UNCORRECTED TRANSCRIPT OF ORAL EVIDENCE
To be published as HC 132-ii
HOUSE OF LORDS
HOUSE OF COMMONS
MINUTES OF EVIDENCE
TAKEN BEFORE
JOINT COMMITTEE ON HUMAN RIGHTS
DATA PROTECTION AND HUMAN RIGHTS
Monday 14 January 2008
MR RICHARD THOMAS and MR JONATHAN BAMFORD
Evidence heard in Public Questions 109 - 178
USE OF THE TRANSCRIPT
1. This is an uncorrected transcript of evidence taken in
public and reported to the House. The transcript has been placed on the
internet on the authority of the Committee, and copies have been made
available by the Vote Office for the use of Members and others.
2. Any public use of, or reference to, the contents should
make clear that neither witnesses nor Members have had the opportunity to
correct the record. The transcript is not yet an approved formal record of
these proceedings.
3. Members who
receive this for the purpose of correcting questions addressed by them to
witnesses are asked to send corrections to the Committee Assistant.
4. Prospective
witnesses may receive this in preparation for any written or oral
evidence they may in due course give to the Committee.
Oral Evidence
Taken before the Joint Committee on Human Rights
on Monday 14 January 2008
Members present:
Mr Andrew Dismore, in the Chair
Dubs, L
Lester of Herne Hill, L
Morris of Handsworth, L
Onslow, E
Stern, B
John Austin
Mr Virendra Sharma
Mr Richard Shepherd
Dr Evan Harris
Witnesses: Mr Richard Thomas, Information Commissioner,
and Mr Jonathan Bamford, Assistant
Commissioner, gave evidence.
Q109 Chairman: Good afternoon. This is our opening session on data protection and human
rights. We are joined today by the
witnesses Richard Thomas, who is the Information Commissioner, and Jonathan
Bamford, who is the Assistant Commissioner.
Do either of you want to make any opening remarks, or do you want to get
straight on to it?
Mr Thomas: Thank you,
Chairman. Can I just say just a very
few words to very much welcome the interest of this Committee in the subject of
data protection. Clearly, there are
very close linkages between the human rights agenda and data protection
issues. I think I would like to make an
opening point that recent events have accelerated a trend whereby privacy and
the protection of personal information is moving from the margins to become a
key factor in safeguarding the interests of individuals, but also in raising
reputational risk issues, both political and commercial, from the point of view
of organisations holding personal information.
Much of this has been fuelled by an explosion of technological change,
whereby personal information is collected and used in ways now that create
challenges for all concerned, which perhaps have not come into focus
before. There is now a vast array of
storage means that are increasingly used to hold personal information, and this
presents challenges in managing that data that are multiplying all the
time. The data breaches which have
perhaps stimulated this current inquiry are really just one aspect that has
clearly placed the spotlight on data protection recently; but there are many
wider issues than just concerns about the security of data. These are challenges that are facing the
public and private sectors alike; it is not just a public sector issue. I think there are issues in terms of the
cultural approaches to data protection, governance and accountability issues,
and then various specifics in terms of how data breaches are to be handled, but
also in terms of the regulatory framework affecting the collection and use of
information.
Q110 Chairman:
Thank you for that snapshot. To what
extent do you see data protection and privacy as human rights issues?
Mr Thomas: Clearly, there are
very close linkages. Article 8 of the
European Convention affects us most directly in this country, and I take it
obviously that people are familiar with the language and interpretation of
Article 8. It is clear that the data
protection regime, currently the European Directive on Data Protection and the
United Kingdom Act of 1988 all flow from that fundamental concept of human
rights. If one looks at the preamble to
the European Directive, for example, and the debates at European level about
data protection, one sees a great deal of reference back to fundamental rights
and freedoms. Although one can argue
whether they are parallel or whether one somehow flows from the other, I think
there are clearly very close connections; and I think there is a widespread
recognition that data protection is a manifestation of the Article 8 right. Indeed, for organisations to understand and
follow the requirements of the data protection legislation, that is a practical
means to ensure that they are respecting the rights guaranteed by Article 8.
Q111 Chairman:
But does the Human Rights Act come into your work at all, or is it seen as
something parallel to one side?
Mr Thomas: It is very much a
context, Chairman. My own organisation,
of course, is a public authority and therefore we are bound to have reference
to the Convention rights in the discharge of all our responsibilities; but without
referring to the Human Rights Convention on everything we do - I would not want
to give that impression, but certainly we and those we talk to are aware of the
context in which the data protection legislation comes into effect in this
country.
Q112 Chairman:
Everybody always wants more value for their particular pitch, and that is
inevitable, but how have budgetary constraints impacted on everything that you
feel that you should be doing that you are not doing? Would it make any difference, for example, to some of the things
we have seen going on over the last few months?
Mr Thomas: Let us just say a few
words about resources, because I think it does go to the cultural point I made
earlier. I am concerned, certainly in
the past, that the protection of personal information has not been taken as
seriously as, in my view, it should be.
There has not been sufficient seriousness towards the integrity and
respect for personal information, which is needed, with some somewhat
indifferent or even begrudging attitudes towards data protection. I think this may have manifested itself in
the powers available to my office, and also the resources available for my
office. We are funded for data
protection by the fees that are paid by data controllers. This is quite different from the freedom of
information responsibilities I have, which are funded by grant aid from the
Government. They are separate revenue
streams, and we cannot use one to pay for the other. The grand total for data protection is about £10 million. That, in passing, is just over double the
budget for freedom of information - but that is a story, perhaps for another
day. However, £10 million for data
protection is not very much when you compare that to the funding available to
the Health and Safety Executive, which is £890 million, and the funding
available to the Financial Services Authority, which is £269 million. I could go on with other examples, but £10
million is really a very small amount to run a regulatory regime where we have
three different sorts of responsibilities.
We are there to promote good practice.
We are there to adjudicate on complaints, and we are there as policemen
to take enforcement with the limited powers that we do have, where people
require some sort of regulatory action.
For inspections and audits, we have very few staff indeed; we have just
a handful of staff for the entire country, with something like 280,000 data
controllers, private and public sector organisations that have notified that
they are processing personal information.
We can only carry out an inspection with the consent of an organisation,
so we do not have the power to demand to see what is going on inside the
organisation. We put a lot of emphasis
on giving guidance and helping organisations get it right. Our strategy is to do our very best to help
organisations understand and get a grip on what is required in terms of data
protection and help them to get it right, and then just take enforcement action
in those very exceptional circumstances where a minority are perhaps
persistently ignoring their obligations.
