Uncorrected Evidence 58

1.	This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.
2.	Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.
3.	Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.
4.	Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.

Oral Evidence

Taken before the Home Affairs Committee

on Tuesday 20 November 2007

Members present

Keith Vaz, in the Chair

Ms Karen Buck

Mr James Clappison

Mrs Ann Cryer

David T C Davies

Mrs Janet Dean

Patrick Mercer

Margaret Moran

Gwyn Prosser

Bob Russell

Martin Salter

Mr David Winnick

________________

Memoranda submitted by the Department of Health, the Department for Children, Schools and Families, the Department for Transport and Transport for London

Examination of Witnesses

Witnesses: Mr Richard Jeavons, Director, IT Service Implementation, Department of Health; Mr Tim Wright, Chief Information Officer, Department for Children, Schools and Families; Dr Stephen Hickey, Director General for the Safety, Service Delivery and Logistics Group, Department for Transport; and Mr Steve Burton, Deputy Director of Transport Policing & Enforcement, Transport for London, gave evidence.

Q326 Chairman: Mr Burton, Dr Hickey, Mr Jeavons, Mr Wright, thank you very much for coming to give evidence. This is obviously going to be a busy session and we have four witnesses from different Departments. What I thought would be helpful is if we could address our questions to each one of you. If there is a burning issue that you need to chip in on if you could do so quickly because I hope to end this session at about 12 o'clock. May I begin by asking Mr Jeavons the first question concerning the Department of Health taking the lead in government on these issues; what exactly does that mean?

Mr Jeavons: I think the Department has taken a very long and strong interest in the matter of confidentiality and the protection of patients' interests with regard to information, and necessarily so because without public confidence in how information about patients is managed we risk losing one of the fundamental tenants of how the NHS can operate. With the introduction of the National Framework for IT in 2002 clearly the need to examine further how information governance policy and practice is delivered in the NHS became even more important, and a steady stream of activity since then has strengthened our position. I think it is a combination of the fact that this is so important to the effective delivery of patient care and the introduction of the National Framework for IT means that we have had to seek to try and raise our game continuously over the last few years.

Q327 Chairman: What processes do you use in your Department to deal with breaches of security, in particular where errors have been found in records? How quickly are they corrected and how effectively do you deal with new processes in ensuring that those records are not defective?

Mr Jeavons: Most patient records are not held in the Department; they are held in the individual NHS organisations, and the responsibility for information governance rests firmly with individual NHS organisations as part of their statutory responsibilities. We provide guidance and policy on dealing with information governance and dealing with potential breaches. I can give you examples of where the NHS has acted to deal with breaches that have come to their attention, and usually (and having a run an NHS organisation myself I can testify to this) this follows a normal disciplinary process because it inevitably involves individual members of staff.

Q328 Chairman: How will the National Information Governance Board go about adopting and maintaining high standards?

Mr Jeavons: The National Information Governance Board, which came into being on 1 October and we are hoping through the Health Bill to give a statutory basis to, effectively will require every NHS organisation under its remit to provide an annual report on its information governance, it will review policy and practice and make recommendations on improving those, and it will report to the Secretary of State its findings on an annual basis, so it is an extremely high-level and visible statement of the accountability for information governance and it is directly connected both to policy and into practice in the NHS.

Chairman: Ann Cryer?

Q329 Mrs Cryer: Richard, could you tell us what strategies the Department of Health will be using to ensure that patients are able to make informed choices about how their information is held and stored?

Mr Jeavons: Yes. The responsibility for ensuring that patients are reasonably well-informed exists already. It pre-existed the National Framework for IT. The route we have gone down is to reinforce and to clarify the responsibilities of individual organisations. If I give you a specific example, in last year's Operating Framework, which is the annual statement of what the NHS should do in its plans in the coming year, we gave an absolutely explicitly steer to NHS organisations about reviewing their information governance position and being able to answer simple questions that patients might ask them should they be approached. That would be an example of how we are really trying to make a very high-profile but very practical focus at the top of organisations for their responsibilities. Another example is public information programmes. We encourage and support the NHS when they are considering changing the use of information to improve patient care to run public information programmes to ensure that their population has the opportunity to engage in a discussion. For example, the Summary Care Record early adopter programmes in Bolton and Bury would be examples of what we are doing, and we are evaluating those. You can always do these things better: you can learn from Scotland, you can learn from Hampshire, you can learn from places that have done things, so it is a continuous process. We have methods that we are trying and evaluating and we are encouraging the NHS to do that as well.

Q330 Mrs Cryer: Just to dig a bit further, can you tell us what sort of support and help will be available to clinicians as they give advice on patient choice and consent?

Mr Jeavons: To go into the Summary Care Record early adopters, which is the most vibrant and real example at the moment, we are running a public information programme which involves a personalised letter to every person over 16. Those are backed up with access to an NHS Direct helpline. When people phone in, the staff in NHS Direct have been trained and given tools to help them answer the questions effectively. We are running information booths where patients can book to meet people in their practices and health centres. The staff who are providing the advice there are trained and we have provided an e-portal of training materials for general practitioners to use as well in the consultation. To be fair, we are not at the stage where a lot of general practitioners are directly engaged with their patients in these discussions but that is coming in the next few months.

Q331 Mrs Cryer: Therefore how will the Department of Health, just to take it further, interact with the National Information Governance Board as it seeks to "be ever watchful and in touch with public perceptions"?

Mr Jeavons: The National Information Governance Board will produce an annual report and report to the Secretary of State. It will have a statutory basis. It will seek its advice and it will seek enquiries from anybody who wishes to approach it, so it will operate in a very open way. When it thinks it has got a set of questions it will seek, directly from the Department of Health's Information Governance Policy and related advice, to answer the questions and try to reach conclusions. In a sense, we have aligned the information governance capability and advice and policy support behind the Information Governance Board's roles and responsibilities, but it has to retain a strong element of independence.

Q332 Mrs Cryer: So if I can just be informed and ask; whilst witnesses in our inquiry spoke of the use of patient information for research purposes as an example of one of the benefits of "surveillance", they also identified "a climate of suspicion" around the use of patient information for research purposes. Therefore what steps is the Department of Health taking to tackle concerns about the security of information used in this way?

Mr Jeavons: Most recently we have had two quite major joint pieces of work which are now guiding what we are doing. Those pieces of work are the Joint Report with the UKCRC that was commissioned, which Ian Diamond led for us, and the recommendations of that were accepted, and the Boyd Report, which was commissioned by the predecessor of the National Information Governance Board, and again the recommendations were accepted. Those two reports made a number of recommendations about what needed to be done to bring greater clarity, to reduce ambiguity, and to sustain and develop confidence in the area you are asking the questions about. In response to that, we have established a research capability programme which has a work plan to work through those recommendations, so we are looking at improving anonymisation and pseudonymisation techniques. Those were raised as issues and we are reviewing those. We have looked at the current use and we have done an audit of the current use of some of the information in order to test whether we think the current practice is fit for purpose and is being sustained. We have a number of activities over the next 12 months which are aimed to respond and deal with those recommendations.

