A lost cause? By Tash Shifrin

1 May 08
Keeping citizens' data centrally seemed such a good idea. It could help to catch terrorists, protect children, save patients' lives, and stop people from providing the same details to different departments. But then the government started losing files.

02 May 2008


You don't know what you've got till it's gone – so the song goes. And the vast amount of citizens' personal data held by the government was probably not at the forefront of Chancellor Alistair Darling's mind until some of it went missing last November.

Darling – still reeling from the Northern Rock bank crisis – was forced to admit to Parliament that disks containing the personal details of 25 million people, including names, addresses and bank account information, had been lost. They had disappeared after being despatched from Revenue and Customs to the National Audit Office. Suddenly, the government's store of personal data – and its security – was big news.

Now the whereabouts of millions of people's personal details is again in question. Last week, it emerged that the information commissioner has been notified of almost 100 more data security breaches. Two-thirds of these were in the public sector, with almost a third in central government and a fifth in the NHS. The commissioner, Richard Thomas, says it is 'particularly disappointing' that the Revenue's experience had not prompted these organisations to keep their personal data safe.

The R&C scandal drew attention to the sheer amount of personal information held by the government. It also cast a new light on the many new database schemes – such as the National Identity Register, which will support identity cards; the ContactPoint database, which will hold basic information on all children from birth; and the Electronic Common Assessment Framework (Ecaf), a national system that will hold detailed casenotes on children at risk.

Some of the databases are part of huge projects – the ID cards scheme is expected to cost £5.6bn over the next ten years, while the controversial NHS data 'spine', holding electronic care records, is a central part of the health service's £12.4bn National Programme for IT. ContactPoint – which was held up for an urgent security review in the wake of the R&C scandal – will cost £224m to build and another £41m a year to run.

The government has invested massively in what opponents term 'the database state'. But it is not only building databases. Ministers believe that better information sharing between agencies is vital to improving public services. Former prime minister Tony Blair proposed a relaxation of the data protection laws to allow more sharing – a move, he said, that would reduce form-filling for the public. The idea is now a major plank of the Transformational Government programme to improve public services, overseen by the Cabinet Office.

It has also been enshrined in the Service Transformation Agreement, published alongside the 2007 Comprehensive Spending Review. This includes a commitment to eventually pilot a 'Tell Us Once' service – now at the feasibility study stage – that will allow people to inform public services just once about births, deaths or changes of address, rather than trailing round a string of agencies.

Sir David Varney championed this idea in a 2006 report for then chancellor Gordon Brown. Now, as the prime minister's adviser on service transformation, he will be able to nudge the project along.

Varney assured a Cabinet Office conference on Transformational Government in March that the government did not 'want to see every piece of information' on people. But data-sharing initiatives are sprouting. One project, piloted by the Department for Work and Pensions, R&C and half a dozen local councils, aims to streamline services for people moving into or out of work.

More quietly, Brown slipped increased data-sharing powers into three Bills in his first Queen's Speech: on terrorism, education and skills and the sale of student loans. These measures are focused not on improving the customer experience, but on crime, a welfare crackdown and government finance.

The spread of data-sharing schemes has alarmed civil liberties campaigners, who are concerned that the increased hoovering up of personal information and recording of data on people's movements and activities is an intrusive breach of the right to privacy.

Data sharing also means information can easily be used for purposes other than those for which it was collected. And, as government datasets grow and are linked, ever-larger numbers of staff have access to the information, creating more of a security risk.

Phil Booth, national co-ordinator of the campaign group No2ID, explains that its concerns go beyond ID cards. The campaigners are also worried about the proliferating databases. He accuses the government of 'over-accumulating and over-sharing data that will never actually be needed'. This is not just an attack on civil liberties, but a huge waste of resources, he says.

Booth is deeply concerned about systems such as MIAP, Managing Information Across Partners. This will hold education and training data on young people aged 14 and above, and allow employers to check qualifications. As such, it will 'create a lifelong identifier' that blurs the boundaries between childhood and adult life – a blow to privacy and civil liberties, he says.

