Baroness Miller of Chilthorne Domer (Spokesperson in the Lords, Home Affairs; Liberal Democrat)
rose to call attention to the volume of personal data collected and retained by governmental agencies and private companies, and the protection of personal data and privacy; and to move for Papers.
My Lords, this debate could not be more timely. Perhaps that is my good luck and the Government's bad luck. We and the public have just been shocked by yet another catastrophic example of data loss, where literally millions of the records that individuals have entrusted to the state have gone missing. The case in the Statement concerned state security, which is slightly different but potentially more serious. I am going to concentrate on the affect that these losses have on individuals, on their confidence in giving data to the state and on the state's responsibility for looking after that data properly.
At the moment, the UK probably leads the developed world in data loss. The point of the debate is to ask the Government what tools are in place to prevent that loss, whether they are using them and what more tools are needed. We on these Benches believe that the culture must change dramatically before losses of this magnitude stop occurring. As the Minister will know, because he agreed to it, we succeeded in getting a change to the Criminal Justice and Immigration Bill that gives the Information Commissioner more powers to deal with reckless and careless losses. It is a small step which needs to be followed by many others.
In the debate, we will call for an urgent updating of the Data Protection Act, which is 10 years old. In that time there have been phenomenal technological changes and it is not surprising that neither legislation nor thinking have kept pace. It was timely for this debate that last Tuesday an exhibition in Portcullis House showcased some of the advances in both the private and government sectors. I expect the Minister visited the exhibition. I certainly met his counterpart from the other place there and we had an interesting discussion. We are all agreed that the public have the right to expect that government agencies which demand their data, and private agencies which request personal data, should have systems to keep them safe and staff who are well aware of how best to use such safeguards. Legislation is certainly not the only answer; there must be a widespread cultural shift across public and private sectors.
Going back into history, it was in 1965 that George Moore, a co-founder of the giant computer chip manufacturer Intel, made a prediction: he said that information technology would grow, and continue to grow, at an exponential rate and would herald a revolution in human, social, political and commercial life. He was absolutely right. The increasing ease with which data can be collected, stored and processed presents countless new and exciting opportunities. I am not suggesting that we should not welcome this but, as more and more data and information relating to us are collected and stored, protecting the security of that information becomes ever more difficult. A real tension emerges between engaging with the opportunities offered by these new technologies and ensuring that any information that is collected, stored and processed is treated with due regard to its sensitivity. That tension is most pronounced in e-government, which is convenient and efficient when it works and disastrous when it does not.
The introduction of ContactPoint, otherwise known as the Children's Index, about which my noble friend Lady Walmsley will speak, provides a database of every single child in England and Wales. Spine, the NHS central medical record database, represents a dramatic widening of the circumstances under which the genetic information of individuals may be retained. And, of course, there is also the proposed national identity card scheme.
Data are also collected as part of CCTV operations, cameras record us in our cars in the street, satellites watch over our homes, police helicopters operate face-recognition technology above crowds and technology now exists which allows tiny drones to swoop in and photograph indoors. I must ask the Minister whether recent reports are true that the Government are considering the construction of a database which will hold details of every phone call made and every e-mail sent by the public, allegedly as part of the fight against crime and terrorism, although that might be part of the wilder imaginings of the press.
Mass data collection and retention is not the sole domain of government. The private sector has been years ahead in seeing the commercial potential in data collection. However, collection is one thing but the problems arise in its retention—how is it stored, how is it accessed and by whom? Even the technology that I understand and use—the memory stick, for example—allows vast amounts of data to be downloaded in one place and removed to another, just as we were talking about in the Statement. More sophisticated is the collection of information by Google, for example, in developing targeted advertising. There are all kinds of technological advances which are hard to grasp.
I was talking with the chief executive of Phorm this week who told me that once something is stored you have lost control over it. Phorm has been the subject of an interesting article in the Economist recently which some of your Lordships may have read. It is a company on the cutting edge of what can protect the public. A bit of controversy surrounds its work because, with its client BT, it intercepted people's online business without BT customers knowing. But Phorm is certainly correct when it says that if consumers knew what was actually stored they would decide to opt for true anonymity online. This is what Phorm is trying to develop with major telecommunications clients on a global scale.
The focus should now be on what is stored and how because once there is a breach it is too late. A robust assessment of new databases and other initiatives could be effected through the use of privacy impact assessments, which, essentially, are privacy specific audits, which identify areas of e-government but have the potential to conflict with the provisions of data protection legislation. These are in their infancy in Europe but are commonplace in Australia and Canada and, to a lesser extent, in the US. I ask the Minister whether PIAs—which have been warmly welcomed by the Government, who have acknowledged that they can be useful in maintaining the balance between the needs of today's society for more information to be shared and protecting privacy—have been conducted in any aspect of e-government. As far as I can establish, none has been conducted on the proposed national ID card scheme, ContactPoint—nor has that been done on Spine or the forthcoming implementation of the automatic number plate recognition system. Is the Minister able to say why not?
I am sure the Minister is aware that some use of online data is absolutely disgraceful. The worst private sector example that I have come across recently is the utterly pernicious national staff dismissal register. I know my noble friend Lord Roberts of Llandudno will make some remarks on this new development and so I will simply say that this new database, where tittle-tattle, rumour and potentially defamatory material concerning ex-employees can be stored for access by other prospective employers, is a dangerous development. We on these Benches take business crime seriously but there is a court system to deal with it. A website which is run for profit and which is trying to take the place of the police, prosecution, judge and jury is a serious issue. I hope the Government will do something about safeguarding the interests of workers who have little ability to pay for expensive access to the courts in order to do something about it.
Of immediate public concern, too, is the HM Revenue and Customs debacle last year—this has been referred to on numerous occasions in your Lordships' House—when the records of 25 million people were lost in the post. There have been further incidents of significant losses from the DVLA and the MoD. In the context of data mismanagement, the public do not have the confidence that they need to feel if the Government are going to take their next step in e-government. That next step, which was demonstrated at Portcullis House in the exhibition on Tuesday, is centralised registration online guarded by secure access, along the lines of what noble Lords may be used to using with their online bank accounts. It sounds good and looks convenient, but if something goes wrong and it proves to be insecure it will be a total disaster. The fact is that nothing can be regarded as totally secure. Does the Minister agree with that?
One of the things the Government have tried to do is bring in data guardians. On the advice of Kieran Poynter of PricewaterhouseCoopers, who was commissioned to conduct the review into what went wrong at HM Revenue and Customs, the Government have appointed a number of dedicated data guardians charged solely with ensuring that large quantities of data, held by whichever department, are treated in compliance with good practice set down in the Data Protection Act. That is a welcome move. How is it progressing?
