United Kingdom Parliament
Joint Committee On Human Rights Fourteenth Report


4 Data protection in Government

Role of the data protection minister

22. Departmental responsibility for data protection rests with the Ministry of Justice. According to the Ministry of Justice's website, the department is "responsible for data protection and data sharing, both domestically and representing the UK's interests internationally" and "develop[s] policy that strikes a balance between the many benefits of public organisations sharing information and maintaining and strengthening safeguards and privacy".[23] "Data protection and data sharing" is one of 13 issues for which Michael Wills MP, Minister of State at the Ministry of Justice, is responsible, along with human rights, freedom of information, constitutional renewal (excluding Lords reform) and devolution.[24]

23. We were surprised to discover that Mr Wills had only found out about the loss of child benefit data when the Chancellor of the Exchequer made his statement on the subject to the House of Commons.[25] Mr Wills said:

I would think it is perfectly reasonable for me not to be informed the moment that something like this happens … I think the first thing the responsible officials and ministers had to do was to try and sort out what is clearly a very serious problem indeed. I would expect to be informed in due course and when it was helpful for me to be so informed, and that was the judgment that those ministers and officials obviously took.[26]

24. Mr Wills went on to explain that he was responsible for overseeing the data protection legislation and did not have a role in relation to specific breaches of data protection:

My responsibility is not for stopping any breaches of data protection personally, individually or even corporately within the department wherever and whenever they may occur. What this department is responsible for is the construction of a proper legislative apparatus which has proper protections in place.[27]

Departments have "operational independence" to implement their own data protection arrangements, within the legal framework maintained by the Ministry of Justice, explained the Minister: "we are not policemen in this department".[28]

25. Having heard the Minister's comments, we are concerned that the role of data protection minister is far too limited, being related exclusively to the maintenance of the legislative framework for data protection. It is clearly sensible to require Government departments to take responsibility themselves for abiding by the Data Protection Act, but we would expect there to be a degree of inter-departmental co-ordination to share best practice and help deal with the fall-out from significant breaches of data protection by departments. We heard no evidence that any co-ordinating activity of this sort is currently carried out: if it is, then the data protection minister is not involved.

26. We recommend that the role of data protection minister should be enhanced. In addition to overseeing the data protection legislation, the data protection minister should have a high-profile role within Government, championing best practice in data protection and ensuring that lessons are learnt from breaches of data protection.

Promoting data protection and human rights in Government

27. We commented earlier on the importance of ensuring that public sector staff who handle personal data are fully aware of the requirements of data protection legislation.[29] On this point, Mr Wills said:

There are always two dimensions to any kind of security issue. One is the technological apparatus and the framework within it but also you have to have the right sort of culture … There was no question that if people had the idea of the right to privacy burning in the forefront of their minds we would have a far smaller number of these sorts of revelations and these sorts of deplorable breaches.[30]

We share the Minister's view. Recent breaches in data protection appear mostly to have resulted from human error and procedural lapses rather than technological problems. However, it would be wrong to see these errors and lapses as unfortunate "one-off" events. In our view they are symptomatic of the Government's persistent failure to take data protection safeguards sufficiently seriously by defining data sharing powers more tightly in primary legislation and including detailed safeguards against arbitrary or unjustified disclosure. The rapid increase in the amount of data sharing has not been accompanied by a sufficiently strong commitment to the need for safeguards. The fundamental problem is a cultural one: there is insufficient respect for the right to respect for personal data in the public sector.

28. Following lapses in data protection by Department of Transport agencies, the permanent secretary of the Department of Transport wrote to senior officials "drawing their attention to current guidance on the application of the Data Protection Act. That includes the main principles of the Act, information on handling personal data appropriately, and the role of the Information Commissioner".[31] We are surprised, and disappointed, to find that senior public officials need to be reminded of the main principles of the Data Protection Act. The Information Commissioner said about the permanent secretary's letter:

I do not think I am depressed; in many ways I welcome it, because we have been trying to say the same things for many months and years, and to be able to have our message understood in terms of what can happen when things go wrong is perhaps not unwelcome.[32]

He added that he was concerned that awareness of data protection in Government might not be sustained and that it was "hugely important" to keep up momentum so that "personal information is treated just as seriously as cash inside a public authority".[33]

29. We asked the Minister about the action being taken to ensure that the safeguarding and promotion of human rights, including data protection, was central to the work of all civil servants. Mr Wills replied:

Are you saying that we should have done more to mainstream human rights? Of course we should be doing more. The work continues. That is why we have human rights champions in every single government department at grade 3 official level or above … the whole process of mainstreaming is going to take years, and in this particular case it is quite obvious that we need to do more.[34]