Q333 Mrs Cryer: Just to dig a bit further and to refer to another select committee, the Health Select Committee apparently did a recent report on the Electronic Patient Record which registered concern about governance arrangements for the use of patient information for research purposes. The Secondary Uses Working Group has made recommendations on this aspect of the development of NHS care records. Are you able to give an indication of how the Department is taking these recommendations forward?

Mr Jeavons: I think those recommendations are in the Boyd Report that I have referred to, and the National Information Governance Board have already agreed that they will ask the Department to demonstrate that they have delivered against those recommendations and those recommendations are being actioned through the research capability programme.

Mrs Cryer: Right, thank you.

Q334 Margaret Moran: It sounds as if it is all going terribly well when we know it is not. Just look at Computer Weekly's history on this subject and you can tell that is not the case. I have two questions. One of the issues around data-sharing is that even if you get the technology right, the problem is access by people and the use or misuse of data in that way. Given that there was not apparently a buy-in from front-line staff and there was not even proper consultation of front-line staff at the outset of this programme, how confident are you that there will not be breaches of data and confidentiality and privacy as a result of that?

Mr Jeavons: You cannot stop the wicked doing wicked things with information and patient data, so you cannot say there will not be, and of course we have examples where staff do misuse their privileges and have to be pursued through disciplinary procedures. To speak to your point about confidence, there is absolutely no complacency about the extremely fine balance that we need to strike between public confidence, staff confidence and the huge potential benefits that electronic records and the use of data about patients for public health and other purposes has. This is an incredibly difficult balancing act and practice needs to change as information technology changes the opportunities that are available to us. The reinforcement with the NHS of their information governance responsibilities; the backing up of that with advice and tools; the reinforcement of the need to ensure that human resources policy and practice is aligned with information governance policy and practice means that we are putting in place all the things we can do to deal and to manage this as well as possible, but we are not going to stop those who wish to break their employment contract terms and break their local area training policies and procedures and do wicked things. What we have to do is put in audit trails and be able to say to these people it is much more likely now that you are going to be caught, and if you are caught this is how you will be dealt with.

Q335 David Davies: Mr Jeavons, what work have you undertaken with other government departments in relation to the sharing of databases? In particular, can I ask you whether you work with the Border and Immigration Agency or the Department for Work and Pensions, to ensure that non-EU citizens do not access incorrectly out-patient care to which they are not entitled?

Mr Jeavons: Our main areas of interaction are with the Department for Children, Schools and Families and with Contact Point. We contribute and participate in cross-government policy and Transformational Government activity. We respond to requests for information that have a legal basis. However, our basic opening position is that NHS information and information about patients is confidential to the NHS and to the patient and therefore we work on a "persuade us if you can or provide a legal basis" mandate.

Q336 David Davies: But would you not use the databases that are already available to other government departments to ascertain whether or not people are getting access to care to which they are not entitled?

Mr Jeavons: I am not aware that it is the case that we do that and it is not clear that that is necessary. We do not deny emergency care.

Q337 David Davies: No, we would not do that under the law anyway, would we, because the law is quite clear; emergency care is available but out-patient care is not. The question is purely about out-patient care and whether you are doing anything to tackle the billions of pounds that are being lost because out-patient care is being provided to people who are not entitled to it?

Mr Jeavons: Clearly if we had evidence that there were billions of pounds being lost through inappropriate use of NHS services that would need to be tackled. If the opportunity were there for example to use other means to check the identity of people before they access those services, then those would be looked at, but I am not aware that those opportunities are there and, if they are there, it is not obvious how to implement them effectively in the NHS at the moment.

David Davies: The evidence is certainly there, is it not; the question is whether or not the NHS are willing to make use of other databases that already exist in government departments, but I think you have answered the questions.

Chairman: Thank you, Mr Davies. We are now turning to questions to Tim Wright. You are welcome to sit there, Mr Jeavons, because there may be other issues that members of the Committee will ask, so do not feel we are ignoring you. It is just we want to get the other Departments to give us their comments as well. Janet Dean has the first question to Tim Wright.

Q338 Mrs Dean: Mr Wright, could you estimate the proportion of DCFS activity that depends on information-sharing and the impact that the Every Child Matters strategy has had in this respect? In doing so, could you say whether the majority of activity is aimed at child protection or child welfare?

Mr Wright: A very significant part of the activity of the Department now is geared around data-sharing. We are quite a small central department operating within a very large, very profuse education sector, so there are many agencies and bodies that operate within that sector who will need and wish to use and share information. A number of the programmes that we are working on at the moment operate in that sphere and are quite central and quite key to supporting the Government's policy to improve choice for learners and enable individuals to move round, if you like, within the education system and take with them their personal records and details and be able to track their attainment and so on. On the second part of your question - my colleague here already mentioned Contact Point and of course I would draw a distinction between the purpose of Contact Point, which is really early intervention to ensure the protection of young children, with the sorts of systems that we are operating, which are purely in the educational space which are trying to engage with people in education. There is quite a split and quite a wide range of activities that are there. I would not hazard to put percentages on that because there is a very significant effort from the Department, certainly around Contact Point, and that is the largest single IT programme that we have on at this time.

Q339 Mrs Dean: I will come to Contact Point in a minute but could you say first of all how the Department goes about assessing the need for each new database that it creates or commissions and then drawing up the protocols for sharing information with other departments or agencies?

Mr Wright: I look after a team of information technology professionals and certainly we work extremely closely with the policy directorates of the Department to understand how technology might be applied to improve the opportunities for learners and children. It is quite a tight engagement, quite a tight partnership, between the technical professions that provide and support the information systems and the infrastructure with those that are actually in the front-line of delivering the Government's policy. There was a second part to your question, I am sorry?

Q340 Mrs Dean: It was about drawing up the protocols for sharing the information with other departments or agencies.

Mr Wright: I am not aware of any outward sharing, if you like, of information from the DCFS. We certainly rely upon other government departments to provide information to us. Contact Point again would be the best example of that where in fact we take national data fields from three other Departments - the Department of Health, the Department for Work and Pensions and the Office for National Statistics - and we combine that in Contact Point with data from our own records from the pupil database.

Q341 Mrs Dean: To turn to Contact Point, the Assistant Information Commissioner describes how the ambitions behind the database which is now Contact Base "started out as rather greater and have fallen backwards a little bit". Could you summarise the history of the Contact Point database in terms of the development of its objectives and scope?

Mr Wright: I am not actually familiar with its long history. Clearly the history of the database goes back to 2001 and the Victoria Climbi� case, but in the time that I have been engaged with Contact Point, the mission for the Department around Contact Point has not changed in any way. The system is an electronic index of every child in the country, with the sole purpose of bringing together those care professionals that work with children and need to be aware of other care professionals within the system that may be working with the same children.

Q342 Mrs Dean: So you do not really agree with the Assistant Information Commissioner that there has been a pull-back from the ambitions that were once there?

Mr Wright: I am not aware that there has been a pull-back. I have been with the Department for most of this year, I was not in the Department at that time, but I am not conscious that there has been any watering down or changing of the Department's ambitions for Contact Point.