The Government also have—this was a surprise to me—a dedicated Data Protection Minister, currently Mr Michael Wills MP. It was revealed, subsequent to the HMRC data loss, that the first he heard about that incident was when a Statement was made by the Chancellor in another place. Mr Wills candidly admitted that in the light of the Revenue and Customs data loss the Government are going to have to learn lessons—but I am afraid it is part of his job to teach them.
I am not excluding the private sector. There have been some shocking examples of the misuse of data by a number of banks and companies entrusted with sensitive data. HSBC is facing the prospect of a Financial Services Authority investigation and a hefty fine after it lost the key details of some 370,000 customers in April. Nationwide customers, not directors, are going to have to pay for security lapses with a £980,000 fine.
I must also draw the House's attention to a crossover between the private and public sectors in the comments of the Joint Committee on Human Rights, which said in a recent report on data protection:
"Where there is a demonstrable need to legislate to permit data sharing between public sector bodies, or between public and private sector bodies, the Government's intentions should be set out clearly in primary legislation. This would enable Parliament to scrutinise the Government's proposals ... and, bearing in mind that secondary legislation cannot ... be amended, would increase the opportunity for Parliament to hold the executive to account".
I would be grateful for the Minister's comment on that.
The Information Commissioner has made a good start in changing attitudes in all public bodies, but he is labouring, as I have said, under a rather outdated Data Protection Act. He is also pretty limited in his resources. Are the fees that the Information Commissioner can raise sufficient to deal with the volume of work that he now has to cope with? The regulator is charged with not only educating data controllers about their obligations but their compliance with the Act itself. I would be surprised if the resources that he was set up with were adequate for the job he now has to do. Arming the commissioner with new legal powers is essential. Although I know that by convention the Minister will not comment on what is going to be in the Queen's Speech, it would be useful to know how urgent the Government feel that updating is.
I shall mention the situation raised in the European Parliament by my noble friend Lady Ludford, who is concerned about exchanges of passenger data and DNA from different European countries. She is concerned about the operation of the data retention directive, which is an effective and constructive dialogue that is very much needed, and the UK Government's contribution to that, particularly as our primary data protection legislation is derived directly from Europe.
In conclusion, the pace of technological advances has been ferocious. The benefits are great in convenience, but equal dangers or, probably, greater ones are posed by data misuse, theft or improper exploitation. The tools are not yet in place to give the public confidence in even what the public and private sectors hold now, and, as PFIs and partnerships allow more and more data to move between the two, any regulatory system must apply equally to both and be constantly reviewed. In the short term, money is far better spent on that than on creating an identity card system that brings further challenges. In the longer term, the far more technologically literate younger generation are those who should decide whether or not that should proceed. I beg to move for Papers.
The Earl of Erroll (Crossbench)
My Lords, I apologise for being a couple of minutes late. I thought we were going to start at half past, and I was reading something downstairs.
One thing that interests me about this debate is how few people seem to be interested in it. That really worries me. This subject goes to the heart of a lot of things to do with the relationship between the citizen and the state, about which there are many highly independent Back-Benchers on both sides who get deeply upset. Because the debate has the word "data" in it, however, they do not see that actually this is the future—it is exactly the sort of thing that could tip the balance of power in the wrong direction if we do not get it right. That is why it is critical.
The House has just had a debate about youth justice, which unfortunately I was not able to take part in. What really worries me about that is what data are kept long-term. A year ago I became aware that both a reprimand and a caution are admissions of guilt to a criminal offence. You may say to a youth aged 14, "Don't worry, it's a reprimand, it will come off your record", but in fact it does not. They have a criminal conviction that stays on their record for life for the purpose of American or Australian visas. They can never work with the law. They can never get a job as a policeman, in the Army or as a teacher. That last situation depends slightly on the offence but, since we saw the other day that they were considering firing a headmaster for fishing without a rod licence, we can gather that, with regard to the relevance of the criminal offence to what you can do in the teaching profession, common sense has been suspended—as usual.
We need to worry about this. We are criminalising a generation of young people who will be completely disbarred from seriously useful professions in the future. Many of those people are the brighter ones. It is the people who are risk-takers, more outgoing and a little bit more punchy who get into trouble, and they are probably the people who you want as your leaders in the future. We need to look at how we expunge records properly, for all purposes, so that they cannot be recovered. There may be one or two offences that we consider sufficiently serious that records for them should be kept—for example, sexual interference with a person—but an awful lot of them should be written off properly. We used to have a statute of rehabilitation, but we seem to have forgotten that. Moments of madness now live with you for ever. We have to think about that. It is underlying aspect of my thinking on this. I shall talk about the principles that worry me.
What do the Government want to do—by this I probably mean the Executive rather than Parliament, but Parliament is to a certain extent covered as well? They say that they want proactively to protect people from harm. That sounds good—it is a very laudable intention—but who is going to harm them? Is it a bad guy out there, or some little inspector or regulator who is going to destroy their career through some rule in the future? Sometimes the Government can be the most dangerous person to deal with. Was it not Reagan who said that one of the most terrifying things for a small business to hear is: "We're from the Government and we're here to help you"?
I shall deal with two aspects of this question: first, with the sharing and amalgamation of data. There is a great belief that sharing and amalgamating data across large government systems will deliver useful results and help people. The second aspect is legitimate access to those data. I shall revisit the Regulation of Investigatory Powers Act regulations because they are no longer fit for purpose. I hope that the Government may come back to us with some sensible suggestions with checks built in—I shall deal with that later.
We in Parliament should be interested in the efficient, effective enforcement of our laws, but the trouble is that we pass the laws in principle and then hand over responsibility to the Executive to produce statutory instruments and rules which dictate what happens. We all know the old saying about rules: "Rules are made to be broken". We say it because it is impossible in this complex world, with its complex human relationships, to define every single thing that exists. A lot of mathematical chaos theory shows that rules cannot be used to control a complex system, yet we mistakenly think that to run a good bureaucracy and provide certainty—for example, that one will get one's passport on time or that things will run smoothly—one can apply them to all the interactions in human life. One cannot. This comes down to the problem of big databases and data-mining across them.
At the end of the day, the rules will be used by inspectors. We all know what inspectors are like: they believe in level playing fields—they are quite right to do so because the world should be fair. They think that you have to obey the rules absolutely so that they apply to everyone. However, we know that human life is too complicated for that. We know that the watchwords should be "flexibility", "understanding", "interpretation", "intention", "impact", "outcome" and "empathy". They will help people, Britain and all the other aspects of society move forward. Instead of that, one gets the little Hitler. When we talk about these things in Parliament, we do so as if reasonable people are the enforcers. Reasonable people are not good enforcers—they break too many rules and are too understanding—but the good enforcers will destroy everything that you think is good. We have to get that balance back again.
