Previous Section Back to Table of Contents Lords Hansard Home Page

More importantly, perhaps, is that the Government are not, I believe, an inflexibility on this issue. I agree with the noble Lord who has spoken that it is not sensible to have a partisan approach to these issues. They are of such a scale that it is more effective if we are of one mind about what needs to be done rather than simply to poke holes in each others’ cases.

I have to say that I was considerably impressed by the final report, produced last June by the Cabinet Secretary, Sir Gus O’Donnell, Data Handling Procedures in Government. There seemed to be little wrong with

2 Apr 2009 : Column 1185

what was proposed in those procedures. What we have yet to know, and it is the most important question, is how they will be implemented in practice.

It was said at the time that the intention was to describe the implementation of the principles enunciated in that central report in an annual report by the Cabinet Office to Parliament. They included the use of encryption and penetration testing of systems, standardising and enhancing management of information risk, and identifying individuals in the departments and public agencies who would be personally responsible. They also promised quarterly risk assessments within the department, mandatory training for staff and, perhaps most importantly for this House and another place, privacy impact assessments when new policies or processes are being considered.

It was also generally concluded that greater scrutiny and monitoring, including of information risk, were required in statements on internal control which would be made available to the National Audit Office and the Information Commissioner. Furthermore, it was recognised that there needs to be very great transparency about these matters in annual reports to Parliament. A number of other things have happened since then, including the recognition that the Information Commissioner should have the power to carry out spot checks on public departments and agencies, but alas not in line with the recommendation of the Constitution Committee. Such powers have not been considered yet for extension to the private sector. In the light of the evidence that has been accumulating of such things as blacklisting of workers who are held by employers to be unsuitable for employment and the trading in such information, there is good reason to believe that, notwithstanding the cost of these inspections, it would be appropriate to give consideration to extending the right of intervention beyond the public sector.

As the noble Earl, Lord Northesk, made plain, everyone who reflects on these matters is aware of the value of information in policy making. It is certainly right that we should not bring that to a halt, but it is also right in parallel to consider on every occasion the implications for privacy of the extension of these developments. Since the development of technological capability is proceeding at such a pace, we have a duty to consider processes that enable a very full understanding to be enjoyed by the decision-makers and proper accountability for the amplification of this process, particularly the process of sharing information for purposes that were not intended when it was collected and which are not strictly the reason for the data being stored. It is right to ask what the Government’s thinking is about that cross-use of information and whether a system of opting in and opting out by the individuals affected might be both practical and desirable.

I recently heard the Minister dismiss the Joseph Rowntree report in an answer. I do not want to exaggerate, but his response suggested that he doubted the methodology. That being so, we have to ask him how he proposes to view the findings of the Joseph Rowntree Reform Trust, because it was a powerful report. Its findings indicated that a very large number of the systems that are in place would not pass muster if they were tested against the Data Protection Act, never

2 Apr 2009 : Column 1186

mind the Human Rights Act. The trust said that 11 of 46 database projects examined almost certainly breached human rights legislation and 29 systems were considered problematic, including having legal problems. I imagine that very few of us will have done any serious trawling over the precise examples that the trust gave. I have not done so myself. None the less, that is a significant charge by a body that consisted of significant specialists in the area with strong not merely academic but commercial backgrounds in the field. The individual challenges that have been made by the trust need to be examined and answered, because I know that it is not the Government’s intention that their practices in this sphere should run counter to the legislation, which they themselves are responsible for enacting and, in some cases, modifying in the light of experience.

Speaking of the legislation which the Government have enacted, I very much hope that the Minister will take the opportunity of this debate to explain what the Government regard as necessary and proportionate in evaluating the “holding of data protection”, those being the words from the jurisprudence of the European Court of Human Rights. Another point made by the Constitution Committee of this House was that the Government should give a clear definition. That is right because what is necessary and proportionate can vary very much from one department to another. It is quite clear that, in seeking to prevent crime, the Home Office will have a very different view of information from that of the Department for Work and Pensions. Consequently, we need clarity about the criteria being applied across the board if data is to be shared across the board.

There are wider questions about whether data should be so shared. A number of bodies, including some in this House, have recommended that it is a mistake to seek to accumulate data right across government and to centralise it and that it is better for it to be held locally. Those arguments need to be addressed and consideration needs to be given to whether locally accumulated evidence cannot also be useful centrally, perhaps with some of the personal information extracted from it, so that the proper concerns of the public about invasion of privacy are addressed.

