Data Protection

Part of the debate – in the House of Lords at 3:00 pm on 12th June 2008.

Alert me about debates like this

Photo of Baroness Miller of Chilthorne Domer Baroness Miller of Chilthorne Domer Spokesperson in the Lords, Home Affairs 3:00 pm, 12th June 2008

rose to call attention to the volume of personal data collected and retained by governmental agencies and private companies, and the protection of personal data and privacy; and to move for Papers.

My Lords, this debate could not be more timely. Perhaps that is my good luck and the Government's bad luck. We and the public have just been shocked by yet another catastrophic example of data loss, where literally millions of the records that individuals have entrusted to the state have gone missing. The case in the Statement concerned state security, which is slightly different but potentially more serious. I am going to concentrate on the affect that these losses have on individuals, on their confidence in giving data to the state and on the state's responsibility for looking after that data properly.

At the moment, the UK probably leads the developed world in data loss. The point of the debate is to ask the Government what tools are in place to prevent that loss, whether they are using them and what more tools are needed. We on these Benches believe that the culture must change dramatically before losses of this magnitude stop occurring. As the Minister will know, because he agreed to it, we succeeded in getting a change to the Criminal Justice and Immigration Bill that gives the Information Commissioner more powers to deal with reckless and careless losses. It is a small step which needs to be followed by many others.

In the debate, we will call for an urgent updating of the Data Protection Act, which is 10 years old. In that time there have been phenomenal technological changes and it is not surprising that neither legislation nor thinking have kept pace. It was timely for this debate that last Tuesday an exhibition in Portcullis House showcased some of the advances in both the private and government sectors. I expect the Minister visited the exhibition. I certainly met his counterpart from the other place there and we had an interesting discussion. We are all agreed that the public have the right to expect that government agencies which demand their data, and private agencies which request personal data, should have systems to keep them safe and staff who are well aware of how best to use such safeguards. Legislation is certainly not the only answer; there must be a widespread cultural shift across public and private sectors.

Going back into history, it was in 1965 that George Moore, a co-founder of the giant computer chip manufacturer Intel, made a prediction: he said that information technology would grow, and continue to grow, at an exponential rate and would herald a revolution in human, social, political and commercial life. He was absolutely right. The increasing ease with which data can be collected, stored and processed presents countless new and exciting opportunities. I am not suggesting that we should not welcome this but, as more and more data and information relating to us are collected and stored, protecting the security of that information becomes ever more difficult. A real tension emerges between engaging with the opportunities offered by these new technologies and ensuring that any information that is collected, stored and processed is treated with due regard to its sensitivity. That tension is most pronounced in e-government, which is convenient and efficient when it works and disastrous when it does not.

The introduction of ContactPoint, otherwise known as the Children's Index, about which my noble friend Lady Walmsley will speak, provides a database of every single child in England and Wales. Spine, the NHS central medical record database, represents a dramatic widening of the circumstances under which the genetic information of individuals may be retained. And, of course, there is also the proposed national identity card scheme.

Data are also collected as part of CCTV operations, cameras record us in our cars in the street, satellites watch over our homes, police helicopters operate face-recognition technology above crowds and technology now exists which allows tiny drones to swoop in and photograph indoors. I must ask the Minister whether recent reports are true that the Government are considering the construction of a database which will hold details of every phone call made and every e-mail sent by the public, allegedly as part of the fight against crime and terrorism, although that might be part of the wilder imaginings of the press.

Mass data collection and retention is not the sole domain of government. The private sector has been years ahead in seeing the commercial potential in data collection. However, collection is one thing but the problems arise in its retention—how is it stored, how is it accessed and by whom? Even the technology that I understand and use—the memory stick, for example—allows vast amounts of data to be downloaded in one place and removed to another, just as we were talking about in the Statement. More sophisticated is the collection of information by Google, for example, in developing targeted advertising. There are all kinds of technological advances which are hard to grasp.

I was talking with the chief executive of Phorm this week who told me that once something is stored you have lost control over it. Phorm has been the subject of an interesting article in the Economist recently which some of your Lordships may have read. It is a company on the cutting edge of what can protect the public. A bit of controversy surrounds its work because, with its client BT, it intercepted people's online business without BT customers knowing. But Phorm is certainly correct when it says that if consumers knew what was actually stored they would decide to opt for true anonymity online. This is what Phorm is trying to develop with major telecommunications clients on a global scale.

The focus should now be on what is stored and how because once there is a breach it is too late. A robust assessment of new databases and other initiatives could be effected through the use of privacy impact assessments, which, essentially, are privacy specific audits, which identify areas of e-government but have the potential to conflict with the provisions of data protection legislation. These are in their infancy in Europe but are commonplace in Australia and Canada and, to a lesser extent, in the US. I ask the Minister whether PIAs—which have been warmly welcomed by the Government, who have acknowledged that they can be useful in maintaining the balance between the needs of today's society for more information to be shared and protecting privacy—have been conducted in any aspect of e-government. As far as I can establish, none has been conducted on the proposed national ID card scheme, ContactPoint—nor has that been done on Spine or the forthcoming implementation of the automatic number plate recognition system. Is the Minister able to say why not?