30. Staff at grade 3 level are very senior departmental managers, likely to have had little direct involvement with service delivery at the front line for many years, if ever. To be effective, they have to make all their front-line staff aware of the need for a human rights-based approach to their work. In response to our concern about this, Mr Wills said:

Service delivery is fundamental. That is precisely why we have set up this network of human rights champions throughout Whitehall, so it is mainstreamed right through into service delivery. We have to get it to the front line, absolutely right, and this is the start of that process … we are taking action and we will continue to push on this.[35]

31. We asked the Information Commissioner about his contacts with the human rights champions in Government departments. We were surprised to find that he was entirely unaware of this network. He said "I do not think I have had a meeting in my five years with a human rights champion as such".[36] Jonathan Bamford, Assistant Information Commissioner, said that he "was not aware that there were human rights champions that also dealt with data protection".[37]

32. During our oral evidence session with the minister on 26 November 2007 we asked for further details about the work being done to ensure human rights were an issue of mainstream concern in Government departments. Mr Edward Adams, head of the Human Rights Division at the Ministry of Justice, said:

In the follow-through of the human rights programme each department will obviously have the overall responsibility for mainstreaming human rights within their own business and have an action plan for the delivery of in-house training and guidance to their own front-line staff … I hope that in future times when the Minister comes back we will have generated much better examples of how it is bedded in the process of the service delivery by front-line staff because it is certainly an aspect of the areas upon which departments are now increasingly concentrating.[38]

33. Following up these comments, we asked to be sent a human rights action plan but were told by the Minister:

The action plans are for my Department to use when communicating at official level with other Government departments to discuss the development and implementation of training and guidance requirements, including dissemination of best practice and distribution of MoJ generic human rights guidance. The action plans are not intended for wider circulation as they are only for internal reference.[39]

34. It is clear to us from a great deal of our work, and in particular recently our inquiries into human rights of older people in healthcare and adults with learning disabilities, as well as from this inquiry, that human rights are far from being a mainstream consideration in Government departments. The Minister has identified the cultural barrier to ensuring that personal data is adequately protected by the staff who handle it, but much more needs to be done to tackle this problem successfully. We have so far seen no evidence that the human rights champions in departments have made any impact, particularly in relation to front line staff. We will continue to scrutinise their work carefully.

35. We await the outcomes of the various reviews of data protection with interest. We expect the Government to keep us informed about its proposals for reform in this area. We recommend that, in its responses to the reviews, the Government should acknowledge the close connection between data protection and human rights; and explain how it proposes to ensure that a culture of respect for personal data is fostered throughout Government.

Role of the Information Commissioner

36. In his oral evidence, the Information Commissioner said "that the protection of personal information has not been taken as seriously as, in my view, it should be" and that there had been evidence of "indifferent or even begrudging attitudes towards data protection". He went on to say that "this may have manifested itself in the powers available to my office, and also the resources available for my office".[40]

37. Mr Thomas suggested that recent events, particularly the loss of child benefit data, had led to a "very, very sharp turn-around in attitudes" towards data protection.[41] He went on to add that "it should not take a train crash to prevent casualties on the railway; but we have had a train crash and that has served as a wake-up call".[42]

38. Shortly after the announcement to the House about the loss of child benefit data, the Prime Minister announced that the Information Commissioner will be given "the power to spot-check Departments, to do everything in his power and our power to secure the protection of data".[43] In its written evidence, the Information Commissioner's Office said:

The Commissioner has asked for additional powers for his office, in particular the power to inspect the processing of personal data without a data controller's consent. In response to the recent HMRC security breach the Government has agreed that he should have this power at least in relation to processing by Government departments. Provided he receives sufficient funding, the ICO's involvement in inspection should help provide reassurance to the public that their information will be handled safely and securely.[44]

39. We see the Information Commissioner as an important defender of human rights in relation to data protection and freedom of information. His office should be regarded as an important part of the national human rights machinery. We support proposals to enhance the Commissioner's powers and the resources at his disposal to ensure that he can discharge his responsibilities more effectively.

PRIVACY IMPACT ASSESSMENTS

40. The Information Commissioner told us about the privacy impact assessment handbook which his office had launched in December. Privacy impact assessments are intended to ensure that privacy concerns are systematically identified and addressed at an early stage in a project's conception, rather than "'bolted' on later as an expensive and inadequate afterthought".[45] The Information Commissioner said he had brought this initiative to the attention of Sir Gus O'Donnell's review of data security across Government and was also receiving support from the Ministry of Justice.[46] We support initiatives to ensure that data protection issues are dealt with at an early stage in the planning of Government projects, including legislative proposals. We intend to scrutinise how privacy impact assessments are used in practice.

