Surveillance: Citizens and the State - Constitution Committee


Examination of Witnesses (Questions 400-419)

Professor Angela Sasse, Professor Martyn Thomas and Dr Ian Forbes

27 FEBRUARY 2008

  Q400  Lord Lyell of Markyate: I was picking up your argument and it seems to me you are getting over-theoretical and that there are actually practical effects. Okay, if there are more in a middle class rich area than there are in poor areas, that is an argument for having more in poor areas too. It is not an argument for not having it at all.

  Dr Forbes: That is the fallacy of composition (to be theoretical). If I take a box to a football game because it will help me see over the people and then if everybody takes a box, I still will not be able to see over everybody. So merely displacing it, if you are not reducing it, is going to keep it moving around and keep happening.

  Q401  Lord Morris of Aberavon: May I tell you, as a former constituency member for many years, that the public are very pleased to have CCTV? I am pleased to have CCTV in the development where I live in London and we do not distinguish between violence, however you describe it, and car crime. May I ask you whether there has been a cost benefit analysis of street lighting and CCTV as regards to their effectiveness?

  Dr Forbes: Not a direct one.

  Q402  Lord Morris of Aberavon: Is that not important?

  Dr Forbes: The cost of street lighting is cheap compared with CCTV.

  Q403  Baroness O'Cathain: What about emissions and light pollution?

  Dr Forbes: CCTV uses light, it uses power, it uses people, it uses resources. By comparison, street lighting is relatively cheap. I agree that people want and like CCTV and if they want it and they like it, there is no reason why they should not have it. However, there is no reason for us to say to them that it will do things it will not; they think it will do, but it will not actually do. We cannot also give it to them and lie to them about it. We should say if they want it, they pay for it.

  Q404  Lord Woolf: Anybody would agree that in this country we are good at carrying out research as to the sort of things we are talking about and I am sure the benefits of the research would be very considerable and enable us to use our resources better. May I just come back to DNA? The situation with DNA is very different from what we have just been talking about with CCTV cameras. You look sceptical, but why I say that is that there are crimes which are almost impossible to prove without DNA where the man says "I never had sexual relations with the woman" and the woman, because of the nature of the crime, is in a situation where there is no external corroboration of what she says in many situations and therefore DNA can play a critical part. I am not saying that there is not still an evaluation to be done but that is a huge benefit. Would you agree that we must not lose the baby because of some of the things that you have been talking about and what really is needed is greater care as to how we use data and how we protect it when it is not being used?

  Dr Forbes: I agree with that.

  Professor Sasse: The DNA database is certainly also an example, if we are talking about the legal framework for it, where there is a great amount of insecurity. I was at a meeting two weeks ago where one of the chief constables associated with running that DNA database said that a High Court judge had issued an order for DNA out of the DNA database to be released to be used in a paternity case. If a High Court judge can make that mistake, that the legal foundation of the DNA database is solely for the detection and prevention of crime, the law just is not very clear. May I say that police officers, for instance, are all fingerprinted and their fingerprints go into the National Fingerprint Database for the purpose of exclusions. The Police Officers' Federation has consistently refused to do the same for DNA exactly because they are worried about potential mission creep, potential further developments of the technology and they say, for instance, they are worried about it being used in paternity cases.

  Q405  Baroness O'Cathain: That is a crime too.

  Professor Sasse: What, paternity?

  Q406  Baroness O'Cathain: Yes, it certainly is.

  Professor Sasse: Today a case is being heard in the European Court of Human Rights. Originally the legal basis for the DNA database was that only people who were convicted of an imprisonable offence would have their DNA retained in the database. That was subsequently changed and now we have this discussion about the fact that once you have dropped litter your DNA is going in the database and people have had to go to court and go to quite serious lengths to have their DNA removed from the database because they were questioned but never even charged and they certainly were not convicted of anything, yet their DNA remains in the database. The fact is that that information is not just unlocked when you have a match, that is that there has been a crime and there was DNA at the crime scene and now there is a match to something in the DNA database that basically unlocks your record, you can also search and the name is against the individual. It has all sorts of implications that are often not thought about, such as the number of people whose DNA is in the database is completely disproportionate at the moment. You will remember for instance that something like 50 per cent of black males between the ages of, you know. One High Court judge said that we should either put everybody's DNA into it or rethink how we collect it, because it is clearly unfair at the moment.