I am sure the Minister is aware that some use of online data is absolutely disgraceful. The worst private sector example that I have come across recently is the utterly pernicious national staff dismissal register. I know my noble friend Lord Roberts of Llandudno will make some remarks on this new development and so I will simply say that this new database, where tittle-tattle, rumour and potentially defamatory material concerning ex-employees can be stored for access by other prospective employers, is a dangerous development. We on these Benches take business crime seriously but there is a court system to deal with it. A website which is run for profit and which is trying to take the place of the police, prosecution, judge and jury is a serious issue. I hope the Government will do something about safeguarding the interests of workers who have little ability to pay for expensive access to the courts in order to do something about it.

Of immediate public concern, too, is the HM Revenue and Customs debacle last year—this has been referred to on numerous occasions in your Lordships' House—when the records of 25 million people were lost in the post. There have been further incidents of significant losses from the DVLA and the MoD. In the context of data mismanagement, the public do not have the confidence that they need to feel if the Government are going to take their next step in e-government. That next step, which was demonstrated at Portcullis House in the exhibition on Tuesday, is centralised registration online guarded by secure access, along the lines of what noble Lords may be used to using with their online bank accounts. It sounds good and looks convenient, but if something goes wrong and it proves to be insecure it will be a total disaster. The fact is that nothing can be regarded as totally secure. Does the Minister agree with that?

One of the things the Government have tried to do is bring in data guardians. On the advice of Kieran Poynter of PricewaterhouseCoopers, who was commissioned to conduct the review into what went wrong at HM Revenue and Customs, the Government have appointed a number of dedicated data guardians charged solely with ensuring that large quantities of data, held by whichever department, are treated in compliance with good practice set down in the Data Protection Act. That is a welcome move. How is it progressing?

The Government also have—this was a surprise to me—a dedicated Data Protection Minister, currently Mr Michael Wills MP. It was revealed, subsequent to the HMRC data loss, that the first he heard about that incident was when a Statement was made by the Chancellor in another place. Mr Wills candidly admitted that in the light of the Revenue and Customs data loss the Government are going to have to learn lessons—but I am afraid it is part of his job to teach them.

I am not excluding the private sector. There have been some shocking examples of the misuse of data by a number of banks and companies entrusted with sensitive data. HSBC is facing the prospect of a Financial Services Authority investigation and a hefty fine after it lost the key details of some 370,000 customers in April. Nationwide customers, not directors, are going to have to pay for security lapses with a £980,000 fine.

I must also draw the House's attention to a crossover between the private and public sectors in the comments of the Joint Committee on Human Rights, which said in a recent report on data protection:

"Where there is a demonstrable need to legislate to permit data sharing between public sector bodies, or between public and private sector bodies, the Government's intentions should be set out clearly in primary legislation. This would enable Parliament to scrutinise the Government's proposals ... and, bearing in mind that secondary legislation cannot ... be amended, would increase the opportunity for Parliament to hold the executive to account".

I would be grateful for the Minister's comment on that.

The Information Commissioner has made a good start in changing attitudes in all public bodies, but he is labouring, as I have said, under a rather outdated Data Protection Act. He is also pretty limited in his resources. Are the fees that the Information Commissioner can raise sufficient to deal with the volume of work that he now has to cope with? The regulator is charged with not only educating data controllers about their obligations but their compliance with the Act itself. I would be surprised if the resources that he was set up with were adequate for the job he now has to do. Arming the commissioner with new legal powers is essential. Although I know that by convention the Minister will not comment on what is going to be in the Queen's Speech, it would be useful to know how urgent the Government feel that updating is.

I shall mention the situation raised in the European Parliament by my noble friend Lady Ludford, who is concerned about exchanges of passenger data and DNA from different European countries. She is concerned about the operation of the data retention directive, which is an effective and constructive dialogue that is very much needed, and the UK Government's contribution to that, particularly as our primary data protection legislation is derived directly from Europe.

In conclusion, the pace of technological advances has been ferocious. The benefits are great in convenience, but equal dangers or, probably, greater ones are posed by data misuse, theft or improper exploitation. The tools are not yet in place to give the public confidence in even what the public and private sectors hold now, and, as PFIs and partnerships allow more and more data to move between the two, any regulatory system must apply equally to both and be constantly reviewed. In the short term, money is far better spent on that than on creating an identity card system that brings further challenges. In the longer term, the far more technologically literate younger generation are those who should decide whether or not that should proceed. I beg to move for Papers.