I wish to put a number of other questions to the Minister in this relatively brief intervention, considering the scale of the subject. I wonder whether the Government can give any information about their intention to put communication data, concerning e-mails, telephone communication and the internet, on a large, centralised database. The general expectation about an anticipated Bill has given rise to considerable concern because it is widely recognised that those who access these things can scan people’s life histories with very little advantage accruing to the individuals but much accruing to those who want to advertise.

I would like to ask the Minister whether the Government will think again about the response made some time ago to the recommendation of the Joint Committee on Human Rights and whether, when they propose to extend their data collection in a particular sphere, they should include that proposal in amendable primary legislation rather than in subordinate law. I have heard and read the arguments about the need for

2 Apr 2009 : Column 1187

flexibility. The trouble with subordinate legislation is that you take it or you lose it and it is not really the best way of ventilating concerns on a complex issue of this kind. I know that things are moving rapidly, but that is part of the general public concern. There is a real need to reassure the public that these matters are taken seriously by all political parties and that we are anxious to build in procedures which enable us to anticipate the difficulties and the intrusions into privacy which may arise.

12.04 pm

Lady Saltoun of Abernethy: My Lords, on Saturday 14 March there appeared on the front page of the Daily Telegraph as the principal news item the headline:

“Trips abroad to be logged”.

The report continued:

“Every holiday, Channel hop or sailing weekend must be registered in advance ... The travel plans and personal details of every holidaymaker, business traveller and day-tripper who leaves Britain are to be tracked by the Government ... Anyone departing by land, sea or air will have the trip recorded and stored on a database for a decade. Those leaving from any international station, port or airport will have to supply detailed personal information as well as their travel plans. So-called ‘booze cruisers’ who cross the Channel for a couple of hours to stock up on wine, beer and cigarettes will be included. Weekend sailors and sea fishermen will have to comply if they plan to travel to another country, or face possible criminal prosecution. The owners of light aircraft will also be brought under the system, known as e-borders, which will eventually track 250 million journeys annually. Even swimmers attempting to cross the Channel and their support teams will be subject to the rules. Travellers will have to supply information such as passport and credit card details, home and email addresses and exact itineraries”.

The Government propose that these rules might apply to the Crown dependencies, such as the Isle of Man and the Channel Islands, as well as Northern Ireland, but after yesterday’s defeat of the Government in this House, I do not know how that stands, and I doubt whether they do.

There are no prizes for guessing what all this is supposedly in aid of. It is for catching terrorists—catching at the ports, or wherever, suspects whom the security services are supposed to be keeping an eye on, but have not kept a sharp enough eye on. Rather than focus on the people they need to catch, the Government propose a blanket screening of everyone. It is part of the e-borders programme. I can understand the usefulness of keeping tabs on people coming into this country, but to log every single inhabitant of Britain who goes on holiday seems to me to be a log too far. I, and I expect some of your Lordships, should like to know how much all this is going to cost.

I have a letter from the noble Lord, Lord Bach, in which he tells me that it is not the case that travellers will have to apply for permission to travel or to submit an itinerary, as reported by the Daily Telegraph, but that the information will be collected from booking agents, who will have to ask travellers for their passport details and to provide such other information as they may possess, like telephone numbers, e-mail addresses and credit card details. I am sure that your Lordships would be delighted for the Government to hold their credit card details, since their record of keeping personal data secure is nothing short of abysmal. As most people buy travel tickets with credit cards nowadays,

2 Apr 2009 : Column 1188

the booking agents are very likely to have the details. Details of baggage are also requested, including the number and description of pieces. I wonder what that means—Vuitton or Marks & Spencer?

All this is in the Immigration and Police (Passenger, Crew and Service Information) Order 2008, which concerns information required about people coming into this country. Can the Minister kindly tell the House under what order these regulations are to apply to people leaving this country—that is, emigrants? The order that I have just referred to concerns immigrants.

Once upon a time, not so long ago, this was a wonderful country to live in. Our ancient freedoms, fought for for nearly 800 years, were the envy of the world. And what has happened to them? Habeas corpus, dating from 1215, has been severely curtailed. The presumption of innocence has been eroded. Freedom of speech and pen is only permissible as long as your views are politically correct. Our e-mails and the internet sites we visit on our computers are tracked by the security services. The police and certain petty officials may break into our houses. A lot of this appears to be cribbed from the German Reichstag Fire Decree of 1933. When thieves break into our homes, we are not allowed to hurt them, whatever they may do to us. We have to get permission to make comparatively minor alterations to our homes. Health and safety rules interfere with everything we do, even the temperature of our bathwater. I could go on.

