Previous Section Back to Table of Contents Lords Hansard Home Page

This brings me to my next point: people who should never be on these databases. The number of children on the DNA database has risen from 8,484 in 1995-96 to 179,441 in 2006-07—a 21-times increase. About 160,000 young people aged between 10 and 17 were added to the National DNA Database last year after being arrested for the first time, of whom at least 81,000 were innocent. There are at least 105,000 innocent 10 to 17 year-olds on the database in total. All these young people will have their DNA profiles kept permanently on the computer. Many adults who have

12 Jun 2008 : Column 737

been arrested on suspicion of sometimes very minor offences, but never charged, are on the database, and some do not even realise it. The children’s database ContactPoint is a matter of concern not because it is inappropriate for professionals to share information about children who need services but because of its size, universality and questions about the lack of security. It should never replace meaningful discussions between professionals and lead to complacency that the job has been done.

I now turn to the lack of security and the consequent loss of privacy and cash by individuals, as well as the economic cost to the state. Let us consider the cash first. In 2005, identity fraud cost the economy £1.5 billion, according to the Cabinet Office. The amount lost by individuals and companies to fraudsters reached £535.2 million during 2007. Although the introduction of chip and PIN has reduced card fraud on the UK high street, the increase was driven by a 77 per cent jump in fraud carried out abroad using cloned versions of cards that belong to British shoppers. Card fraud abroad rose from £90 million to £207.6 million last year—39 per cent of total losses. In the UK, card fraud rose 6 per cent last year, largely driven by “card not present” fraud. We have all been lured into buying something over the phone that we want.

To many of us, the loss of our personal information and privacy matters much more than mere money. There have been numerous high-profile cases. In December 2007, the Times downloaded banking information belonging to 32 people, including a High Court deputy judge and a managing director. Private account numbers, PINs and security codes were offered as tasters by illegal hacking sites. The Times found more than 100 websites trafficking British bank details; a fraudster offering to sell 30,000 British credit card numbers for less than £1 each; and a British “e-passport” for sale, although the Government insist that these are unhackable.

The News of the World disclosed in December 2007 that it had been handed two disks mislaid by the Department for Work and Pensions containing the national insurance numbers of 18,000 claimants. In February 2008, Skipton Financial Services lost an unencrypted laptop containing personal information on 14,000 customers. We have heard from my noble friend of a number of other cases involving banks and building societies. Haringey Council files, many of which were marked “Confidential”, were found in a squat in February 2008. The documents included the names, phone numbers, addresses, dates of birth, pay slips and bank details of more than 20,000 people. Local government is not immune from this problem.

The DVLA in Swansea in 2006 admitted that one-third of entries contained at least one error and that the proportion was getting worse. In December last year, the DVLA in Northern Ireland lost the personal details of 6,000 people and the details of 3 million theory test candidates. Southend-on-Sea Borough Council is reviewing its procedures after a laptop computer containing social service case notes on local children turned up on eBay in May. Marks & Spencer has warned 26,000 of its staff that their personal data are at risk following the theft of a laptop computer.

12 Jun 2008 : Column 738

It was revealed in December that sensitive details about adults and children were lost in 10 incidents at nine separate NHS trusts; this is particularly sensitive information. There was the loss of a CD with 160,000 children’s names and addresses by a trust in east London. In Norfolk, medical papers on patients with lung, breast and colon cancer were dumped in a wheelie bin. Only last month, a laptop computer holding personal and financial information on 10,000 NHS staff was stolen from a hospital in Cornwall. Some of these organisations cannot protect their own staff, let alone their own patients.

There have been lots of breaches of financial information. The Bank of Ireland lost four laptops containing unencrypted sensitive personal information about up to 10,000 customers. The Information Commissioner said that he had been told of 94 data breaches since November last year. The breaches included the loss of laptops, computer disks, memory sticks and paper records. Some were stolen, while others were lost in the post. The combination of the lost disks with 25 million people’s financial details, the 5,000 illegal immigrants cleared to work in the security industry and the 500,000 false names on the DNA database has convinced people that putting all their most private information in the hands of the British state might not be the best of way of keeping it safe and secure.