  Q407  Viscount Bledisloe: May I take you to another passage in the research paper, paragraph 21, where you say " ... few public-sector developments ... plan or budget for adequate security of personal data". Two questions. First of all, could that be overcome by better public procurement specification but, secondly, is it the planning of the system that is the real problem or, as was rather suggested to us last week, is the real problem careless or occasionally ill-intentioned people who have access to the system and either leave the data lying around or actually extract it to give to their associates not in the business who want to see it?

  Professor Thomas: The short answer is: all of the above. There is a fundamental weakness at the heart of the transformational government agenda which is that you cannot build large databases that are accessible to a wide number of people and maintain a high degree of security. That is something that the military acknowledge; they would never allow a secret database to be accessible to a wide number of people, for example. For technical reasons it is very difficult to build a database that is technically secure on top of commercially available, off-the-shelf software components, because almost all of them were not designed to support such a use, and to connect such a database to the internet simply creates a honey pot that virtually guarantees that the data will be extracted from it in a way that was not planned for or intended. Something that I would hope you could influence is that there is guidance in the Manual of Protective Security on how to carry out impact assessments on what the likely impact is of loss of personal data and on how such data should be protected. That manual is classified. As a consequence, it has not been peer-reviewed because it is only available to people whom government departments believe have a need to inspect it and that is largely restricted to companies who are engaged commercially in building such databases for the Government and who therefore have a vested interest simply in going along with it. If you could enable at least the personal data part of that to be made publicly available so that could be thoroughly peer-reviewed, I would expect that that peer review would lead to significant strengthening of the protection that was required of personal data because it would be seen to be clearly inadequate.

  Q408  Viscount Bledisloe: Assuming that were achieved, would that then accurately succeed in protecting the data or would one still be at the mercy of the negligent or ill-intentioned individuals?

  Professor Thomas: You will always be at the mercy of the negligent and the ill-intentioned. If data has a value to somebody and it is accessible to a wide number of people, there will always be somebody who can be corrupted to make illegal access to that data.

  Professor Sasse: The Information Commissioner's Office recommends that a privacy impact assessment is carried out prior to the design and implementation of any system where personal data would be held. I believe that if that were done competently and honestly, it would lead to much better protection and it would lead to less off-the-cuff decisions about what data to collect and how long to keep them for. If it is done competently and honestly, it also has a big pedagogical effect on the people in a company, so they learn how to do things better, they learn what to care about. Finally, would people really care? That partly depends on the legal safeguards that you have. The fact is at the moment that the fines the Information Commissioner's Office can hand out when they find that people are breaking the law are very small compared to the profits that are being made by trading illegal data. In some European countries in about 2002 they changed the law to make it a criminal offence, first of all, if personal data were not being looked after properly or if they were collected in contravention of their data protection act. Secondly, what happened was that the responsibility was assigned at board level, so effectively what a country like Germany has is the equivalent of corporate manslaughter legislation for irresponsible illegal use of personal data. It certainly had a huge effect in that country. In those countries, what you now get is people at the top of the organisation really taking an interest and making sure that the company is run and processes are set up in a way that takes proper account of these things because they do not fancy going to jail.

  Q409  Viscount Bledisloe: I want to go back to the point you were making earlier, that if the penalties for it being misused are high enough and hit the people at the top, then more elaborate specifications would be made and fewer people would have access to it.

  Professor Thomas: Yes, and some systems will not be built because it will be seen that the risk to the public is greater than the benefit that they would bring.

  Q410  Lord Lyell of Markyate: This is very interesting. Could you just give a practical example of how the companies make money and ignore the small penalties?

  Professor Sasse: Selling information that they have collected without consent on to other companies. The biggest penalty is passing it outside the EU, for instance transferring data outside the EU which is specifically prohibited unless there is a very good reason and case for it.

  Q411  Lord Lyell of Markyate: What is the penalty?

  Professor Sasse: They are relatively small fines.

  Q412  Viscount Bledisloe: Limited by Parliament?

  Professor Sasse: Limited by the DPA, the Data Protection Act, and by the powers the ICO has. It is just purely financial.