We are talking about balance and protecting people. RIPA falls into three parts. There is the reverse-look-up bit: you want to find out who someone is; there is a telephone number; you have got to look it up; it is no big deal; it is just a reverse directory inquiry look-up. There are no great protections against that and I am not very worried about it. Self-authorisation is fine. However, the problems arise when it comes to the second aspect, traffic data. Who called whom for how long? Those data give you a feel for the significant connections. You can build up quite an accurate pattern of someone's life if you data-mine intelligently. Yet local councils can self-authorise for some of those data.
The final aspect is surveillance, which local councils are using RIPA to carry out. At the moment, they are carrying out physical surveillance, but let us not imagine that that will not extend to electronic surveillance very soon if it has not already done so. Let us take an example from the other day, of Poole borough council and the school catchment area case. Someone filled in a form. The council felt that they had got it wrong, so it watched them for five days, at the end of which it found out that they had not been telling lies. However, the children became aware of it. One can imagine the bad effect of that on individuals. Perhaps one could say that it would have been better to do it electronically and monitor all the mobile telephones in the house to see where they were. However, how many noble Lords are registered for the congestion charge in London? Have they looked up the rules for how many nights they can spend in London? Do they not think that it would be fair for Capita to do some data-mining on their mobile telephone location records to find out whether they have spent the correct statutory amount of time in London or whether they are one day short over the year, at which point, they must of course, because they have been a burden on the public purse, be fined and possibly locked up?
The point is that we have got the proportion wrong. We are criminalising too many things. You get a criminal conviction for leaving your dustbin lid four inches open. You get a criminal record for trivial things like a playground fight. You get a criminal record for stupid things that we do not think are criminal. The law needs to align itself with what is criminal and what is not. Until we do that, we cannot unleash automatic systems that decide who they will convict. That is my first point.
One big thing that you cannot do is to retrofit security into a complex system. If you design it from the start and work out where your boundaries, firewalls and stop lines are, what is permissible and what is not, you can do it. Under the Communications Data Bill, which will come to us soon in order to implement part of an EU directive, they will be able to keep a record of all the websites that you visit on the internet, once they have fitted the net-flow equipment. The information will go to the Home Office, along with all your telephone stuff. At the moment, they have to go to the individual telcos to find out who you rang and when; and it goes through a process where someone checks that the request is valid. If this all goes into one central Government-controlled vault—it will slip through somewhere in the small print of a Bill that you are not interested in, or in a statutory instrument that you have to vote out in its entirety, and are you really going to go to the wall for that?—then suddenly they will be able to data-mine it.
There is stuff out there now that looks at business relationships and relationship trees—who you know and who you might know. On this subject, I warn noble Lords that they are all two jumps away from Osama bin Laden. I thought that I was four jumps away from him, because I sat on a committee with someone whose brother-in-law was married to his first cousin. At the end of my little talk, someone came up to me and said, "I'm terribly sorry, Merlin, I taught him English when he was young". So I am one jump away and noble Lords are two.
That sounds silly, but noble Lords will know how the press says, "Queen's fifth cousin caught for drugs". This is the next thing that worries me: police targets. When police come under pressure, they have to produce someone, so they look for relationships that may or may not exist. This is the trouble: you get some keen investigator looking for things. You can see how he could draw inaccurate inferences that implicate an individual incorrectly. You take that through to someone else and then put it to the Home Secretary, so that it comes under the Anti-terrorism, Crime and Security Act. You do not have enough evidence to go to court, but it is enough to confine them to barracks, to their home, and cut them off from human contact. That worries me.
I like to keep stuff in silos, because you get extra firewalls and extra checks in there. We need to make sure that stuff is encrypted and that only the right people have the authorisation to get in there. With Varney rippling out and sending one's address all over government, we have to be careful. I have spoken to some people and I think that they are absolutely on the right lines in making sure that stuff is secure. However, we need to ensure that it covers not just obvious things, but also unobvious things that become significant later.
At the moment, the Government are saying, "Trust us, we will look after it, you have no problems". However, it will not take much for that trust to break down. We must keep the trust there. I talk a lot to various groups about CRM—customer relationship management. It is when the people at the centre—the local authority or whoever—manage your query or problem in the way that they think it should be managed. People now talk about VRM, vendor relationship management, where you, the citizen, decide who you want to interact with and how much you are going to tell them. That way you are responsible for your own stuff. If you make a mess of it, so be it; at least you are in control. There are some people who cannot be, and here we come to the real world. Some people need to be looked after, but most of us do not. We have lived for a very long time in a common law system where we take responsibility for our own lives. We should go back to that and stop trying to be protective.
The problem, when things go wrong, is the repair part; how you recall it, how you repair it, how you rescue things—how you get your credit rating back, how you get your reputation back. It is very difficult. Until we solve that, we have to be very careful about how we concentrate everything in one place.
Many things that the Government want to achieve can properly be done by anonymisation. There are technologies out there that can anonymise totally—although they can be reverse engineered in certain critical situations. We could bring in RIPA Part 2 and specify that, instead of a system of self-authorisation, you have to do it properly and go out to a second party. If you are a local authority wanting to look at who someone has been talking to, you have to go to a policeman to authorise it. The police will be willing to do it. If you are the police, you go to a magistrate. This was how we always worked it. We had an outside body checking. We should go back to that. With reverse anonymity, you go to a judge and say, "We have detected the probability of something very serious here and need to reverse engineer this to find out who was involved". There are lots of technical ways in which these things can be done, but we must engineer in safeguards at the start. We must not rush into this. We must not build things that we will regret in five years' time. I know from history that every time you hand over too much power to the state, things go wrong.
My last point is that the people who look after us, who try to protect us—such as the Information Commissioner, the Interception of Communications Commissioner and the Surveillance Commissioner—should report to Parliament and to somewhere outside any other executive line of reporting. Otherwise, you do not have proper procedure. All of that is complicated. You have to remember that there is not just one bad guy or one good guy. There are bad guys inside the system and good guys outside. We need to make sure that we protect our people in future.