The database to beat all databases is the one behind the planned compulsory identity cards. The ID cards project is one of the biggest computer systems yet envisaged, far more complex than the NHS system. Apparently, iris scans, fingerprints and face-recognition software will all work perfectly and be amazingly cheap to implement, although, apparently, the noble Baroness, Lady Anelay, did not think so when she recently tested out the system in this building. I am not sure what it would make of my husband’s false eye and the rather startling coloured contact lenses that some young people wear these days.

The bigger the system, the greater the opportunity of failure. There is also the fact that databases pick up errors and then build data error upon error. Have noble Lords ever tried to get the spelling of their name corrected on a company’s database when some illiterate has got it wrong the first time that it was input? I am sure that your Lordships will understand that it has often happened to me, with a name like Walmsley. It is very frustrating.

It is not the ID card itself but the ID register that is the problem. What I am most frightened about is that each entry will eventually take on a legal status, even if it is wrong. I know somebody who flies around the world with a passport with his incorrect name on it. He has tried to get it corrected but the agency will not do it. Once it is fixed, it is fixed. Have noble Lords ever stood in front of anyone and told them their facts and had them say that the computer says something else? Why do they always believe the computer instead of a perfectly honest and trustworthy person who could have no possible reason to lie?

The really worrying thing is that the perpetrators of 80 per cent of all computer security lapses are not hackers but employees. This multiplies the dangers.

12 Jun 2008 : Column 739

People working on the ID database might be corrupted, threatened or blackmailed into creating perfectly legal ID cards for international terrorists and criminals. Then the ID card, far from eliminating problems, will be a one-stop shop for identity fraud and possible terrorist crime. Is it any wonder that we have no confidence in these databases? Even nine out of 10 doctors do not have confidence in the NHS system.

What would we on these Benches like to see? First, we believe in the primacy of the right to privacy and informational autonomy; we see a close relationship between that right and the liberty of the individual. Therefore, we believe that, while every reasonable step must be taken to detect crime and deter terrorists, infringement of those rights must be necessary and proportionate and be done to the highest level of professionalism and security. We believe in the principle of consent, with people fully informed about the information held on them and with appropriate rights to opt out in many cases and to correct wrong information.

Anyone who knows anything about human development knows how important the sense of self and personal autonomy is to the human race. The breaches to which we are subjected in this country today are of the most fundamental sort and go to the heart of a free society. I hope that today’s breach will be the fatal sword in the heart of plans for the national identity database and the stimulus for the rethink of the whole sorry mess that my noble friends and I have advocated today.

3.56 pm

Lord Kingsland: My Lords, first, I pay tribute to the noble Baroness, Lady Miller, who, in addition to introducing this debate, played an important part in defining the offences of deliberate or reckless mishandling of personal data in the late, and entirely unlamented, Criminal Justice and Immigration Bill.

It has to be accepted that the Government have an appalling record of negligence in the handling of retained personal data. The most graphic incident in recent times was reported to another place by the Chancellor of the Exchequer in November 2007 when he revealed that Her Majesty’s Revenue and Customs had lost personal data, including bank account details, relating to families in receipt of child benefit, affecting around 25 million people in total. Although the information that the disks contained was password-protected, they were not sent by registered or recorded delivery. As your Lordships have heard this afternoon, there have been many other examples, on a somewhat more modest scale, of equally meretricious conduct on behalf of government departments.

Those are the facts, and in my view one is led to the inevitable conclusion that these lapses flow from the low value that the Government place on the protection of personal data. That is certainly the conclusion to which the Joint Committee on Human Rights came in its report printed on 28 March this year. At paragraph 27 on page 14, the committee said that,

The report goes on to reflect on why that is so. It places responsibility in two areas: first, in the manner of legislating; and, secondly, in the nature of the relationship between the Ministry of Justice, the various departmental ministries and the Information Commissioner. On the first reason, I understand it has been the Government’s view that adequate protection is already provided to the citizen by a combination of Article 8 of the Convention on Human Rights and the various relevant articles in the Data Protection Act 1998. Consequently, the Government conclude there is no need for a detailed framework of primary legislation in each particular Bill which deals with personal data retention and distribution.