Booth also points to the number of large-scale government computer projects that have ended in failure and massive budget overruns. The drive for more data sharing results in increasingly complex computer systems, 'which in itself is a point of failure', he warns.

In the wake of the R&C debacle, the government has gone quiet on data sharing. Ministers are awaiting the results of several reviews: the examination of what went wrong at the Revenue by Kieran Poynter, chair of PricewaterhouseCoopers; Cabinet secretary Sir Gus O'Donnell's look at data handling across government; and a data-sharing study by information commissioner Richard Thomas and Wellcome Trust director Mark Walport, ordered by Brown before the R&C disaster.

Such is the sensitivity about data sharing that the Cabinet Office said it would not provide a senior civil servant for interview until the O'Donnell review has been published. But a spokesman said: 'People want and expect joined-up and more personalised services from government. In order to deliver public services effectively and efficiently, it is essential that information is shared between different parts of government.

'Carefully controlled data sharing is not only essential to delivering public services, but also has an important role to play in tackling potential criminal activity. At its most extreme, incidents such as the death of Victoria Climbié and the Soham murders have shown how serious the consequences of failing to share information can be.'

This point is reinforced by John Coughlan, director of children's services at Hampshire County Council and immediate past president of the Association of Directors of Children's Services. The ContactPoint project emerged from the recommendations of Lord Laming's inquiry into the death of Victoria Climbié, he notes, while Ecaf will allow social workers to liaise effectively to support children at risk.

Coughlan argues that while privacy and data protection concerns should be taken seriously, it is lack of data sharing that harms child protection. 'Failure to accurately share information has been a real issue. Being overprotective in information terms can be very damaging.'

But not everyone feels the government has made its case. Peter Bradwell, co-author of a pamphlet from think-tank Demos, FYI: the new politics of personal information, says: 'At the moment, the government isn't good enough at coming up with coherent strategies either across government or in specific departments. People do have legitimate concerns about personal information, not just data security.'

He adds: 'The government hasn't asked really fundamental questions in public debate that gauges the public's aspirations. It makes it difficult to believe that function creep won't happen among those databases and who can use them.'

Fears of function creep – where data collected for one purpose is later used for another – have also prompted divisions within the government. In July last year, Home Secretary Jacqui Smith lifted Data Protection Act restrictions to allow car number plate data collected through London's congestion charging cameras to be transferred in bulk to the Metropolitan Police for use in anti-terrorism work.

But leaked Home Office papers revealed disagreements between Smith's office and the Department for Transport – and that plans to use the data from congestion charging and future road pricing schemes for wider crime-fighting purposes had been dropped amid government wrangling.

A similar row has broken out over data from Oyster cards, the electronic 'tickets' used on London's public transport, which can track the comings and goings of millions of people. At a hustings for the London mayoral campaign, organised by No2ID, candidates – excluding Labour's Ken Livingstone, who did not attend – unanimously opposed the use of Oyster card data for any purpose other than collecting fares, unless a court warrant was issued.

Political sensitivity is not the only concern. Ross Anderson, professor of security engineering at Cambridge University's Computer Laboratory, believes the government will eventually fall foul of European Union law. This allows data sharing where there is 'a substantial risk of serious harm' but not systems that take in all children for general welfare purposes, he says.

'Now the government has chosen to ignore this and the information commissioner has chosen to shut up about it,' Anderson says. 'But sooner or later someone will go to the European Court of Justice, and Ecaf and ContactPoint will be declared unlawful.'

At the Information Commissioner's Office, deputy commissioner David Smith defends the watchdog, saying its role is not to set itself 'above Parliament'. He says EU law gives 'quite a lot of leeway to governments', although he concedes it is arguable that systems that 'collect too much data on everybody to address a problem that affects a minority could be in breach' of European human rights law. He cites a test case that is examining the retention of DNA data from two children who were arrested by police but not charged.