Lord Roberts of Llandudno (Spokesperson in the Lords, International Development, Spokesperson in the Lords, Welsh Affairs, Whip; Liberal Democrat)
My Lords, I am grateful to my noble friend Lady Miller for giving us the opportunity to speak in this debate. There are so many areas of concern relating to data. Recently, 25 million records were lost, which is incredible. A laptop was stolen and more data were lost, and, only this week, we heard about the missing data on the train. We have had all those situations. Sometimes, there is deliberate lawbreaking. There are hackers who can find out a great deal about us, such as our bank details and identities, and that can lead to fraud. At other times, it is pure human error, and we are all capable of that. It is not the conspiracy but the cock-up that causes so much difficulty.
I sometimes feel as though privacy is nearly something of the past. They tell me that if I walk around London I will be photographed by a CCTV camera about 300 times in a day. Gosh, I hope that I am behaving myself when the camera catches me. Then you see the cross-referencing of information. I did something that I should not have done this year: I renewed my car tax by telephone. I did not go to the post office. Many post offices no longer deal with car tax. That is another thing that we should continue battling for. The people that I was dealing with knew nearly everything about my car. They knew me and then they cross-referenced something else on the database and knew the make of the car and whether it was insured. They also knew whether it had an MOT. There was all that cross-referencing and you wonder sometimes how far that cross referencing goes. How secure are you? How undermined is your own privacy with all these databases that can be linked one to the other. Then there are private businesses. Somebody phones you up and they want to know where you live and all they need is your postcode and then the whole cross-referencing starts again. There is already that danger.
My noble friend mentioned the national staff dismissal register, which is ominous. Action Against Business Crime was set up with Home Office backing and we know that even today the Home Office logo is still on that particular organisation's literature. The Home Office backed Action Against Business Crime. I received an Answer on
The register is used by employers when they are vetting applicants for jobs. They can see not only whether there is any criminal record or offence that could be punished in a criminal way, but if there is any suspicion—not proof. The person might have been dismissed not because of any theft or fraud, but often because of rumours and unfounded suspicion. If we go back to human error, how often is incorrect information or unfounded rumour included in a person's data?
How often is there a miscarriage of justice? When that happens, you may be recorded by one company as having been suspected of something. Maybe the person was a Methodist Minister who preached non-Wesleyan theology—that happens sometimes. Then you are suspected. That can be recorded against you. If you tried to get another job someone might say, "He is not sound; he is suspected of something". People's lives, and more seriously in some ways, their livelihoods, can be jeopardised.
I am not going to mention the private companies which already contribute to the national staff dismissal register, but they include some of the best-known names in the kingdom. Representing many thousands of employees, they have signed up to—and use—this database. It is open to abuse. I know that one of the companies, a shop mentioned on the database, does not have a great deal of good to say about the Royal Family. I do not know what would happen if they suggested that a member of the Royal Family was under suspicion. These are unfounded rumours. There is no basis for the allegations. There might be dislike of an employee, and even the possibility of blackmail. The most vulnerable people who come to these shores are those likely to be misunderstood and blacklisted in this way. People who might not understand English or know their rights could be at a tremendous disadvantage if their names were included on this register.
What influence—I would not use the word "control"—does the Home Office have over the national staff dismissal register? What information about their rights is given to employees when they are taken on by one of the companies that are part of this network? What steps is the Minister taking to ensure that employers do not abuse the register? Will employees be able to take legal steps to have their names removed and, if falsely accused, sue for defamation? What information is given to them? What control do the Government have to ensure that nobody is ill-treated or abused under this scheme? Why is the Home Office logo still on this literature?
I express another cause for concern, of which I have spoken previously in this House; namely, the passport personal interviews. Sixty-eight or 69 permanent offices have been established to interview people face to face, for the first time, when they apply for a passport. About 600,000 passports are applied for each year. This is to stop terrorist activity or anything of that nature. These permanent offices have facilities to take one's photograph. As time goes on and these offices become the network for identity cards, fingerprints, and possibly iris scans, will be taken there. This is all part of the Government's proposals. How secure are these databases? How secure will the national identity card database be? We are already told that people are issued with the wrong passport. I read that somebody had been sent somebody else's personal details instead of a passport. There are many human errors.
My final concern is over what happens where there are not enough applicants for a permanent passport interview office. Then there will be a remote-area interview facility, which will use a webcam. Possibly a council office will be available. The applicant will go there and be photographed, but how will their fingerprints be taken, and their iris scans obtained? I think it will be impossible to do that by webcam. We will have a database that is totally unfit for purpose and does not give those who are interviewed remotely the same record as those in permanent passport interview offices. Places where remote-area interviews will be carried out include Arran, Bute, the central Highlands, Orkney, Pembrokeshire and north Anglesey. They will have these remote facilities. Can the Minister give us assurances on these facilities, as well as on the national staff dismissal register, before giving them additional support or encouragement? The more surveillance we have, the more mistakes we can make. The more mistakes that we make, the more innocent people will suffer.
Baroness Walmsley (Spokesperson in the Lords (Education and Children), Children, Schools and Families; Liberal Democrat)
My Lords, I congratulate my noble friend Lady Miller of Chilthorne Domer on introducing this important debate and on her excellent speech. It is great pity that the other parties did not believe that this matter was very important. I share the disappointment of the noble Earl, Lord Erroll, on that and I thank him for his interesting contribution.
Few subjects can be more important than the freedom and integrity of the individual, which is what we are talking about in this debate. On the "Today" programme this morning, the noble and learned Lord, Lord Goldsmith, spoke movingly in an interview on the 42-days issue about the importance of our fundamental freedoms, which we have enjoyed in this country for hundreds of years, and the danger of destroying them. Our identity and the integrity of our personal information fall into that category; we must protect them from an overintrusive, meddling and incompetent Administration. Sadly, the human rights group Privacy International rates Britain, along with China and Russia, as an "endemic surveillance society".
There are five main issues about which we should have concern. We have heard about them all during this debate. They are: first, the sheer magnitude of the information held about us; secondly, the fact that there are some people, such as children, whose information is held on databases with no justification at all, not even a proportionate response to need or threat; thirdly, the demonstrably poor security of the information—as we have just heard in the Statement, the Government cannot even trust the competence of senior officers in the Cabinet Office to protect sensitive information; fourthly, the question of knowledge, consent and ability to opt out; and, fifthly, the lack of adequate powers and funding of the Information Commissioner to protect the individual from this intrusion by the state and commerce. I shall take those one by one.
