is there an established procedure? Does an officer who wishes to take information home ever so rarely have to have a countersigned authorisation from a senior member of the department? Is there a set procedure and is it part of the investigation whether the set procedure was followed?
Baroness Morgan of Drefelin: My Lords, I make it clear to the House and the noble Lord that the set procedure was not followed: the rules were broken. The reason why we have asked Sir David to undertake an investigation is that we want to offer reassurance that we do not take this matter lightly. Had the rules been followed, I am convinced that this would not have happened. There are strict protocols about how information of such sensitivity can be taken out of secure government premises. Let me be absolutely clear: the rules have been broken.
Lord Norton of Louth: My Lords, it is clear that rules have been broken. There has been an unauthorised removal of papers, which shows that there is a problem with the rules themselves if the papers can be withdrawn. Does this not show that the Cabinet Office has less security than the average supermarket? If we walk out of a supermarket with something that we should not have, it can set off an alarm. It is possible to tag papers so that they set off an alarm if they are being removed from a secure area. Rather than waiting for an interim report, should we not, given the nature of the problem, be pursuing something like that, which could be implemented fairly quickly?
Baroness Morgan of Drefelin: My Lords, the Cabinet Office is not placing any constraints on Sir David Omands investigation of the circumstances of this extremely regrettable breach and I do not want to second-guess what he might want to look at. I am sure that your Lordships will have heard what the noble Lord has to say.
Baroness Miller of Chilthorne Domer rose to call attention to the volume of personal data collected and retained by governmental agencies and private companies, and the protection of personal data and privacy; and to move for Papers.
The noble Baroness said: My Lords, this debate could not be more timely. Perhaps that is my good luck and the Governments bad luck. We and the public have just been shocked by yet another catastrophic example of data loss, where literally millions of the records that individuals have entrusted to the state have gone missing. The case in the Statement concerned state security, which is slightly different but potentially more serious. I am going to concentrate on the affect that these losses have on individuals, on their confidence in giving data to the state and on the states responsibility for looking after that data properly.
At the moment, the UK probably leads the developed world in data loss. The point of the debate is to ask the Government what tools are in place to prevent that loss, whether they are using them and what more tools are needed. We on these Benches believe that the culture must change dramatically before losses of this magnitude stop occurring. As the Minister will know, because he agreed to it, we succeeded in getting a change to the Criminal Justice and Immigration Bill that gives the Information Commissioner more powers to deal with reckless and careless losses. It is a small step which needs to be followed by many others.
In the debate, we will call for an urgent updating of the Data Protection Act, which is 10 years old. In that time there have been phenomenal technological changes and it is not surprising that neither legislation nor thinking have kept pace. It was timely for this debate that last Tuesday an exhibition in Portcullis House showcased some of the advances in both the private and government sectors. I expect the Minister visited the exhibition. I certainly met his counterpart from the other place there and we had an interesting discussion. We are all agreed that the public have the right to expect that government agencies which demand their data, and private agencies which request personal data, should have systems to keep them safe and staff who are well aware of how best to use such safeguards. Legislation is certainly not the only answer; there must be a widespread cultural shift across public and private sectors.
Going back into history, it was in 1965 that George Moore, a co-founder of the giant computer chip manufacturer Intel, made a prediction: he said that information technology would grow, and continue to grow, at an exponential rate and would herald a revolution in human, social, political and commercial life. He was absolutely right. The increasing ease with which data can be collected, stored and processed presents countless new and exciting opportunities. I am not suggesting that we should not welcome this but, as more and more data and information relating to us are collected and stored, protecting the security of that information becomes ever more difficult. A real tension emerges between engaging with the opportunities offered by these new technologies and ensuring that any information that is collected, stored and processed is treated with due regard to its sensitivity. That tension is most pronounced in e-government, which is convenient and efficient when it works and disastrous when it does not.
The introduction of ContactPoint, otherwise known as the Childrens Index, about which my noble friend Lady Walmsley will speak, provides a database of every single child in England and Wales. Spine, the NHS central medical record database, represents a dramatic widening of the circumstances under which the genetic information of individuals may be retained. And, of course, there is also the proposed national identity card scheme.