  Q413  Lord Peston: The distinction that needs to be made is between the public and private sectors and in the private sector things are commercial in confidence which they enforce very strongly, but then of course, if their commercial secrets get out, that costs them real money so they build up a climate of what has to be confidential. Your argument seems to be that in the public sector, there are not the same incentives to create the culture of privacy because those who suffer if some data gets out are not the people in the organisation, it is people who are suffering. So the question we have to ask is how to set up a culture of taking privacy seriously. Lord Woolf totally demolished your view that you impose enormous penalties on the people because you could never enforce those penalties in practice could you? Therefore the point is how do you? Do you have views on how we develop this culture—I use the word on purpose—within the public sector of taking privacy very seriously indeed? There is the other side of course that in some sense you can overdo it. I had to ring the Inland Revenue this morning and we did not go through any of the usual nonsense of asking for my code number. I said "It's me", they said "What's on your mind?". I said "I think the tax calculations are wrong" and he just pressed a button "Oh yes, it has all come up here" and we are in business. If he were to take me through a whole list, as Barclays Bank will, of my favourite word and my number and this, that and the other, I would get so angry with them and so on. There is a two-sided thing that the individual actually benefits from not overdoing the privacy thing and I am just wondering whether you have worked through how you get the balance of creating the culture of privacy in the public sector right, with the desire of the customer wanting—in my case tax affairs, but it could be almost anything—dealt with very quickly indeed. Have you done work in this area on how you balance the two? 
You are not going to fire the head of the Inland Revenue. As far as I know, the head of the Inland Revenue was not even ticked off for losing those disks.

  Professor Sasse: You do a risk assessment and you put in protection that is adequate for managing the risks that you care about. You can do that in a very economically guided way by doing an economic assessment of it and putting in certain protections, but also including values that individuals place on that privacy. Very often, where people say they do not actually care about it, it is because people are not very good at assessing risks in the future, because they have not experienced the impact or nobody they know well whom they would understand and empathise with has experienced these bad effects. When they do happen, and I have done research in this area, people get very angry when they were not aware what of themselves or their family was at risk because data was disclosed. If you have a chance to accept the risk and you say you would rather not go through all these questions and if any private investigator or anybody is trying to target you, any identity thief rings up the Inland Revenue and gets this valuable information, then you will live with it.

  Q414  Lord Peston: I am merely saying there is a problem of balance.

  Professor Sasse: You have to accept it.

  Dr Forbes: Yes, the balance is something that has to be struck over and over again between the individual citizen and the agency and it seems to me that the way to go is to set up a charter of understanding such that every individual has to learn that they are making quite key choices here. If they give up certain information in certain ways, then that is going to have an impact on their privacy and their security because the Government cannot promise the earth in these situations. There needs to be much more of a realistic debate and discussion between Government and the citizenry about what it will put up with and what it will give and what it can expect and the Government need also to say that they cannot offer complete security on these things, that they can offer functionality up to a point and they have a range of options for you to look at and to develop and things will go wrong and if they go wrong, these are the things that will happen. It seems to me we have to move to a much more adult way of dealing with this. What strikes me when I look at this is that there is always a tremendous amount of media attention on government agencies losing data. I have never really seen any evidence of harm caused by that whereas I bet everybody around here has had credit card fraud perpetrated on them as an individual at some point. That is not Government. That is where the problems lie. That is not what gets into the media. There is a kind of disproportionate view about what risks people are prepared to take on a daily basis in terms of their money and the general outrage if there is some sort of citizenship information being bandied about or just lost; it is not really being stolen as far as I can see. I would like to see a much more open debate about what Government are offering and they have to be much more accurate in what they claim a system can do because some systems are just impossible to create.

  Q415  Baroness O'Cathain: On the basis that issues like this set up completely opposite reactions, my reaction to the comment that Lord Peston made is completely different. I would be furious if I rang up the Inland Revenue and they knew all about me without going through checks. When I get onto my bank, I am delighted that I am asked what my favourite colour is. That is fine. I am wondering, back at the ranch, about the training of information professionals. Are they really aware of the need for privacy and, for example, going back to the HMRC and the DVLA data that were stolen, why were they not encrypted and is there some reason that it is too difficult or is too much power in one or two hands who could do the translation into normal data? If we can start off with a good training programme for people who are involved in the industry, that is where it has to start. I just wondered what your views were on that?

  Professor Sasse: My view would be that I would be concerned that in the training of information professionals, if the training worked properly, they should not design a system that allowed any junior person to walk up, stick in a CD and take a whole copy of records without any alarm bells going off anywhere. Martyn knows a bit more about this. Training of security professionals is something that has been developing more rapidly in the past few years, but ultimately it is also down to the customer. It is the people who are commissioning and paying for the system who should have to be clear about what their security requirements are. Ultimately, the company who is building the thing will only give the customer what they ask for. They may raise a few points but currently we really have a problem that the customers often do not articulate their security requirements, they do not think about them.