National Identity Scheme

41. Our predecessors published two Reports on the Identity Cards Bill in the last Parliament and we published a further Report on the Bill in 2005 before it finally reached the statute book.[47] The main focus of these Reports can be summarised as follows:

The difficulties of human rights compliance in this Bill relate not to the issue of ID cards, either on a voluntary or a compulsory basis, but to the related provision for the gathering, storage and in particular the disclosure of personal information as part of the National Identity Register to be established under the Bill.[48]

42. The Identity Cards Bill was an enabling provision and the details of the scheme will be set out in secondary legislation. Our predecessors expressed their concern that the opportunity for parliamentary scrutiny of the human rights compatibility of the identity cards scheme will therefore be limited.[49] They also drew attention to the scale of the personal information which may be held on the National Identity Register.[50]

43. The Information Commissioner told us he had been "consistently sceptical" about the database aspects of the project and that he still sought "absolute clarity as to the rationale and purpose for the identity card scheme". He went on to add that:

it is one thing to collect basic identity information - name, address, date of birth and so on; but if one is going to record details of every time that card is used or every time that card is passed through a reader of some sort, one then begins to build up a very detailed picture of the daily lives of citizens … That does go to the heart of the relationship between state and citizens.[51]

In addition, he said he was concerned with issues such as who had access to the data on the database, and under what circumstances, and the purposes for which data was collected and used.[52]

44. We share the concerns expressed by the Information Commissioner about the National Identity Register, which also mirror the views of our predecessors in their work on the Identity Cards Bill. Identity cards do not in themselves raise issues of human rights compatibility. The creation and maintenance of a national identity database, however, must involve safeguards, both to ensure that the information which is collected is proportionate to the purposes for which it is required and to limit access to data to those who need it.

45. We received a letter from a number of academics specialising in IT security who claimed that the Government's confidence in biometric security was "based on a fairy-tale view of the capabilities of the technology". In this inquiry, we have not tested their view of the effectiveness of biometric technology in limiting the impact of human error. In the light of recent events, however, they argued that the use of the most advanced technology available would not necessarily prevent human error causing lapses in data protection:

Biometric checks at the time of usage do not of themselves make any difference whatsoever to the possibility of the type of disaster that has just occurred at HMRC. This type of data leakage, which occurs regularly across Government, will continue to occur until there is a radical change in the culture both of system designer and system users. The safety, security and privacy of personal data has to become the primary requirement in the design, implementation, operation and auditing of systems of this kind.[53]

46. The Minister told us "we obviously are going to have to look at the National Identity Register again" following the loss of child benefit data and that the Government "will have to learn the lessons".[54] The Information Commissioner suggested that, when it came to concerns about the national identity scheme, Ministers were "listening to us a great deal more actively and more seriously in the last month or so than before".[55] When we asked the Minister about reviewing policy for the National Identity Register, he said:

I did not in my evidence make any commitment myself to review this project. My colleagues in the Home Office will of course be taking into account any developments that may influence the implementation of the National Identity Register, including issues relating to data protection.[56]

47. Recent breaches in data protection by Government departments do not encourage us to feel confident about the security of data collected as part of the National Identity Register project. We intend to take a close interest in the Government's detailed proposals for the National Identity Register as and when they emerge.


23   http://www.justice.gov.uk/whatwedo/datasharingandprotection.htm as at 24 February 2008.

24   http://www.justice.gov.uk/about/wills.htm as at 24 February 2008.

25   Q5.

26   Qq9, 12.

27   Q17.

28   Q24.

29   Paragraph 21.

30   Q26.

31   HC Deb, 17 Dec 07, c625.

32   Q137.

33   Ibid.

34   Q18.

35   Q21 and see Q70.

36   Q138.

37   Q139.

38   Q67.

39   Appendix 3.

40   Q112.

41   Q123.

42   Q137.

43   HC Deb, 21 Nov 07, c1179.

44   Appendix 2, paragraph 10.

45   Ibid, paragraph 11-13.

46   Qq164-66.

47   Fifth Report, Session 2004-05, Identity Cards Bill, HL Paper 35, HC 283; Eighth Report, Session 2004-05, Scrutiny: Fourth Progress Report, HL Paper 60, HC 388 (hereafter Eighth Report); First Report, Session 2005-06, Legislative Scrutiny: First Progress Report, HL Paper 48, HC 560.

48   Eighth Report, paragraph 1.3.

49   Ibid, paragraph 1.5.

50   Ibid, paragraphs 1.6-1.13.

51   Q169.

52   Ibid.

53   Appendix 1.

54   Q32.

55   Q173.

56   Appendix 3.


 

© Parliamentary copyright 2008
Prepared 14 March 2008