Data are also collected as part of CCTV operations, cameras record us in our cars in the street, satellites watch over our homes, police helicopters operate face-recognition technology above crowds and technology now exists which allows tiny drones to swoop in and photograph indoors. I must ask the Minister whether recent reports are true that the Government are considering the construction of a database which will hold details of every phone call made and every e-mail sent by the public, allegedly as part of the fight against crime and terrorism, although that might be part of the wilder imaginings of the press.
Mass data collection and retention are not the sole domain of government. The private sector has been years ahead in seeing the commercial potential in data collection. However, collection is one thing but the problems arise in its retentionhow is it stored, how is it accessed and by whom? Even the technology that I understand and usethe memory stick, for exampleallows vast amounts of data to be downloaded in one place and removed to another, just as we were talking about in the Statement. More sophisticated is the collection of information by Google, for example, in developing targeted advertising. There are all kinds of technological advances which are hard to grasp.
I was talking with the chief executive of Phorm this week who told me that once something is stored you have lost control over it. Phorm has been the subject of an interesting article in the Economist recently which some of your Lordships may have read. It is a company on the cutting edge of what can protect the public. A bit of controversy surrounds its work because, with its client BT, it intercepted peoples online business without BT customers knowing. But Phorm is certainly correct when it says that if consumers knew what was actually stored they would decide to opt for true anonymity online. This is what Phorm is trying to develop with major telecommunications clients on a global scale.
The focus should now be on what is stored and how because once there is a breach it is too late. A robust assessment of new databases and other initiatives could be effected through the use of privacy impact assessments, which, essentially, are privacy specific audits, which identify areas of e-government but have the potential to conflict with the provisions of data protection legislation. These are in their infancy in Europe but are commonplace in Australia and Canada and, to a lesser extent, in the US. I ask the Minister whether PIAswhich have been warmly welcomed by the Government, who have acknowledged that they can be useful in maintaining the balance between the needs of todays society for more information to be shared and protecting privacyhave been conducted in any aspect of e-government. As far as I can establish,
12 Jun 2008 : Column 727
I am sure the Minister is aware that some use of online data is absolutely disgraceful. The worst private sector example that I have come across recently is the utterly pernicious national staff dismissal register. I know my noble friend Lord Roberts of Llandudno will make some remarks on this new development and so I will simply say that this new database, where tittle-tattle, rumour and potentially defamatory material concerning ex-employees can be stored for access by other prospective employers, is a dangerous development. We on these Benches take business crime seriously but there is a court system to deal with it. A website which is run for profit and which is trying to take the place of the police, prosecution, judge and jury is a serious issue. I hope the Government will do something about safeguarding the interests of workers who have little ability to pay for expensive access to the courts in order to do something about it.
Of immediate public concern, too, is the HM Revenue and Customs debacle last yearthis has been referred to on numerous occasions in your Lordships Housewhen the records of 25 million people were lost in the post. There have been further incidents of significant losses from the DVLA and the MoD. In the context of data mismanagement, the public do not have the confidence that they need to feel if the Government are going to take their next step in e-government. That next step, which was demonstrated at Portcullis House in the exhibition on Tuesday, is centralised registration online guarded by secure access, along the lines of what noble Lords may be used to using with their online bank accounts. It sounds good and looks convenient, but if something goes wrong and it proves to be insecure it will be a total disaster. The fact is that nothing can be regarded as totally secure. Does the Minister agree with that?
One of the things the Government have tried to do is bring in data guardians. On the advice of Kieran Poynter of PricewaterhouseCoopers, who was commissioned to conduct the review into what went wrong at HM Revenue and Customs, the Government have appointed a number of dedicated data guardians charged solely with ensuring that large quantities of data, held by whichever department, are treated in compliance with good practice set down in the Data Protection Act. That is a welcome move. How is it progressing?