I do not wish to give the impression that you could double or quadruple
our resources and some of the problems of recent months would not have
happened. That is not the case. I am saying that we have a culture where
perhaps until very recently these matters have not been taken with sufficient
seriousness inside organisations.
Q113 Chairman:
If I were to put a specific point to you, is there anything that you feel you
should have done over the last few months that you could not do because of
resource constraints?
Mr Thomas: I do not think that
is the case, Chairman, that we could have done things differently. If we had more resource and more power, then
we might have done more in terms of checking that organisations were treating
security and other aspects with sufficient seriousness. In July of this year I published my annual
report to Parliament, and that was a set-piece occasion and I took the
opportunity with the annual report to sound a very clear warning about the
importance of taking security seriously.
I gave reference to a number of private and public organisations. In the public sector I referred to security
breaches that had occurred in bodies linked to the Department of Health, the
Foreign and Commonwealth Office where they had a problem with their website;
and in the private sector we have come across banks and other financial
institutions where there have been security breaches. I sounded quite a stark warning, saying this had to be taken
seriously. I was reflecting in part
developments in the United States, where there had been some major data
breaches, and recognising reputational problems that had occurred for
organisations if they had got it wrong.
The examples I gave and the language I used did generate a great deal of
press and other publicity at that time back in July. I did say then that it was a matter that had to be taken
seriously at the top of organisations.
I said that really this does require new attitude and new thinking, and
that that should be led from the top of organisations. It is sad that some four or five months
later we had the saga involving the loss of the disks with details of 25
million individuals on those disks, which were lost by HMRC, which has brought
the situation into sharper focus since I gave my warning in July.
Q114 Lord Lester of Herne
Hill: Obviously, data protection and freedom of information are two
sides of the same coin, which is why your office rightly deals with both. There is plenty of regulation so far as data
protection is concerned internationally - the Council of Europe and the
EU. On the freedom of information side,
the Council of Europe is negotiating a completely new convention. How influential is your office in Government
negotiations on, for example, the new Freedom of Information Draft
Convention? Are you consulted and are
your views conveyed in the course of negotiations, for example?
Mr Thomas: The short answer,
Lord Lester, is "no". This is a matter
for Government. The Ministry of Justice
is leading the discussions and negotiations, I believe, at that stage. To my knowledge, we have not been consulted
about any of the specifics arising out of the discussion. I am aware of the discussions and the
negotiations going forward, but I do not think that I or my office have
received any direct requests from the Ministry of Justice to assist in that
process. Having said that, we are not
slow to bring forward our views on a range of issues, and I am sure the
Ministry of Justice is familiar with our thinking on most of the issues. Of course, we have had experience of
administering the Freedom of Information Act now for three years - the third
anniversary has just passed - and there is no shortage of awareness as to our
attitude towards the legislation.
Q115 Lord Lester of Herne
Hill: Are you kept well informed about the state of negotiations so
that you can respond to that?
Mr Thomas: No, we are not. I make no complaint, but we are not
receiving regular reports.
Q116 Baroness Stern:
Can we move on to some questions now about your views of the Government's
record? Privacy International, I
understand, recently concluded that the UK has the worst record in Europe for
the protection of privacy. I think we
have been calling it "endemic surveillance society". Do you share that view; and, if you do, what do you think this
says about the importance the Government places on protecting this human right?
Mr Thomas: I do not share the
view of Privacy International in those terms.
I think theirs was an impressionistic survey. I was aware of what they were saying, but I do not think that anything
meaningful can be deduced by saying we are the best or the worst. I understood some of the issues they were
raising, and indeed I have raised some of those myself. In November 2006 we hosted the International
Conference of Privacy and Data Protection Commissioners world-wide, and we
commissioned a report for that on the subject of a surveillance society. We have already raised some questions about
whether we are sleep-walking into a surveillance society. That was a very comprehensive report, and
when it was published we said: "In some
respects we are quite closely monitored in this country; there are more CCTV
cameras per head of population than elsewhere; and there are more and more
databases. I referred in my opening
remarks to this Committee about the explosion in different methodologies to
collect personal information. We made
the point that perhaps there are aspects of a surveillance society, not in a
malign way - not in a way that one would associate with the tyrannies of
eastern Europe and elsewhere - but more and more information is being collected
by public and private sector organisations.
More and more information is collected from the electronic footprints that
each individual leaves every day in their lives in their dealings with
government, their financial transactions, their use of the Internet, their use
of telephones and mobile phones and so on.
We wanted to start a debate, and that was some 14 months ago
now. I think the debate has continued
ever since. I am delighted that both
the House of Commons Home Affairs Committee and the House of Lords
Constitutional Affairs Committee have both started inquiries into a
surveillance society, and we have given evidence to both of those. I think the debate is up and running
now. I think that some of the
predictions that were made in the report that we commissioned about life in the
year 2016, rolling forward ten years, did give people pause for thought. I do not think anything there was
undocumented. One could relate to every
prediction an example of something currently under consideration or under
development. If I could give you one
example, Baroness Stern, the report predicted that by the time of the London
Olympics in 2012, there would be flying drones, pilotless cameras in the sky -
they were dubbed "the friendly eye in the sky" - monitoring crowd control. That was predicted to be around by 2012;
well, in May 2007, just six months after the report was published,
Staffordshire Police were experimenting with such a drone at a rock
festival. Indeed, the manufacturers of
this drone said that it had the capacity to squirt "smart water" on those not
behaving themselves. It does raise
questions about how these cameras are to be regulated, in what circumstances
they should be deployed and what controls there should be. This is only at the very experimental stage,
but it is a good example of the ability of technology to keep people under
ever-growing surveillance, and things are happening even faster than had been
predicted in the report.
Q117 Mr Shepherd:
This follows from the evidence you gave to the Justice Committee and their
conclusions in their report earlier this month. One of them is that there is evidence of a widespread problem
with Government relating to establishing systems for data protection and
operating them accurately. In fact, you
have made reference to that. Where is this
problem? Is it at the top?