David popper
Posted on 14 Jun 2008 10:13 am (Report this annotation)

dear Baroness Miller of Chilthorne Domer, i realise this Tech web stuff might seem overwelming at times, but i must inform you that through you and others "poorly equipped for this debate", the house and "the other place", are being manipulated and mislead by Kent Ertugrul CEO of Phorm.

you will be far better informed by asking Lord Northesk about Phorm/Webwise, as many of the Anti Phorm/DPI Interception For Profit, End users membership (the Anti-Phorm Campaign)have been in full Correspondence (paper and Email etc) and i think the Earl of Erroll may have also had some contact with the the Anti-Phorm Campaign group collecting at the Cableforum too.

"I was talking with the chief executive of Phorm this week who told me that once something is stored you have lost control over it."

the part he's not telling you is he is the company thats potentially Intercepting 70% of the whole Uk Broadband network, and Every Single web page you ever visit, be it , .

your office web Email, or your grandchildrens homework browsing sites, even your password protected Http:// websites, nothings safe from Kent and his webwise ISP installed Interception device pluged into the other end of YOUR Internet service Providers Broadband wire.

and finally

"Phorm has been the subject of an interesting article in the Economist recently which some of your Lordships may have read. "

"Interesting" is rather and understatement dont you think?, perhaps you might look a little wider to get a better picture.

they dont call it the "Phorm Storm" for nothing on the Net

for instance and all the Phorm related story links at the bottom of that page.

or here for all many End user web Blogs and comments

"It is a company on the cutting edge of what can protect the public."

is that your words or that of Kent and his Phorm PR teams (he contracts the top 5 PR firms to try and obfuscate and hide the facts of his legal breaches of UK law that appeared online)

he and his so called "blue chip" Board of Directors at Phorm and on the wider view ,the Deep Packet Inspection/Interception devices are infact the LARGEST Threat to the whole Internet citizens, both young surfers ,and silver surfers alike, since the world war 2 german party (that shall not be named)came to power, and started indexing data and collating lists of citizens for their own purposes....

"A bit of controversy surrounds its work because, with its client BT, it intercepted people's online business without BT customers knowing. "

it did far more than that, see the most informed and
longest discussion thread on the web.

"But Phorm is certainly correct when it says that if consumers knew what was actually stored they would decide to opt for true anonymity online. "

it only through hard work and vidulance that we Anti-Phorm/DPI have managed to uncover and try and inform and educate the less technical internet users to this present and immediate thread, dont be fooled, as Hank says
Letter to Baroness Miller of Chilthorne Domer expressing grave concern that she has apparently met with a [b]'Wolf in sheeps clothing'[/b] and simply referencing the history of Phorm as 121Media with a non-technical short explanation of what rootkits are.

Get writing all!!

"This is what Phorm is trying to develop with major telecommunications clients on a global scale."

i can only assume he TOTALLY mislead you there Baroness, we understand you may not be in a position to fully grasp the Tech situation,

(just as we are looking to you and the lords mentioned to cut through the redtape and buck passing as regards who is Actually going to take the many reported breaches of UK Law investigate and pass to the CPS ?),

but from many angles, Phorm and the ex BT CTO "Stratis Scleparis" now at Phorm as their CTO, are clearlly building (through BT, TalkTalk, Virgin Media…) a legally challenging business model

allthough we cant afford as mear end users paying our fees avery month to the ISPS's for the services to take it though the legal system for you lords and court barristers to see it.

this post from SimonHickling
cf.member makes it plain.

1984 (Nineteen Eighty-Four) here we are.....a little late but here non the less. ;(

Simon Hickling
Posted on 17 Jun 2008 2:06 pm (Report this annotation)

I have many views I may express here, but most pressing at the moment considering the reticence of BT to provide any firm details about their next trial of Phorm's systems are the views regarding Phorm.

Everyone who has met with Phorm seems to be spun the same line regarding data protection and "anonymisation". Of more concern than the data protection issues are the issues surrounding the initial interception of the data. As a UK citizen, it was my understanding that it is illegal for my communications to be recorded without either the consent of both parties in the conversation, or a court order. Phorm attempt to circumvent this by asking the user for consent and assuming consent from the website by virtue of it's being available for general consumption.

Without going into detail, although I am available to meet with any of the Lords to explain if required, they cannot in all good faith assume this, given the manner in which they intercept the data.

Once intercepted, the data is then copied and processed. It does not matter for how long the copy is kept, it is a copy of a web-site which is protected by the Copyright, Designs and Patents Act. As such it cannot be used for commercial gain without the authority of the copyright holder. This should not be assumed.

The very processing of any personal data is covered by the data protection act, but Phorm seem to want to ignore that and have stated

This is the internet equivalent of the post office taking copies of all my post, copying it and then telling a junk mail outfit which particular bits of rubbish to send me.

There appears to be no body to investigate this before it is rolled out, which concerns me. It would appear that the system must be live and actually break the law before it can be stopped. We should not allow such abuses to take place, certainly not on such a large scale.