The ICO has presented evidence to a string of parliamentary committees warning of the dangers of 'a surveillance society'. Smith says: 'There are problems in some areas,' citing the National Identity Register, the database behind the ID card scheme, 'and the extent of the information held on it, particularly the transactional records – how and when the cards have been used, which builds up a pattern of how you live your life – who has access, and why'.

The watchdog has also raised concerns about ContactPoint, the Electronic Common Assessment Framework, the NHS's electronic care records, the DNA register and other projects. The ICO has 'concerns that there's been pressure to do information sharing for information sharing's sake', Smith says. 'The knee-jerk reaction to a problem is setting up a database.'

Anderson says this is something the technology industry has encouraged. 'Since 2002, there has been an enormous spending splurge on IT, which the industry lobbied for after the dot.com crash. The government has become [the industry's] biggest customer,' he notes.

Smith argues: 'The whole approach to data sharing or constructing big new databases should be one of looking first at the business case for their development, if there is any intrusion into privacy and whether the benefits outweigh that.'

This careful weighing of how far specific datasets really need to be collected or shared against the benefits is a key theme emerging from the Thomas-Walport review, which has attracted more than 200 submissions. Like Bradwell, Walport emphasises that a one-size-fits-all policy will not do. 'Data sharing isn't something you look at in a generic sense,' he says. The question should be whether 'sharing these particular data for this particular purpose is a good thing or not'.

He cites two initiatives at the Driver and Vehicle Licensing Agency. The DVLA's online system for tax disc applications, which brings together driver details, MOT test results and insurance information, is seen as a convenient service. But releasing car ownership data to private clamping companies is viewed in a very different light. 'It illustrates the upside and the downside,' Walport says. 'If you do it well, you provide a service [that people like]. Do it wrong and there's big upset.'

Schemes such as the NHS's emerging electronic patient records system can usefully help GPs to share information on patients who might be treated by several doctors, Walport says. But there is a risk inherent in major data-sharing schemes. 'The corollary is that if something does go wrong, it can go wrong on a very large scale.'

Glyn Evans, a member of the Chief Information Officer council – the group of top public sector IT managers charged with steering the strategy to support the Transformational Government agenda – says: 'There's no doubt whatever that we can deliver services that better meet people's needs if we can share data.'

But Evans, who is also corporate director of business change at Birmingham City Council and chair of the Society of Information Technology Management's 'information age' group, has a more nuanced personal view. 'If we were truly customer-focused, we would allow customers to define how they want their data to be shared,' he says. Introducing technological means of doing this into public bodies' computer systems would be 'complex, but not beyond the bounds of feasibility', he argues.

Evans has made this point at the CIO, he says, but adds: 'I wouldn't say there's a large flood of people saying that's a good idea.'

Others are also looking at ways of engineering systems to protect privacy and perhaps win back public trust in government data stores. The ICO is producing guidance on what it calls 'privacy by design' and wants this incorporated into new computer systems.

No2ID's Phil Booth argues that the public sector should focus on secure messaging systems, which would allow professional staff such as social workers to alert relevant agencies on a case-by-case basis, rather than giving hundreds of thousands of staff continual access to huge databases. He wants pared-down systems that do not track individuals through a lifetime of transactions. 'Share by exception, with the decision taken by a professional, and use credentials that authenticate rather than identify,' he urges.

All sides also recognise that the security of data held by public bodies must improve. 'We recognise that action is needed to restore public trust in the government's ability to handle personal data securely,' the Cabinet Office spokesman says.

Peter Bradwell suggests in his Demos pamphlet that the government should implement 'cash-handling' disciplines for data – the sort of tight, auditable governance procedures used for financial matters.

Booth agrees: 'People are holding vast amounts of ID capital that's not factored into their risk management or insurance. Until personal information is treated as valuable, I don't think we will see any meaningful change in the way people build systems.'

The impending data handling and security reviews will perhaps signal where the government's policy is going. But Varney has hinted that he recognises the public will increasingly want a say in what happens to their personal information. 'There's a political debate about whose information it is,' he told delegates at the Cabinet Office conference.

'It would be wise to develop an idea of consent, of informed consent. I think we do need a more informed consent if we're going to share information like that.'

