|Previous Section||Back to Table of Contents||Lords Hansard Home Page|
This brings me to my next point: people who should never be on these databases. The number of children on the DNA database has risen from 8,484 in 1995-96 to 179,441 in 2006-07a 21-times increase. About 160,000 young people aged between 10 and 17 were added to the National DNA Database last year after being arrested for the first time, of whom at least 81,000 were innocent. There are at least 105,000 innocent 10 to 17 year-olds on the database in total. All these young people will have their DNA profiles kept permanently on the computer. Many adults who have
12 Jun 2008 : Column 737
I now turn to the lack of security and the consequent loss of privacy and cash by individuals, as well as the economic cost to the state. Let us consider the cash first. In 2005, identity fraud cost the economy £1.5 billion, according to the Cabinet Office. The amount lost by individuals and companies to fraudsters reached £535.2 million during 2007. Although the introduction of chip and PIN has reduced card fraud on the UK high street, the increase was driven by a 77 per cent jump in fraud carried out abroad using cloned versions of cards that belong to British shoppers. Card fraud abroad rose from £90 million to £207.6 million last year39 per cent of total losses. In the UK, card fraud rose 6 per cent last year, largely driven by card not present fraud. We have all been lured into buying something over the phone that we want.
To many of us, the loss of our personal information and privacy matters much more than mere money. There have been numerous high-profile cases. In December 2007, the Times downloaded banking information belonging to 32 people, including a High Court deputy judge and a managing director. Private account numbers, PINs and security codes were offered as tasters by illegal hacking sites. The Times found more than 100 websites trafficking British bank details; a fraudster offering to sell 30,000 British credit card numbers for less than £1 each; and a British e-passport for sale, although the Government insist that these are unhackable.
The News of the World disclosed in December 2007 that it had been handed two disks mislaid by the Department for Work and Pensions containing the national insurance numbers of 18,000 claimants. In February 2008, Skipton Financial Services lost an unencrypted laptop containing personal information on 14,000 customers. We have heard from my noble friend of a number of other cases involving banks and building societies. Haringey Council files, many of which were marked Confidential, were found in a squat in February 2008. The documents included the names, phone numbers, addresses, dates of birth, pay slips and bank details of more than 20,000 people. Local government is not immune from this problem.
The DVLA in Swansea in 2006 admitted that one-third of entries contained at least one error and that the proportion was getting worse. In December last year, the DVLA in Northern Ireland lost the personal details of 6,000 people and the details of 3 million theory test candidates. Southend-on-Sea Borough Council is reviewing its procedures after a laptop computer containing social service case notes on local children turned up on eBay in May. Marks & Spencer has warned 26,000 of its staff that their personal data are at risk following the theft of a laptop computer.
It was revealed in December that sensitive details about adults and children were lost in 10 incidents at nine separate NHS trusts; this is particularly sensitive information. There was the loss of a CD with 160,000 childrens names and addresses by a trust in east London. In Norfolk, medical papers on patients with lung, breast and colon cancer were dumped in a wheelie bin. Only last month, a laptop computer holding personal and financial information on 10,000 NHS staff was stolen from a hospital in Cornwall. Some of these organisations cannot protect their own staff, let alone their own patients.
There have been lots of breaches of financial information. The Bank of Ireland lost four laptops containing unencrypted sensitive personal information about up to 10,000 customers. The Information Commissioner said that he had been told of 94 data breaches since November last year. The breaches included the loss of laptops, computer disks, memory sticks and paper records. Some were stolen, while others were lost in the post. The combination of the lost disks with 25 million peoples financial details, the 5,000 illegal immigrants cleared to work in the security industry and the 500,000 false names on the DNA database has convinced people that putting all their most private information in the hands of the British state might not be the best of way of keeping it safe and secure.
The database to beat all databases is the one behind the planned compulsory identity cards. The ID cards project is one of the biggest computer systems yet envisaged, far more complex than the NHS system. Apparently, iris scans, fingerprints and face-recognition software will all work perfectly and be amazingly cheap to implement, although, apparently, the noble Baroness, Lady Anelay, did not think so when she recently tested out the system in this building. I am not sure what it would make of my husbands false eye and the rather startling coloured contact lenses that some young people wear these days.
The bigger the system, the greater the opportunity of failure. There is also the fact that databases pick up errors and then build data error upon error. Have noble Lords ever tried to get the spelling of their name corrected on a companys database when some illiterate has got it wrong the first time that it was input? I am sure that your Lordships will understand that it has often happened to me, with a name like Walmsley. It is very frustrating.
It is not the ID card itself but the ID register that is the problem. What I am most frightened about is that each entry will eventually take on a legal status, even if it is wrong. I know somebody who flies around the world with a passport with his incorrect name on it. He has tried to get it corrected but the agency will not do it. Once it is fixed, it is fixed. Have noble Lords ever stood in front of anyone and told them their facts and had them say that the computer says something else? Why do they always believe the computer instead of a perfectly honest and trustworthy person who could have no possible reason to lie?