  Q416  Baroness O'Cathain: Because they do not know. Those people who are commissioning something like the National Health database would not really know. Why would they, because that is not their job? It is a very difficult thing and I wonder how you bridge that.

  Professor Thomas: It is a complex issue but it is an issue like safety. Safety is equally complex and it requires proper hazard analysis to be carried out by people who are skilled in carrying out hazard analyses and then an appropriate set of protections to be put in place to address each of the hazards. That is what taking privacy seriously involves. It means using the appropriate technical means and the appropriate social means to ensure that, firstly, you have understood the level of privacy that you are seeking, what level of breaches of confidentiality do you regard as tolerable for example, and then, having set some targets, that you actually build the business processes, the social systems, the training and the technology to deliver that level of confidentiality in the systems that you are building. At the moment, that analysis appears not to be being done. There is no technical barrier to it being done, but it would lead to a lot of systems turning out to be a lot more expensive or not practical.

  Q417  Baroness O'Cathain: That is actually counter to the way society as a whole is going. We are told all the time to be transparent, we have investigative journalism, we have all these issues where people gossip, knowledge is power and all this mass of information going around on the net. None of it is like those posters that you see in the Imperial War Museum "Keep quiet and don't talk", or whatever it was. I just feel the genie is out of the bottle and I am wondering how the genie is going to be put back into the bottle.

  Professor Thomas: We have done some work with the Y Touring Theatre Company which is the YMCA's touring theatre company which is trying to introduce the messages from the Royal Academy of Engineering report to schoolchildren. That has been really very revealing because, for example, we met with a group of schoolchildren and explained to them that if they put photographs on their Facebook page and then a few days later took them down, they did not go away, and they were shocked. We have a generation of people, not just the young people but their parents as well, who simply do not understand the risk that they are running because there is not a full understanding of how the internet works and therefore, information is revealed which feels as though it is local to Tesco or, yes, it is on my web page but I can always take it down. No you cannot; Google has got it, it is in the cache, it will be there forever.

  Q418  Lord Peston: Two years on Google.

  Professor Thomas: Perhaps.

  Dr Forbes: That is what we can do: require people to have policies that say stuff expires, that technologically it is going to expire. We could insist on that, certainly in this country, and then get it through Europe and the world is a problem of course but that is one of the things you can do. If I may give another aspect of the genie being out of the bottle, there are lots of elements in the public sector which do have a culture of privacy which have been brought up with understanding the importance of an individual's collection of information in the Health Service, some parts of the criminal justice system and schools. A lot of basic training has already happened. The problem is that they are not fully able to understand the technology and too many times it is just too easy to shift some data without ever thinking about the privacy implications of it. That is where the training goes. We do not have a deep problem with no culture of privacy in our key organisations. The problem is that the way the technology is intervening has made it just something that does not happen at a very low level, a seemingly trivial level too often.

  Chairman: The wartime slogan you were thinking of was "Careless talk costs lives".

  Q419  Lord Norton of Louth: Looking at a slightly different aspect, the relationship between commercial data and data that are kept by the state, UKCRC's evidence stresses the extent to which personal data are collected, stored, exchanged among commercial companies but in paragraph 13, you say "Once collected, commercial data is available for use by the state". That statement is not qualified. Can you give examples of where that happens and, conversely, how much data collected by the state is then made available to commercial companies? I can think of one or two examples where that happens, but how extensive is it and what protection is there, what safeguards are there that cover the exchange and are they adequate?

  Professor Sasse: A variety of commercial data is used by Government, particularly for criminal investigations: phone records, mobile phone call records, location records and credit reference agencies. In the biographical interviews being conducted for the national identity register they are making quite extensive use of data that credit reference agencies are holding. There have been examples; one of the members of our body reported that his hospital trust sold patient data on to a third commercial party through a combination of ignorance and the temptation to use it for a particular purpose which was just too high.

  Professor Thomas: PCTs have been required to give health data to the Immigration Service, for example, in an attempt to track down people who have overstayed their visas, leading to people who had overstayed their visas and who were, for example, infectious with tuberculosis disappearing because they could no longer risk going to get medical treatment. You do get unexpected side effects from these things.


 

© Parliamentary copyright 2009