Q343 Mrs Dean: It may be something that you could look into for us?

Mr Wright: I would be glad to.

Q344 Mrs Dean: In designing Contact Point do you know what steps have been taken to ensure that the information collected about children is accurate and that the positive outcome in terms of child welfare outweighs any loss of privacy so early in life?

Mr Wright: Yes, the basic data on which the system relies is taken from four other data sources. What the system actually does is bring those four data sources together and then matches the data sets. There is a significant amount of overlap in those data sources so you will be picking up children's names, home addresses, and so on from all those different data sources. What we do is use the technology to match those databases and prove by overlay, if you like, that the data is indeed correct for each of those children. There are exception reports which are produced on a routine and regular basis to highlight anomalies that may require further investigation.

Q345 Mrs Dean: Which are the four data sources?

Mr Wright: They are taken from the Department of Health, from the benefits system of the DWP, from the birth registers of the Office for National Statistics, and from our own national pupil database.

Q346 Ms Buck. I was surprised to hear you list the three Departments and not include the DCLG. I just wonder if you could tell us a little bit about the relationship the Department has in respect of information from local authorities, in particular from all the sources in the DCLG?

Mr Wright: We do have contact with the DCLG in relation to Contact Point but not in regard to data-sharing. Our particular contact with the DCLG is to ensure that the infrastructure over which Contact Point is delivered is going to be delivered in a way which will enable local authorities to most readily and easily use the system in a secure way. There is no output flow of data to DCLG and there is no data actually coming from them. The infrastructure of the system is actually something that from local authorities' point of view is extremely important because of course now and into the future the expectation is that they will wish to access a number of systems from different departments. We are very keen to ensure that the mechanisms by which they access those systems are compatible and it is not a burden put upon the local authorities to connect to lots of different systems.

Q347 Ms Buck: In terms of the local authority Every Child Matters agenda your involvement in this is purely an infrastructure and data compatibility one?

Mr Wright: Certainly from my own group's perspective but, no, a very significant part of the Contact Point programme is actually working closely with the local authorities to make sure that there is robust education about what the system can do, how it should be used, how it should be protected, and the security that is in place and so on, so there is certainly a very active dialogue with the local authorities to ensure that the system will be effective in its use.

Q348 Ms Buck: How do you see local authorities' various sources of information currently within the Every Child Matters framework fitting into this? To give you an example that goes to the heart of it for me, and it goes to the heart of a lot of the data protection issue - the NOTIFY system for children in temporary accommodation because this is very much about children who drop through the net - I am not quite clear of the importance that local authorities should be putting on systems like that, which go very much to the heart of children at risk and child protection, and how they will fit into a national Every Child Matters data framework as you are describing it.

Mr Wright: Contact Point, as you rightly describe, is a national system to be accessed and used by every local authority. Each local authority in the country will also have a number of its own support systems and case management systems that do actually hold detailed information about particular child cases. What is important to us is to ensure that we are delivering the infrastructure of Contact Point in a manner in which it can be presented at the local authority level and so that they can actually combine Contact Point with their local data sources so that they actually will be able to integrate and connect those within the local authority area, but of course the case information that local authorities hold is solely for their purposes.

Q349 Ms Buck: So none of that will be uplifted into ---

Mr Wright: No, no lift goes upwards but we need to be able to connect that at local level.

Q350 Ms Buck: Can I just ask you about the potential of developing biometric data in education and schools. Where has that got to, where is the thinking and does the Department expect there to be a time in the near future when children will be expected to carry some form of biometric recognition?

Mr Wright: Surely. Biometric systems are used within a number of schools within the UK. There is no drive from the DCSF to promote the use of biometric systems but we are very conscious of the fact that a number of schools find them quite beneficial. They are used in schools for the purposes of monitoring attendance, of providing children with facilities to remove library books or to purchase school meals. There are a number of benefits of using biometric-based systems over other technologies such as smartcards, principally the fact that the child does not have to carry anything with them and therefore do not lay themselves open to bullying tactics from other children that may wish to get hold of their card in order to access the services that they have.

Q351 Ms Buck: Do you think that we should be comfortable with the idea of biometric recognition for getting out a library book?

Mr Wright: Certainly the Department is quite content with the use of biometrics in that way by school children. It is a very effective mechanism. Biometric data that is held by these systems is of quite a low quality in the sense that it is only held at a level which will enable a school to differentiate amongst the school community, so there is no value in that biometric information outside of the school environment.

Chairman: Thank you, Karen Buck. Margaret Moran?

Q352 Margaret Moran: Given your technological capacity and capability and the fact that you are dealing with a number of children's databases, how much further do you think there will be progress or otherwise in relation to further data-sharing and data-gathering? Is there greater scope for any of that?

Mr Wright: I think over the next few years we are certainly going to see significant progress around the initiatives that we have already started. I mentioned when I started about being able to join up this very large and quite complex education system that we have in the UK, so it is about improving choice for learners. Our expectation is that there will be a number of other future participants in the initiatives that we have already started. We have a programme we call MIAP (Managing Information Across Partners) which is very specifically to support the Government's drive for reforming the 14 to 19 age group. MIAP actually underpins the diploma environment and it is going to be very important that children can take their information from one institution to another and can have their qualifications recognised on their lifetime journey. I do not see on the horizon any particularly new initiatives at this time. I think it is quite inevitable that we will find that we will wish to continue to provide that kind of shared information infrastructure across the education system. I do draw a distinction perhaps between education and the care and welfare of children, and when it comes to systems like Contact Point there is very clear regulation in place for systems such as Contact Point, so I see no drift from that. Contact Point is there for a very specific purpose and that is the backstop to what that system will be used for.

Q353 Margaret Moran: I want to come back to Contact Point later. You are talking about data-sharing from pre-school nursery through to 19, to the end of HE, something like that?

Mr Wright: Well, in fact in information terms I am talking about what we would refer to as the lifetime journey of the learner, so I am talking about, yes, from the early years right through to adult and workplace training. In the changes in government this year the Department for Education and Skills was split to create the Department for Children, Schools and Families and the Department for Innovation, Universities and Skills. In terms of lifetime information-sharing that effectively cleaved a line at aged 19 in that learning journey, but with colleagues in the IUS we see a very strong need to continue that co-operation between the two Departments to ensure that the education system in the country remains joined up.

Q354 Margaret Moran: It is very expensive data-sharing based on very different systems very often. How can you ensure inter-operability and ensure that there is no rubbish-in rubbish-out? Where do you think the technology will take us next? Are we looking at data-mining, profiling, prevention?

Mr Wright: Sorry, can you just repeat the first part of your question.

Q355 Margaret Moran: I have forgotten it myself! Where do we go next in terms of technology and interoperability?