The really worrying thing is that the perpetrators of 80 per cent of all computer security lapses are not hackers but employees. This multiplies the dangers.
12 Jun 2008 : Column 739
What would we on these Benches like to see? First, we believe in the primacy of the right to privacy and informational autonomy; we see a close relationship between that right and the liberty of the individual. Therefore, we believe that, while every reasonable step must be taken to detect crime and deter terrorists, infringement of those rights must be necessary and proportionate and be done to the highest level of professionalism and security. We believe in the principle of consent, with people fully informed about the information held on them and with appropriate rights to opt out in many cases and to correct wrong information.
Anyone who knows anything about human development knows how important the sense of self and personal autonomy is to the human race. The breaches to which we are subjected in this country today are of the most fundamental sort and go to the heart of a free society. I hope that todays breach will be the fatal sword in the heart of plans for the national identity database and the stimulus for the rethink of the whole sorry mess that my noble friends and I have advocated today.
Lord Kingsland: My Lords, first, I pay tribute to the noble Baroness, Lady Miller, who, in addition to introducing this debate, played an important part in defining the offences of deliberate or reckless mishandling of personal data in the late, and entirely unlamented, Criminal Justice and Immigration Bill.
It has to be accepted that the Government have an appalling record of negligence in the handling of retained personal data. The most graphic incident in recent times was reported to another place by the Chancellor of the Exchequer in November 2007 when he revealed that Her Majestys Revenue and Customs had lost personal data, including bank account details, relating to families in receipt of child benefit, affecting around 25 million people in total. Although the information that the disks contained was password-protected, they were not sent by registered or recorded delivery. As your Lordships have heard this afternoon, there have been many other examples, on a somewhat more modest scale, of equally meretricious conduct on behalf of government departments.
Those are the facts, and in my view one is led to the inevitable conclusion that these lapses flow from the low value that the Government place on the protection of personal data. That is certainly the conclusion to which the Joint Committee on Human Rights came in its report printed on 28 March this year. At paragraph 27 on page 14, the committee said that,
The report goes on to reflect on why that is so. It places responsibility in two areas: first, in the manner of legislating; and, secondly, in the nature of the relationship between the Ministry of Justice, the various departmental ministries and the Information Commissioner. On the first reason, I understand it has been the Governments view that adequate protection is already provided to the citizen by a combination of Article 8 of the Convention on Human Rights and the various relevant articles in the Data Protection Act 1998. Consequently, the Government conclude there is no need for a detailed framework of primary legislation in each particular Bill which deals with personal data retention and distribution.
This attitude is a fundamental misreading of Article 8 which gives the citizen a general right to privacy. This right is qualified by various public interest factors such as public security, public health, public order and so on. The relationship between the general right and the particular way it is constrained will vary enormously, depending on the area of legislation and the kind of data we are talking about. The noble Baroness, Lady Walmsley, talks about data in relation to children; that raises quite different issues from, for example, DNA data. These issues should be dealt with discretely and specifically by a proper analysis by the Government of the way in which Article 8 works in each case.
We fundamentally disagree with the Governments approach to data sharing legislation, which is to include very broad enabling provisions in primary legislation and to leave the data protection safeguards to be set out later in secondary legislation. Where there is a demonstrable need to legislate to permit data sharing between public sector bodies, or between public and private sector bodies, the Governments intentions should be set out clearly in primary legislation. This would enable Parliament to scrutinise the Governments proposals more effectively and, bearing in mind that secondary legislation cannot usually be amended, would increase the opportunity for Parliament to hold the executive to account.
The second area addressed by the committee is the relationship between the Ministry of Justice, the individual departments and the Information Commissioner. It is plain, as a result of the evidence taken by the committee, that these relationships are in a state of deep occlusion. The Minister of State at the Ministry of Justice was interviewed by the committee. It summarises, at paragraph 24 on page 13 of its report, what the honourable gentleman, Mr Wills, believes is the nature of his ministrys task:
My responsibility is not for stopping any breaches of data protection personally, individually or even corporately within the department wherever and whenever they may occur. What this department is responsible for is the construction of a proper legislative apparatus which has proper protections in place.
Departments have operational independence to implement their own data protection arrangements, within the legal framework maintained by the Ministry of Justice, explained the Minister: we are not policemen in this department.
Mr Wills went on to explain that, more generally, apparently, individuals called human rights champions are located in every government department grade 3 level; and, later, evidence was given to the Joint Committee by an official that each department had an action plan for the delivery of in-house training to front-line staff. When representatives of the Information Commissioner were interviewed, they appeared to be totally unaware of such a network. The Joint Committee concluded at paragraph 34 that it had,
We see the Information Commissioner as an important defender of human rights in relation to data protection and freedom of information. His office should be regarded as an important part of the National human rights machinery. We support proposals to enhance the Commissioners powers and the resources at his disposal to ensure that he can discharge his responsibilities more effectively.