Mr Thomas: I think it is fairly
endemic, Mr Shepherd. This Committee, I
hope, will have seen the report published just before Christmas by the Cabinet
Secretary, Gus O'Donnell. That
documented the state of affairs across Whitehall departments. I think the responsibility for the
governance of personal information must lie at the top of an organisation; and,
indeed, when things go wrong reputations are at risk, but, as I said earlier,
commercial and political reputations, and therefore somebody needs to have very
clear responsibility for such matters as the rationale for collecting
information in the first place; how it is to be used - if it is to be shared
and, if so how; the importance of minimising data. It is not just about keeping it secure, but there are questions
about whether we are collecting too much in the first place, so data
minimisation is a very important theme; how you store information, when you
delete it, the security arrangements, the technical standards that are being
followed, how technology is used to provide safeguards - and there are various
techniques whereby you can harness technology in the interests of protecting
people. Hugely important equally are
communicating to your staff, the training programmes that you need, and then
arrangements for audit and reporting. I
am sorry it is a long answer, but I wanted to say that you need somebody at the
top to ensure the whole framework is being applied; but some of the specifics
need to be given responsibility somewhere else in the organisation. For too long data protection has been at the
middle or lower inside organisations.
Q118 Mr Shepherd:
It was just this point about the plethora of information that we are
doing. We are in an age, as you well
know, where governments demand the necessity for gathering the information for
public protection reasons or for the efficacy of its programmes. We can pass all the laws in the world, but
unless there is organisational competence and belief or commitment behind it,
it comes to nothing, as we have seen recently.
It is just the genteel and gentle way in which one deals with these
incredibly disturbing intrusions into the lives of the citizens of this
country. You have said that political
embarrassment does follow from it, but where is the accountability in any of
this system?
Mr Thomas: There are legal
obligations -----
Q119 Mr Shepherd:
But no-one has been prosecuted!
Mr Thomas: There have been a
few, but we have very weak enforcement powers, and by and large at the moment
our enforcement powers are limited to serving a notice saying, "Do not do the
same again". We have been putting
forward proposals for some time to the MoJ for our powers to be increased - our
powers to carry out inspections but also the powers - the need for sanctions,
particularly to act as a deterrent against serious, reckless or deliberate
breaches.
Q120 Mr Shepherd:
But in the case of the loss of the child credit information, the press or those
who reported it seem to have been directed to a very minor official at the
bottom of the pile, and no senior official or anyone; so is this the intent of
Government or is it that we make laws and we do not care whether they get acted
upon?
Mr Thomas: I think in part that
may be a question for Government. On
the specifics of what happened at HMRC there is an inquiry that is being headed
by PriceWaterhouseCooper. My office has
agreed with Mr Pointer, the senior partner of PriceWaterhouseCooper, that he
will carry out the full investigation; and when that is available later in the
spring we will decide what, if any, enforcement action is appropriate in that
particular case. I have said that it is
highly likely that there have been breaches of the Data Protection Act
there. We have seen the Permanent
Secretary resign from his office, so perhaps one might be reminded that there
was a level of accountability there.
Q121 Mr Shepherd:
My last point on this: PriceWaterhouseCooper have a very close relationship
with Government, and their revenues and a large part of their income are formed
from their relationship with Government.
Are you satisfied in your mind - or is this going beyond the brief -
that people that have such a cosy relationship with central government are best
commissioned to look into the deficiencies of central government?
Mr Thomas: I think that is well
beyond my brief, but I will benefit from their report when it is published.
Q122 Baroness Stern:
Can we continue on this vein about the recent examples of personal data being
lost or otherwise compromised. You have
already made some very helpful remarks, but I would just like to ask you to
slightly turn them round and very briefly say what you think the systemic
causes are for the recent failings in the loss or compromise of personal data.
Mr Thomas: At the moment there
is no obligation on any organisation to tell us about data breaches, but since
the warnings I sounded in July of last year we have had a steady flow of cases
that have come to our attention. I have
before me a print-out from an internal log that we are keeping, and we have
some 34 incidents that have been reported to us in the last 12 months. Twelve of these preceded the HMRC
incident. The rest have come to our
attention more recently. Some of these
are very minor indeed. Some of them are
what you might call minor matters where not many people are involved, not very
sensitive information - and it may have been encrypted. These are public and private. I do not say this is a comprehensive record
of all breaches, because we are aware of some incidents that have been reported
to the press which have not come to our attention. It is very difficult to answer your question directly what are
the causes -----
Q123 Baroness Stern:
Remember, we are talking about the Government's record.
Mr Thomas: I appreciate
that. I will focus primarily on
Government. It is difficult to
generalise from these various incidents.
I will attempt to do so by repeating what I said earlier in terms of
perhaps there has been too much of an attitude that these are technical matters
which people do not have to take with sufficient seriousness. There is a plethora of guidance in terms of
British Standards, in terms of advice on information assurance from the Cabinet
Office; but until recently this has not featured on the agenda of those
responsible for risks inside organisations.
Data protection is to quite a large extent an elaborate exercise in
specialised risk management.
Organisations are very much aware of the risks of propriety and the
risks of mishandling money. Perhaps
they have not sufficiently seen until recently that personal information is
both an asset to an organisation and should be treated as a valued asset, but
also as a liability if things go wrong.
All the signs I have seen in the last four or five weeks have indicated
a very, very sharp turn-around in attitudes - almost endless meetings, almost
daily, looking at what is to be done about the problems that have come to the
surface.
Q124 Chairman:
Is the list you are talking about a confidential list?
Mr Thomas: It is, sir. The names are confidential, Chairman,
because some organisations have told us in confidence. This is a non-statutory function; we have no
obligation to maintain a register. One
of the debates going on is whether there should be a stronger obligation to notify
either us or the individuals concerned when there has been a breach, but we are
just keeping this informally at the moment, and I think it would be unfair to
read out every name and every detail, when some of these come to us in
confidence.
Q125 Chairman:
Would the same apply for public sector cases on the list?
Mr Thomas: Yes. I would imagine that in most cases the
organisation itself would want to tell Parliament or - most of these in fact
have surfaced in the public domain already, but I think it is the
responsibility for sharing the information is for the organisation concerned, not
for my office.
Q126 Chairman:
That then begs the question: are there any serious breaches on that list
involving a public body -----
Mr Thomas: No.
Q127 Chairman:
----- that has not come to public light?
Mr Thomas: No, nothing on the
scale of HMRC.
Q128 Chairman:
I think that would -----
Mr Thomas: If I give you an
example, Chairman, the loss of the details by the Driving Standards Agency -
there were some 3 million details there.
I was aware of that when I gave evidence to the Justice Committee on 4
December. It did not come to public
light until a few days later, but equally I was aware that that only involved
names and addresses, and there had been a high level of encryption there, so
there was nothing remotely on the same scale as the loss of HMRC.
Q129 Chairman:
I would hope not; we are talking about half the population there.
Mr Thomas: I am making a
judgment of not just the numbers but also in terms of the sensitivity of the
data and the consequences if it got into the wrong hands.
Q130 Chairman: So on your list of public sector breaches,
are there any involving a million people or more that we have not heard about?