Mr Wright: Thank you, I think the key word was "interoperability". Joining up across government is extremely important in lots of different areas. I have a role within the Department for Children, Schools and Families to support the policy directorates in managing information, but I also have another role as a member of the information community across government, so we have mechanisms at a higher level, if you like. We have a CIO Council that comprises members from all government departments, and a very significant part of our agenda and out thrust through the CIO Council is to ensure that we have a common framework for data standards and can share best practice across government departments, so in areas such as data security, for instance, those thrusts to ensure that we have the right levels of security in place and we are using technologies that are available as wisely as possible is the sort of thing that is done at a higher level, if you like, through the CIO Council, and that is quite an active community.

Q356 Margaret Moran: Just very quickly on Contact Point, you will be aware, more than anyone I guess, that there are serious concerns about the amount of data being collected on children and whether lack of confidence in the ability to keep that data confidential will deter people from accessing the services and indeed possibilities that having all that data together could actually put children at greater risk. What research has your Department done to ensure the effectiveness of communication about what is actually happening on data-gathering and data-sharing in that context?

Mr Wright: I would describe Contact Point itself as an electronic index. It is true that it will include data on every child in the country but it is only basic demographic information, so it is child's name, date of birth, address, parents' names, the learning setting/the educational setting in which they are currently residing, GP's name, and other specialists that they may have contact with. There is no case information within Contact Point whatsoever. Whilst the Contact Point programme is a significant technological challenge, we recognise that communication across the community of users of Contact Point, of which there are many thousands, is a crucial part of the success of the system, and that is a very active dialogue with that community. As part of the first phase of the use of Contact Point, which will commence during next year, we will be working, and have started working very closely, with 17 early adopter local authorities so that we can work closely with them and learn the lessons of early adoption and make sure that that knowledge and that practice, if you like, is shared and cascaded to other users of the system.

Chairman: Thank you very much, Margaret Moran. We are now turning to some questions to Dr Stephen Hickey from the Department of Transport and we are going to start with Martin Salter.

Q357 Martin Salter: Dr Hickey, I was interested in your memorandum of evidence to the Committee and in particular in paragraph 4 where you talked about clarity about the legal authority under which data may be shared, including using the Data Protection Act, being critical. I want to tease out a couple of examples. Has your Department had any requests for data from other government departments or other areas of government which you have considered not to be lawful?

Dr Hickey: I cannot think of one offhand where we have specifically rejected it on that ground, but we certainly do review the legal basis on which we do data-sharing. Most of our data-sharing is fairly long-standing but we would certainly want to know on what basis any approach was made to us and what was the legal justification.

Q358 Martin Salter: Because at the moment the way the process works is that government departments and other agencies seek advice from the data protection authorities and also from the Information Commissioner and it is possible that cracks could open up and people could end up with different advice and different practices could emerge.

Dr Hickey: But we would need to look at it from both ends of the telescope. We need to look at it both from have they got the power to seek the information but also have we got the power to give it, so we will ask both those questions.

Q359 Martin Salter: One final question from me. I notice in paragraph 2(7) of your evidence there is perhaps a more contentious area than a government department, which is the sharing of data with parking enforcement companies. It says here that you will do this where they can show reasonable cause to receive the data. Of course some parking enforcement companies are nothing more than licensed thugs to clamp vehicles in dubious circumstances. Do some of the clamping - I will not even call them organisations - outfits benefit from data provided by your Department?

Dr Hickey: There was a big review of this done last year and ministers announced 14 improvements to the processes around reasonable cause. Reasonable cause are the words used in legislation but there is not a definition in law. 14 measures were announced last year to tighten up on the processes around reasonable cause and who should get the information. Amongst those is a lot more transparency around the information which is now, for example, on the DVLA website and on Directgov, so there is a lot more visibility to people on the circumstances in which information can be provided. As far as parking companies are concerned, there are two set of processes, one is for ad hoc individual requests, and the companies have to go through a process to justify why that is needed and they are asked various questions about their business and the purposes and so on, and that can be checked and audited, and refused of course if those answers are not acceptable. In addition, for companies who are doing it on a regular basis, which of course some of them are, and where we have electronic links, they are required to register with us, and they go through processes of validation including of their internal processes and they are also asked to be members of an approved association which itself has various processes for control. All of that is much more transparent now than it was two years ago. As I say, a lot of this is now on the website and our feeling is that the processes are now working more satisfactorily than when this issue was raised quite strongly a couple of years ago.

Q360 Mr Winnick: Dr Hickey, there are a lot of cameras all around the place operated via the Highways Agency. In the very useful paper that you circulated you give at paragraph 1.4 details. Apparently there are 1,133 automated number plate recognition cameras and 1,300 CCTV cameras. How far are motorists in the position to be able to check on the website who is actually responsible for those cameras?

Dr Hickey: I think those cameras are the responsibility of the Highways Agency, but of course the Police have many other cameras and there are many other people - local authorities and others - who have cameras. I think those ones you referred to are all Highways Agency cameras.

Q361 Mr Winnick: How far would motorists be in a position to contact the Agency because presumably in some circumstances they may wish to do so?

Dr Hickey: They can certainly contact the Agency. I do not know offhand whether on the website it would tell you where each camera was. I suspect not, partly because of course some of them are moved and are mobile.

Q362 Mr Winnick: I will come to criminality, which is the purpose of these cameras, they are not there for fun and no doubt they serve a positive reason. However, would it not be useful for the ordinary citizen to be able to find out from the website precisely what is what?

Dr Hickey: Yes, I accept that point.

Q363 Mr Winnick: Is it intended to have more sophisticated technology in time? It is not the end, is it, these cameras which I have mentioned a number of which are in use? Are they going to increase? Are there going to be other different kinds of cameras?

Dr Hickey: The need for cameras certainly has been going up. For example, if we go further down the route of active traffic management on the network, the sort of system with traffic controls that we now see on the M42 around Birmingham where you have got hard shoulder running for example at peak hours and tighter speed controls and a need to watch extremely carefully if incidents were to happen, then clearly that sort of operational system relies quite heavily on these cameras. If we go further down the route of that kind of regime on the trunk roads, then certainly the need for active management, including cameras, is likely to increase.

Q364 Mr Winnick: Just tell us, Mr Hickey, how long has this been happening with the cameras? How many years back? Presumably there was a time, including in the post-War period when people would drive without cameras and investigations and so on and so forth?

Dr Hickey: I can tell you from personal recollection that in the 1960s cameras were introduced in Durham City for the control of traffic coming up from the bridges to the market-place because I was a boy at the time and it was a very big deal and we used to go and stand behind the policeman's box and look over his shoulder at these cameras, it was a major novelty, and Durham prided itself on being one of the first towns to have that sort of camera. That was the 1960s, I think. On the national network I am afraid I do not know offhand when they started.

Q365 Mr Winnick: We are talking about 40 years.

Dr Hickey: Cameras have been around certainly to my personal knowledge ---

Q366 Mr Winnick: And all the indications are that it is escalating, is it not?

Dr Hickey: On the roads but also more widely in local authority communities and so on cameras have certainly increased substantially.

Q367 Mr Winnick: I said a moment ago - and I do not think there is any disagreement - that they are not there for fun; they are to deal with those who break the law and outright criminality, but what I want to ask you is, how do you assess the potential benefits for example of these number plate recognition cameras which I have mentioned compared with the risk of mistakes or criminal misuse - that is going further - of transport databases?