The first is the magnitude of the problem. A report in April this year from Richard Thomas, the Information Commissioner, said that the public need to be made more aware of the "creeping encroachment" on civil liberties created by e-mail monitoring, CCTV and computer tracking of our buying habits. One of the concerns in the report is the use of special listening devices that can be placed in lamp posts, street furniture and offices. More than 300 cameras with built-in microphones have been fitted in benefit offices and city centres. Westminster City Council has already started piloting the listening devices, but experts say that the use of these microphones raises questions about how surveillance can be used to intrude into the private lives of citizens. An official report by the commissioner has revealed that nearly 800 public bodies are between them making an average of nearly 1,000 requests a day for communications data, including phone taps, mobile phone records and e-mail or web-search histories, not to mention old-fashioned snail mail.
Unlike in the vast majority of European democracies and the US, in the UK bugging and telephone wire taps can be set up without recourse to a judge The Home Secretary authorised more than 3,500 operations of this sort in 2005-06. A massive government database holding details of every phone call, e-mail and time spent on the internet by the public is being planned as part of the fight against crime and terrorism. In light of the various security breaches, of which I will say more, there will be concern about the ability of the Government to manage a system holding billions of records. About 57 billion text messages were sent in Britain last year, while an estimated 3 billion e-mails are sent every day.
Brussels officials are considering controversial anti-terror plans that would collect up to 19 pieces of information on every air passenger entering or leaving the EU, which already supplies that information to the United States, as my noble friend Lady Miller mentioned. Britain has 4.2 million CCTV cameras—one for every 14 people. As my noble friend Lord Roberts said, each person is caught on camera an average of 300 times every day. I, too, hope that he was behaving himself. The Royal Academy of Engineering has warned that, if a national standard for CCTV cameras were created, it would make it possible for all information gathered by these cameras to be shared and accessed by anyone with the means to do so.
Then there is the DNA database. Britain's is purported to be the largest in the world. Approximately 2.4 million people have their DNA permanently retained on the NDNAD, which is alleged to contain more than 100,000 DNA samples taken from children who have never been charged or convicted with any crime. Black and ethnic minority males are overrepresented on it.
This brings me to my next point: people who should never be on these databases. The number of children on the DNA database has risen from 8,484 in 1995-96 to 179,441 in 2006-07—a 21-times increase. About 160,000 young people aged between 10 and 17 were added to the National DNA Database last year after being arrested for the first time, of whom at least 81,000 were innocent. There are at least 105,000 innocent 10 to 17 year-olds on the database in total. All these young people will have their DNA profiles kept permanently on the computer. Many adults who have been arrested on suspicion of sometimes very minor offences, but never charged, are on the database, and some do not even realise it. The children's database ContactPoint is a matter of concern not because it is inappropriate for professionals to share information about children who need services but because of its size, universality and questions about the lack of security. It should never replace meaningful discussions between professionals and lead to complacency that the job has been done.
I now turn to the lack of security and the consequent loss of privacy and cash by individuals, as well as the economic cost to the state. Let us consider the cash first. In 2005, identity fraud cost the economy £1.5 billion, according to the Cabinet Office. The amount lost by individuals and companies to fraudsters reached £535.2 million during 2007. Although the introduction of chip and PIN has reduced card fraud on the UK high street, the increase was driven by a 77 per cent jump in fraud carried out abroad using cloned versions of cards that belong to British shoppers. Card fraud abroad rose from £90 million to £207.6 million last year—39 per cent of total losses. In the UK, card fraud rose 6 per cent last year, largely driven by "card not present" fraud. We have all been lured into buying something over the phone that we want.
To many of us, the loss of our personal information and privacy matters much more than mere money. There have been numerous high-profile cases. In December 2007, the Times downloaded banking information belonging to 32 people, including a High Court deputy judge and a managing director. Private account numbers, PINs and security codes were offered as tasters by illegal hacking sites. The Times found more than 100 websites trafficking British bank details; a fraudster offering to sell 30,000 British credit card numbers for less than £1 each; and a British "e-passport" for sale, although the Government insist that these are unhackable.
The News of the World disclosed in December 2007 that it had been handed two disks mislaid by the Department for Work and Pensions containing the national insurance numbers of 18,000 claimants. In February 2008, Skipton Financial Services lost an unencrypted laptop containing personal information on 14,000 customers. We have heard from my noble friend of a number of other cases involving banks and building societies. Haringey Council files, many of which were marked "Confidential", were found in a squat in February 2008. The documents included the names, phone numbers, addresses, dates of birth, pay slips and bank details of more than 20,000 people. Local government is not immune from this problem.
The DVLA in Swansea in 2006 admitted that one-third of entries contained at least one error and that the proportion was getting worse. In December last year, the DVLA in Northern Ireland lost the personal details of 6,000 people and the details of 3 million theory test candidates. Southend-on-Sea Borough Council is reviewing its procedures after a laptop computer containing social service case notes on local children turned up on eBay in May. Marks & Spencer has warned 26,000 of its staff that their personal data are at risk following the theft of a laptop computer.
It was revealed in December that sensitive details about adults and children were lost in 10 incidents at nine separate NHS trusts; this is particularly sensitive information. There was the loss of a CD with 160,000 children's names and addresses by a trust in east London. In Norfolk, medical papers on patients with lung, breast and colon cancer were dumped in a wheelie bin. Only last month, a laptop computer holding personal and financial information on 10,000 NHS staff was stolen from a hospital in Cornwall. Some of these organisations cannot protect their own staff, let alone their own patients.
There have been lots of breaches of financial information. The Bank of Ireland lost four laptops containing unencrypted sensitive personal information about up to 10,000 customers. The Information Commissioner said that he had been told of 94 data breaches since November last year. The breaches included the loss of laptops, computer disks, memory sticks and paper records. Some were stolen, while others were lost in the post. The combination of the lost disks with 25 million people's financial details, the 5,000 illegal immigrants cleared to work in the security industry and the 500,000 false names on the DNA database has convinced people that putting all their most private information in the hands of the British state might not be the best of way of keeping it safe and secure.
The database to beat all databases is the one behind the planned compulsory identity cards. The ID cards project is one of the biggest computer systems yet envisaged, far more complex than the NHS system. Apparently, iris scans, fingerprints and face-recognition software will all work perfectly and be amazingly cheap to implement, although, apparently, the noble Baroness, Lady Anelay, did not think so when she recently tested out the system in this building. I am not sure what it would make of my husband's false eye and the rather startling coloured contact lenses that some young people wear these days.
The bigger the system, the greater the opportunity of failure. There is also the fact that databases pick up errors and then build data error upon error. Have noble Lords ever tried to get the spelling of their name corrected on a company's database when some illiterate has got it wrong the first time that it was input? I am sure that your Lordships will understand that it has often happened to me, with a name like Walmsley. It is very frustrating.
