Unintentionally, I am sure, but our discussion of this report on the surveillance society has highlighted that surveillance can extend in many different directions. At this stage, we may not have fully accepted, acknowledged or followed through on some of those. I hope that you will accept, Sir John, that the argument, although it strayed a bit far, gave the sense that this is a broad debate and that this afternoon we may be looking at only one part of it.
Information sharing can be hugely beneficial to people. When debating issues around privacy and surveillance, it is important to discuss the benefits that information sharing and data retention can have, as well as the ways in which they can prove to be intrusive. I am sure that the Minister will rightly use the example of the Soham murder inquiry, in which major deficiencies were found in how the police shared information. Several improvements were made to the way in which our law enforcement bodies share information and communicate with each other as a consequence of, we hope, some of the lessons that were learned. However, the question is whether there is then a drift—a further extension that may not achieve the appropriate end results or focus on the purpose for which the initiatives were established. Their extent, scope and purpose characterise the debate, and we very much welcome the opportunity to debate them this afternoon.
The challenge is due to the fact that the pace of change in technology has not been mirrored by the pace of change in public attitudes and debate or, indeed, in the legislative and regulatory framework to govern this highly sensitive area of life. There has been incremental change, but the import and significance of such steady change has been recognised or understood only comparatively recently. There has not been a chance to question whether we want or need such a society.
The debate should not simply be framed in terms of the activities of the Government. It is not only the state that can be over-zealous in its surveillance or data-retention activities; private companies that capture data or information about customers for marketing or other purposes, for example, can overreach themselves or cause significant harm if such information is not secured safely or disposed of effectively. In that context, it is important to recognise the work of the Information Commissioner, Richard Thomas. There is little doubt about his contribution to advancing what is an essential debate, or about his continued work in clamping down on issues about information security and an individual's right to privacy, and in allowing the debate to take place and to further the issues.
The question is about how the Government respond to the debate, and about the wider context of government: the way in which they deliver services in the digital age, and store, retain and share information on all of us. The Committee rightly fastened on to the crux of the argument when it said that
"the Government should adopt a principle of data minimisation. It should collect only what is essential, to be stored only for as long as is necessary."
Notwithstanding the Government's statement on openness and their proposals to create an "ask only for what we need" charter for Departments, the current orthodoxy is, I am sorry to say, based on the concept of "need to know": the Government need to know everything and retain as much information as they possibly can for the more effective provision of welfare, health, education, security and all the other facets of public sector activity; and the state needs to have the ownership rights over that information to do with it what it judges appropriate.
That mindset underpins the national identity card, the interception modernisation programme, the NHS records database and the controversial proposals, debated in Parliament this week, to permit Departments to share such information that they hold with whomever they think fit. I welcome the fact that the Justice Secretary has determined to shy away from those proposals, but that very orthodoxy contains huge dangers and needs, as the Committee's report rightly highlights, challenging and rethinking in the strongest terms—not just on civil liberties grounds, which are important enough in themselves, but on the ground that the orthodoxy puts us all at greater risk.
The creation of ever bigger stand-alone databases, with their concentration of comprehensive personal data in one place, actively establishes a system that is valuable, vulnerable and attractive to attack. That risk is magnified if data sharing is adopted haphazardly and without consideration of the potential weakest link in the data-sharing chain. The more data that are collected and stored in one place, the bigger the challenges in keeping them safe. We have already seen the risks, as other hon. Members have noted this afternoon. In the past year, information on 30 million people has been lost, and public officials are being sacked or disciplined for data protection or data security breaches at the rate of one every working day.
That is why the Conservative party said that it would create an offence of reckless handling of personal data by the Government, potentially making it an offence for a Crown servant or Government contractor to lose personal data under their control. Unless we rethink and re-engineer the centralised model, we will create huge problems for ourselves in the years ahead. What happens when the information is no longer useful or appropriate? Will the systems that are intended for the information be resilient in 10, 20 or 30 years' time? How do we safely dispose of sensitive information once we have it?
I was rather amused by a recent article in the consumer magazine Which? on the best way to ensure that sensitive information on one's computer is safely deleted. Apparently, its advice is that the only foolproof, guaranteed way to ensure that one's personal data cannot be accessed by anyone else when disposing of one's PC is to get a large hammer and bash one's hard drive until it has been smashed into little bits. It is a cautionary parable. Are we really thinking far enough ahead about the implications of our decisions about our data systems? Clearly, there will not be a big enough hammer to take to some systems that we are creating. I am concerned about whether the Government—not necessarily just the Home Office—are thinking the matter through. I liken the current approach to the digital equivalent of digging a bigger and bigger hole and filling it with potentially toxic material without proper consideration of long-term containment, the significant damage caused by leaks and how long the material will need to sit there before it becomes benign. What seems like an asset risks turning into a big long-term liability, and the problem will not be confined to the public sector. The structural solution to the challenge of rethinking the architecture of our IT systems will not be found by the arms of the state or by the private sector acting in isolation.
We also need to think more carefully about the purpose, scope and extent of data sharing. Let me be clear: I am not opposed to data sharing in principle; indeed, I believe that data sharing can be essential for providing greater public protection. However, it must be specific, not general, and its purpose must be clearly defined, with data security and data protection at the forefront. That is why I welcome the Government's retreat this week from seeking blanket data-sharing powers based on ministerial edict. I hope that they will similarly retreat from policies on the retention of DNA data by ministerial order, because that is equally unacceptable.
The Government have been expanding the DNA database that records the DNA of anyone arrested in England and Wales, regardless of whether they are acquitted or found guilty. The data are recorded indefinitely, and they will be removed only in exceptional circumstances. Indeed, hon. Members will know that only a small number of people have managed to have their data removed from the DNA database by demonstrating exceptional circumstances to chief constables. We agree that the use of DNA samples can be an important evidential tool in prosecuting and bringing crimes to justice. We are all aware of circumstances in which DNA data have formed an important part of the case to prove guilt or, indeed, innocence, thus ensuring that serious criminals have been put behind bars, where they belong.
The fight against crime, particularly organised crime and terrorism, depends on the use of modern scientific techniques of investigation and identification. However, the status of DNA needs to be considered carefully, because, as the European Court of Human Rights has noted:
"The retention of cellular samples is particularly intrusive given the wealth of genetic and health information contained therein."
The use of that technology must strike the right balance between the promotion of public interest and public safety and the protection of important private-life interests.
The UK's DNA database is proportionately the largest in the world, accounting for about 7 per cent. of the UK population. The Government argue that this country can claim a pioneering role in the utilisation of DNA technology, but, in doing so, they bear a special responsibility to ensure that they strike the right balance regarding what is permissible, given the potential interference in private life. That is why last December's European Court of Human Rights judgment regarding S. and Marper was so fundamental. The Court was scathing in its criticism of the current approach of indefinite retention regardless of guilt or innocence, and it dealt with the structure—the fundamental protections and reviews; it did not say that the issue could be dealt with case by case, as the Government's initial comments seemed to suggest.
What I am saying will not be unfamiliar to the Minister. We have debated these issues before. I am asking the Government to rethink responding to the Court judgment with an order-making power that does not require full parliamentary scrutiny. They said that they want an open debate on this subject. Let them rise to that challenge, rather than push this issue out of view with a vague promise to publish a forensics White Paper by the summer.