Identity Cards Bill

No doubt we shall be told that the requirement contained in the amendment is unnecessary as there are already obligations on government to provide maximum security in this area, and no doubt the Government will do their best. However, when I reread the detailed comments of the noble Baroness, Lady Scotland, I was a little surprised as clearly she had been given a brief that seemed to go rather further than I would have been comfortable with had I been the Minister concerned. I do not pretend to be a great expert in this matter. I was chairman of an IT company for a number of years and one thing I learnt was that I really was not an expert. However, I gained enormous admiration for the technical ability of the experts to develop new techniques. Yesterday, the noble Baroness described the safeguards which were being,"““designed to provide a ‘defence in depth’””." I am sure they are. She went on to say,"““The content of the national identity register will never be stored in a manner that would leave it exposed to the risk of data extraction””." That seems to me a pretty bold statement. She added:"““There will be a very small number of encrypted communications links serving the database, with no direct PC access to the register. It goes without saying that the register will be developed to be a fully secure method for storing and verifying registrable facts””.—[Official Report, 15/11/05; col. 989.]" I hope that events prove her right and that her optimism is justified, but I want to make one other point. The Government may be successful in making the actual register pretty secure, but we know—indeed, this clause deals with the fact—that a number of organisations, the police and others, will have to have access to registrable information. No doubt they will do so through encrypted communications links. But once they have the information, it will be on other systems, and there will be quite a lot of those systems. I very much doubt that all those systems will have been developed in the same way to the same level of security. If I am wrong and if all the other users who will be able to get the information out have systems of this kind, and it will be a requirement that they should have, we ought to be told. We should also be told the cost implications. We shall return later to the question of cost—it delayed us for well over two hours yesterday and I do not wish to say any more about it now. But if these and other systems have to be made secure, I suspect that—as we are finding in the health service—costs will continue to mount. When my IT company was engaged on a central government project, the Government came back again and again and again with changes to the specification to try to tighten security, because they discovered that the requirements altered almost week by week. I fear that that will happen in this case.