Much of that emanates from the boys in Brussels. Then very soon we are all to have identity cards and, while the information on them to start with will be fairly basic, the Government have not ruled out adding more personal details at a later date: see the answer of the noble Lord, Lord Brett, to the noble Baroness, Lady Hanham, last Thursday. The travel-based database, on top of all the rest, is too much. Britain is getting more and more like Soviet Russia before glasnost, and a totalitarian Government—which no country is completely safe from—will find everything already in place for total control. I think the terrorists have won.

12.10 pm

The Lord Bishop of Chelmsford: My Lords, this is a welcome and timely debate and I join others in thanking the noble Earl for offering it to us. It is no good being luddite about modern communication systems. Government at all levels is not only bound to make full use of them but has a duty to do so because citizens have a right to the best possible service from public authorities. The benefits are multiple. Such systems help bodies such as the National Health Service to fulfil its primary purpose of care and are crucial to research in disease, the monitoring of public health and the protection of patients.

I suspect that the public widely accept the need for information collection—the collection of DNA or the use of cameras, for example—for law enforcement and for the safety and security of the citizen. However, we know that there are costs: the unnecessary gathering of personal information; overloaded and insecure systems; and data being inaccurate and out of date. There is also the persistent problem of security, as we have seen in recent times. That is why I believe that it would help

2 Apr 2009 : Column 1189

us enormously if the Government would set out the principles and values that will always underpin their use of modern information systems and data gathering and continually affirm what is set out in the Data Protection Act and such places as Article 8 of the ECHR.

At the centre of this is a contract between the citizen and the public authorities. If I want the National Health Service to provide me with a service, I must accept that it will need information about me that helps it to provide what is needed. Matters concerning the life of each of us as individual citizens are of course the property and responsibility of the person concerned. We do not hand over those property rights to the state. The contract must be clear that the information held by the service will be used for the purposes for which it has been given and by persons with a direct interest in the service offered. If I am to have confidence in the service holding that information, I must be assured about its confidentiality and security. I have no difficulty in the information being widely used, provided that it stays within the broad framework of the service.

Inevitably with modern systems there will be a lot of data held without direct consent. Much of this, as with the 2009 data retention regulations, is concerned with security and tackling crime. However, we need publicly known, understood and accepted regulation of such systems, which needs to protect the privacy of the individual and to reassure the public that no abuse of power is either intended or possible. For example, I will be interested to know from the Minister the Government’s response to the July 2008 Data Sharing Review Report from the Information Commissioner and Dr Mark Walport, which I think proposed that the commissioner should be given a statutory duty to produce a code of practice on data sharing and to issue context-specific guidance on its consistent application. That is the sort of field that we need to be in.

That leads me to talk about transparency and accountability. These two are inextricably linked. If the authorities are clear about who and what is involved, where information is held and what the values and rules are under which all this happens, then real public accountability is possible. I assume that the Information Commissioner has a key role and needs the powers necessary in assuring us of that accountability.

My last point—my contribution is at a more general level in this debate—concerns what is manageable. The problem with modern communication systems is that we think that they will do it all for us, so increasingly vast sums of money are poured into them and there are growing levels of frustration as complex and massive systems do not work as well as had been hoped. We do not ask: what are the boundaries around what can be delivered through these systems? Therefore, not only must we be clear about the potential benefit that any new system will bring but we must also be clear that it can be managed and delivered and that it will be safe.

As all of us know in the organisations of which we are a part, it is all too easy in complex modern democracies for powerful state bodies, for perfectly good reasons, to launch new systems, only for us all to

2 Apr 2009 : Column 1190

wake up and realise that questions about the rights and liberties of the citizen have not been addressed but are looming ever larger and undermining public confidence. That is why I believe that we need to affirm the contractual nature of this issue: the need for clear and publicly stated values and principles, for openness and effective accountability, and for systems that we can both manage and have real confidence in. In that way, we can make full use of the benefits of contemporary communications and information systems, thereby strengthening the capacity of public services to deliver good services to the people and strengthen our common life in our society.

12.16 pm

Baroness Neville-Jones: My Lords, I join those who have already thanked my noble friend for securing this important and timely debate. I wish to say how much I agree with the powerful points that he made.