Dr Hickey: Could I first just correct you on the Highways Agency cameras. The Highways Agency cameras are not used for criminality in quite the sense I think you are implying. They are actually used for traffic flow control. That is quite important. For example, they do not record the full number plate of the individual vehicle, which of course for criminal-type purposes you need to have. The Highways Agency ANPR cameras only record three digits, which is enough to say at the next point down the road those same three digits can be identified and from that you can calculate what the flow of traffic is. That is not enough to tell you it was my car or someone else's car.

Q368 Mr Winnick: So it would not help the Police?

Dr Hickey: It would not help the Police, no.

Q369 Mr Winnick: What would help the Police in carrying out their investigations?

Dr Hickey: For the Police's purposes you need the full number plate and of course the Police do have ANPR cameras that show the full number plate. They are both ANPR cameras but they are used in different ways and for some different purposes, and we must be clear.

Q370 Mr Winnick: So the motorist - and I am not saying that should not be so, we recognise all the criminality that could be involved - on all these roads is constantly being watched?

Dr Hickey: That is right. As far as criminality and so on is concerned, the ANPR cameras, which are particularly relevant to that are the Police's own ANPR cameras and they have a lot of those, as you know. In addition, from the Department's point of view, as you will have seen from the memorandum, both DVLA and VOSA have a small number of ANPR cameras, nothing like the Police scale. Those are used for identifying vehicles which are not taxed or, in the case of VOSA, have other HGV concerns about them, so those do identify the individual vehicle.

Q371 Mr Winnick: That is a very useful answer. In terms of our inquiry we would be right presumably to say that the use of cameras and such technology is likely to increase rather than decrease?

Dr Hickey: I think that is plausible.

Q372 Mr Winnick: More than plausible?

Dr Hickey: Yes.

Chairman: I shall bring Mr Davies in now for a quick supplementary.

Q373 David Davies: Just to turn around one of Mr Winnick's questions, the whole point of ANPR readers is that they can track a licence plate registered to a criminal and find out where on the motorway for example that person is exiting so the Police can follow that up. Would it be useful to advertise to the whole world where ANPR cameras are located or would it not defeat the whole purpose, which is to be able to track people who should not be on the road?

Dr Hickey: You are quite right that for Police cameras which do that sort of thing certainly it would be quite counter-productive to tell people but for traffic monitoring purposes there is not that same sensitivity, so it is a more open question.

Q374 Chairman: Could I ask you to comment on the new proposals that passengers on domestic flights between Northern Ireland and the UK mainland are now to be subject to identity checks; is that coming from your Department or the Home Office?

Dr Hickey: I confess that is not a subject I am familiar with. I can come back to you and tell you which department is behind that.

Q375 Chairman: I think it is a Home Office Statutory Instrument but obviously the Department for Transport would need to have been consulted.

Dr Hickey: That is probably right, yes.

Q376 Chairman: Would you drop us a note on that?

Dr Hickey: I will drop you a note.

Chairman: Thank you so much. Patrick Mercer now has the first question to Mr Burton for Transport for London.

Q377 Patrick Mercer: Has Transport for London itself commissioned any research into the effectiveness of CCTV as a deterrent to crime on the transport network?

Mr Burton: We have not undertaken any specific research on that. We have done a fair amount of research on passengers' views of CCTV.

Q378 Patrick Mercer: Who are very reassured by it, are they not?

Mr Burton: Indeed, all our research, as you say, shows that passengers see two primary ways of making them feel safe on the network: visible, uniformed staff; and CCTV systems.

Q379 Patrick Mercer: Okay, but you have not actually taken any soundings yourself as such?

Mr Burton: We have not got any empirical research on the actual results. We have results-based analysis done in specific areas, for example the on-bus CCTV systems that we use which are primarily there for crime and disorder reduction, we have had some very positive results around that where we have identified 2,000 individuals and convicted 2,000 individuals who have been damaging and vandalising the network. In certain areas we think we have got good results but because a lot of the systems are recently installed we have not actually undertaken any detailed research of the overall systems.

Q380 Patrick Mercer: After a crime has been committed and the Police want evidence from your camera systems, how do they go about retrieving data from TfL sources?

Mr Burton: I have a small group of individuals working for me. The Police fill in the appropriate data protection form to identify why they want the data and we will do our best to give them the appropriate information. We do that in a transparent way and we have fairly carefully structured guidelines for those staff on when it is appropriate to release the information.

Q381 Patrick Mercer: I appreciate there may not be an exact answer to this but on average how long does that process take?

Mr Burton: It will take a couple of days at most. Essentially we work with the Police very closely and we will prioritise cases. Obviously the more serious the case the more resources we will put on it, and we will do our best to turn it around in an appropriate timescale.

Q382 Patrick Mercer: You will be aware that there is a debate going on about whether the public should or should not in certain circumstances have access to the data that you have gathered. What is your view on that? If a crime has been committed and the public needs to have access to your data, how far has the debate gone?

Mr Burton: Obviously there is a debate going on around that. There are currently a number of FOI applications that people have put in and we will treat them on a case-by-case basis. At the moment we have no plans to make that data available as a matter of course and I think we would want to work very closely with the Police agencies on that. By their very nature most of those requests that come from the Police are active investigations so there are sub judice issues of course as well.

Q383 Patrick Mercer: Can you give me a feel for what the volume of those requests is?

Mr Burton: At the moment we get just over 300-350 requests for specific pieces of data, on the Oyster system for example.

Q384 Patrick Mercer: How often?

Mr Burton: Per month. However you have to contextualise that. We are running three and a half billion journeys a year, so in comparative terms it is a fairly small number.

Q385 Ms Buck: Can I ask you a bit more about the gauging of public opinion because clearly there is out there some degree of concern about surveillance of customers and users of all kinds of services. Do you have any sense at all of the extent to which users worry about their privacy and how would you research it?

Mr Burton: We have done a number of market research exercises of both customers and the community at large because they are two different groups in many ways. A particular exercise we did a year or two ago was asking people what we could do to the network to make them feel safer. As I say, I think the second item that was identified was putting more CCTV on to the system. We do consult on a regular basis on how we use the system.

Q386 Ms Buck: But do you ever ask them the flip-side question, the extent to which people feel that even making a simple journey now puts them under surveillance? Is that angle of it addressed by anything that you research?

Mr Burton: We have not asked them recently on that. There is a piece of research we are doing at the moment for which I do not have the results available, in fact it has only just been done. Our information access team, who run our overall data protection work, have asked members of the public how they feel about accessing our data and how they feel about being observed. I think those results will be out in the next few months, but the previous stuff we have done, as I say, does show that the public do feel comforted by a feeling of being watched on the network. I think it might be different if you ask people outside of what they perceive to be a controlled environment, but I think the public very much see the public transit system as something we should manage on their behalf.

Ms Buck: Of course they do but if you do not ask them you are not going to know where that balance is struck. Perhaps we could ask for the results of that survey to be shared with us.

Q387 Chairman: That would be very helpful. Could you send that to us?