Mr Thomas: No, nothing like
that, Chairman. I think it is dangerous
to play the numbers game here.
Q131 Chairman:
That is the quantity; the next one is the quality question. Are there any serious qualitative breaches
in that they involved only a few hundred of people that we have not heard
about?
Mr Thomas: We have not been able
to get full details of some of these.
If I could just give a hypothetical example, if health records were lost
in just half a dozen people, and there was some really sensitive health data,
and that got into the public domain, there may not be financial loss in the way
there could be if financial data got into the wrong hands, where there were
bank account details and so on, which tends to grab the attention - but health
data, or details of adoption arrangements - all these are hypotheticals I
stress -----
Q132 Chairman:
Right, but -----
Mr Thomas: As you are implying,
the state holds, the Government holds, a lot of personal information of a high
level of sensitivity.
Q133 Chairman:
In your subjective view, are there any qualitatively serious breaches on your
list that have not come to the public attention?
Mr Thomas: Nothing of which I
have got full details at all.
Chairman: That is not quite what
I asked you, is it?
Q134 Baroness Stern:
No.
Mr Thomas: I am relying on my
own knowledge, Chairman. Whereas there
may be further announcements by departments in due course, I do not have
sufficient detail to share anything of any value.
Q135 Chairman:
So there could be on your list -----
Mr Thomas: Nothing on my list at
the moment.
Q136 Chairman:
Nothing on your list at the moment that you would subjectively think is
qualitatively serious?
Mr Thomas: No.
Q137 Baroness Stern:
We have already talked about the Driving Standards Agency; can I just finish by
raising that? After the loss of data
the Permanent Secretary for the Department of Transport wrote to senior
officials in the Department to remind them of the main principles of the Data
Protection Act. Does that depress you
slightly, that senior officials in a fairly major department needed to be
reminded of the Data Protection Act? I
think you hinted, in answer to an earlier question, that things have now
changed. Do you feel that the message
got through and that things have now changed?
Mr Thomas: It does not depress
me. I suppose one has to say there is a
silver lining to any cloud; but of course it should not take a train crash to
prevent casualties on the railway; but we have had a train crash and that has
served as a wake-up call, and I do not think the Permanent Secretary and the
Department of Transport were alone in writing to the entire organisation to
ensure that people were aware of the seriousness of the issues. I do not think I am depressed; in many ways
I welcome it, because we have been trying to say the same things for many
months and years, and to be able to have our message understood in terms of
what can happen when things go wrong is perhaps not unwelcome. It helps us get our message across. We have been saying these things with
guidance notes, with warnings and with clarion calls in terms of the benefits
of getting it right and the disbenefits of getting it wrong for a long time
now. I think we are going to see more
of it, so I do not think the letter sent round in December will be the last
round; we have to keep the pressure up for a long time. I said that things had changed in recent
weeks. One of my concerns is that we
just have two months of concern, and in six months' time everyone has forgotten
about it. It is hugely important to
keep momentum and make this a permanent feature. That is why in my opening remarks I wanted to stress to the
Committee the importance of getting the governance and accountability
arrangements straight so that personal information is treated just as seriously
as cash inside a public authority.
Q138 John Austin:
The Minister told the Committee that every Government department now has a
human rights champion at Grade 3 level.
In answer to the Chair earlier this evening, you said very clearly that
you saw data protection and privacy as part of human rights. Do you have any evidence to show that the
champions the Minister told us about see data protection and privacy as part of
their role as human rights champions, and do you think that those champions are
effective in relation to data protection?
Mr Thomas: I have to say that I
personally - I will ask Jonathan who has been in the office for 21 years, who
may have a wider perspective than I have clocked up over five years. I do not think I have had a meeting in my
five years with a human rights champion as such. Most of the people in my office come across dealing with data
protection concerns until recently have been dedicated staff, doing their best,
much more middle-ranking or junior level.
I do not think that we have had much awareness that data protection has
focused near the top of the agenda for the human rights champions. That may change. When I have been calling for cultural change, that has to come
from the top of an organisation, so I welcome the fact that there are senior
people - and I have been dealing with permanent secretaries on these matters in
recent weeks - but they cannot do everything; you have to empower people
elsewhere in the organisation. I do not
think it is a question of either/or; it is not either someone at the top or
someone at the heart of the organisation; you need both. You need someone to champion the issues and
someone to deliver the results on behalf of the organisation.
Q139 John Austin:
Were either of you aware that there were these champions, aware of their
existence?
Mr Bamford: I was not aware that
there were human rights champions that also dealt with data protection. The sources I have to talk about things are
interactions that tend to be on particular initiatives. We do deal at a very senior level with
Government departments but it tends to be on the initiative that is there
before us and what the data protection implications are and the acceptability
of that.
Mr Thomas: I am sure it is my
ignorance, Mr Austin: I have not come across the human rights champions -----
Q140 John Austin:
It is not an accusation!
Mr Thomas: I am sure. I have followed the human rights debate for
many years and the legislation, the Bill and the Act, and being involved with
human rights issues; but I have to confess that I was not aware that human
rights champions were specifically engaged with data protection, and I do not
think they have been is the short answer.
Q141 John Austin:
You also indicated that if you had more resources you might be able to check
more adequately whether Government departments were treating them with
sufficient seriousness. To what extent
are you confident that frontline staff are getting the message and that it is
not just those at the top?
Mr Thomas: I do not think there
will be many public officials now in recent weeks who are unaware of the risks
-----
Q142 John Austin:
As a result of the train crash!
Mr Thomas: Indeed - getting it
wrong. My concern, as I said earlier,
is to make that a permanent feature.
There has been debate about my office having stronger powers. The Government has announced already that we
will have the non-statutory power to carry out spot-checks of Government
departments. The Government has also
announced that legislation will be introduced to give us the statutory power to
carry out inspections of other public sector bodies. I made it clear that I think that power should be available right
across the spectrum: I think it would be unhealthy and undesirable to
distinguish between public and private in that respect. We need the same sort of power as our
colleagues elsewhere in the world have to inspect for compliance with the law,
regardless of the identity of the organisation that is controlling the
data. In this country other regulators
have the power to find out what is really going on, not just looking at
policies and procedures but checking on compliance; so I very much welcome the Government's intention
to take us down the road of inspection, but I made it clear that even with
spot-checks of Government departments we cannot even do that without increased
resources; we simply do not have the resource to do that.