As the contributions to the debate have already shown, all sides of your Lordships’ House are well versed in and understand the argument that the collection and retention of personal data are necessary for the efficient running of public services, and to aid our security services and the police in the fight against terrorism and serious organised crime. However, as has also been said, unchecked this justification is leading to an exponential increase in the amount of personal information that is collected, retained and accessed by all manner of different bodies. The Information Commissioner has said that personal information has become the “lifeblood” of government and business, and that is certainly the case, but it is also true that this can be tolerable only if the information is used properly and intelligently.

My noble friend mentioned the report produced by the Joseph Rowntree Reform Trust called Database State. It assessed 46 of the UK’s national databases and found that fewer than 15 per cent of them were effective, proportionate and necessary with a proper legal basis for any privacy intrusions. That in itself seems to be quite a statement of the rocky basis on which a lot of present practice now sits. Tellingly, it also found a quarter to be,

because of problems with privacy and effectiveness. These included the National DNA Database and the national identity register. The report recommended that many centralised databases be scrapped or substantially redesigned—again, another point about the basis on which we are operating being rocky.

The Rowntree report is rightly critical of the centralisation of data in the UK. I look forward to the Minister’s conclusions on the report. I agree that some data—I stress “some”—need to be retained and collected. As a shadow Security Minister, I could hardly think otherwise. However, the data have to be stored securely and—the important point—only accessed by legitimate persons for legitimate reasons, under suitable controls and safeguards.

The process must be regulated by law on a detailed basis, not left to the exercise of executive discretion within the far-too-loose regulatory framework of RIPA. In establishing regimes for data collection and retention,

2 Apr 2009 : Column 1191

the Government have not given due regard to privacy or the need for public trust in three areas: the amount of data collected, how it is retained and how it is used. I fear that they are deservedly running into a high level of suspicion.

I will look at one matter with which the House dealt recently and on which further things should be said. I refer to the potential legislation on communications data. Last week, your Lordships’ House considered a statutory instrument that extended the range of communications data that must be retained by service providers, to include details of our internet access, internet e-mails and internet telephony. The Minister—the noble Lord, Lord West—was unable to tell us the meaning of the broad terms that the statutory instrument uses, such as “internet e-mail” and “communications data”, and the extent to which they would cover third-party applications. This is a technical point, but it is important and it affects our freedoms. We need to know the answer to this question and I beg the Minister to address the question of third-party applications.

It is also unclear whether it would be possible to distinguish between the content of a communication and the fact of its occurrence for internet protocols where these pieces of information are contained in the same data stream. This is a technical problem, because in practice, in this kind of data stream, the gap between the so-called envelope and the contents does not exist in the way that it does with other forms of telephony. There is a problem in distinguishing between these things, but it is a distinction on which the Government are relying for their reassurance that people’s rights to privacy over content will not be infringed without a properly processed warrant. If you cannot distinguish between these two things, you cannot protect content and may therefore be invading privacy without a warrant.

This means that we do not know how these regulations, which have now passed into law, will operate in practice. The Government have not been able to satisfy these Benches that last week’s statutory instrument did not create a vehicle through which the interception modernisation programme could be carried into practice without further primary legislation. The draft Queen’s Speech led us to believe that primary legislation would be forthcoming and that the powers contained in the SI would be transposed in a Bill of primary legislation. Instead, the SI has been transposed separately, and against the background of the Home Secretary having cast doubt in a recent speech on the need for primary legislation.

Are we going to get any primary legislation? The Government would do well to come clean on their intentions, since failure to do so obliges one to examine the scenarios that could develop without primary legislation. It is not hard to imagine a scenario—with or without primary legislation—in which, because of the vast quantities of information collected, and an inability to separate communications data from content, it would be argued that access must now be made more efficient by having a centralised database that holds the data in a standardised format. So, without Parliament ever having given its agreement, the Government could then come to hold a vast database of communications. In case the House thinks that I

2 Apr 2009 : Column 1192

am engaging in a flight of fancy, can the Minister confirm the accuracy of reports that a prototype of a centralised database for communications data is under construction? It is vital that he answers this point in his response.

If such a central database were to come into existence, it could be interrogated using data-mining technologies, pattern recognition and deep packet inspection. I am aware of the arguments used in justification for this: for instance, that it would increase the chances of successful pre-emption of crime. That may be so, although we do not have proof of this thesis. However, it is clear that there is a counterpart downside: access so easy and so extensive would carry with it a loss of governance and system control. It could get us very near being treated as guilty unless and until proven innocent.

Next Section Back to Table of Contents Lords Hansard Home Page