Mr Burton: We will do.

Chairman: Thank you very much. Mr Davies has a question on the Oyster scheme. I should declare I have an Oyster card.

Ms Buck: So do I.

David Davies: I think my question was probably answered by something that the gentleman said. It was to do with the number of requests that the Police had, so I am content.

Q388 Chairman: Before I release you all, I have a question on the practical measures adopted by my local health authority. When a constituent comes to me and asks about the length of time it takes for him to get an operation, for example he wants an earlier date, I would write to my local health authority and expect to get the information back. They have now adopted the practice of writing back to me and sending a consent form for me to send to my constituent in my constituency to sign and for it to be returned to me and then returned to the health authority. Do you know what the practice is with different local health authorities because I would have thought it was implicit that when a constituent walks in and sees a Member of Parliament that they have given consent for the MP to write.

Mr Jeavons: The answer is I do not know what the practice is across local authorities. I am quite happy to look into that though and provide a note.

Chairman: I do not know what other Members have found.

David Davies: It is good question.

Bob Russell: It sounds like a Leicester problem. It does not affect me.

Q389 Chairman: I think we are all nodding in agreement and chuntering and saying this happens to us, too, so if you could find out that would be very helpful. It may be an attempt to delay matters so that the operation takes place before the answer is given, but who knows.

Mr Jeavons: I could not comment.

Chairman: Mr Jeavons, Dr Hickey, Mr Wright and Mr Burton, thank you very much for your evidence today.

Memoranda submitted by the Ministry of Justice

and Her Majesty's Chief Information Officer

Witnesses: Ms Clare Moriarty, Constitution Director, Ministry of Justice; and Mr John Suffolk, Government Chief Information Officer, gave evidence.

Q390 Chairman: We now welcome to the dais Clare Moriarty from the Ministry of Justice and Mr Suffolk who is the Government Chief Information Officer. Thank you for coming to give evidence to us today. If I could start with you, Ms Moriarty, the Ministry of Justice we are told "holds the ring" across government in terms of data protection and data-sharing. How does this work in practice as far as day-to-day issues are concerned?

Ms Moriarty: The Constitution Directorate within the Ministry of Justice is responsible for rights and democracy issues, and as part of that we lead the Government's domestic, European and international policy on data protection and data-sharing, and as part of that we are responsible for the operation of the Data Protection Act. As the volume of data that is collected and shared increases that obviously creates opportunities for crime prevention, for tackling social disadvantage and for improving public services. What we have to do is to ensure that as we exploit those opportunities that they are balanced against the need to protect people's privacy. The responsibility for privacy aspects of individual policies rests with the departments responsible, as obviously you have seen in the evidence you have already had today. Our responsibility as the Ministry of Justice is to work with departments to ensure that they remain compliant.

Q391 Chairman: So you advise them?

Ms Moriarty: We advise them.

Q392 Chairman: And on a European level you take the lead?

Ms Moriarty: On a European level, if they are individual policies, they will take the lead. We lead on negotiating general instruments.

Q393 Chairman: And then you will come back and give advice to other government departments?

Ms Moriarty: Yes, and particularly on European and international issues we have created a group of interested departments and we work with them on data protection and data-sharing issues.

Q394 Chairman: Do you act as arbiter between departments if one department is keen to get information from another and they do not want to give that information? Would you step in and advise?

Ms Moriarty: What we would do is work it through with the departments. The critical issues to be looked at are: is there a purpose for sharing information; do the powers exist to share the information; is any intrusion on privacy proportionate to the benefits that will be gained from sharing the data; and is the data going to be adequately protected in terms of the principles underlying the Data Protection Act? Essentially that is a set of issues to be worked through. Where there is more than one department involved we would help them work through those issues so that they reach an agreement.

Q395 David Davies: One specific question on this - and I have been trying to find out the information for some time without much success - and that is whether or not the Department for Work and Pensions accesses databases used by the Ministry of Justice effectively in order to find out whether people claiming benefits are actually on the run from open prisons. You might think it is so glaringly obvious whether that can happen and yet when I have written to the Ministry of Justice, or its previous incarnations, I have not been able to get a clear response. Do the Department for Work and Pensions check a database, presumably in the Prison Service, of those who have walked out of open prisons to ensure that they are not accessing benefits? There are thousands of people on the run and they are not all living in the woods eating squirrels and wild berries.

Ms Moriarty: The straightforward answer to that is I do not know. The individual arrangements that the Ministry of Justice makes would be owned by individual parts of the Ministry of Justice. If you would like me to take that away and try and find an answer ---

Q396 David Davies: Would you? That would be great. You will have more success than I have had.

Ms Moriarty: Hopefully.

Q397 Chairman: I think, Ms Moriarty, that you just have to go next door, do you not, somewhere in Selborne House the answer must be there?

Ms Moriarty: Somewhere in Selborne House the answer certainly should be.

Q398 Bob Russell: Mr Suffolk, two relatively brief questions. I understand that part of your role involves enabling "public service transformation through the strategic deployment of technology". What do you see as the most significant developments in technology from the point of view of delivering public services? Linked with that, how do you fulfil this role across government, if at all?

Mr Suffolk: The first part of the question first. Without a shadow of a doubt I think technology is moving at its fastest rate ever, it is accelerating away. I think there are three key developments that are going on on a worldwide basis which clearly impact in terms of the UK public sector. The first thing is the web/the Internet is underpinning most major economies and most successful businesses. Most things are something to do with web-based transactions. The second thing that is happening is everything to do with communications - the way we use mobile phones, our fixed lines - is blurring and everything is coming together in a converged approach. The third thing that has happened ever since technology has been invented is it is getting smaller. When you put those things together what is happening is that every technology and every system is available where you are when you want to use it and that fundamentally is changing citizens' outlooks and customers' outlooks in terms of what they see as the normal service that they expect. It is not a service for our convenience; it is a service for their convenience, and those things are happening in every walk of life. That is where I see the big technological changes coming, the whole Internet, the whole convergence of technology, and wherever you are technology is moving, as we have heard in this room this morning, with mobile phones, et cetera.

Q399 Bob Russell: Mr Suffolk, there are a lot of people out there who are technology challenged and I do represent the technology challenged. Where do we fit in in this great brave new world?

Mr Suffolk: I think that is a very good question because we do sometimes lose sight of the fact that the Internet in terms of the UK has just over 60% penetration and so not everybody does use the Internet, but it is not necessarily the people that we would think about. There are some people who do not have access to that technology. Our starting point in terms of technology is first of all what problem are we trying to solve or what is it that citizens want. Then we are looking for what solutions best solve that problem. Therefore our belief is - and this is the work we are doing with David Varney as part of the Transformational Government strategy - that one route for dealing with citizens is not acceptable. Some citizens will always want face-to-face service; some will want telephone services; some will want Internet; some will want all three. Therefore it is very important that we do not disenfranchise any section of the population by going down one particular route.

Q400 Bob Russell: So I can be satisfied that I as the technology challenged Member of Parliament for Colchester will not be discriminated against?

Mr Suffolk: Absolutely.