Mr Bamford: Could I add a few
things as well there? It is vitally
important of course to talk about security, but there is a danger that we
concentrate on security at the expense of other aspects of data
protection. We have a set of provisions
there that also talk about minimising the amount of information that is there
in the first place, and making sure that there are proper controls surrounding
it is an important aspect of that. It
would be a shame if there was a concentration on security; we have to look at
data protection in the round, and the balanced set of measures that were
created in the first place, which includes things about transparency and about
what happens to information, but also minimising it in terms of the extent of
information and how long it is kept for.
That, in some ways, mitigates against the possible risk. We are very, very keen as well to make sure
- and this deals with your point in some ways - that it is not just leading
from the top that matters; but that there are tools to help everybody who is
trying to grapple with providing better public services and using information
to do that and to do it in a way that is consistent with data protection and
privacy rights. We increasingly try to
come forward with practical tools. To
go back to the Chairman's first question about how we join data protection and
human rights, one of the things we have brought forward in the last few months
is a privacy impact assessment handbook, which goes further than just narrow
data protection issues but is a way that Government departments can also come forward
with a policy initiative to think about the privacy consequences of that
upstream so that they can look at the potential pitfalls and perhaps modify the
plans in a particular way to deal with those and make sure that we incorporate
privacy and data protection safeguards in at the outset rather than bolt them
on as an expensive afterthought. It is
important we look at everything in the round and do not just look at champions
or things like that, but we need to make sure that we have a range of measures
that help organisations generally.
Q143 Mr Shepherd:
There is a hole in that, to the extent that some of the information is now
being handled and processed outside the jurisdiction. What do you do about that - the DVLA, for instance?
Mr Bamford: You are right that
there can be situations where they use data processors that are outside the
United Kingdom. The responsibility
under data protection law is still very, very firmly, in that instance with the
DVLA, and they are responsible for what happens there. If you think about the privacy impact
assessment model, it may be that you decide there is a risk having personal
data processed somewhere else, and that is something you can consider as part
of the decision to do that. That is why
we are keen to provide people with tools.
We have already approached the Office of Government Commerce about the
idea that we embed the privacy impact assessment as part of their own gateway
review process; so we are looking at big IT projects where data is going to be
processed and how they do it. But
privacy considerations are also mapped in at that stage, not just financial
considerations. We have to look at that
and provide a framework that ensures compliance across the piece, including
issues like data being processed overseas.
Q144 Mr Sharma:
In the light of all this debate on data protection, would you like to see the
role of the Data Protection Minister beefed up?
Mr Thomas: It is always
gratifying when the Minister dealing with your particular subject is at the
highest possible level, so whether the Minister wishes to see me on his way to
the Cabinet is for debate, I suppose, but we are happy that we have a Minister
of State at the Ministry of Justice. He
is responsible for policy. I meet him
from time to time, and I have been putting forward to him and his officials for
some time now the case for enhanced powers and resources. I do not think it is for me to comment on
what level in Government a particular minister should be, but I am also
encouraged that Jack Straw, the Secretary of State for Justice, takes these
matters seriously. I have spoken on the
telephone with him and I am meeting both him and Michael Wills, the Minister of
State, on Thursday of this week, and I will be exchanging views with them on
that occasion.
Q145 Earl of Onslow:
I am reading my conclusions from the brief now in relation to what Mr
Wills, the Minister of State, said. "So
you were not aware of the breaches until you heard them in the Commons, you
were not aware of this piece of advice and you were not aware until you read it
in the newspapers of all the other breaches there have been. I therefore have to reluctantly come to the
conclusion, what is the point of the Data Protection Ministry?" He does not know what has happened until he
reads it in the newspapers.
Mr Thomas: My Lord Onslow, I
would rather not be drawn too far down that road. I will say that -----
Q146 Earl of Onslow:
I was -----
Mr Thomas: I was genuinely
pleased that when I gave evidence in the committee room next-door to this one
on 14 November that as I came out from there I was door-stepped by a civil
servant from the Private Office of the Financial Secretary, Jane Kennedy, who
said that she wanted to talk to me about a problem, and of course that was the
problem relating to the loss of HMRC data.
She briefed me as to what had happened.
I saw the Chancellor of the Exchequer the following morning, on Thursday
15th, and it was announced to Parliament on the Tuesday. As the Regulator -----
Q147 Chairman:
The point is, there is a joined-up Government issue, is there not? There is you being brought in and notified
of particular breaches, but the issue really is that if you have a Data
Protection Minister, surely the Minister ought to be informed to keep an eye on
what is going on. Secondly, if you have
a Minister, surely the Minister's job should be to be aware of not just a
specific breach but to see whether there are any dots to be joined up when
developing policy, for instance, or to be aware of the advice that has been
given in relation to policy and particularly because the databases by that
definition are going to be huge?
Mr Thomas: I am very much aware
that these points were put to the Minister.
If you will forgive me, I cannot be more than the appointed Commissioner
with a set of standards -----
Q148 Chairman:
So when you are asked -----
Mr Thomas: I was informed.
Q149 Chairman:
Right. When you were asked what you
think the Minister's role should be, it is not necessarily where he sits in
Government; it is a question of what he actually does.
Mr Thomas: The Minister is
responsible for policy. I am lobbying
him to strengthen my powers -----
Q150 Earl of Onslow: He is called the Data Protection
Minister. If you are First Lord of the
Admiralty, you have something to do with the Navy; if you are Data Protection
Minister I would assume you have something to do with data protection. Have you told the Data Protection Minister
of those people who you have told us about whose things are going AWOL?
Mr Thomas: I have not, Lord
Onslow, because I am the Data Protection Regulator; I am the one who has got
the powers. It is my responsibility to
receive -----
Q151 Earl of Onslow:
Do you not think it is a duty - do you think you ought not to inform the Data
Protection Minister of the actions you are taking on protecting data, or is
that a rather novel idea?
Mr Thomas: I keep him in the
picture, not on the specifics of every case for every action we take, but he is
broadly aware of what we are doing.
Some of these he will be aware of because we are a Government department
and they will also tell the Minister of Justice at the same time.
Q152 Chairman:
If you think about the very big ones - take the HMRC one: the data of half the
population - the first he knows about it is when he hears the statement in
Parliament. That cannot be right, can
it?
Mr Thomas: Well -----
Q153 Mr Shepherd:
It is about outcomes!
Mr Thomas: I would rather not be
drawn into this. I am not a politician;
I am the Commissioner and I was pleased that I was taken into the confidence of
the Treasury and told about the situation; i.e., my priority at that time was
to minimise the risks of these disks falling into the wrong hands. I can see straight away whilst the search
was going on the consequences could be very serious indeed, and I made my
position clear when the news became published: the Treasury announced it and I
said that this was unprecedented and on a scale beyond anything we had come
across before. The questions as to what
the Minister, who has not got the statutory powers that I have got, should or
should not be told, with respect I think are for the Minister and not for me.