It is not the ID card itself but the ID register that is the problem. What I am most frightened about is that each entry will eventually take on a legal status, even if it is wrong. I know somebody who flies around the world with a passport with his incorrect name on it. He has tried to get it corrected but the agency will not do it. Once it is fixed, it is fixed. Have noble Lords ever stood in front of anyone and told them their facts and had them say that the computer says something else? Why do they always believe the computer instead of a perfectly honest and trustworthy person who could have no possible reason to lie?
The really worrying thing is that the perpetrators of 80 per cent of all computer security lapses are not hackers but employees. This multiplies the dangers. People working on the ID database might be corrupted, threatened or blackmailed into creating perfectly legal ID cards for international terrorists and criminals. Then the ID card, far from eliminating problems, will be a one-stop shop for identity fraud and possible terrorist crime. Is it any wonder that we have no confidence in these databases? Even nine out of 10 doctors do not have confidence in the NHS system.
What would we on these Benches like to see? First, we believe in the primacy of the right to privacy and informational autonomy; we see a close relationship between that right and the liberty of the individual. Therefore, we believe that, while every reasonable step must be taken to detect crime and deter terrorists, infringement of those rights must be necessary and proportionate and be done to the highest level of professionalism and security. We believe in the principle of consent, with people fully informed about the information held on them and with appropriate rights to opt out in many cases and to correct wrong information.
Anyone who knows anything about human development knows how important the sense of self and personal autonomy is to the human race. The breaches to which we are subjected in this country today are of the most fundamental sort and go to the heart of a free society. I hope that today's breach will be the fatal sword in the heart of plans for the national identity database and the stimulus for the rethink of the whole sorry mess that my noble friends and I have advocated today.
Lord Kingsland (Shadow Minister, Justice, Shadow Lord Chancellor, Parliament; Conservative)
My Lords, first, I pay tribute to the noble Baroness, Lady Miller, who, in addition to introducing this debate, played an important part in defining the offences of deliberate or reckless mishandling of personal data in the late, and entirely unlamented, Criminal Justice and Immigration Bill.
It has to be accepted that the Government have an appalling record of negligence in the handling of retained personal data. The most graphic incident in recent times was reported to another place by the Chancellor of the Exchequer in November 2007 when he revealed that Her Majesty's Revenue and Customs had lost personal data, including bank account details, relating to families in receipt of child benefit, affecting around 25 million people in total. Although the information that the disks contained was password-protected, they were not sent by registered or recorded delivery. As your Lordships have heard this afternoon, there have been many other examples, on a somewhat more modest scale, of equally meretricious conduct on behalf of government departments.
Those are the facts, and in my view one is led to the inevitable conclusion that these lapses flow from the low value that the Government place on the protection of personal data. That is certainly the conclusion to which the Joint Committee on Human Rights came in its report printed on
"it would be wrong to see these errors and lapses as unfortunate 'one-off' events. In our view they are symptomatic of the Government's persistent failure to take data protection safeguards sufficiently seriously by defining data sharing powers more tightly in primary legislation and including detailed safeguards against arbitrary or unjustified disclosure. The rapid increase in the amount of data sharing has not been accompanied by a sufficiently strong commitment to the need for safeguards. The fundamental problem is a cultural one: there is insufficient respect for the right to respect personal data in the public sector".
The report goes on to reflect on why that is so. It places responsibility in two areas: first, in the manner of legislating; and, secondly, in the nature of the relationship between the Ministry of Justice, the various departmental ministries and the Information Commissioner. On the first reason, I understand it has been the Government's view that adequate protection is already provided to the citizen by a combination of Article 8 of the Convention on Human Rights and the various relevant articles in the Data Protection Act 1998. Consequently, the Government conclude there is no need for a detailed framework of primary legislation in each particular Bill which deals with personal data retention and distribution.
This attitude is a fundamental misreading of Article 8 which gives the citizen a general right to privacy. This right is qualified by various public interest factors such as public security, public health, public order and so on. The relationship between the general right and the particular way it is constrained will vary enormously, depending on the area of legislation and the kind of data we are talking about. The noble Baroness, Lady Walmsley, talks about data in relation to children; that raises quite different issues from, for example, DNA data. These issues should be dealt with discretely and specifically by a proper analysis by the Government of the way in which Article 8 works in each case.
The point is again made by the JCHR report at paragraph 20 on page 12. The committee says:
"We fundamentally disagree with the Government's approach to data sharing legislation, which is to include very broad enabling provisions in primary legislation and to leave the data protection safeguards to be set out later in secondary legislation. Where there is a demonstrable need to legislate to permit data sharing between public sector bodies, or between public and private sector bodies, the Government's intentions should be set out clearly in primary legislation. This would enable Parliament to scrutinise the Government's proposals more effectively and, bearing in mind that secondary legislation cannot usually be amended, would increase the opportunity for Parliament to hold the executive to account".
The second area addressed by the committee is the relationship between the Ministry of Justice, the individual departments and the Information Commissioner. It is plain, as a result of the evidence taken by the committee, that these relationships are in a state of deep occlusion. The Minister of State at the Ministry of Justice was interviewed by the committee. It summarise, at paragraph 24 on page 13 of its report, what the honourable gentleman, Mr Wills, believes is the nature of his ministry's task:
"Mr Wills went on to explain that he was responsible for overseeing the data protection legislation and did not have a role in relation to specific breaches of data protection:
'My responsibility is not for stopping any breaches of data protection personally, individually or even corporately within the department wherever and whenever they may occur. What this department is responsible for is the construction of a proper legislative apparatus which has proper protections in place.'
Departments have 'operational independence' to implement their own data protection arrangements, within the legal framework maintained by the Ministry of Justice, explained the Minister: 'we are not policemen in this department'".
It is plain that, operationally, the view of the Ministry of Justice is that responsibility for these matters really lies with the individual departments.
Mr Wills went on to explain that, more generally, apparently, individuals called human rights champions are located in every government department grade 3 level; and, later, evidence was given to the Joint Committee by an official that each department had an action plan for the delivery of in-house training to front-line staff. When representatives of the Information Commissioner were interviewed, they appeared to be totally unaware of such a network. The Joint Committee concluded at paragraph 34 that they had,
"so far seen no evidence that the human right to champions in departments have made any impact, particularly in relation to frontline staff".
In view of this confused picture, the JCHR concluded that the Information Commissioner needs a much enhanced role in this area. At paragraph 39 on page 17, the JCHR makes the following observation:
"We see the Information Commissioner as an important defender of human rights in relation to data protection and freedom of information. His office should be regarded as an important part of the National human rights machinery. We support proposals to enhance the Commissioner's powers and the resources at his disposal to ensure that he can discharge his responsibilities more effectively".