The Government also havethis was a surprise to mea dedicated Data Protection Minister, currently Mr Michael Wills MP. It was revealed, subsequent to the HMRC data loss, that the first he heard about that incident was when a Statement was made by the Chancellor in another place. Mr Wills candidly admitted that in the light of the Revenue and Customs data loss the Government are going to have to learn lessonsbut I am afraid it is part of his job to teach them.
I am not excluding the private sector. There have been some shocking examples of the misuse of data by a number of banks and companies entrusted with
12 Jun 2008 : Column 728
Where there is a demonstrable need to legislate to permit data sharing between public sector bodies, or between public and private sector bodies, the Governments intentions should be set out clearly in primary legislation. This would enable Parliament to scrutinise the Governments proposals ... and, bearing in mind that secondary legislation cannot ... be amended, would increase the opportunity for Parliament to hold the executive to account.
The Information Commissioner has made a good start in changing attitudes in all public bodies, but he is labouring, as I have said, under a rather outdated Data Protection Act. He is also pretty limited in his resources. Are the fees that the Information Commissioner can raise sufficient to deal with the volume of work that he now has to cope with? The regulator is charged with not only educating data controllers about their obligations but their compliance with the Act itself. I would be surprised if the resources that he was set up with were adequate for the job he now has to do. Arming the commissioner with new legal powers is essential. Although I know that by convention the Minister will not comment on what is going to be in the Queens Speech, it would be useful to know how urgent the Government feel that updating is.
I shall mention the situation raised in the European Parliament by my noble friend Lady Ludford, who is concerned about exchanges of passenger data and DNA from different European countries. She is concerned about the operation of the data retention directive, which is an effective and constructive dialogue that is very much needed, and the UK Governments contribution to that, particularly as our primary data protection legislation is derived directly from Europe.
In conclusion, the pace of technological advances has been ferocious. The benefits are great in convenience, but equal dangers or, probably, greater ones are posed by data misuse, theft or improper exploitation. The tools are not yet in place to give the public confidence in even what the public and private sectors hold now, and, as PFIs and partnerships allow more and more data to move between the two, any regulatory system must apply equally to both and be constantly reviewed. In the short term, money is far better spent on that than on creating an identity card system that brings further challenges. In the longer term, the far more technologically literate younger generation are those who should decide whether or not that should proceed. I beg to move for Papers.
One thing that interests me about this debate is how few people seem to be interested in it. That really worries me. This subject goes to the heart of a lot of things to do with the relationship between the citizen and the state, about which there are many highly independent Back-Benchers on both sides who get deeply upset. Because the debate has the word data in it, however, they do not see that actually this is the futureit is exactly the sort of thing that could tip the balance of power in the wrong direction if we do not get it right. That is why it is critical.
The House has just had a debate about youth justice, which unfortunately I was not able to take part in. What really worries me about that is what data are kept long-term. A year ago I became aware that both a reprimand and a caution are admissions of guilt to a criminal offence. You may say to a youth aged 14, Dont worry, its a reprimand, it will come off your record, but in fact it does not. They have a criminal conviction that stays on their record for life for the purpose of American or Australian visas. They can never work with the law. They can never get a job as a policeman, in the Army or as a teacher. That last situation depends slightly on the offence but, since we saw the other day that they were considering firing a headmaster for fishing without a rod licence, we can gather that, with regard to the relevance of the criminal offence to what you can do in the teaching profession, common sense has been suspendedas usual.
We need to worry about this. We are criminalising a generation of young people who will be completely disbarred from seriously useful professions in the future. Many of those people are the brighter ones. It is the people who are risk-takers, more outgoing and a little bit more punchy who get into trouble, and they are probably the people who you want as your leaders in the future. We need to look at how we expunge records properly, for all purposes, so that they cannot be recovered. There may be one or two offences that we consider sufficiently serious that records for them should be keptfor example, sexual interference with a personbut an awful lot of them should be written off properly. We used to have a statute of rehabilitation, but we seem to have forgotten that. Moments of madness now live with you for ever. We have to think about that. It is underlying aspect of my thinking on this. I shall talk about the principles that worry me.
|Next Section||Back to Table of Contents||Lords Hansard Home Page|