Q154 Chairman:
We have already asked these questions anyway.
The point really is that he is your mirror image in Government. You are quite right to say he does not have
your investigatory powers, such as those that you do have; but he is your
mirror image in Parliament and it is his job to be responsible for issues of
data protection. It is your job to
promote data protection in the country, as it were, and his job is within
Government and Parliament. Our concern
comes out of this: do you think that ultimately his job is seen as sufficiently
important within Government; do you think it is seen as sufficiently important
within MoJ, to make sure that he has the time, I suppose, to do things that
need to be done, bearing in mind his other responsibilities? Would it be better to have a separate
minister just responsible for this? In
the end, you must have a view on the political side of the mirror image view in
Government!
Mr Thomas: I am certainly
pleased that as a result of recent events the issues are being taken a great
deal more seriously inside the Ministry of Justice at official level and at the
political level. It is rather sad that
it has taken these events to achieve that result. In my view, it is unfortunate that the seriousness that I now
detect has not been there before.
Q155 Earl of Onslow:
May I come back to this whole concept? Am I not right in saying that if you
have a very large database and a very large number of people having access to
it, it is not a question if a breach happens; it is a question of when a breach
happens? Should therefore not the
databases - and I think I heard you say earlier amenable access - should this
not be policy throughout Government and throughout everybody having anything to
do with these machines at all, that the minimum number of people should be
chunked rather than have access across the whole thing?
Mr Thomas: What you are broadly
saying, Lord Onslow, is consistent with the underlying data protection
principles.
Chairman: We will come to this
in more detail later on.
Q156 Mr Sharma:
In many of our legislative scrutiny reports in recent years we have raised
concerns about arrangements for information-sharing. In our view, safeguards to protect the right to privacy should be
included in primary legislation, not left to secondary legislation or
application of the Data Protection Act.
Do you share our concerns?
Mr Thomas: I certainly share the
broad thrust of those conclusions. I
was aware of the Committee's recently published report in relation to child
maintenance: that is just one example.
The Committee may be aware that I was asked in October, before the HMRC
saga started, by the Prime Minister, in an individual capacity, and Dr Mark
Walport, who is the Chief Executive of the Wellcome Trust to undertake a review
of data sharing, because this is a hugely important area. There has been a lot of misunderstanding and
confusion in the whole area of where an organisation collects information for
one purpose; then another organisation wants to use that. Phrases like "data-sharing" cover a very
broad spectrum of activity, ranging from an individual case record being
exchanged, right across the other end of the spectrum to two databases
communicating on a real-time basis. It
is very dangerous to generalise in this area.
You cannot say all data-sharing is bad, but nor can you say all
data-sharing is good. There has been
perhaps in the past a bit of a tendency to think that you can improve law
enforcement; you can improve the delivery of public services, just by sharing
more and more information. I have been
somewhat resistant to that approach. I
said that the presumption needs to be the other way round. If there can be a good case made out for a
particular episode of data-sharing, if there are adequate safeguards in place,
they may be acceptable; but you should not start from the proposition, "We have
got the information; therefore, we should share it" because you, and I think
Lord Onslow before you were absolutely right in saying the more that you
centralise and the more that you share, the greater the risks are. This is all about keeping risks -----
Q157 Mr Shepherd:
The whole statute now is the means by which this is done. We have a piece of legislation which
mandates or makes easy the transference of the vast bulk of this information
right across the public sector for what are decided to be grandstand issues of
protection of the public; and now we are finding it is undermining the position
of the individuality of the citizen.
Mr Thomas: Some examples are
understandable and others less so. We
were pleased that the Serious Crime Bill was amended as it went through
Parliament, because that had arrangements, for example, for sharing information
in the interests of anti-fraud behaviour.
One can understand that where one is genuinely trying to prevent or
detect pieces of fraud, there can be some situations where you need to share
data; but the Bill was amended, and I very much welcomed that, to put in place
a code of practice to be put in place after consultation with my office, to
give us the powers to inspect the activity; and that seemed to me a good
compromise, to provide for sharing within a regulated environment.
Q158 Mr Shepherd:
But the statutory
instruments are expanding, as you have seen in the case of the Driving
Inspectorate, et cetera, which
now have the powers to seek such information.
Mr Thomas: I am certainly in sympathy with the general
point that if there is to be sharing, it should have as clear statutory
authority as possible, and I would say that that should be primary where
possible not the secondary level.
Earl of Onslow: What you have
just said is a very good argument against identity cards.
Chairman: We are coming on to
that.
Q159 Baroness Stern:
Can I carry on with this topic of legislation very briefly and ask you this: do
you raise your concerns with Government about specific legislative provisions;
how do you do that, if you do it; and what response do you get?
Mr Thomas: Yes, I do, and not just
with Government. The independence of
the Commissioner is guaranteed by statute and is required by the European
Directive. I have to be proud and
robust in asserting independence.
Therefore, not only do I sometimes express views to ministers, but I will
do so in public, or come to Parliament.
I have lost count of how many select committees I have talked to on this
particular matter. Whether it is
identity cards or electronic health records, contact by the children's
database, road pricing, e-borders, there has been a range of subjects in the
last 12 months or so on which we have expressed views in public. I hope I am a good democrat; I recognise at
the end of the day that it is for Parliament to decide what the law is. I suspect we are coming on to identity
cards, but when that was at the early stages, when there were Home Office
consultations and select committee hearings, we were not slow to come forward
with our point of view and express some concerns and some reservations and
raise questions. When it reached the
parliamentary arena, which was very controversial - it was bouncing backwards
and forwards between the two Houses, and the parties were taking their
positions - I do not think it is my role there to get involved in the party
political debate, so we kept a much lower profile. Since the Act received Royal Assent, we have had discussions with
officials about where the identity card programme might be going. Although I try to be constructive in the
approach we take, we are not shy to come forward. Whether our points always get taken on board, which is the second
question you asked, is for others to judge, but we have had some successes.
Q160 Baroness Stern:
Do you think that any of the recent privacy breaches - the big ones we have
been talking about here - might have been averted if there were stronger
safeguards in specific pieces of legislation, rather than general reliance on
the Data Protection Act?
