Data Protection
3:00 pm

Photo of Baroness Miller of Chilthorne Domer

Baroness Miller of Chilthorne Domer (Spokesperson in the Lords, Home Affairs; Liberal Democrat)

rose to call attention to the volume of personal data collected and retained by governmental agencies and private companies, and the protection of personal data and privacy; and to move for Papers.

My Lords, this debate could not be more timely. Perhaps that is my good luck and the Government's bad luck. We and the public have just been shocked by yet another catastrophic example of data loss, where literally millions of the records that individuals have entrusted to the state have gone missing. The case in the Statement concerned state security, which is slightly different but potentially more serious. I am going to concentrate on the affect that these losses have on individuals, on their confidence in giving data to the state and on the state's responsibility for looking after that data properly.

At the moment, the UK probably leads the developed world in data loss. The point of the debate is to ask the Government what tools are in place to prevent that loss, whether they are using them and what more tools are needed. We on these Benches believe that the culture must change dramatically before losses of this magnitude stop occurring. As the Minister will know, because he agreed to it, we succeeded in getting a change to the Criminal Justice and Immigration Bill that gives the Information Commissioner more powers to deal with reckless and careless losses. It is a small step which needs to be followed by many others.

In the debate, we will call for an urgent updating of the Data Protection Act, which is 10 years old. In that time there have been phenomenal technological changes and it is not surprising that neither legislation nor thinking have kept pace. It was timely for this debate that last Tuesday an exhibition in Portcullis House showcased some of the advances in both the private and government sectors. I expect the Minister visited the exhibition. I certainly met his counterpart from the other place there and we had an interesting discussion. We are all agreed that the public have the right to expect that government agencies which demand their data, and private agencies which request personal data, should have systems to keep them safe and staff who are well aware of how best to use such safeguards. Legislation is certainly not the only answer; there must be a widespread cultural shift across public and private sectors.

Going back into history, it was in 1965 that George Moore, a co-founder of the giant computer chip manufacturer Intel, made a prediction: he said that information technology would grow, and continue to grow, at an exponential rate and would herald a revolution in human, social, political and commercial life. He was absolutely right. The increasing ease with which data can be collected, stored and processed presents countless new and exciting opportunities. I am not suggesting that we should not welcome this but, as more and more data and information relating to us are collected and stored, protecting the security of that information becomes ever more difficult. A real tension emerges between engaging with the opportunities offered by these new technologies and ensuring that any information that is collected, stored and processed is treated with due regard to its sensitivity. That tension is most pronounced in e-government, which is convenient and efficient when it works and disastrous when it does not.

The introduction of ContactPoint, otherwise known as the Children's Index, about which my noble friend Lady Walmsley will speak, provides a database of every single child in England and Wales. Spine, the NHS central medical record database, represents a dramatic widening of the circumstances under which the genetic information of individuals may be retained. And, of course, there is also the proposed national identity card scheme.

Data are also collected as part of CCTV operations, cameras record us in our cars in the street, satellites watch over our homes, police helicopters operate face-recognition technology above crowds and technology now exists which allows tiny drones to swoop in and photograph indoors. I must ask the Minister whether recent reports are true that the Government are considering the construction of a database which will hold details of every phone call made and every e-mail sent by the public, allegedly as part of the fight against crime and terrorism, although that might be part of the wilder imaginings of the press.

Mass data collection and retention is not the sole domain of government. The private sector has been years ahead in seeing the commercial potential in data collection. However, collection is one thing but the problems arise in its retention—how is it stored, how is it accessed and by whom? Even the technology that I understand and use—the memory stick, for example—allows vast amounts of data to be downloaded in one place and removed to another, just as we were talking about in the Statement. More sophisticated is the collection of information by Google, for example, in developing targeted advertising. There are all kinds of technological advances which are hard to grasp.

I was talking with the chief executive of Phorm this week who told me that once something is stored you have lost control over it. Phorm has been the subject of an interesting article in the Economist recently which some of your Lordships may have read. It is a company on the cutting edge of what can protect the public. A bit of controversy surrounds its work because, with its client BT, it intercepted people's online business without BT customers knowing. But Phorm is certainly correct when it says that if consumers knew what was actually stored they would decide to opt for true anonymity online. This is what Phorm is trying to develop with major telecommunications clients on a global scale.

The focus should now be on what is stored and how because once there is a breach it is too late. A robust assessment of new databases and other initiatives could be effected through the use of privacy impact assessments, which, essentially, are privacy specific audits, which identify areas of e-government but have the potential to conflict with the provisions of data protection legislation. These are in their infancy in Europe but are commonplace in Australia and Canada and, to a lesser extent, in the US. I ask the Minister whether PIAs—which have been warmly welcomed by the Government, who have acknowledged that they can be useful in maintaining the balance between the needs of today's society for more information to be shared and protecting privacy—have been conducted in any aspect of e-government. As far as I can establish, none has been conducted on the proposed national ID card scheme, ContactPoint—nor has that been done on Spine or the forthcoming implementation of the automatic number plate recognition system. Is the Minister able to say why not?

