Surveillance: Citizens and the State - Constitution Committee


Additional memorandum by the Government

INTRODUCTION

  1.  This additional memorandum provides cross-governmental information on policies and practices on data sharing and collection. It covers the relevant work and information systems from the Departments for Business, Enterprise and Regulatory Reform; Her Majesty's Revenue and Customs; Communities and Local Government; the Government Fraud Review; Children, Schools and Families; Innovation, Universities and Skills; Health; Work and Pensions; and Transport for London. It also covers information on the work that has been undertaken in the data sharing and data protection area since the publication by the Government of its Information Sharing Vision Statement in September 2006.

DATA SHARING UPDATE

  2.  In September 2006, Government published its Information Sharing Vision Statement (the work of MISC 31, the Cabinet Committee on data sharing). This set out the Government's intention to improve public services, tackle crime and terrorism, and protect the vulnerable through increased public sector data sharing. It also reaffirmed the commitment to provide a robust framework for protecting the individual's rights to privacy.

  3.  Since then, the Ministry of Justice (MoJ) has been undertaking work to inform the Service Transformation Agreement.

  4.  On 9 October 2007, the Government published its Service Transformation Agreement (STA), which will underpin the 30 Public Service Agreements (PSAs) which were announced as part of the Comprehensive Spending Review. The STA sets out the Government's vision for the transformation of public services around the citizen and specific actions for individual Government departments.

  5.  As part of the Service Transformation Plans, the MoJ will lead a cross-government programme to deliver a package of measures over the next three to five years to overcome the current barriers to information sharing within the public sector. The aim of this programme is to "develop frameworks and mechanisms that enable public sector organisations to share information to improve personalised public services, increase public safety and tackle social exclusion in an environment of openness and respect for citizens' privacy and access rights".

  6.  On 25 October 2007 the Prime Minister asked the Information Commissioner, Richard Thomas, and Dr Mark Walport, Director of the Wellcome Trust, to undertake a review into how personal information is used and protected in both the private and public sectors. The review will consider whether there should be any changes to the way the Data Protection Act 1998 operates in the UK and the options for implementing any such changes. The recommendations will seek to take account of technological advances and strike a balance that ensures appropriate privacy and other safeguards for individuals and society, whilst enabling sharing information to protect the public, increasing transparency, enhancing public service delivery as well as the need to minimise the burden on business. The review report and recommendations will be submitted to the Secretary of State for Justice in the first half of 2008.

  7.  On 22 November 2007, following events at HMRC, the Prime Minister asked Kieran Poynter of PricewaterhouseCoopers to undertake a review into HMRC's data handling procedures. The interim report sets out the work Kieran Poynter has already put in hand and makes recommendations as to the immediate steps that HMRC must take to protect data security. HMRC has already put in place a number of measures. These include:

    (a) the imposition of a complete ban on the transfer of bulk data without adequate security protection, such as encryption;

    (b) measures to prevent the downloading of data without adequate security safeguards; and

    (c) HMRC disabling all the personal and laptop computers it uses to prevent downloading of data on to removable media. These will only be reactivated with approval of a senior manager, and for a specific business-critical purpose.

  8.  A full report from Kieran Poynter is expected in Spring 2008.

  9.  The PM also announced that the Government would give the Information Commissioner the power to carry out spot-check inspections of Government Departments' compliance with the Data Protection Act 1998. These spot checks will start early in the New Year.

  10.  Also, the PM announced that Sir Gus O'Donnell would be undertaking a review to consider procedures in departments and agencies for the protection of personal data; consider their consistency with Government-wide policies and standards; consider the arrangements for ensuring that procedures are being fully and properly implemented; and make recommendations on improvements. The first stage, which concluded on 10 December, involved Departments undertaking an analysis of their systems and procedures for complying with policies and standards on data protection, including making recommendations for practical improvements.

  11.  On 17 December the Sir Gus O'Donnell Review published Data Handling Procedures in Government: Interim Progress report, which set out the findings of the review so far, gave an update of progress and detailed the next steps. In particular, the next steps committed to extending the spot checks to the entire public sector and, in principle, to the introduction of new sanctions under the Data Protection Act for the most serious breaches of the principles. Both of these commitments will be consulted on early in 2008. Stage two of the Review will look collectively at improved standards and procedures across Whitehall. This is due to be completed in early 2008.

EVIDENCE FROM DEPARTMENT FOR BUSINESS, ENTERPRISE & REGULATORY REFORM (BERR)

SUMMARY

  1.  The Department for Business, Enterprise & Regulatory Reform (BERR) is committed to fostering competitive markets in the UK, EU and worldwide. By fighting anti-competitive practices and promoting open markets, we enable companies to compete freely and fairly, giving UK consumers more choice and better value. To support this aim, BERR has an enforcement and regulatory capacity to investigate, prosecute and regulate a range of activities, including criminal offences relating to company and personal insolvency fraud and in relation to suspected fraud of health related compensation schemes for former employees of British Coal, who are now the responsibility of the Department; and the regulation of misconduct or unscrupulous practice in actively trading companies.

  2.  This response to the House of Lords Call for Evidence will only comment from the viewpoint of the regulatory and enforcement arm of BERR as described above. Any reference from this point onwards to "BERR" should be taken only to include these enforcement and regulatory arms of the Department. This response will examine the various ways in which BERR utilises private data, including that obtained by covert techniques, and assess the relative impact on the right to privacy of the individual and their corresponding relationship with the state, through their relationship with BERR. Further, although the Call for Evidence covers the wide topic of personal data issues, BERR's view will be restricted to the competencies of its enforcement and regulatory functions.

DATA COLLECTION

  3.  BERR has a need to access personal information to fight crime and protect both the consumer and the UK open market economy. Although some parts of BERR collect personal data to enable compensation claims to be assessed, in the main BERR does not collect and hold personal and private information on citizens in the traditional sense, but generally gathers information to be used in an evidential format to found and support both civil and criminal actions. Thus, personal information is held for the length of time necessary to prove or disprove allegations and the concordant time after judicial process to facilitate any such appeals as may occur.

  4.  BERR obtains information under a variety of legislative permissions—the Data Protection Act 1998, the Anti-Terrorism, Crime & Security Act 2001, the Companies Act 1985 (although this relates to company material and not personal or private information), the Police and Criminal Evidence Act 1984 and the Regulation of Investigatory Powers Act 2000. In all of its dealings, BERR is subject to the checks of the Human Rights Act 1998, the European Convention on Human Rights and Fundamental Freedoms, the DPA 1998, PACE 1984 and the various auspices of administrative law governing public authorities.

  5.  Personal information which is required by BERR is requested with reference to the Data Protection Act 1998, if there is no more specific legal gateway in which information can be obtained. BERR uses the exemption at section 29 to request information (that might otherwise be withheld) for the explicit purpose of the prevention and detection of crime and the apprehension and prosecution of offenders, whilst section 35 is used where the information is required for the purpose of legal proceedings. The reasons for the request are outlined, giving the recipient of the request a choice whether to release the information or not, dependent on their opinion on the necessity of the information and whether they agree that the exemption applies to the request. A safeguard is inherent therefore in that information does not have to be provided unless the provider feels that disclosure is justified and necessary to further the enquiry. It is submitted that any information gathered in such a way by BERR has therefore been impartially audited to protect privacy of citizens and minimise any risk of collateral intrusion.

  6.  The same audit process is conducted for any requests made under the Anti-Terrorism, Crime and Security Act 2001, section 19, again providing a level of assurance that the requested information is necessary, legally sought and for a specified, guaranteed purpose. Further, BERR guarantees that the information sought cannot be obtained by any other means, that it is of substantial value to the enquiry and that lack of the information would prejudice the enquiry. Again, these are safeguards used to protect the public from unnecessary intrusion into their private life and to ensure that BERR is complying with the requirements and ethos of the HRA and ECHR.

  7.  BERR is authorised under the Regulation of Investigatory Powers Act 2000 to conduct directed, non-intrusive surveillance, to authorise the conduct of covert human intelligence sources and to obtain communications data. BERR considers that these methods are fundamental, basic and crucial utensils of any investigative toolbox. During the period January 2006 to November 2007, BERR made six directed surveillance applications and four applications for the use of Covert Human Intelligence Sources ("CHIS"). During the same period, 68 notices to communication providers were issued, for communications data to be used in 17 enquiries. This may give the impression that BERR is not the most prolific user of RIPA. However, it is submitted that the potential to employ such a powerful tool is a basic requirement of investigation; without the capacity, BERR would effectively be disarmed. BERR places much emphasis on the criteria of proportionality and necessity, using the tool sparingly as a last resort after all other methods of obtaining the information have been exhausted. It can be argued that even if just one offender was brought to justice using information obtained under RIPA, the capacity would be justified. The information obtained is compelling, powerful and often irrefutable, for example in the case of company directors allegedly paying for goods from suppliers with stolen cheques. Communications data obtained regarding both telephone and Post Office box numbers proved links to the defendants, resulting in a guilty plea. Additionally, in the example of the disqualified director running a haulage business, telephone numbers on vehicles were demonstrated, through gathering communications data, to be diverted to the telephone number of the suspect, which assisted in bringing the offender to justice. The facility of RIPA results in fairer, swifter, more effective justice by proving or disproving allegations, reducing investigation times, obtaining guilty pleas where appropriate so freeing up court time and relieving witnesses of the trauma of having to give evidence.

  8.  BERR only interferes with the exercise of the right to respect for private and family life in accordance with the exemptions provided for in the ECHR, ie in accordance with the law of the HRA and RIPA. BERR is of the view that there will always have to be some sacrifice of personal privacy on the part of the individual in order to protect the welfare of society, citizens and the public purse and believes the public accept this trade-off. However, the sacrifice is only made in proportion with the seriousness of the allegation under investigation and if it is necessary as a line of enquiry of last resort. There is objective scrutiny by a Senior Investigating Officer impartial to the investigation, and in some cases impartial to the Unit undertaking the enquiry, before covert conduct is authorised. This accountability is provided for in RIPA and is further monitored by the Offices of the Surveillance and Interception Commissioners. It is submitted that there is little more that can be done to protect individual privacy from unnecessary intrusion whilst still affording a level of protection from fraud to the community at large. Removing this investigative tool would be tantamount to rendering BERR investigators ineffective, whilst allowing fraudsters to defraud with impunity. Further, it is suggested that any such action would be deeply unpopular with the general law abiding taxpayer who has a right to, and a legitimate expectation of, protection.

  9.  BERR also accesses private data by way of search warrants and orders for production of special procedure material under the Police and Criminal Evidence Act 1984, sections 8 and 9. Again, although the material obtained is often personal and private to the individual, the judicial scrutiny required before obtaining these orders and the inherent requirement of the court to construe and implement all decisions in line with the fundamental rights identified by European law and conventions provides independent analysis of BERR's requests to access personal information. The court adjudicates on the necessity and proportionality of any such request to protect the rights of the individual from unwarranted state intervention; thereby it is submitted, preserving their relationship of trust with the state.

  10.  It is submitted that it is the responsibility of each and every public authority to conduct any interaction with the public with legal care, consideration and a respect for fundamental human rights, particularly with regard to the collection, retention and sharing of personal data. The public judge the effectiveness, efficiency and integrity of the state on the basis of their dealings with public bodies. BERR takes the mantle and responsibility of public confidence very seriously, both understanding and acting to maintain the delicate balance between individual liberties and the safeguarding of the community in a democratic society. BERR therefore feels that although the relationship between citizen and state is, of necessity, changing as society and crime is changing, it is still a relationship of trust and confidence.

EVIDENCE FROM HER MAJESTY'S REVENUE AND CUSTOMS (HMRC)

  1.  Her Majesty's Revenue and Customs (HMRC) is responsible for the collection and administration of Capital Gains Tax, Corporation Tax, Environmental Taxes, Income Tax, Inheritance Tax, National Insurance Contributions, Excise duties, Insurance Premium Tax, Petroleum Revenue Tax, Stamp Duty (including Land Tax and Reserve Tax) and VAT. HMRC also has functions in relation to Child Benefit, Child Trust Fund and Tax Credits, National Minimum Wage and the collection of student loans on behalf of the Department for Innovation, Universities and Skills. HMRC collects data in pursuit of all of these functions and this is held on secure databases.

  2.  A review is currently underway into security processes and procedures, as announced by the Chancellor on 20 November. The review, which is being led by Kieran Poynter, Chairman of PricewaterhouseCoopers, will be looking at HMRC practices and procedures in the handling and transfer of confidential data. It will make recommendations on how internal processes can be strengthened and whether HMRC's wider processes for liaison with other organisations should be changed to reduce the risks. Details on these issues are therefore not included in this report, to avoid compromising the findings from this Review.

  3.  HMRC collects data in order to carry out its functions. The data ranges from tax information about the earnings of individuals, the turnover of businesses, data about employees and employers (tax codes, pay schemes etc), those entitled to tax credits and child benefit and child trust fund payments. Data is collected about transactions eg supplies of anything subject to tax including the sale of goods and services, the purchase of homes (stamp duty) and inheritance tax whilst HMRC's work at the frontier involves the collection and analysis of data about the import and export of goods, the movement of passengers and vehicles, suspected or proven smuggling activity and other relevant information.

  4.  In order to improve the extent to which individuals and businesses pay the right amount of tax due and receive the credits and payments to which they are entitled, and to reduce the compliance burden upon them, the data collected may be internally pooled where there is a legitimate need to do so and it is proportionate and appropriate.

  5.  HMRC conduct surveillance activity to obtain information in both civil and criminal investigation cases. Their directed and intrusive surveillance activity is conducted in accordance with the provisions of the Regulation of Investigatory Powers Act, the Police Act and the relevant codes of practice. The conduct of this surveillance activity is subject to scrutiny by the Interception of Communications Commissioner and the Surveillance Commissioner. All this surveillance activity is authorised in accordance with the codes of practice and, where appropriate by the relevant Commissioner and the Home Secretary.

  6.  HMRC aims to ensure that data is only used where lawful to do so and for the purposes for which it is intended. HMRC aims to balance the collection of data and use of surveillance activity with the need to protect privacy and maintain confidence that data will be used only where it is relevant, necessary and proportionate to do so and is adequately protected against misuse.

EVIDENCE FROM DEPARTMENT OF COMMUNITIES AND LOCAL GOVERNMENT (CLG)

  1.  The Department of Communities and Local Government within its day-to-day operations may manage and hold personal information for various purposes. The most common form of personal information held is name and contact details on stakeholder consultation lists. For example the Gypsy and Traveller Stakeholders list is kept for the purpose of consultation and keeping our stakeholders informed and involved in our policy making processes. Such lists are maintained and updated by the policy officials in the relevant policy teams and are unlikely to be shared with officials across the department. Names are added and maintained on a stakeholder list at the request of the individual and consent can freely be withdrawn at any time.

  2.  It may be worth the committee noting that, although the department collects limited personal information in comparison to some other departments, we do provide guidance (where it has been identified as helpful or needed) to Local Authorities on the management and use of personal information which they control. For example the department is currently working on guidance for use and sharing of personal information for revenues and benefits departments within Local Authorities. Guidance is not legal advice but is designed to help Local Authorities determine the best position possible in respect to their particular circumstances and purposes.

  3.  Below are two examples of relevant work and information systems in CLG which the committee may find of interest.

SUPPORTING PEOPLE (SP)

  4.  SP was launched in 2003. It is a grant programme which enables the provision of housing support services to help vulnerable people maintain or improve their ability to live independently in their homes and their communities.

  5.  Providers complete a form recording standard information for each new service user they take on and send it to the Centre for Housing Research (CHR) in St Andrews University where the data collection, processing and preliminary statistical analysis is carried out. Summary statistics are sent to each Administering Authority and CLG on a quarterly basis and non-personal data is uploaded to a website hosted by St Andrews.

  6.  Additionally since 2007, providers complete a form for each service user who leaves their service (or on a sampling basis for clients in receipt of long-term services), which indicates how successful the service was in meeting the clients' needs (to assist them to achieve greater independent living). Forms are sent to St Andrews and are processed as above.

  7.  The personal information collected for this programme includes:

    —  Age (but not date of birth).

    —  Gender.

    —  Economic status.

    —  National Insurance number (optional and agreed by DWP, introduced at beginning of 2006-07).

    —  Ethnic origin (optional).

    —  Disability (optional on Outcomes form and will be introduced as an optional question on Client Records form for 2008-09).

    —  Which client group the client is defined by.

    —  Whether client has been accepted as requiring services under statutory frameworks.

    —  Whether client has been assessed as a higher risk.

    —  Whether client is subject to requirements under an ASBO.

    —  Source of referral.

    —  Type of referral (from within same authority or from another).

    —  Accommodation occupied prior to receiving support service.

    —  How long client has lived in authority where the service is being provided (if less than six months, where they lived before).

    —  Client's religion (optional and on Outcomes form only).

    —  How successful the support was in achieving a number of outcomes.

BENEFITS TO THE CITIZEN

  8.  Combining Client Record and Outcomes data allows analysis of patterns of clients moving through different services throughout England. Therefore, it provides a measure of progression which can:

    —  be used to assess clients' needs and so identify the level of need for services and in which areas;

    —  assist in the development of services—to ensure they are tailored to clients' needs;

    —  monitor performance of services—identifying where improvements can be made to services or the provision of services for clients;

    —  monitor effectiveness of the programme in delivering positive outcomes for individuals; and

    —  inform commissioning and contact management.

  9.  CLG ensures the following safeguards or methods of data management to ensure the sharing of personal information is kept to a minimum:

    —  National Insurance Numbers will not be linked to any database that would allow the identification of individual clients and National Insurance Numbers, and are not shared with anyone but CLG.

    —  CLG will not be able to identify any individuals from the national insurance number—the client's name and date of birth are not recorded.

    —  CLG owns the data and permission must be sought before disclosing it to any other organisation (as outlined in the terms of the contract with St Andrews).

INFO4LOCAL WEBSITE

  10.  www.info4local.gov.uk is a one-stop web portal that gives local authorities and others quick and easy access to information from across central government. It is managed by a partnership of seven departments (Communities and Local Government, the Department for Children, Schools and Families, Defra, the Department for Transport, the Department for Work and Pensions and the Home Office). More than 70 departments, agencies and public bodies add information to info4local, including links to news, consultations, policy documents, guidance, circulars, newsletters, events, research, related links and more.

    (a) Personal information collected for the programme includes:

  11.  An email alert service is sent twice a day to more than 53,000 subscribers. People can choose whether or not to subscribe to this free service. Subscribers fill in an online form in order to register and give the following information:[13]

    —  Full name.

    —  Email address.

    —  Password.

    —  Whether they work for a local authority and, if so, which one.

    —  Whether they work in central government, the voluntary and community sector, the NHS or other field. If so, they are asked which region they are based in.

  12.  They are asked to supply the following information:

    —  Job title.

    —  If they respond that they work in an "other" field, they are asked to specify which.

    —  Whether they wish to be included in future research.

    All other parts of the form relate to information the subscriber would like to receive in their email alert.

  13.  We also have a contacts form. We ask people to include their telephone number if they want to discuss their query. The form asks for information, including the following:

    —  Full name.

    —  Email address.

    —  Area of work (central government, local government, local-government related organisation, NHS, voluntary and community sector, other): this is not a mandatory field.

  14.  We also collect information through customer satisfaction surveys and site usage information, using cookies, log files and page tagging techniques, including JavaScript.

BENEFITS TO THE CITIZEN

  15.  Subscribers to email alerts receive a service they have asked to receive and we need some personal information (eg email address) to deliver the service. Other information, such as details about their work, helps us to build up a picture of who is using info4local that we can use to target future promotion.

  16.  Customer satisfaction surveys are voluntary. They are a way of asking users' views about the service we provide and consulting them about future developments so that we can improve the service to them.

  17.  Site usage information also helps us to improve the service we provide. It shows, for example, which information users have been most interested in.

SAFEGUARDS

  18.  CLG publish their privacy policy on info4local so that users understand the intended uses of any information that may be collected. CLG also has a commitment in place to communicate any changes to the privacy policy.

  19.  The information is stored on an externally hosted database server on DCLG's corporate hosting infrastructure. The only people who have access to the information are the site developers and authorised CLG personnel.

  20.  Access is restricted by user accounts so it is possible to trace back a change to a particular user account. In addition to the site developers' security credentials, CLG has also recently conducted a penetration test, in which we identified no outstanding vulnerabilities to be addressed.

EVIDENCE FROM THE GOVERNMENT FRAUD REVIEW (AG)

  1.  In 2006 a cross cutting interdepartmental group established by the Attorney General and the Chief Secretary conducted a Review of the way we combat fraud in England and Wales. It recommended a Government led, national anti fraud strategy to manage a holistic programme of shared knowledge, co-ordinated action and improved prevention across both the public and private sectors.

  2.  The damage caused to society and the economy is known to run into many billions of pounds annually. Fraud is known to fund and support most forms of organised crime and even terrorism. In addition, individual fraud victims suffer acute anxiety and stress and may lose confidence both in the security of financial services products and systems and in the Criminal Justice System itself.

  3.  Following extremely supportive public consultations, the key recommendations of the Fraud Review were accepted by the Government and will be implemented following funding being made available as part of the 2008-11 Comprehensive Spending Review. The principal architecture for the national strategy comprises a National Fraud Strategic Authority (NFSA), a National Lead Force for Fraud and a National Fraud Reporting and Intelligence Centre (NFRC).

  4.  These are being designed by joint public-private sector working groups and will be established serially during 2008-10. The working groups are under the direction of the Attorney General's Programme Board, which includes senior members of the Home Office, British Bankers' Association, the Association of Chief Police Officers Economic Crime Portfolio, Department of Work & Pensions, Association of British Insurers, Serious Fraud Office, Financial Services Authority, the Ministry of Justice and HM Revenue and Customs; and is chaired by the Director of Policy at the AG's Office.

  5.  The NFSA will provide the leadership for the National Strategy and will bring together all the key stakeholders (public and private), whose combined power and authority will ensure that co-ordinated action is taken to implement the agreed strategies.

  6.  Concerted action will be taken across the entire existing system, comprising deterrence, prevention, detection, investigation, law enforcement, sanctions and redress for victims. The Strategy will aim to protect public money, businesses and individual consumers from fraud and to increase the impact of joint anti fraud efforts and law enforcement.

  7.  Key to the success of the National Strategy will be the sharing of information and knowledge about fraud, enabling weaknesses to be addressed and anti fraud actions—be they preventive or deterrent—to have greater impact on fraud incidents and repeated offending. It is of fundamental importance to the success of the project that the rights of citizens be protected. Therefore, these information sharing arrangements must be compliant with both the Human Rights Act 1998 and Data Protection Act 1998 so that there is proper management, use and disclosure of the personal information in a manner which is necessary, reasonable and proportionate to achieve the intended aims of the national fraud strategy.

  8.  Existing sector strategies of this kind have already resulted in considerable success in reducing financial fraud in particular areas:

    —  The NHS counter fraud and security management service (CFSMS) achieved £189 million savings in 2005.

    —  The Audit Commission's National Fraud Initiative saved over £111 million in 2005-06.

    —  The DCPCU (Dedicated Cheque & Plastic Crime Unit, sponsored by APACS) saved £10 million.

  9.  Each 1% reduction in fraud losses in the Banking sector (which contributes some 8% of GDP annually) secures £2.8 million in extra Corporation tax. CIFAS (The UK fraud prevention service, operating in the financial sector) has estimated that more data sharing between the public and private sectors has the potential to deliver between £137 million and £273 million annually in benefits to the public sector. The Serious Crime Act 2007 contains power for the Secretary of State to designate fraud prevention organisations for this purpose.

  10.  The NFSA will also have an important role in providing public information about fraud and in measuring and publicising the success of actions taken to prevent, deter and punish fraud offences. It will be able to build on lessons learned in frontline investigation and feed these into both policy making and the design of anti fraud systems. Businesses, Government Departments and individual potential victims will benefit from greater awareness of fraud losses and from the experiences of others in reducing these.

  11.  The NFRC will be a police led organisation, housed within the City of London Police, whose existing role as the lead force for fraud in London and the South East will be extended to provide the National Lead Force. The NFRC will contain a fraud intelligence analysis capability, to support the national anti fraud strategy, as well as providing an important service to the public in general and to fraud victims in particular. It will be essential to the success of the strategy to build knowledge and understanding of fraud methods, typologies and repeat offenders, so that vulnerabilities can be identified and addressed.

  12.  The NFRC is being designed in close co-operation with the Information Commissioner's Office. Its final form and processes have yet to be decided by the Programme Board; but its overriding object will be to manage the knowledge we have, and can obtain, about fraud; ie about those who commit frauds, their methods and their fields of operation, in order to maximise the impact of all anti fraud action across the entire law enforcement and crime prevention "system". One of the options for the NFRC's call centre functionality is a partnership with an existing government department call centre, such as the OFT's Scambusters network, the FSA's consumer hotline or those operated by DWP or HMRC.

  13.  The NFRC will eventually receive all reports of fraud offences or incidents, either directly from victims (individual or corporate) or in bulk from organisations that already record suspected or actual offences and incidents: the Police, SOCA, Government departments, specialist units such as CIFAS, the DCPCU and the Insurance Fraud Bureau, Regulators and their equivalents overseas. This will enable it to contribute important data for measuring fraud losses which will in turn direct a future risk based national strategic response to fraud. The analyses of fraud incidents performed by the NFRC will support and inform the NFSA's public awareness work and ensure a better service to all victims. A survey conducted during the Fraud Review indicated that fraud victims are anxious to ensure that others do not fall prey to the same frauds. The NFRC will have an important role to play in publicising fraud methods and informing the public of the specific weaknesses and vulnerabilities that fraud exploits.

  14.  Some of the technology to link the various databases may not yet exist; for example the Police National Database project; so it is likely that the NFRC's capability will be built in stages and that it will be the last building block supporting the National Strategy to become fully operational. The programme will be subject in due course to a Gateway Review conducted by the Office for Government Contracts.

  15.  The NFRC will analyse the reports of fraud received, adding intelligence received from police and other sources to provide packages for action by law enforcement, Regulators and the public and private sectors. It is anticipated that the organisation will benefit from secondments of experienced civilian staff from all these sectors, to ensure that appropriate packages are designed for maximum impact on fraud reduction.

  16.  The NFRC will adhere strictly to any Codes of Conduct produced by the Information Commissioner and/or the Ministry of Justice's Information Sharing Strategy projects. Its intelligence packages will conform to the National Intelligence Model (NIM).

EVIDENCE FROM DEPARTMENT FOR CHILDREN, SCHOOLS AND FAMILIES (DCSF) AND THE DEPARTMENT FOR INNOVATION, UNIVERSITIES AND SKILLS (DIUS)

  1.  Effective sharing of data and information is central to the Department for Children, Schools and Families' (DCSF) ability to deliver better outcomes for children and learners. Better information sharing is crucial to safeguarding children and supporting the drive to personalise learning and to improve service delivery; it also contributes to improvements in efficiency and effectiveness, in reducing burdens on the front line, and in ensuring effective accountability. It is a cornerstone of the Every Child Matters (ECM) strategy to improve outcomes for all children and for delivery of many of our reform programmes such as specialised diplomas and vocational qualifications reform.

  2.  Better information sharing brings many benefits and the DCSF is determined to ensure that the benefits are balanced against the need for privacy and the safety and security of personal data and information. This is reflected in the design and delivery of programmes and the systems that support them. This includes legislation when appropriate, guidance and training for practitioners, authorisation and authentication of users, and secure systems.

  3.  Much of DCSF activity depends on effective information sharing, both at the level of Government databases, and between individual practitioners. Every Child Matters is a cross-Government programme, led by DCSF, of system-wide reform of children's services that supports working across professional boundaries to co-ordinate services around the needs of individual children and young people. Similarly, the devolved nature of the education, skills and children's services sector, and large number of public bodies and institutions within it make effective sharing of data and information particularly important. This is increasingly the case as services are organised around the needs of customers.

  4.  Many of the major DCSF programmes depend on effective sharing of data, all of which aim to improve services to children, families and learners. Some are an essential force for protecting children and young people—ContactPoint and the Common Assessment Framework, and the new Vetting and Barring scheme, which is a cross-Departmental programme with the Home Office in the overall lead and DCSF and DH sharing the policy lead for children and for vulnerable adults respectively.

  5.  In July the Government announced that it will provide to front-line professionals in children's services support by implementing a single national IT system to support the Common Assessment Framework (eCAF).

  6.  The Common Assessment Framework (CAF) is a key element of the Every Child Matters programme to transform children's services by supporting more effective prevention and early intervention. Its goal is to provide a standardised approach for practitioners in the holistic assessment of a child's needs and the design of an integrated service to meet those needs.

  7.  eCAF will allow a practitioner to create electronically, store, and share a CAF securely. Completion of CAFs by different agencies and the subsequent exchanges of data between relevant agencies promote multi-agency working and early interventions. The complexities of cross border work are removed, as eCAF provides a consistent approach for all practitioners working in different agencies and locations, thus facilitating the effective and efficient delivery of a coordinated service. eCAF will only hold information about some (not all) children, with consent, and for a limited period of time.

  8.  Access to it will be granted only to authorised users who have undergone appropriate checks, including those provided by the Criminal Records Bureau. Practitioner use of the eCAF system will be audited to ensure information is only accessed where it is necessary for practitioners to do so, and so guard against inappropriate access by authorised users.

  9.  Sharing of data is central to the introduction of major reform programmes such as the Specialist Diplomas for 14 to 19 year olds. For example, this programme may result in a learner completing courses with a number of learning providers and qualification awarding bodies. Students may have a personal portfolio of evidence drawn from different sources. This portfolio (probably web based) would be portable and owned by the student. It would be capable of being updated from different sources (learning providers, employer assignments) and shared by the student with others including universities, colleges and employers. In this instance the sharing of data brings real benefits to the learner through greater transparency, choice and ownership and supports greater efficiency and effectiveness in the system.

  10.  We have recently led on work with partners across government, and more widely (including the Information Commissioner's Office (ICO)), to develop a practitioner guide on information sharing. The guidance is published as part of the Every Child Matters strategy and is proving a valuable tool for practitioners to enable them to know when and how they can share information legally and professionally, in compliance with the Data Protection Act, the Human Rights Act and the Common Law Duty of Confidentiality. It addresses sharing information as part of preventative services and enables practitioners to reach an informed and appropriate decision about whether information should be shared.

  11.  The Integrated Children's System (ICS) is a framework for working with children in need (as defined under the Children Act 1989) and their families. ICS provides a conceptual framework, a method of practice, and a business process to support practitioners and managers in undertaking the key tasks of assessment, planning, intervention and review, for looked after children and other children in need. It is based on an understanding of children's developmental needs in the context of parental capacity and wider family and environmental factors. It has full regard to current legislation. Because the work with children in need requires skilled use of detailed and complex information, ICS is designed to be supported by an electronic case record system.

  12.  A key aim of ICS is to provide frontline staff and their managers with the necessary help, through information communication technology (ICT), to record, collate, analyse and output the information required. There is no "ICS database". Each of the 150 top-tier local authorities has been required to adopt the best practice principles enshrined in ICS, of assessment, planning, intervention and review. Authorities are required to ensure that the information needed for each of these key processes for responding to children in need in their own area is held electronically according to appropriate exemplars. This has meant that each authority has been developing its own existing IT systems to meet this challenge.

  13.  ICS users are not exempt from the legal requirements governing either the sharing of personal data or social care practice. The Children Act 1989 is clear that, whenever an assessment of a child's needs, either for services, accommodation, or protection, is made, the child's wishes and feelings must be taken into account.

  14.  The CCIS (Client Caseload Information System) is a well established operational system. It is currently managed by Connexions and is capable of monitoring the activities of young people at local authority and even ward level. CCIS was primarily designed as a tool for Connexions personal advisers and lead professionals to support effective intervention and identify the most vulnerable young people and their needs. It provides a framework for the consistent recording of information, which is used for performance management and measuring progress towards local targets for supporting those not in education, employment or training.

  15.  There are also programmes within the Department for Innovation, Universities and Skills (DIUS) which are about enabling efficiency, and improving educational attainment. The most notable is the Managing Information Across Partners (MIAP) programme, which will enable information about post-14 learners to be shared more efficiently between bodies such as schools, colleges and exam boards.

  See Annex 2 for more details of MIAP.

  16.  The examples above demonstrate some of the benefits of data sharing to both the citizen and administrative systems. The DCSF aims to balance these benefits with the need to maintain privacy and security of data. We are very aware that if citizens are to take up the education, skills and children's services to which they are entitled they must have confidence in the way their personal data is handled and shared. While all services are subject to the appropriate legislation on privacy and security of data, we have also put in place a range of measures that aim to provide this confidence and accountability. This is achieved through a range of measures including appropriate legislation, guidance to practitioners, access control through authorisation and accreditation of practitioners and building security into system design.

  17.  Following the recent events in HMRC, DCSF undertook a review of its internal processes which is led by the Chief Information Officer reporting directly to the Permanent Secretary. We have also asked Deloitte to carry out an independent review of information security for ContactPoint, where we know people will want additional assurance.

  18.  We have strong arrangements in place to protect data held by the Department. The Departmental Security Unit has primacy on all security matters including IT security and Information Assurance, and reports directly to a Board member. Our Data Services Group leads on statistical returns and analysis and safeguards this material. Our Internal Audit Division is a major player in managing risk and ensuring compliance.

  19.  Data security is being built into the design and implementation of all the major DCSF programmes. A prime example is ContactPoint which will be the quick way for authorised professionals working with children to find out who else is working with the same child or young person, making it easier to deliver more coordinated support. This basic online directory will be available to authorised staff who need it to do their jobs. It is a key part of the Every Child Matters programme to improve outcomes for children.

  20.  The use of biometric systems can bring benefits to schools including reductions in bullying and better attendance, along with administrative efficiency and can have other advantages in this regard over other systems such as smart cards. The British Educational Communications and Technology Agency (Becta) is producing guidance on our behalf, and in consultation with the ICO, on the use of biometric systems in schools. This is in response to the growing numbers of schools that are using biometric systems to improve school management; mainly to register attendance, pay for meals or access the library. The guidance advises School governing bodies and headteachers (although parents and carers will also find the information useful) on the practical and legal steps they need to follow should they decide to introduce biometric systems. The guidance aims to ensure parents are fully informed about what the school is planning, that appropriate data security measures are in place and that parents and children have alternative access should that be necessary.

  21.  Becta has also published a technical specification for school infrastructure which sets out the security steps for ensuring that electronic data is kept secure, and safeguarded against a range of potential threats, including identity theft. These steps include establishing ICT security policies and procedures, and implementing appropriate physical security, data security, network security and Internet and remote access security.

  22.  ContactPoint will not hold assessments, record statements of need, academic performance, attendance, diet, any subjective material or clinical observations about a child, nor will it hold opinions or views about a child's parents or carers. It will hold only the contact details of the child's carers, general practitioner surgery, school and other professionals working with the child. Authorised users will have to have had relevant training and to have undergone appropriate checks, including enhanced Criminal Records Bureau (CRB) certification and will be subject to the requirements of the new Vetting and Barring Scheme, established following the Bichard Inquiry to avoid harm, or risk of harm, to children and vulnerable adults.

  See Annex 1 for more details of ContactPoint.

  23.  The National Pupil Database (NPD) is another example of the way in which data security is central to DCSF systems. The NPD has been recording information on pupils' attainment in education over a number of years. This information can be used effectively to see how pupils have progressed and whether particular initiatives—such as the Aim Higher programme, which aimed to increase participation in higher education—have had an impact.

  24.  Crucially, this information is held securely and researchers have to apply for access. Any data provided is anonymous: it shows comparative attainment levels, not the details of the pupils and can help researchers identify trends and evaluate policy initiatives.

  25.  Becta has worked closely with the Qualifications and Curriculum Authority (QCA) to ensure that the revised secondary curriculum includes references to the teaching of e-safety. This is reflected in the revised level descriptors for each of the key stages. Becta and the QCA have also developed an Internet Proficiency scheme for Key Stage 2 pupils.

  26.  The Child Exploitation and Online Protection Centre (CEOP) have also developed ThinkUKnow, a primary and secondary education programme for schools which focuses on developing safe and responsible behaviours online. This has been delivered to over one million children.

  27.  Becta works closely with Local Authorities and schools to ensure that there are appropriate measures in place to cover education and training for teachers, leaders and pupils, a safe secure infrastructure, effective policies and monitoring procedures all underpinned by robust standards and frameworks.

  28.  Becta's approach to this issue has adopted two fundamental principles—protect children when in school and educate them for their lives outside of school. These principles have been supported in the four main areas of policy and practice, education and training, infrastructure and inspection and standards. In conjunction with the QCA, we have developed an Internet Proficiency scheme for Key Stage 2 pupils. We have evaluated safety products and built safety into our standards and framework contracts, most recently advising British Standards on a safety standard for home computers.

VETTING AND BARRING SCHEME

  29.  The Vetting and Barring Scheme to be introduced under the Safeguarding Vulnerable Groups Act 2006 and following the Bichard Inquiry aims to help avoid harm, or risk of harm, to children and vulnerable adults. It aims to do this by preventing those who are deemed unsuitable to work with children and vulnerable adults from gaining access to them through their work. This will be done by:

    —  Providing employers with a more effective and streamlined vetting service for potential employees.

    —  Barring unsuitable individuals from working, or seeking to work, with children and vulnerable adults at the earliest opportunity.

  30.  The responsibility for taking barring decisions will lie with a new Independent Safeguarding Authority which will be an independent statutory body. The application processes for vetting and barring decisions will be run by the Criminal Records Bureau (CRB).

  31.  The Department takes issues around security and confidentiality of data very seriously. We want to ensure that it is only used for the purposes for which it is intended. Effective data sharing enables the delivery of better outcomes for children and learners, and helps to protect them from harm by preventing those who are barred from working with children having contact with them or data about them. The measures we are putting in place are designed to provide effective services while also addressing both the legislative requirements on privacy and security and building the confidence of citizens about the education, skills and children's services to which they are entitled.

Annex 1

CONTACTPOINT

  1.  The purpose of ContactPoint is to support Children's Services Authorities and their partners in their duties to co-operate to promote the well-being of children, and to safeguard them and promote their welfare, as set down in Sections 10 and 11 of the Children Act 2004 and in the safeguarding duty on school and colleges in Section 175 of the Education Act 2002. The purpose of ContactPoint is not to support the fight against crime.

  2.  ContactPoint is being established under section 12 of the Children Act 2004. Regulations made under this section came into force on 1 August 2007.

  3.  The intention is that ContactPoint will be available in all Local Authority areas by the end of 2008. ContactPoint will be a basic online directory containing a record for each child up to the age of 18 in England. With their consent, the records of young people leaving care or with learning difficulties can be retained up to the age of 25. The record will contain basic demographic information about the child, details of the parent/carer(s) and the name and contact details of practitioners working with the child. It will not contain case information. The purpose of ContactPoint is to save time and support early intervention by allowing authorised practitioners to see who else is working with the same child.

  4.  ContactPoint will be populated with data from a range of existing national and local systems. Section 12 and the draft regulations set out what data is to be held and lists the persons and bodies who are permitted or required to supply this data. It is anticipated that these data sources will include case management systems used by Youth Offending Teams and in the future the e-Borders system currently being established by the Home Office.

  5.  ContactPoint will not be used to profile children or young people. No support for profiling is being designed into the system. Through extensive work with practitioners ContactPoint has been designed to help practitioners to find out who else is working with the same child or young person, making it easier to deliver more coordinated support.

  6.  Access to ContactPoint will be restricted to authorised staff who need it as part of their work. The regulations detail the categories of practitioner who are eligible to be granted access to ContactPoint; these include police officers, members of youth offending teams and staff at secure training centres. An individual will only be granted access if it is clear that they need access to support their work on safeguarding or improving wellbeing for children. It will not be acceptable for users to access the system to support enforcement activities. This will be made clear to all users through training and guidance (due to be issued in early 2008).

  7.  Before being granted access, individuals will also have to attend training and have received an enhanced disclosure from the Criminal Records Bureau (or equivalent vetting for police). All users will be authenticated to ContactPoint using strong (2-factor) authentication techniques in line with the e-Government Unit (eGU) guidance. Every access will be monitored and audited. Potential misuse will be subject to investigation and if necessary disciplinary and criminal proceedings.

  8.  There are no plans for data sharing between ContactPoint and the National Identity Register. The bulk disclosure of data from ContactPoint will only occur in anonymised or pseudonymised form. This is to support statistical analysis and for research purposes.

  9.  The regulations provide for the Secretary of State or a local authority to disclose information from ContactPoint where this is required by a court order or where this disclosure is necessary for the prevention or detection of crime or the prosecution of offenders. These provisions are intended only for limited circumstances and will be subject to a judgement on a case-by-case basis. As stated previously, ContactPoint is not intended to provide a tool for use in the fight against crime.

Annex 2

MANAGING INFORMATION ACROSS PARTNERS

  1.  Managing Information Across Partners (MIAP) arose from the post-16 reforms following the Learning and Skills Act 2000 and the legacy of disparate data policies and systems sector wide. There was a recognition that effective data management would help realise the benefits of the Government's reform agenda. MIAP now brings together over 40 post-14 learning and skills sector organisations who have signed up to a new framework for data sharing.

  2.  The MIAP service is very much in line with the Government's thinking around Information Sharing, and has been developed in full consultation with the Information Commissioner's Office (ICO). It is all about managing information sharing in a transparent and controlled way, with legal and process controls in place to ensure that information is shared appropriately. It is also about sharing information for the benefit of individuals whilst ensuring there are sufficient safeguards in place; with an appropriate balance being maintained between the need for appropriate sharing of information and the potential risks to privacy. Data Governance arrangements have been developed and published and are accessible on the MIAP website www.miap.gov.uk

  3.  The MIAP programme of improvement to data collection and sharing will be introduced over several years and will result in information being collected once, used many times and used by all organisations that are entitled to it. The MIAP service will remove bureaucracy for learners by making their interaction with the education and training sector easier; enabling them to access directly, for the first time, information held on them and to share that information with others so that they can receive a better service and/or confirm their qualification levels.

  4.  In practical terms MIAP is an internet based and technology enabled set of services, supported by common data definitions. It has three core parts:

    —  a UK Register of Learning Providers, launched in August 2005, where individuals and organisations can access information about individual learning providers (their contact details; their courses; and their performance) through a single route;

    —  from September 2007, MIAP has begun to assign Unique Learner Numbers (ULNs) to all individuals over the age of 14 undertaking publicly funded learning in schools and FE (and potentially HE). It will do this through the Learner Registration Service (LRS). The service will hold the Unique Learner Number and enable other organisations to access the number and contain it in their systems, enabling third party to third party transactions about learners to be made much more easily;

    —  from September 2008, MIAP will enable individuals to access information held on them about their school and FE learning participation and achievement in the form of a Learner Record, which can be shared with frontline organisations and potential/existing employers as they wish. It is expected that other data sources will be added in due course, for example, more timely achievement information direct from awarding bodies, and HE information from universities. This system will also provide a data query service for registered users. The lifelong record of learning will be capable of editing by individuals who may not want to share all the details of their learning.

  5.  The Learner Registration Service and the Unique Learner Number support better processing of data. The Unique Learner Number will be held by both awarding bodies and learning providers making the transfer of data about enrolment on exams and achievement information more efficient and accurate. It will support the way that units of qualifications (being developed by the QCA through the Qualifications and Credit Framework and 14-19 Diplomas) can be brought together over time at the individual level to confirm achievement towards full qualifications.

  6.  For Information Advice and Guidance and Learning Providers, including schools with post-14 pupils, MIAP offers operational benefits in communicating with other educational bodies, such as examinations boards, and will enable them to understand how their learners progress in future learning. The National Client Caseload Information System (NCCIS) will contain the Unique Learner Number and will be able to share the number with local Connexions systems, enabling transfer of information about individuals between schools/providers and Connexions to be much easier. This will facilitate better monitoring of local targets for supporting those not in employment, education or training.

  7.  MIAP is represented on the cross DCSF/DIUS Identity Management Stakeholder Group, which is looking at identity management across all ages in education. Work is ongoing to look at how MIAP can support that strategy.

  8.  It must be recognised that crime has become more sophisticated, complex and subsequently more difficult to prevent and detect, reflecting society's advances, changes in moral values and advances in technology. Citizenship and individualism in the 21st century is evolving with alacrity. As this individualism advances, it is submitted that interdependence between individuals and state actually increases, as traditional aspects and cohesiveness of society break down.[14] The measure of society is that criminal acts continue to offend deeply held aspects of the collective conscience and so increasingly citizens look to the state for protection; to enable crime to be prevented and detected under these conditions, the relationship between citizen and state cannot remain static. Some aspects of individual privacy must be sacrificed to protect the welfare and safety of society, citizens and the public purse and it is submitted that citizens respect and understand this. As long as the investigators of a democratic state continue to undertake their duties honestly, fairly, with integrity and in accordance with law, both domestic and European, public faith will be maintained.

EVIDENCE FROM DEPARTMENT OF HEALTH (DH)

  1.  The Committee has requested written evidence from the Department of Health on surveillance and data collection activities and, in particular, the safeguards that are in place to protect privacy and the rights of the citizen.

  2.  The primary purpose for NHS data capture is to maintain a record of the care provided and the drugs prescribed by its staff. This informs subsequent care, provides an evidence base to resolve complaints and litigation, allows the quality of care provision to be monitored and supports a wide range of health service management activities including financial management, planning, research and epidemiology.

  3.  The NHS is currently in the midst of a major modernisation programme in respect of its information technology. It is moving away from organisational, or in many cases sub-organisational departmental records, which have been largely paper based, to a modern digital infrastructure. A core component of this programme is the development of the NHS Care Records Service (NHS CRS) which will, in due course, provide a nationally available, secure, lifelong patient record. Access to the NHS CRS is controlled via secure smartcard technology, available at the point of need by healthcare professionals who have a role based, legitimate relationship with the patient.

  4.  The NHS CRS will incorporate stringent security controls and safeguards to prevent unrestricted or uncontrolled access to personal information. Beyond that, patients will have the right, subject to rare public safety exceptions, to restrict access to their clinical information. The NHS CRS holds detailed clinical information locally, with a summary of key information held nationally so that it is available wherever and whenever it is needed. Citizens may choose not to have a national summary care record and can control how the information in their local detailed records is shared.

  5.  The Department of Health is a recipient of non-personal statistical data drawn from activity reports that are generated for management purposes within and across the NHS. The Health and Social Care Information Centre is the NHS body responsible for analysing NHS, and to a lesser extent, social care performance data. The Department also holds the contracts for the maintenance of a number of national databases which hold personal data, and which are accessed by NHS staff in the course of delivering, administering and planning care. These databases are only accessed centrally by Departmental staff to perform essential maintenance, resolve data quality issues or where required by law eg when a citizen asks to see what data is held.

  6.  An important additional component of the NHS IT modernisation programme is the creation of a Secondary Uses Service (SUS) which is used to generate anonymous or coded data to support management and research purposes—purposes usually described as "secondary" to the provision of care. This is an important new development in the context of safeguarding the personal data of citizens as it enables important activities to be supported without breaching privacy or confidentiality rules.

The overarching approach to privacy and safeguards

  7.  The NHS and the Department of Health treat patient privacy and confidentiality extremely seriously and there is a robust framework—usually referred to as information governance—which sets exacting standards and monitors organisational performance. This comprises:

    —  A National Information Governance Board, which advises Ministers on significant issues and monitors organisational performance. This board incorporates the statutory Patient Information Advisory Group that has provided a more limited leadership since 2001.

    —  Publication of a Care Records Guarantee that sets out the privacy and confidentiality commitments that the NHS makes to patients.

    —  Audits of information governance performance by the Healthcare Commission, the body responsible for assessing organisational compliance with key standards.

    —  Performance assessment of NHS organisations against detailed standards for legal compliance, security, data quality and records management set by the Department of Health in collaboration with key regulatory bodies, with performance data collected through an online information governance toolkit.

    —  The appointment in each NHS body of a senior clinician, termed a Caldicott Guardian, who is responsible for championing patient confidentiality and advising management boards.

The NHS IT modernisation programme

  8.  The NHS IT Modernisation Programme has several components, a number of which are covered by the broad heading of the NHS Care Records Service:

    —  The Personal Demographics Service (PDS). This is a national register of all NHS patients. It does not contain clinical information, but holds the contact details, date of birth, unique NHS number and registered GP for each patient.

    —  The National Summary Care Record (SCR). This is a national database of key clinical information considered by clinicians as being important when providing care to a patient in the absence of full notes.

    —  Detailed Care Records. These are the digital replacements for traditional GP or hospital patient records, available across health communities and along care pathways. The SCR is derived from these records.

    —  The Secondary Uses Service (SUS). This is a database of clinical information that can be used to generate anonymised or pseudonymised (coded but not identifiable) data sets for research and management purposes.

    There are a number of other components which modernise the services available for citizens which are not directly relevant to this Committee:

    —  Electronic Transfer of Prescriptions. This service supports paperless prescribing and collection of repeat prescriptions.

    —  Choose & Book. This service allows patients to be booked directly into clinics when referred by a GP, supporting choice and enabling appointments to be set around the requirements of citizens.

  9.  International security standards are applied across all system implementations. These include the use of encryption on communication links between systems, and on user interfaces with systems. The security of data centres is assured using both international and British standards, and all suppliers to the NHS IT Programme are contractually bound to audit their adherence to these.

  10.  Users are vetted and sponsored by their local organisations for specific access appropriate to their job role and area of work. There is a strong registration process compliant with the highest government standard (eGif level 3) which means the user has to initially appear in person to prove their identity before access is assigned by the "Registration Authority" with accountability at local NHS Trust level. On successful completion of the registration process, a user is issued a smartcard—a secure token that, together with a passcode, confirms the identity of a user at the time of access. The registration process assigns them a role profile consistent with their area of work and responsibilities and establishes a unique electronic footprint when used to access systems. These records can be analysed to identify suspect behaviours.

  11.  There are a limited number of circumstances where systems may permit users with appropriate role profiles to access more data than their basic access privileges will permit. These circumstances are tightly defined and do not, for example, allow administrative staff to override controls in order to access clinical information. They include, for example, circumstances where a clinician is involved in the provision of emergency care and there is no time to establish appropriate access rights. When this occurs, the system generates an alert which is sent to designated privacy staff who will investigate to ensure there has been no misuse of the system.

Types of patient information collected, the options available to patients in respect of each, and the specific safeguards that apply

  12.  Patients' demographic details (name, address, NHS Number etc) are held nationally in the Personal Demographics Service (PDS), a key component of the NHS Care Records Service that is already in place and working well. These details are required to ensure that any previous records are located and that patients can be contacted when necessary. Regulations require the NHS to keep a record of which GP practice each person is registered with and reasons of efficiency and probity require this to be held centrally (eg to prevent multiple GPs from being paid for the same patient and to ensure that the correct commissioning body meets the cost of care provided). A register is also needed to enable the Secretary of State to meet legal obligations to provide healthcare, free at the point of contact, for those patients who are ordinarily resident in England.

  13.  Whilst NHS patients cannot exercise choice about their demographic data being held, they can ask for their contact details to be treated as sensitive. This prevents local NHS staff from seeing these details. This facility is used primarily to support those in witness protection programmes and military personnel, but is also available to anyone who is concerned about the ease with which NHS staff may be able to determine where they currently live eg people hiding from abusive partners.

  14.  Access to the Personal Demographics Service (PDS) by NHS staff is restricted to those issued with a smartcard and an appropriate role as described above. To locate a specific individual's records it is necessary for these staff to input sufficient information to obtain a unique match, generally only possible where the individual concerned is present and can be asked for details. If this proves difficult because there are too many individuals with similar details, a list can be accessed but doing so generates an alert to other staff responsible for ensuring and checking that the system is not being misused.

  15.  Clinicians are required by their professional regulatory bodies to keep clear, accurate, legible and contemporaneous patient records which report the relevant clinical findings, the decisions made, the information given to patients, and any drugs or other treatment prescribed, and which serve to keep colleagues well informed when sharing the care of patients.

  16.  The NHS IT modernisation programme is replacing local stand alone systems or paper processes with modern digital systems that are integrated at a local level to support the care delivered by health communities. These new systems also enable key summary data to be extracted and held nationally to support care outside of the boundaries of the local health community and/or in unscheduled circumstances.

  17.  Only the duly authorised staff of organisations that are involved in providing care will have access to clinical information held within the NHS Care Records Service (NHS CRS). No system functionality will be available to an individual who does not possess a smartcard and know the associated pass code. The role profile that has been assigned to an individual through the registration process determines which system functions, and consequently which parts of a record, an individual who has logged on to the system can access.

  18.  A central record is also maintained within the systems of which patients each staff team—workgroup—is currently caring for. A GP Practice, an A&E Department or a clinic would be typical workgroups. This relationship, termed a "legitimate relationship" (LR), is a prerequisite of access to a specific patient's record. Without such a relationship access is prevented.

  19.  Full audit trails of who has done what, made possible by the unique identity associated with each smartcard, are maintained within systems and it is intended that these will be available to patients on request, as well as to staff charged with checking for system misuse by authorised staff. This is a considerable advance on what exists now with either paper or electronically held records.
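The access checks described in paragraphs 11 and 17 to 19 can be modelled in a few lines. The following is an added illustration, not NHS CRS code: the role names, record sections, class and function names are assumptions, and the sample users and patients are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role profiles: role -> parts of a record that role may open.
ROLE_PROFILES = {
    "clinician": {"demographics", "clinical"},
    "receptionist": {"demographics"},
}
# Assumption: only clinical roles may use the emergency override, since the
# memorandum says administrative staff cannot override to reach clinical data.
OVERRIDE_ROLES = {"clinician"}


@dataclass
class User:
    smartcard_id: str   # unique identity behind every audit entry
    role: str           # role profile assigned at registration
    workgroup: str      # staff team, e.g. a GP practice or A&E department


@dataclass
class AccessControl:
    # (workgroup, patient) pairs for which a legitimate relationship exists.
    legitimate_relationships: set = field(default_factory=set)
    audit_trail: list = field(default_factory=list)
    alerts: list = field(default_factory=list)   # queue for privacy staff

    def _decide(self, user, authenticated, patient, section, emergency):
        # 1. No smartcard plus passcode, no functionality at all.
        if not authenticated:
            return "deny", "smartcard and passcode not presented"
        # 2. The role profile limits which parts of a record can be reached.
        if section not in ROLE_PROFILES.get(user.role, set()):
            return "deny", "section outside role profile"
        # 3. The user's workgroup must have a legitimate relationship.
        if (user.workgroup, patient) in self.legitimate_relationships:
            return "allow", "legitimate relationship"
        # 4. Tightly defined override, e.g. emergency care; never silent.
        if emergency and user.role in OVERRIDE_ROLES:
            return "allow-override", "emergency override"
        return "deny", "no legitimate relationship"

    def request(self, user, authenticated, patient, section, emergency=False):
        decision, reason = self._decide(
            user, authenticated, patient, section, emergency)
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "smartcard_id": user.smartcard_id,
            "workgroup": user.workgroup,
            "patient": patient,
            "section": section,
            "decision": decision,
            "reason": reason,
        }
        # Every attempt is audited, including refusals.
        self.audit_trail.append(event)
        # An override always raises an alert for later investigation.
        if decision == "allow-override":
            self.alerts.append(event)
        return decision

    def accesses_for_patient(self, patient):
        # The view a patient, or privacy staff, could be given on request.
        return [e for e in self.audit_trail if e["patient"] == patient]


if __name__ == "__main__":
    ac = AccessControl()
    ac.legitimate_relationships.add(("gp-practice-1", "patient-A"))
    gp = User("card-001", "clinician", "gp-practice-1")
    ae = User("card-002", "clinician", "ae-dept")
    print(ac.request(gp, True, "patient-A", "clinical"))
    print(ac.request(ae, True, "patient-A", "clinical"))
    print(ac.request(ae, True, "patient-A", "clinical", emergency=True))
    print(len(ac.alerts), "alert(s) for privacy staff")
```
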

  20.  These technical controls are complex to implement and there is a trade-off between usability and ease of access to data and questions relating to security and patient safety. The Department is therefore proceeding cautiously and consultatively to ensure that the right balance is struck.

  21.  Uniquely, the Department is also providing security controls that are set at the direction of patients. This provides unprecedented confidentiality management for patients of the NHS in England. Patients have a number of options. They were developed following extensive research and consultation with patients/carers/citizens and the NHS. Patients may choose—

    (i) Not to have a national Summary Care Record by requesting this through the GP Practice where they are registered.

    (ii) To direct that controls are set to prevent data sharing. In this case the SCR can only be viewed with the individual's express permission or in accordance with the exceptions to English common law confidentiality obligations. Local sharing of Detailed care records across organisational boundaries will also be prevented—essentially recreating the pre-NCRS situation.

  22.  In time, patients will also be able to designate some data items within a record as sensitive so that they cannot be viewed outside of the team that recorded the information without the individual's express permission, or where concerns are extreme, that they are not available at all outside of that team. These types of control are referred to as "sealed envelopes" and "sealed and locked envelopes" respectively.

Use of data held on the new systems for purposes other than the delivery of care eg clinical research

  23.  Exceptionally, disclosure of clinical information outside of a health context may be considered in cases of serious crime or where there are significant risks to other people, following the guidelines set out for the NHS in the Department of Health publication Confidentiality: NHS Code of Practice, a guidance document that was agreed with the Information Commissioner and the General Medical Council.

  24.  The primary purpose of the NHS Care Records Service (NHS CRS) is to support the delivery of care to patients. However, as a by-product of collecting information for operational patient care, the architecture of the NHS Care Records Service (NHS CRS) provides the opportunity to rationalise data abstraction, data flows, data management, analysis and reporting. This supports management and clinical purposes other than direct patient care, such as healthcare planning, commissioning, public health, clinical audit, benchmarking, performance improvement, research and clinical governance. The system by which this is done is called the Secondary Uses Service (SUS).

  25.  Wherever possible, data will be extracted automatically as a by-product of NHS services supporting direct patient care, including the NHS Care Records Service (NHS CRS), Choose and Book and Electronic Transmission of Prescriptions. Initial Secondary Uses Service (SUS) content will cover the NHS in England and will be patient-specific. It will build on operational information already being shared by the NHS such as commissioning of healthcare services (eg diagnosis and procedures), cancer waiting times, clinical audit and supporting demographic data. Data will in due course cover all care settings (primary, community and acute) and all NHS-commissioned activity, including services provided for the NHS by the independent sector.

  26.  The aim is for this data to be made available either in aggregate form or, where detailed information is provided, in anonymised or pseudonymised form. This process removes patient identifiable information and allocates a consistent "pseudonym" so that individual cases can still be tracked, but only with explicit approval and still without identifying the individual concerned.
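One common way to obtain a consistent pseudonym of the kind paragraph 26 describes is a keyed hash over the patient identifier. The following is an added illustration, not the Secondary Uses Service's method: the use of HMAC-SHA-256, the field names and the sample records are all assumptions or constructed values.

```python
import hashlib
import hmac

# Assumption: these are the fields treated as patient identifiable.
IDENTIFYING_FIELDS = {"name", "address", "nhs_number", "date_of_birth"}


def normalise_nhs_number(raw):
    """Strip spacing so the same number always maps to the same pseudonym."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) != 10:
        raise ValueError("expected a 10-digit NHS number")
    return digits


def pseudonym(nhs_number, key):
    """Keyed hash: consistent for one key, not reversible without it."""
    message = normalise_nhs_number(nhs_number).encode("ascii")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def pseudonymise(record, key):
    """Drop identifying fields and attach the pseudonym in their place."""
    out = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    out["pseudonym"] = pseudonym(record["nhs_number"], key)
    return out


# Constructed sample data: one patient seen in two care settings, with the
# identifier formatted differently by each source system.
KEY = b"constructed-example-key-held-by-the-data-custodian"
GP_RECORD = {
    "name": "Example Patient", "address": "1 Example Street",
    "nhs_number": "999 000 0001", "date_of_birth": "1970-01-01",
    "setting": "primary", "diagnosis_code": "EX01",
}
HOSPITAL_RECORD = {
    "name": "E. Patient", "address": "1 Example St",
    "nhs_number": "9990000001", "date_of_birth": "1970-01-01",
    "setting": "acute", "procedure_code": "EX02",
}

if __name__ == "__main__":
    a = pseudonymise(GP_RECORD, KEY)
    b = pseudonymise(HOSPITAL_RECORD, KEY)
    # The two extracts can be linked, but neither names the patient.
    print(a["pseudonym"] == b["pseudonym"], sorted(a), sorted(b))
```

Using a secret key rather than a plain hash matters here: the space of 10-digit identifiers is small enough to enumerate, so an unkeyed hash could be reversed by anyone holding the data set.
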

  27.  Access to identifiable information is available only where patient consent has been given, or where specific permissions apply. Permission is required from an expert group called the Patient Information Advisory Group (PIAG), set up under the Health and Social Care Act (2001). This group assesses each application to test that the use of patient information is justified, taking into account issues of confidentiality and consent.

  28.  As with all other elements of the NHS CRS, access to the Secondary Uses Service requires each user to be formally registered and to use individual smart card access, just as for other systems in the National Programme for IT in the NHS. Each user is allocated a role which determines the functions (ie what reports they can access) and the coverage (eg the organisation or geography of data which may be accessed). Key user activities, eg, logon and performing an extract, are logged.

EVIDENCE FROM DEPARTMENT FOR WORK AND PENSIONS (DWP)

  1.  The Department for Work and Pensions (DWP) is here to promote opportunity and independence for all through modern, customer-focused services. We help people to achieve their potential through employment, so that they are able to provide for their children and to work and save for secure retirement. All this is part of building a fair and inclusive society. DWP's main customer groups are:

    —  children;

    —  people of working age;

    —  pensioners; and

    —  disabled people and their carers.

  2.  Just about everyone in Great Britain will deal with the Department or one of its eight businesses at some point in their lifetime.

  3.  Our business requires us to collect and hold a wide range of personal information. Sir David Varney's report for HM Treasury, Service transformation: A better service for citizens and businesses, a better deal for the taxpayer, published in December 2006, set out a vision for transforming the delivery of public services. It aims to make service delivery channels more responsive to the needs of citizens and business.

  4.  Our goal is to collect and use information effectively, efficiently and securely and in a way which enables the Department and wider government to fulfil its policy and delivery ambitions.

  5.  DWP holds personal information on all of its customers to enable it to carry out its business, gathered from customers, or from other government departments and public bodies:

    —  HM Revenue and Customs (HMRC);

    —  Department for Children, Schools and Families (DCSF);

    —  Department of Health;

    —  the Home Office (including the Immigration and Passport Service (IPS) and the Police);

    —  HM Court Service;

    —  NI Social Security Agency; and

    —  Local Authorities.

  6.  All data held by the Department is in accordance with relevant legislation including the Data Protection Act.

  7.  We hold basic identity details—name, address, date of birth etc—for all our customers, and bank account details if that is the customer's chosen method of payment. Other information held will depend on what benefits or services the Department provides for each customer.

  8.  Staff are provided with access to data in accordance with business requirements. All requests for access are approved by line management. Staff access to data is automatically audited by DWP systems; the audit logs produced are checked both on a random basis and when particular conditions are satisfied. In addition staff accesses are randomly selected for management checking.

  9.  DWP shares information with other public bodies for a wide range of different purposes:

    —  to ensure customers receive their full entitlement, for example by identifying recipients of winter fuel payments and by identifying Housing Benefit and Council Tax Benefit customers who might also be entitled to Pensions Credit;

    —  to ensure our customers receive other help to which they are entitled, for example providing information to Local Authorities to verify entitlement to free school meals;

    —  to prevent and detect fraudulent claims, for example by matching death information from the General Register Office with our customer records; and

    —  to improve the services we deliver to customers, for example by using information to encourage customers to have their benefits paid into bank accounts.

  10.  DWP also carries out limited data matching with private sector sources, such as Credit Reference Agencies to help detect fraud. The Social Security Fraud Act provides a legal gateway where, under specified conditions, information can be requested from private sector organisations such as banks and building societies as part of gathering evidence in fraud investigations.

  11.  The Jobcentre Plus Fraud Investigation Service conducts criminal investigations for DWP into alleged benefit fraud. Investigations may involve the use of a number of techniques and access a range of data sources, guidance on the usage of which reflects relevant legislation and codes of practice. Surveillance can only be undertaken if it is necessary and proportionate to the alleged offence and has been properly authorised. This means that all other avenues must be considered first.

  12.  DWP's approach to data sharing is that new opportunities to improve public services are exploited, while ensuring information is shared legally and in line with public expectations. Joint approaches should be agreed across government and beyond and trusted standards and safeguards should be established and maintained.

  13.  DWP will only disclose personal data, or receive data from another organisation, where this is permitted in law, and where it complies with the Data Protection Act and Human Rights Act principles.

  14.  Data sharing is managed in DWP through the use of a simple Data Sharing Protocol, which sets out the information required to test the strategic fit and legality of proposals and ensures appropriate safeguards are in place.

  15.  The Protocol defines clear standards of behaviour; emphasises the need for a clear well defined case for data sharing; and stresses the need to undertake an assessment of the impact of any proposed data share.

EVIDENCE FROM TRANSPORT FOR LONDON (TFL)

  1.  As a major organisation and heavy user of over 10,000 CCTV cameras spread across its rail network, stations and roads in London and the fleet of 8,000 buses all equipped with CCTV cameras, Transport for London (TfL) welcomes the opportunity to submit written evidence to this inquiry.

  2.  TfL has a lawful obligation to provide a safe and efficient transport system in London and as such uses and maintains a number of data sources relating to the transport system to meet this obligation. TfL actively works with its stakeholders, passenger groups and the Information Commissioner to ensure that it holds, processes and discloses information in a transparent, proportionate, fair and lawful manner.

  3.  CCTV systems in particular are used successfully by TfL for both transport system management and delivering a safe and secure environment for those who travel on London's transport system. In addition to its own rail and bus networks, TfL has helped fund CCTV cameras on some National Rail stations and trains serving London as well as paying the Metropolitan Police £60 million and British Transport Police £50 million for resources to provide a safe transport network. For example, we use on-bus CCTV to deal with crime and anti-social behaviour on buses and have worked in partnership with the Metropolitan Police to deal with individuals perpetrating crime on the bus network. This has led to over 1,000 convictions of individuals on the bus network and helped to deliver a more safe and secure environment for our passengers and staff.

  4.  In addition, the CCTV coverage of TfL's network proved invaluable to the police and Security Services in the aftermath of the incidents of 7 and 21 July 2005. It provided valuable intelligence to the Security Services and gave vital assistance in the investigation and prosecution of individuals involved in the incidents. The CCTV coverage of the network remains an essential component of protecting the system from terrorism and providing essential intelligence to the Police and security services to support this.

  5.  TfL also works with the police services in London in order to assist with the investigation of crime and disorder on and around the network and will, where it is lawful, provide data to assist the police to investigate crime. There have been a number of recent high profile serious crimes that have been successfully solved with the assistance of data provided by TfL. There are clear procedures in place to govern the transfer of such data and ensure that any transfer is undertaken in a manner that is transparent, proportionate, fair and lawful.

  6.  TfL takes its responsibilities as the Data Controller of the personal data and CCTV images of our passengers very seriously and will not release data without careful consideration of the implications for Londoners. However, where the release can be undertaken in a transparent, proportionate, fair and lawful way and will benefit London—particularly by making a direct contribution to the safety and security of our passengers—we will work with partners to ensure that this is delivered effectively.

  7.  Our procedures are developed using legal advice, guidance from the Information Commissioner and our approach has been ratified by TfL Board. We continue to develop these procedures and protocols and they will be continually reviewed in line with case law, legal advice, and any updated guidance that is issued by the Information Commissioner. The bus operators who control in excess of 50,000 on-bus cameras have strict procedures that are agreed with TfL on handling the data, and any disclosure made to the police and law enforcement agencies is done in a transparent, proportionate, fair and lawful way. These procedures are regularly reviewed by TfL in line with our own. The operators receive regular visits to ensure compliance with these. We strive to balance the benefits we can deliver to our passengers with regard to safety, security, reliability and service responsiveness with the important privacy demands of our passengers.

  8.  In a TfL survey (carried out by MORI) of 1,003 respondents in December 2006, 87% of people said they supported increasing CCTV coverage and believe it will help to improve passenger safety on trains and in stations.

  9.  Overall, TfL believes that the use of CCTV data in a transparent, proportionate, fair and lawful manner allows us both to effectively protect our passengers and staff, and information about them, and provide a more safe, reliable and effective transport system for London.

January 2008




13   Not all of this information would constitute "personal data" under the Data Protection Act.

14   Emile Durkheim (1859-1917).


 

© Parliamentary copyright 2009