Q401 Bob Russell: Thank you. How does the CIO Council ensure that where possible technology-based systems are not duplicated? How is information on the development of systems shared across government?

Mr Suffolk: One of the processes I have put in on the CIO Council is a process called the champion/challenger process. It is fair to say that the public sector has vast amounts of technology and we do not always see where that great technology is and we run the risk of reinventing the wheel which increases risk, increases cost, and slows our time from a citizen outcome perspective. The champion/challenger process is a very simple process. Anyone can nominate a champion. Let me give you an example. The Government Gateway, where we have 12 million citizens and businesses registered so they can get access to government services - someone can come along and say, "I believe that is a champion asset." Anybody can come along and say, "No, I think I have got a better one," and therefore it is quite democratic in terms of the way we do this. An evaluation process occurs and the best product will commence. The rule is quite simply this: if you cannot beat it, you should join it. It is a peer-based review, it is very democratic, it does not take a long time to do, but the objective is to begin to coalesce the systems and technology that we have already in the public sector that we can continue to invest in and protect and support without having to go through connecting 23 different systems together. That is a long-term activity but it is also the right way of doing things. The CIO Council runs that process.

Bob Russell: Thank you, Chairman.

Chairman: Thank you very much, Mr Russell. Gwyn Prosser?

Q402 Gwyn Prosser: Mr Suffolk, one of the strands of the Transformational Government Strategy, as you know, is shared services and common infrastructures, which includes a reduction in the number of computers storing data and networks, et cetera. It seems on the face of it perhaps a logical progression but we have heard from a committee of Dutch experts that their recommendation in their country to move towards a single clearing house for data was met with huge opposition on the grounds that greater centralisation could result in a greater threat to security. What is your view? Where is the balance to be struck?

Mr Suffolk: I think you are absolutely right; there is a balance to be struck. First of all, I think it would be nonsense to assume or even think about a central database and a central clearing house. The UK public sector is more advanced than many countries because we have been doing joined-up technology for years. The oldest computer system that I know in the public sector is 33 years old on 1 April 2008, which is the Police National Computer, and therefore we work at a national scale, and when you work at a national scale I think to continue to put more eggs in a single basket is a foolhardy approach. You are absolutely right when you say that some of the best ways of protecting data are to say that this data has a specific purpose, the purpose is clear in terms of all parties, and therefore we can put protection around that specific purpose in terms of only the people that need legitimate access to that data can access that data. The more and more we put it into large databases where more and more people have access to it, it becomes more complex. I think there is a balance to be struck, but clearly what we want to avoid doing is creating yet another large-scale citizen database when we have a number of those already because that would not be a wise thing to do.

Q403 Gwyn Prosser: Ms Moriarty, the passage of the Serious Crime Bill represents a good example, some people say, of cross-government working on data-sharing. If that is your view, what was done right during that exercise which made it such a success and what could the Ministry of Justice learn from the exercise?

Ms Moriarty: It is a very good example because fraud as a crime is obviously an area where information sharing can be of great benefit. What was specific about the Serious Crime Act was that the information that needed to be shared was relatively sophisticated and relatively sophisticated arrangements because of the nature of fraud as a crime, and that meant the protections that needed to be in place were also more complex than in some areas. What happened with that piece of legislation was the Ministry of Justice worked very closely with the Home Office in framing the legislation which provides a legal gateway through which public authorities can share data in order to prevent fraud. There was a lot of discussion between the two departments and with the Information Commissioner on exactly what was the best way of achieving the policy objective. As the legislation went through Parliament there were a number of changes made, particularly the introduction of the requirement for a Code of Practice. It is a good example of spotting the issue, working together between departments and with the Information Commissioner to find the best way of addressing that issue, making sure that we have the right powers in place to do it and also listening to the views of Parliament and being prepared to make amendments as the legislation goes through.

Q404 Gwyn Prosser: How will the Ministry of Justice work with the Information Commissioner to take forward the Framework Code of Practice for Sharing Personal Information?

Ms Moriarty: The Information Commissioner has published the Framework Code of Practice and we very much support that as a way of encouraging public authorities to develop Codes of Practice and giving them a template to work with. We will be working with him and with the public authorities as they develop their Codes of Practice.

Q405 Margaret Moran: You will be aware that the Varney report referred to engaging citizens, businesses and the private sector in both the design and delivery of services. Referring specifically to Clare at this moment, how can you assure citizens that the data-sharing that requires is done in such a way that gives them confidence to be able to access those services? Is it not true to say that a great deal of what is good in Transformational Government is data sharing by stealth, in other words local authorities, for example, are doing some of this Transformational Government public service delivery but they do not want to tell anybody because the data-share rules are so obscure?

Ms Moriarty: To take the first part of the question, public trust and confidence is one of the biggest challenges that we face. We know from research which Ipsos MORI did that the vast majority of people want to see more sharing of information in order to produce better and more joined-up services provided that the right controls are in place around the data. The Information Commissioner published his tracker survey last week and that showed us that people are very concerned that their data is properly protected and they are very concerned about the sorts of things that might happen to it. We are not seeing a huge groundswell of people who are really concerned that organisations are not looking after their data properly but they do feel they are losing control over their data and they want more reassurance that the legislation and the operational practices are going to provide, and are going to continue to provide, adequate protection. That is why, while we are confident that the basic architecture of the data protection, data-sharing system is robust, we have to keep looking at it as the technology moves on, as people's expectations move on, so we need to be making sure that it is constantly up-to-date. That is something we do all the time internally and we have also recognised the need to have some independent input to that process and that is why we have set up the independent review which Richard Thomas and Mark Walport are going to lead looking at the use of information in both public and private sectors.

Q406 Margaret Moran: I also mentioned the fact that people are doing data-sharing by stealth in the public sector.

Ms Moriarty: I am not aware of any detail about that.

Q407 Margaret Moran: Local government?

Ms Moriarty: Broadly speaking, as I said, the Framework is that there has to be a purpose in order for data-sharing to take place, there have to be the correct powers in the place, there has to be an assessment of the proportionality and the data has to be properly protected. As long as all of those things are in place then it is reasonable for people to share data, but if they are sharing data without the powers then that is something which is an issue that we need to take up with them and the Information Commissioner.

Q408 Margaret Moran: Perhaps you would like to comment on that, John, but can I ask you particularly, what is your role in ensuring that government departments do engage with the public when they are developing Transformational Government services and sharing personal data? Could you comment on the fact that when we spoke to the head of the Social Inclusion Unit recently she made the comment that the issue around data-sharing and privacy is very much a middle class concern rather than a concern of those who need those services at the frontline.

Mr Suffolk: Thank you. There are three points there. The first one is that I am not aware of anyone sharing data on stealth. The question was asked if we sometimes get in and arbitrate deals with departments and the answer is, yes, we do and frequently that comes around people's interpretation of "Do I have the powers to data-share?" All of my experience when I work across local and central Government is that people are very conscious in terms of data-sharing, very conscious in terms of do they have the powers and do they have a legitimate purpose. I am absolutely not aware of anything occurring by stealth, as Clare has already said. If we knew that then we would go in and work with the teams and understand why that has happened.