Mr Thomas: I would like to see
the general Act strengthened. We put
forward proposals some time ago, which I know are being seriously
considered. I think the Ministry of
Justice is bringing out a consultation paper shortly. We are looking for much stronger sanctions and penalties for
deliberate or reckless breaches of the data protection principle - not just
security - as Jonathan says, it is wider than that. I think that will serve a very symbolic
purpose, not just because we want to hand out punishments to people but we want
to raise the awareness of the seriousness of taking these things seriously. In another area I produced a report for
Parliament 18 months ago about the pernicious illegal trade in personal
information. We came across a whole
network of private detectives, investigators, who are hired by a range of
people - newspaper journalists but also law firms, financial institutions and
even local authorities - to get hold of confidential personal information. We had so much information we published a
tariff of what it was costing to get hold of this. The penalties were derisory.
It has been a criminal offence now since the mid-1990s. We called for the sanctions to be increased
to a prison sentence, not because we want to send people to prison but because
we want to raise the status of the offence to deter this sort of activity in the
first place. We are delighted that that
is now clause 75 of the Criminal Justice and Immigration Bill before
Parliament.
Q161 Lord Lester of Herne Hill:
In view of the problem of enforcing criminal sanctions, have
you thought about a civil regime, building on, for example, the kind of thing
we have in equality legislation where your agency could bring public interest
proceedings to get appropriate orders and, if necessary, more effective
sanctions from the courts?
Mr Thomas: Thank you, Lord
Lester. We have submitted a paper to
the Ministry of Justice that is quite a comprehensive paper on powers and
sanctions. One of the ideas we have put
forward there is a civil regime, and civil penalties for those who breach the
legislation in the serious ways that I was describing.
Q162 Lord Lester of Herne Hill:
Can we have a copy?
Mr Thomas: I think we have
offered the Committee a copy of our paper.
Chairman: That would be helpful.
Q163 John Austin:
You have mentioned the Child Maintenance and Other Payments Bill, and clearly
this is one that will involve a great deal of information transfer and
sharing. The Minister, in his response
to us, talked about compliance of legislation with the Human Rights Act, but
made little or no reference to data protection. Have you been in touch with the Minister to discuss any
arrangements that might be made for building stronger personal privacy
protection in the Bill and into the legislation?
Mr Bamford: We have had
discussions with the Department of Work and Pensions about the Bill. The area that we have concentrated on is the
disclosures of credit reference agencies, of the absent parent and the
arrangements they have put in place for the payments of child maintenance. We have concentrated very much on that area
rather than on information-sharing more generally; it was essentially a
replacement for the Child Support Agency's information-sharing regime. This was very new and raised for us some
real issues in terms of that you seem to have a body with a range of sanctions
to try and get payments out of absent payments; and it seemed to us to go
through a diffuse mechanism of using credit reference agencies to affect
people's credit ratings to achieve that objective, which they have actually got
powers for. We have had lots of
dealings with credit reference agencies over the years - that is one of the
areas we have most inquiries about because people are concerned about the
credit rating, and we know quite a lot about how they work. It was not clear to us precisely how this
works in practice with the credit reference agencies, and the issue about the
fact that this is not really necessarily about a person's ability to pay - some
of the issues to do with non-payment of child maintenance may be down to other
reasons that are nothing to do with the ability to pay - but credit reference
is clearly aimed at people's ability to service debts and do those sorts of
things. There is a whole host of issues
about how you affect people who have a relationship with the absent parent, who
is then here; issues about the consensual basis that has been proposed of
information going there, and statements about improving people's credit
reference and rating when actually it can have the converse if more outgoings
are shown, and trying to understand how that works. Those discussions are going on because we are not satisfied at
the moment about what is proposed with credit reference agencies - it is
something we find acceptable in terms of data protection principles.
Q164 Chairman:
You mentioned earlier on about the privacy impact assessment: have you
discussed with the Government how that can be used when departments are drawing
up legislation so that that can be one of the tools they refer to?
Mr Thomas: We certainly have
started those discussions. We did not
publish the handbook until the beginning of December. We had a major conference in Manchester and public officials were
at that conference. I think it is
arousing a greater interest. Jonathan
has already mentioned that we started discussions with the Office of Government
Commerce to make this a feature of the procurement process where major new IT
schemes are put in place which collect personal information. We are promoting this very heavily around
the rest of the public sector. It is an
idea that we have borrowed from elsewhere in the world. They are quite widely used in Canada and
Australia. In the United States they
are mandatory at the federal level. We
are not putting forward the argument for mandatory use because that can become
somewhat bureaucratic; this is meant to be a tool to help organisations get it
right. It is a very interactive
process. Some of the material may look
a bit off-putting at first, but when you get into the interactive use of the
privacy impact assessment, I think organisations are finding that they can be
very helpful, to alert them to the sorts of questions they should be asking,
and then the sort of safeguards they need to put in place. I mentioned earlier the review of
data-handling which Gus O'Donnell, the Cabinet Secretary, is carrying out. He published his interim report just before
Christmas. There will be a further full
report in the spring. At that level I
have been discussing the benefit of privacy impact assessments, and the
Ministry of Justice, which has its own communication network across Government,
I believe, is also promoting PIAs.
Q165 Chairman:
This is an idea of the Ministry of Justice, in particular on the issue of data
protection, to go around proselytising this idea across departments.
Mr Thomas: I hope that the
Minister is doing this already. I hope
you will give a very clear message from this Committee that it will be
extremely useful.
Q166 Chairman:
You do not know that he is doing it.
Mr Thomas: I do not follow his
every movement, but my understanding is that his department is sympathetic to
the use of PIAs.
Mr Bamford: We do have a
systematic plan to go round and try and make sure maximum take-up, and put in
place user forums and all sorts of things.
One lesson that we have learnt from other jurisdictions is the need for
the data protection authority to promote these to try and build
competence. We have an action plan to
try and take that forward in the next year.
It is our office that plans to do that.
Q167 Lord Dubs:
ID cards or the national identity register:
you have dealt with some of this but I do not want to take away your
chance of elaborating on the answers you might wish to give. Ministers have been a bit optimistic in the
recent past about the security of databases but in view of the recent problems
what are your concerns about the proposed national identity register?
Mr Thomas: We have been
consistently sceptical about aspects of this programme. Our concerns are focused much more on the
database rather than the use of the card per se. We have had and still have concerns about
the need for absolute clarity as to the rationale and purpose for the identity
card scheme. Until one is absolutely
clear what is the primary purpose, it makes it difficult for anybody to judge
the acceptability of what is on the database and how that is going to be used.
Q168 Earl of Onslow:
So you are saying you do not understand the point of an identity card! That is what I heard you then to say.