I am sure the Minister is aware that some use of online data is absolutely disgraceful. The worst private sector example that I have come across recently is the utterly pernicious national staff dismissal register. I know my noble friend Lord Roberts of Llandudno will make some remarks on this new development and so I will simply say that this new database, where tittle-tattle, rumour and potentially defamatory material concerning ex-employees can be stored for access by other prospective employers, is a dangerous development. We on these Benches take business crime seriously but there is a court system to deal with it. A website which is run for profit and which is trying to take the place of the police, prosecution, judge and jury is a serious issue. I hope the Government will do something about safeguarding the interests of workers who have little ability to pay for expensive access to the courts in order to do something about it.

Of immediate public concern, too, is the HM Revenue and Customs debacle last year—this has been referred to on numerous occasions in your Lordships' House—when the records of 25 million people were lost in the post. There have been further incidents of significant losses from the DVLA and the MoD. In the context of data mismanagement, the public do not have the confidence that they need to feel if the Government are going to take their next step in e-government. That next step, which was demonstrated at Portcullis House in the exhibition on Tuesday, is centralised registration online guarded by secure access, along the lines of what noble Lords may be used to using with their online bank accounts. It sounds good and looks convenient, but if something goes wrong and it proves to be insecure it will be a total disaster. The fact is that nothing can be regarded as totally secure. Does the Minister agree with that?

One of the things the Government have tried to do is bring in data guardians. On the advice of Kieran Poynter of PricewaterhouseCoopers, who was commissioned to conduct the review into what went wrong at HM Revenue and Customs, the Government have appointed a number of dedicated data guardians charged solely with ensuring that large quantities of data, held by whichever department, are treated in compliance with good practice set down in the Data Protection Act. That is a welcome move. How is it progressing?

The Government also have—this was a surprise to me—a dedicated Data Protection Minister, currently Mr Michael Wills MP. It was revealed, subsequent to the HMRC data loss, that the first he heard about that incident was when a Statement was made by the Chancellor in another place. Mr Wills candidly admitted that in the light of the Revenue and Customs data loss the Government are going to have to learn lessons—but I am afraid it is part of his job to teach them.

I am not excluding the private sector. There have been some shocking examples of the misuse of data by a number of banks and companies entrusted with sensitive data. HSBC is facing the prospect of a Financial Services Authority investigation and a hefty fine after it lost the key details of some 370,000 customers in April. Nationwide customers, not directors, are going to have to pay for security lapses with a £980,000 fine.

I must also draw the House's attention to a crossover between the private and public sectors in the comments of the Joint Committee on Human Rights, which said in a recent report on data protection:

"Where there is a demonstrable need to legislate to permit data sharing between public sector bodies, or between public and private sector bodies, the Government's intentions should be set out clearly in primary legislation. This would enable Parliament to scrutinise the Government's proposals ... and, bearing in mind that secondary legislation cannot ... be amended, would increase the opportunity for Parliament to hold the executive to account".

I would be grateful for the Minister's comment on that.

The Information Commissioner has made a good start in changing attitudes in all public bodies, but he is labouring, as I have said, under a rather outdated Data Protection Act. He is also pretty limited in his resources. Are the fees that the Information Commissioner can raise sufficient to deal with the volume of work that he now has to cope with? The regulator is charged with not only educating data controllers about their obligations but their compliance with the Act itself. I would be surprised if the resources that he was set up with were adequate for the job he now has to do. Arming the commissioner with new legal powers is essential. Although I know that by convention the Minister will not comment on what is going to be in the Queen's Speech, it would be useful to know how urgent the Government feel that updating is.

I shall mention the situation raised in the European Parliament by my noble friend Lady Ludford, who is concerned about exchanges of passenger data and DNA from different European countries. She is concerned about the operation of the data retention directive, which is an effective and constructive dialogue that is very much needed, and the UK Government's contribution to that, particularly as our primary data protection legislation is derived directly from Europe.

In conclusion, the pace of technological advances has been ferocious. The benefits are great in convenience, but equal dangers or, probably, greater ones are posed by data misuse, theft or improper exploitation. The tools are not yet in place to give the public confidence in even what the public and private sectors hold now, and, as PFIs and partnerships allow more and more data to move between the two, any regulatory system must apply equally to both and be constantly reviewed. In the short term, money is far better spent on that than on creating an identity card system that brings further challenges. In the longer term, the far more technologically literate younger generation are those who should decide whether or not that should proceed. I beg to move for Papers.