Q409 Margaret Moran: Do you talk to SOCA teams?

Mr Suffolk: I am very happy to take to SOCA and I will take it up with our colleagues in SOCA. In relation to the second point, which was engaging citizens to understand what they want, as part of the Varney work in terms of Transformational Government, which is putting the citizen at the heart of what we do, we have created a thing called the Customer Insight Forum and the objective there is to share information about what citizens' wants, needs, likes and dislikes are because, of course, citizens come to us in different guises and that is why we have created things like Customer Directors, one for old people, one for farmers, and of course you could be an older person and a farmer. The purpose there is to say, "Let's look through the eyes of the citizen and understand what their need is and what the best way of delivering that need is." It is fair to say historically that we have not always been as good as we could have been in terms of sharing that insight, hence why we created the Customer Insight Forum and why we have positioned that knowledge, that information, at the heart of the way that we do service design. We are absolutely conscious in terms of we have to look at it through the eyes of the citizen and we have the processes on board in terms of doing that. Your point about data-sharing and security being a middle class view, I have heard that said before and those who want a benefit would say, "Guys, share my data to give me the benefit". Our starting point is really quite simple: what is it that we are trying to do with the citizen, what is their need? If their need, for example, is giving benefits quickly then the systems and the programmes that we have designed are around fulfilling that requirement. We never look at this from a one-size-fits-all point of view in terms of, "Here is an approach which will apply to all walks of life", it fundamentally does not work that way. Customer insight mapped on to what is the purpose and what problem are we trying to overcome from the citizen's perspective should drive whatever solution and technology that we put in place.

Chairman: The final question is from James Clappison.

Q410 Mr Clappison: Could I ask you both if you would comment separately from your points of view to tell us if you track trends and new developments relating to data-gathering and data-sharing? One example which has had a bit of publicity in the past is the use of loyalty cards which give businesses a great deal of personal information about shopping habits and, perhaps even more topically, the growth of social networking websites, which the younger generation know all about but I have got to say I do not know all that much about.

Ms Moriarty: From the Ministry of Justice, we work with all government departments who in turn work with the various sectors that they connect with, so within each sector departments will be gathering information and looking at trends. We also work closely with the Information Commissioner. We have complementary roles. We are in charge of setting the Framework, he is in charge of regulating it and, obviously, as the regulator he can gather evidence about all the sorts of issues that are coming up, and certainly social networking forums is one of the issues that he has identified and he is working on guidance to make sure that people understand the basis on which they are giving their consent, that they know what might happen to the data. It is something where we work, as part of our work across Government, with departments and the Information Commissioner.

Q411 Mr Clappison: From your point of view, given the difference of roles between yourself and the Commissioner, have you seen anything in trends in the social networking sites, some of which are obviously well-known, which concern you or are of interest to you?

Ms Moriarty: It is one of the issues that make us aware that we constantly need to be looking at the Framework to make sure that it is up-to-date, and that is something we would expect the Thomas Walport review to be looking at because it covers the crossover between the public and private sector.

Mr Suffolk: We certainly do track all of the social networking and the trends in terms of what people are doing and we do this for a number of reasons. The first reason is in terms of what are people's perceptions in terms of security and personal privacy. We ran the Get Safe Online Week last week and all the research is telling us that still we have 20% of people who use technology on the Internet who do not have basic protection. Of the 80% who do, 50% do not keep it up-to-date. When you translate that on social networking, those behaviours are often translated as well, so people do give out their date of birth and personal information which, of course, is a primary cause and stimulus from an identity theft perspective. Often we track the technology from the basis of how are people using those technologies and what does it tell us in terms of their propensity to secure themselves or not to secure themselves. Also, if you take something like mySpace, one of the bigger social networking sites, the amount of users on that is equivalent to the eleventh largest country in the world. It fundamentally begins to tell you how the world is shifting in terms of how people treat technology and how they expect service providers and governments to deal with them from a technological perspective, and we track it in that context in terms of what is the norm in terms of the way we are doing business and what are the consequences of doing business in that way.

Q412 Mr Clappison: Could I ask on a slightly separate subject if there are any lessons you think the Government can learn from the private sector in terms of harnessing IT capability?

Mr Suffolk: We partner extensively with the private sector and much of what we do from a technological perspective is outsourced to the private sector. Clearly we are working at a scale which is much bigger than the private sector from the number of countries that we deal with, because we operate in 148 countries now, and we work at a level of security the private sector would not need to worry about because we have to protect loss of life, witness protection, domestic violence, et al. Where I think the private sector is exceptionally good is how do you create customer facing worlds that absolutely map on to their hopes, their aspirations and their requirements in a quick way and, therefore, there is always learning that we look to take from the private sector. We also work extensively with every major supplier from around the world because, rightly or wrongly, I have a belief that somebody somewhere in the world has cracked most of the problems, we just do not know where they have cracked them. One of the roles that I am more used to is to act as a kind of data agent where someone says, "I have a particular problem, do you know somebody with a solution?" and often those solutions exist somewhere under a different banner in health or education and we try and match those two up.

Q413 Margaret Moran: A small but practical question. I recently visited my CCTV hub in Luton and they have been the subject of some publicity because a beating up in the town centre was relayed on to YouTube, I believe. What mechanisms are there to retain the privacy of that data through the whole process so that both the victim and those who are the alleged perpetrators are not identified and, indeed, the integrity of the criminal justice system is not jeopardised?

Ms Moriarty: That is obviously a misuse of data because the data collected by the CCTV cameras is not intended to be used for those purposes, so there is a breach of data use there. We have a system for regulating compliance with the Data Protection Act. One of the things we have recently done is to change the penalties for wilful misuse of data because the Information Commissioner gathered evidence that the penalties were not ---

Q414 Margaret Moran: I am talking about the process, the trail of that.

Ms Moriarty: The trail of process?

Q415 Margaret Moran: The data is shared across a number of actors within the criminal justice system from the CCTV operator to it ending up on YouTube, but there were a lot of actors in-between.

Ms Moriarty: It depends on what data-sharing arrangements are in place, but the data-sharing arrangements all have to be governed by the provisions of the Data Protection Act, so there has been a breach and if it is a breach which is significant then that is something which needs to be investigated and, if necessary, prosecuted.

Mr Suffolk: If I could just come in there. It really comes down to what Richard Jeavons said this morning. The more and more that the technology becomes sophisticated, we absolutely will be able to find people who are getting access to systems and using information illegally. In that instance where clearly they have breached the Data Protection Act by taking data and using it for a purpose that it was not intended, there will be audit logs in terms of who had access to those systems. My belief is that we have to execute that review process to find out what went wrong in a situation like that and learn those lessons because it is clear that is not what should have occurred.

Chairman: Mr Suffolk, Ms Moriarty, thank you very much for giving evidence today. We have almost concluded our evidence for our report into the Surveillance Society. Our next evidence session on this will be on 11 December when ACPO and the Minister at the Home Office, Tony McNulty, will be giving evidence.