Identity Cards Bill

I speak to Amendment No. 219, which would insert the new clause printed on the Marshalled List. As our debates have already revealed, Clauses 11 and 19 to 23 envisage widespread cross-pollination of data between a national identity register and a host of other databases currently in operation across government. Indeed, it is worth noting that the propositions of data sharing and data matching have been a persistent theme of the current Administration. As the Performance and Innovation Unit’s publication of 2002—Privacy and Data-Sharing—puts it,"““The ability of the public sector to deliver high quality services, develop well-targeted policies and ensure efficient government depends on the effective use of knowledge and information—including personal information about citizens (such as health records, tax returns, welfare benefits, law enforcement records, driving licence information, and so on)." It continues:"““This requires more joined-up approaches to the use of personal data across organisations””." Moreover, the statute book is groaning under the weight of successive legislation aimed essentially at creating a more permissive regime for data sharing—as with, for example, the Children Act 2004, which has been translated into the recently announced information sharing index, the Commissioners for Revenue and Customs Act 2005 and the Immigration, Asylum and Nationality Bill. In other words, the prevalence of legislative provision in this area is pervasive. I understand the rationale for the data sharing envisaged in the Bill. On the face of it, it could serve at least two potentially beneficial functions: more efficient and effective public service provision and verification of the information held on the register. In the context of the scheme, both of those could be deemed to be desirable although, on the latter, there is the real risk, to which my noble friend Lady Anelay referred earlier: that the national identity register will fall prey to cross-infection of inaccurate and corrupt data from other databases. For example, it was revealed last year that the DVLA data set is only 40 per cent accurate. Be that as it may, however attractive the concept of data sharing and whatever its potential benefits—the Government agree with this—it needs to be conducted within the context of human rights and data protection legislation. I again refer to the PIU report. It states:"““there are signs that public concern about privacy is on the rise—both in the public and private sectors””." Rightly, the report also states:"““While there is huge potential to make better use of personal data to deliver benefits to the public . . . this will only be realised if the public trusts the way the public sector handles its personal information—which means meeting their rights and legitimate expectations or the protection of personal privacy””." According to the Joint Committee on Human Rights, the Bill does not appear to satisfy that criterion of public trust. Its report states:"““a number of provisions of the Bill could result in disclosure of information in a way that disproportionately interferes with private life in violation of Article 8””." In particular, it observes that,"““the majority of disclosures of information under the Bill are not made subject to the criterion of necessity””." There is an additional point here. With so much data sloshing between the register and other government databases, there is a distinct possibility that virtual databases could be created. To that extent, it is wholly feasible that the register could have access—not hold, but have access—to sensitive data, as defined by the Data Protection Act. In other words, the Government’s sincere intention that the register will not hold such information will not hold such information will, in practice, be pretty much meaningless. For my part, I acknowledge that statutory gateways for data sharing and data matching should exist. To echo comments from my noble friend Lord Lucas, we would be unwise to seek to prevent the inevitable. Rather, like my noble friend, I am much more concerned that we get the administrative detail of privacy rights correct. Here, in contrast to the drafting in the Bill and the Government’s apparent strategic policy in this area, I favour the approach of Liberty. Albeit in a different context but, nevertheless, equally relevant here, it has commented:"““The starting point for such consideration should be the presumption that each and every measure allowing for information sharing needs to be justified rather than the presumption that information sharing is an unqualified good to which exceptions must be justified””." That seems to be sensible and appropriate. The new clause is intended to address all those concerns. It proposes that the Secretary of State draws up statutory guidelines in respect of the information disclosure provisions of the Bill, with the intention that these be enforceable in law. I have no doubt that the Minister will argue that such a proposition is unnecessary because the Human Rights Act and the Data Protection Act will apply to this Bill in any event. I regret to say that I cannot be quite so sanguine about the matter, nor am I wholly comforted by her responses to previous amendments. As I have indicated more than once during our debates, it is wholly feasible that, despite the Government’s intentions, sensitive personal data will be accessible from the register, regardless of the provisions of the Data Protection Act. Moreover, there is a great deal of evidence that public authorities across the board are confused about what is and what is not permissible in this area. For example, a current statutory instrument from the DfES—the Education (Information About Individual Pupils) (England) (Amendment) Regulations 2005—envisages the retention of named personal data about children for as long as 20 years. It is difficult to see how that can be interpreted as being proportionate within the terms of the Data Protection Act. I apologise for taking some time to explain the new clause, but this is a complex area. Nevertheless, I sincerely believe that this new clause or something like it is necessary as a buttress to the Data Protection Act.