This attitude is a fundamental misreading of Article 8 which gives the citizen a general right to privacy. This right is qualified by various public interest factors such as public security, public health, public order and so on. The relationship between the general right and the particular way it is constrained will vary enormously, depending on the area of legislation and the kind of data we are talking about. The noble Baroness, Lady Walmsley, talks about data in relation to children; that raises quite different issues from, for example, DNA data. These issues should be dealt with discretely and specifically by a proper analysis by the Government of the way in which Article 8 works in each case.

The point is again made by the JCHR report at paragraph 20 on page 12. The committee says:

The second area addressed by the committee is the relationship between the Ministry of Justice, the individual departments and the Information Commissioner. It is plain, as a result of the evidence taken by the committee, that these relationships are in a state of deep occlusion. The Minister of State at the Ministry of Justice was interviewed by the committee. It summarises, at paragraph 24 on page 13 of its report, what the honourable gentleman, Mr Wills, believes is the nature of his ministry’s task:

12 Jun 2008 : Column 741

It is plain that, operationally, the view of the Ministry of Justice is that responsibility for these matters really lies with the individual departments.

Mr Wills went on to explain that, more generally, apparently, individuals called human rights champions are located in every government department grade 3 level; and, later, evidence was given to the Joint Committee by an official that each department had an action plan for the delivery of in-house training to front-line staff. When representatives of the Information Commissioner were interviewed, they appeared to be totally unaware of such a network. The Joint Committee concluded at paragraph 34 that it had,

In view of this confused picture, the JCHR concluded that the Information Commissioner needs a much enhanced role in this area. At paragraph 39 on page 17, the JCHR makes the following observation:

I should like the Minister to address himself to that conclusion of the committee and tell us whether he agrees with it.

Finally, I turn to the Government’s draft legislative programme outlined in May in which, among many other things, is proposed a communications data Bill. It appears that Home Office officials are considering a database that would record all e-mail and telephone communications in the United Kingdom. Can that really be true? If it is, it is a matter of deep concern to the Opposition and, I suspect, to those on the Liberal Democrat Benches. How can such a proposal have emerged, even if, on due reflection, the Government think again?

Why do the Government have so much difficulty with this area of individual rights, personal data rights? Is it because as a party for so long their focus has been not on the individual but on the collective—and they find it exceedingly difficult to adjust to the idea of privacy and the protection of personal data? The Government have lost an enormous amount of ground in this area and, in a very traditional Victorian image, they need to pull their socks up.

4.08 pm

The Parliamentary Under-Secretary of State, Ministry of Justice (Lord Hunt of Kings Heath): My Lords, it is a great pleasure to respond to yet another fascinating and highly informed debate. Little did I guess at the beginning that I would be able to debate collectivism and all its joys with the noble Lord, Lord Kingsland, but of course we are new Labour now, so I shall desist. I echo his remarks in thanking the noble Baroness,

12 Jun 2008 : Column 742

Lady Miller, for giving us an opportunity to debate this most important subject, and pay tribute to her work on the late but, I would say, beloved Criminal Justice and Immigration Act and her formidable and persuasive powers, combined with the rather difficult deadline we were up against on the protection of personal data. I have to congratulate her on her timing for this debate which, as we have seen from the Statement, brings home to us the importance of the integrity and protection of data. The noble Lord, Lord Kingsland, suggested that this Government are less concerned with the individual protection of personal data but, far from that, I very much share some of the concerns that have been raised. I in no sense seek to mitigate or underestimate the genuineness of those concerns. The noble Lord, Lord Roberts, and the noble Baroness, Lady Walmsley, gave some very powerful examples of some of those matters, and I listened with great enjoyment to the interesting comments of the noble Earl, Lord Erroll.