Finally, I turn to the Governments draft legislative programme outlined in May in which, among many other things, is proposed a communications data Bill. It appears that Home Office officials are considering a database that would record all e-mail and telephone communications in the United Kingdom. Can that really be true? If it is, it is a matter of deep concern to the Opposition and, I suspect, to those on the Liberal Democrat Benches. How can such a proposal have emerged, even if, on due reflection, the Government think again?
Why do the Government have so much difficulty with this area of individual rights, personal data rights? Is it because as a party for so long their focus has been not on the individual but on the collectiveand they find it exceedingly difficult to adjust to the idea of privacy and the protection of personal data? The Government have lost an enormous amount of ground in this area and, in a very traditional Victorian image, they need to pull their socks up.
The Parliamentary Under-Secretary of State, Ministry of Justice (Lord Hunt of Kings Heath): My Lords, it is a great pleasure to respond to yet another fascinating and highly informed debate. Little did I guess at the beginning that I would be able to debate collectivism and all its joys with the noble Lord, Lord Kingsland, but of course we are new Labour now, so I shall desist. I echo his remarks in thanking the noble Baroness,
12 Jun 2008 : Column 742
I suppose that the heart of the debate is the question, which has sometimes been suggested, about us being in some kind of surveillance society and the fears that come from that. It is interesting that the noble Lord, Lord Kingsland, quoted from the JCHR report. I read the recent Home Affairs Committee report of 9 June with great interest; it looked at this whole question of whether we have a surveillance society. It said:
We reject crude characterisations of our society as a surveillance society in which all collections and means of collecting information about citizens are networked and centralised in the service of the state. Yet the potential for surveillance of citizens in public spaces and private communications has increased to the extent that ours could be described as a surveillance society unless trust in the Government's intentions in relation to data and data sharing is preserved. The Home Office in particular and Government in general must take every possible step to maintain and build on this trust.
It was a balanced and mature conclusion and one which, I suspect, all Members of this House agree with. That there is a sense that we are catching up with a massive social and technological advancement, which we have seen in the last few decades, is not in doubt. It is not surprising, but none of us quite knows exactly how we do that and where to get the right balance. I am clear that the Government are not in the business of storing and sharing information simply for the sake of it. There has to be a purpose.
There is much to be gained from the proper use of the data, to which noble Lords have referred, but there has to be a balance between the positive outcome of much of that data use with proper respect for the individuals privacy. We have a sound legislative framework to preserve that balance, through the Data Protection Act and the Human Rights Act. We will be informed by the representations made by the reviews taking place, on which I will respond in a few moments, but we have the essential foundation right.
The noble Lord, Lord Erroll, raised some important issues, including anonymisation potential and our regulatory culture. He also raised the issue of the regulatory councilthe culture of uniformities, as he described it, versus flexibility. He particularly related it to the use of information. I will just say to him that the Hampton review propounded the concept of proportionate regulation. My experience is that that is
12 Jun 2008 : Column 743
A number of other databases were mentioned. On ContactPoint, the noble Baroness, Lady Walmsley, while raising concerns about the amount of data, did not argue against the principle. The Climbié report detailed up to nine public authorities, all of which had information which, if it had been properly shared, might have saved Victoria Climbiés life. It was a very powerful message. It is, however, clearly important that the security of data within ContactPoint is maintained to a very high level. When I was in charge of the NHS IT programme, we had a lot of discussions with officials in ContactPoint to make sure that the levels of security were commensurate. On the NHS IT programme, I understand the sensitivity of personal health data held about us by a system as large as the National Health Service, but there is a huge potential in this programme. We have already seen it with X-ray data exchange. The Department of Health is criticised for the delays that have occurred but much of that delay is about needing to take people with it to assure people and give them confidence about the integrity of the data that are held.
The noble Baronesses, Lady Walmsley and Lady Miller, and others raised the issue of the national DNA database, but it has had a very positive, powerful impact on the number of crimes detected. The courts have recognised that the retention of samples and DNA profiles involves a triangulation of interests. The privacy of those subject to DNA data is important but also the purpose of criminal law to permit everyone to go about their daily lives without fear of harm to person or property. Getting the balance right is vital.
The issue of the national identity scheme has been raised. We could have many hours debate on that. The Identity Card Act 2006 has very strong provisions about unauthorised disclosure. Maintaining confidence in the integrity of the process, the efficiency and the protection of data will be very important to any successful implementation. There are concerns about how much closed circuit TV is used but again, where it is used efficiently and the right systems are in place, it has proven to be hugely important in the investigation of serious crimes. Again, getting the balance right is very important.
|Next Section||Back to Table of Contents||Lords Hansard Home Page|