I should like the Minister to address himself to that conclusion of the committee and tell us whether he agrees with it.
Finally, I turn to the Government's draft legislative programme outlined in May in which, among many other things, is proposed a communications data Bill. It appears that Home Office officials are considering a database that would record all e-mail and telephone communications in the United Kingdom. Can that really be true? If it is, it is a matter of deep concern to the Opposition and, I suspect, to those on the Liberal Democrat Benches. How can such a proposal have emerged, even if, on due reflection, the Government think again?
Why do the Government have so much difficulty with this area of individual rights, personal data rights? Is it because as a party for so long their focus has been not on the individual but on the collective—and they find it exceedingly difficult to adjust to the idea of privacy and the protection of personal data? The Government have lost an enormous amount of ground in this area and, in a very traditional Victorian image, they need to pull their socks up.
Lord Hunt of Kings Heath (Parliamentary Under-Secretary, Ministry of Justice; Labour)
My Lords, it is a great pleasure to respond to yet another fascinating and highly informed debate. Little did I guess at the beginning that I would be able to debate collectivism and all its joys with the noble Lord, Lord Kingsland, but of course we are new Labour now, so I shall desist. I echo his remarks in thanking the noble Baroness, Lady Miller, for giving us an opportunity to debate this most important subject, and pay tribute to her work on the late but, I would say, beloved Criminal Justice and Immigration Act and her formidable and persuasive powers, combined with the rather difficult deadline we were up against on the protection of personal data. I have to congratulate her on her timing for this debate which, as we have seen from the Statement, brings home to us the importance of the integrity and protection of data. The noble Lord, Lord Kingsland, suggested that this Government are less concerned with the individual protection of personal data but, far from that, I very much share some of the concerns that have been raised. I in no sense seek to mitigate or underestimate the genuineness of those concerns. The noble Lord, Lord Roberts, and the noble Baroness, Lady Walmsley, gave some very powerful examples of some of those matters, and I listened with great enjoyment to the interesting comments of the noble Earl, Lord Erroll.
I suppose that the heart of the debate is the question, which has sometimes been suggested, about us being in some kind of surveillance society and the fears that come from that. It is interesting that the noble Lord, Lord Kingsland, quoted from the JCHR report. I read the recent Home Affairs Committee report, of
"We reject crude characterisations of our society as a surveillance society in which all collections and means of collecting information about citizens are networked and centralised in the service of the state. Yet the potential for surveillance of citizens in public spaces and private communications has increased to the extent that ours could be described as a surveillance society unless trust in the Government's intentions in relation to data and data sharing is preserved. The Home Office in particular and Government in general must take every possible step to maintain and build on this trust".
It was a balanced and mature conclusion and one which, I suspect, all Members of this House agree with. That there is a sense that we are catching up with a massive social and technological advancement, which we have seen in the last few decades, is not in doubt. It is not surprising, but none of us quite knows exactly how we do that and where to get the right balance. I am clear that the Government are not in the business of storing and sharing information simply for the sake of it. There has to be a purpose.
There is much to be gained from the proper use of the data, to which noble Lords have referred, but there has to be a balance between the positive outcome of much of that data use with proper respect for the individual's privacy. We have a sound legislative framework to preserve that balance, through the Data Protection Act and the Human Rights Act. We will be informed by the representations made by the reviews taking place, on which I will respond in a few moments, but we have the essential foundation right.
The noble Lord, Lord Erroll, raised some important issues, including anonymisation potential and our regulatory culture. He also raised the issue of the regulatory council—the culture of uniformities, as he described it, versus flexibility. He particularly related it to the use of information. I will just say to him that the Hampton review propounded the concept of proportionate regulation. My experience is that that is informing most regulatory bodies. I am going to take a punt and really champion the Health and Safety Executive—not the most popular of agencies, but one which has come under considerable criticism recently for not prosecuting enough people. That is an example of a proportionate regulator that wishes to put most of its emphasis on working with people to improve their health and safety regimes, reserving prosecutions for the most serious offences. That is appropriate and proportionate regulation. I understand the comments the noble Lord made about RIPA. There are currently 795 authorised public authorities, including 474 local authorities. On the one hand, this is a very valuable tool for the investigation and prevention of all crime; on the other hand, I understand the concerns about the way some authorities are using it. Noble Lords will know that a new code of practice for the acquisition of communications data came into effect in October 2007 which gives much clearer guidance. We are committed to working with the police and other public authorities to create awareness of why and how such data should be used, which is only, of course, in a lawful way.
A number of other databases were mentioned. On ContactPoint, the noble Baroness, Lady Walmsley, while raising concerns about the amount of data, did not argue against the principle. The Climbié report detailed up to nine public authorities, all of which had information which, if it had been properly shared, might have saved Victoria Climbié's life. It was a very powerful message. It is, however, clearly important that the security of data within ContactPoint is maintained to a very high level. When I was in charge of the NHS IT programme, we had a lot of discussions with officials in ContactPoint to make sure that the levels of security were commensurate. On the NHS IT programme, I understand the sensitivity of personal health data held about us by a system as large as the National Health Service, but there is a huge potential in this programme. We have already seen it with X-ray data exchange. The Department of Health is criticised for the delays that have occurred but much of that delay is about needing to take people with it to assure people and give them confidence about the integrity of the data that are held.
The noble Baronesses, Lady Walmsley and Lady Miller, and others raised the issue of the national DNA database, but it has had a very positive, powerful impact on the number of crimes detected. The courts have recognised that the retention of samples and DNA profiles involves a triangulation of interests. The privacy of those subject to DNA data is important but also the purpose of criminal law to permit everyone to go about their daily lives without fear of harm to person or property. Getting the balance right is vital.
The issue of the national identity scheme has been raised. We could have many hours' debate on that. The Identity Card Act 2006 has very strong provisions about unauthorised disclosure. Maintaining confidence in the integrity of the process, the efficiency and the protection of data will be very important to any successful implementation. There are concerns about how much closed circuit TV is used but again, where it is used efficiently and the right systems are in place, it has proven to be hugely important in the investigation of serious crimes. Again, getting the balance right is very important.
I am grateful to the noble Lord, Lord Roberts, for giving me some advance warning that he would be raising the issue of identity and passport services. I understand his point about remote communities and video-linked offices and the question that arises about taking fingerprints. I have not been able to get all the information that the noble Lord would require, so I wonder if I could write to him.