I suppose that the heart of the debate is the question, which has sometimes been suggested, about us being in some kind of surveillance society and the fears that come from that. It is interesting that the noble Lord, Lord Kingsland, quoted from the JCHR report. I read the recent Home Affairs Committee report of 9 June with great interest; it looked at this whole question of whether we have a surveillance society. It said:

It was a balanced and mature conclusion and one which, I suspect, all Members of this House agree with. That there is a sense that we are catching up with a massive social and technological advancement, which we have seen in the last few decades, is not in doubt. It is not surprising, but none of us quite knows exactly how we do that and where to get the right balance. I am clear that the Government are not in the business of storing and sharing information simply for the sake of it. There has to be a purpose.

There is much to be gained from the proper use of the data, to which noble Lords have referred, but there has to be a balance between the positive outcome of much of that data use with proper respect for the individual’s privacy. We have a sound legislative framework to preserve that balance, through the Data Protection Act and the Human Rights Act. We will be informed by the representations made by the reviews taking place, on which I will respond in a few moments, but we have the essential foundation right.

The noble Lord, Lord Erroll, raised some important issues, including anonymisation potential and our regulatory culture. He also raised the issue of the regulatory council—the culture of uniformities, as he described it, versus flexibility. He particularly related it to the use of information. I will just say to him that the Hampton review propounded the concept of proportionate regulation. My experience is that that is

12 Jun 2008 : Column 743

informing most regulatory bodies. I am going to take a punt and really champion the Health and Safety Executive—not the most popular of agencies, but one which has come under considerable criticism recently for not prosecuting enough people. That is an example of a proportionate regulator that wishes to put most of its emphasis on working with people to improve their health and safety regimes, reserving prosecutions for the most serious offences. That is appropriate and proportionate regulation. I understand the comments the noble Lord made about RIPA. There are currently 795 authorised public authorities, including 474 local authorities. On the one hand, this is a very valuable tool for the investigation and prevention of all crime; on the other hand, I understand the concerns about the way some authorities are using it. Noble Lords will know that a new code of practice for the acquisition of communications data came into effect in October 2007 which gives much clearer guidance. We are committed to working with the police and other public authorities to create awareness of why and how such data should be used, which is only, of course, in a lawful way.

A number of other databases were mentioned. On ContactPoint, the noble Baroness, Lady Walmsley, while raising concerns about the amount of data, did not argue against the principle. The Climbié report detailed up to nine public authorities, all of which had information which, if it had been properly shared, might have saved Victoria Climbié’s life. It was a very powerful message. It is, however, clearly important that the security of data within ContactPoint is maintained to a very high level. When I was in charge of the NHS IT programme, we had a lot of discussions with officials in ContactPoint to make sure that the levels of security were commensurate. On the NHS IT programme, I understand the sensitivity of personal health data held about us by a system as large as the National Health Service, but there is a huge potential in this programme. We have already seen it with X-ray data exchange. The Department of Health is criticised for the delays that have occurred but much of that delay is about needing to take people with it to assure people and give them confidence about the integrity of the data that are held.

The noble Baronesses, Lady Walmsley and Lady Miller, and others raised the issue of the national DNA database, but it has had a very positive, powerful impact on the number of crimes detected. The courts have recognised that the retention of samples and DNA profiles involves a triangulation of interests. The privacy of those subject to DNA data is important but also the purpose of criminal law to permit everyone to go about their daily lives without fear of harm to person or property. Getting the balance right is vital.

The issue of the national identity scheme has been raised. We could have many hours’ debate on that. The Identity Card Act 2006 has very strong provisions about unauthorised disclosure. Maintaining confidence in the integrity of the process, the efficiency and the protection of data will be very important to any successful implementation. There are concerns about how much closed circuit TV is used but again, where it is used efficiently and the right systems are in place, it has proven to be hugely important in the investigation of serious crimes. Again, getting the balance right is very important.

Next Section Back to Table of Contents Lords Hansard Home Page