Mr Thomas: We are familiar with
Section 1 of the Act -----
Q169 Earl of Onslow:
Sorry - if I was you, that is the answer I would have given, but I am not you!
Mr Thomas: Section 1, in
relation to which we argued very strenuously that there should be a purpose
clause - that was not there originally, so at least there is now a purpose
clause. The problem is that there are a
number of purposes and they are not ranked in order of priority. They are fairly wide-ranging. I am saying - and I hope this is clear to
everybody - that we need to have - society generally - clarity as to the
primary purpose. One can talk in terms
of law enforcement or immigration control, improving public services and
safeguarding against identity theft, but we need to have maximum clarity about
the purpose, because only when you are clear about the purpose can you judge
how much information should be collected and stored. That is where we have raised concerns. If I could just elaborate that, we have particular concerns about
a suggestion of collecting what I might call transactional data. It is one thing to collect the basic
identity information - name, address, date of birth and so on; but if one is
going to record details of every time that card is used or every time that card
is passed through a reader of some sort, one then begins to build up a very
detailed picture of the daily lives of citizens. I have said in the past, and I say again, that that does go to
the heart of the relationship between state and citizens. I recognise the risks involved there, and I
think Government recognises the risks.
In recent weeks there has been ever-increasing emphasis on the voluntary
nature of the existing statutory framework, and one has far less concern about
voluntary schemes than compulsory schemes.
Clearly, if there is to be a move towards compulsion, that has to come
back to Parliament; but perhaps that is a debate for another day. We have also focused on such issues as
access to the data, who and under what circumstances has access to the database
and for what purposes, and I think the current situation is that perhaps the ball
is in the Government's court. We can
react to what comes forward but I do not think it is for us to make suggestions
or to comment on hypotheticals.
Q170 Mr Shepherd:
Is this not constructed as an involuntary system - application for passports,
for instance? Once you start taking up
things like that - it is programmed in the Act.
Mr Thomas: The legislation is
voluntary in the sense that nobody can be compelled to have an identity card,
but I take the point you are making, which is that it is a bit like a supermarket:
buy one and get one free. When you
apply for a passport you only apply -----
Q171 Mr Shepherd:
It is more negative than that. That is
a positive assertion. This is demanding
information if you want to exercise rights that you currently have to travel
abroad for instance.
Mr Thomas: I take the point, and
I think the debate will continue.
Q172 Lord Dubs:
Do you think the insecurity of such a database is something that the Government
can do something about perhaps by avoiding transactional data, or perhaps by
making the database smaller? Is there
some way in which one can improve the security?
Mr Thomas: I think there is the
obvious point that I have made before, which is data minimisation. The less you collect, the less the risk of
it getting into the wrong hands. I
think there is a wider point, which is that perhaps there has been a lot of
faith in the power of technology but sometimes the easier it is to use a
technology, the easier it can be to lose the data. There is no doubt whatsoever in my mind that the HMRC incident
and one or two since then have been a massive wake-up call, and the sorts of
questions that you are putting there, Lord Dubs, I am sure are being asked
inside the Home Office and elsewhere as we move forward. The general point is the one you are making,
which is that there are risks associated with collecting information, and they
are risks that can affect large numbers of people; or they can affect small
numbers of people at a very serious level.
If there has been a silver lining to the recent clouds, it has been to
very sharply increase awareness of those risks. I do not think it is quite enough to say that we will tighten up
on security because security - as I have tried to say this afternoon - is not
the end of the story.
Q173 Lord Dubs:
So how confident are you in fact, having said all that, that the Government can
deliver the secure national identity register?
You say that security is not the only thing, but let us vocalise this:
how confident are you in view of what has happened in recent weeks?
Mr Thomas: We have a long, long
way to go before we see the detail of the Government's proposals. We had the legislation, which has gone
through this House, and that is a framework, enabling legislation to a large
extent; but we are still waiting to see the detailed arrangements and proposals
for secondary legislation that will have to flow from the basic Act. Our last meeting, ironically, was on 14
November, the very day that I was told about the data loss, and that was the
last meeting we had at official level when we were told that proposals would be
coming forward at some stage. That of
course was before the Home Office knew of the problems down the road at the
Treasury.
Q174 Lord Dubs:
Are the Government listening to you sufficiently?
Mr Thomas: Let us put it this
way, Lord Dubs: they are listening to us a great deal more actively and more
frequently and more seriously in the last month or so than before!
Q175 Earl of Onslow:
The security thing is divisible into two: there is the ungodly hacking into and
the incompetent leaving it on a train.
I am simplifying it obviously, but those are the two -----
Mr Thomas: I think I would
repeat what I said when we made our public announcement in relation to the data
breach at HMRC: there are searching questions to be asked about policies,
procedures and human error. I suspect
that when the PriceWaterhouse report comes out, it will uncover problems at
each of those levels. To give you one
example, there may be software solutions which could prevent the downloading of
an entire database, and we need to find out whether that was put in place at
HMRC, because I have serious questions about the ability of any individual, at
whatever level in an organisation, without proper authority to be able to
unload such a massive database. Many
people I think were surprised that you can download so much data onto two
disks, but that is secondary to the fundamental question of what safeguards are
in place to prevent that sort of thing happening in the first place.
Q176 Lord Dubs:
Michael Wills told us that the Government would review the national identity
register in view of these problems.
Have you any idea what has been planned?
Mr Thomas: No, Lord Dubs, I have
not had any official communication since that meeting in November before the
HMRC problems. I read the newspapers,
but I have not had any message from a minister or an official on this subject.
Q177 Lord Dubs:
Are you surprised at that, or disappointed?
Mr Thomas: Neutral, I
think. Things have moved very fast in
recent weeks and we have had Christmas in between, but I suspect that people
will come to me when they are ready to do so.
Q178 Chairman:
Is there anything you would like to add to any you have said?
Mr Thomas: I think you have
given us a good run for our money, Chairman! We could talk a great deal about the programme we are putting in
place to help organisations get it right.
We have always tried to say that complying with data protection is a
matter of enlightened self-interest.
The law has got rather a mixed reputation of being rather complicated
and sometimes rather difficult, and will blame data protection too easily; but
that will not happen in future. The
fundamental principle that has been shown here this afternoon is that of plain
English, easy to understand: and getting it right is a matter of enlightened
self-interest for organisations. Our
strategy has been to help organisations where possible, and to be tough in the
small minority of cases where we really need to intervene. I also say we are a tiny organisation and
that has been a reflection of perhaps not taking some of these matters with
sufficient seriousness in the past.
Chairman: Thank you very much.