On the national staff dismissal register, the point is that the Home Office did provide funding to the organisation, but that was related to setting up crime/business partnerships. However, the department was not consulted about setting up the staff dismissal register and will not be involved in any way in its operation. It is very much for the Action Against Business Group to ensure that its register complies with all relevant legislation. Further, I shall draw the question of the logo to the attention of the Home Office and get back to the noble Lord when I have a response.
I turn to the question of the illegal trade in people's bank account details. Of course we are concerned about this issue and that is why we brought forward amendments to the Criminal Justice and Immigration Act. We remain keen to ensure everything is done to inhibit the practice.
Noble Lords have paid tribute to the Information Commissioner because the regulatory system we have in place is highly dependent on the commissioner, to whom I pay tribute for his work. He also takes a proportionate approach to regulation, but I understand that in 2007-08 the number of cases received by the commissioner's office was 25,670. Sixty per cent of those cases were resolved within 30 calendar days and 85 per cent in 90 days. On resources, we are considering the matter and a review is being conducted by the commissioner which I will come on to in a moment. It reflects the further question put to me about extending the commissioner's powers.
The noble Lord, Lord Kingsland, was right to draw attention to lapses, but those lapses have not occurred because the culture of the Government puts a low premium on the protection of the individual; it is not that we are using data as a throwback to our belief in the benefits of democratic centralism, if I may use that term. We have been very concerned about the lapses, and that is why the reviews have been set up. On the relationship between my department and other departments, it is right that the responsibility should lie with individual departments, but with the Ministry of Justice in a role as a kind of overseer and co-ordinator. I am not sure how far he was going with his argument, but the potential for a Minister in one department almost taking responsibility for the actions of another is something we would seek to avoid. We are not seeking to avoid responsibility, but it is important that individual government departments should take their responsibilities seriously. On the question of the shape of legislation, even if we were to pursue the course suggested by the noble Lord in relation to specific and separate pieces of legislation, it would still come down to the effectiveness of the machine itself to ensure that whatever was in the legislation was policed effectively.
Lord Kingsland (Shadow Minister, Justice, Shadow Lord Chancellor, Parliament; Conservative)
My Lords, I am grateful to the Minister for giving way. These are not just my own views, but also those of the committee. The particular value of setting out in detail in primary legislation the proper balance between the general principle of privacy and those public interest factors which might in one way or another dilute it is that the individuals in each department would be subject to those detailed rules in a way that they are not at the moment. That would solve in part the problem to which the Minister rightly refers: you cannot have the Minister of Justice interfering every five minutes into the affairs of another fiefdom. But if the officials in each department are properly informed by the legislation under which they are operating, you would not need to have interference of that sort by the Ministry of Justice.
Lord Hunt of Kings Heath (Parliamentary Under-Secretary, Ministry of Justice; Labour)
My Lords, I am grateful to the noble Lord, Lord Kingsland, who spoke eloquently about the committee's report. The Government have responded. I do not know whether the noble Lord has seen our response but I am happy to send it to noble Lords who have spoken. I follow what he says and that approach could be taken. We will have to see in the light of all the reviews currently under way whether there are any more lessons to be learnt about the legislative approach. Whatever approach we take we still come back to individual responsibility, accountability and proper systems in ensuring that those systems are used to full effect.
We clearly do have a number of reviews being undertaken. The Cabinet Secretary has established a review into data handling procedures in government. That is due shortly. We have the HMRC review—the Poynter review—and the Ministry of Defence review by Sir Edmund Burton, which is looking into specific circumstances that have led to data losses. All those reviews are due for publication shortly.
Lord Roberts of Llandudno (Spokesperson in the Lords, International Development, Spokesperson in the Lords, Welsh Affairs, Whip; Liberal Democrat)
My Lords, I am sorry to intervene. We are having these reviews and the Minister will be writing to us about the national staff dismissal register. Can he assure us in any letter that it is being kept under surveillance?
Lord Hunt of Kings Heath (Parliamentary Under-Secretary, Ministry of Justice; Labour)
My Lords, that is not a government register. It is a private concern subject to the legislative provisions that are in force. I will check the use of the Home Office logo, and I will respond to the noble Lord. We have not yet received the reviews. I hope that we will receive them shortly. Alongside that, the Information Commissioner is undertaking spot checks on or audits of central government departments. My department is working with the Information Commissioner at the moment on how that is going to be undertaken. Those of us who in other walks of life have been subject to spot audits will know that they are useful mechanisms, first, for discovering whether there are any problems and also for keeping individual departments up to the mark.
Baroness Walmsley (Spokesperson in the Lords (Education and Children), Children, Schools and Families; Liberal Democrat)
My Lords, will the Information Commissioner also have the resources to carry out spot checks on private companies that handle large amounts of data as well as government departments?
Lord Hunt of Kings Heath (Parliamentary Under-Secretary, Ministry of Justice; Labour)
My Lords, I have already said that we are looking at the Select Committee's recommendation in relation to the Information Commissioner's resources. The one review that I have not yet mentioned is that by the Information Commissioner himself with Dr Walport. That will be looking at the framework for the use of information in both the private and public sector. It will look at issues around the Data Protection Act. One would then have to come back to say whether the Information Commissioner has the right powers and resources.
As the clock strikes 20 minutes, I want to say that this has been an extremely useful debate. It will inform the Government as they consider the reviews that they are shortly to receive. Noble Lords should be under no doubt whatever that we regard personal data privacy as of critical importance. We ensure that we have the utmost security in the use of those data but equally there are considerable uses to which such data can be put for the public good. It is essential that we keep the balance right.
Baroness Miller of Chilthorne Domer (Spokesperson in the Lords, Home Affairs; Liberal Democrat)
My Lords, I thank warmly all noble Lords who have spoken. I have certainly learnt a lot today. I pay tribute to the expertise of the noble Earl, Lord Erroll, who knows a great deal about this subject. Everyone else I know with such expertise is under 25. In my family, only my stepson knows a great deal. The remarks in my speech about the younger generation were made seriously—we are poorly equipped for this debate.
I am grateful to my noble friend Lord Roberts. I can assure him that we will certainly keep the national staff dismissal register under surveillance. I am grateful also for the continuing work of my noble friend Lady Walmsley and for everything that she has done on children's DNA databases. The noble Lord, Lord Kingsland, as ever, was very forensic—a word used accurately by the Minister—about what is needed. I am glad that he dwelt on the recommendations of the report because they are so important. I am grateful to the Minister for his full reply. I concur with what he said about the Health and Safety Executive, which is often much maligned. It is a crucial part of what needs to happen and we can learn lessons in proportionality from it.
I am grateful for the opportunity to hold this useful debate and I look forward to seeing the reports and the next legislation when they arrive. I beg leave to withdraw the Motion for Papers.