Statistics and Registration Service Bill

My Lords, I put my name to the amendment, because there is an important point of principle behind it. I thank the Minister for his words at the previous stage of the Bill and I fully accept his good intentions. The real challenge, about which I entirely agree with the noble Earl, Lord Northesk, is that a matter has to be brought to the attention of the Information Commissioner before he can act on it. He cannot act proactively under his current powers. There must be a complaint—it does not have to be much of one. One of the protections is, of course, that the data controller can ask him about some laxity, but how likely is the person in charge to make such a request of someone who might point fingers at him? One would hope that that would happen, if only to get good advice and to obtain verification from a third party that best practice was being carried out, but it tends not to happen, particularly when there are budget cuts. The problem on the other side is that you do not know what you do not know. You would not know that there had been a breach or whatever until after it had happened. You would not realise that wrong procedures were in place because no one would previously have known that, unless someone had general oversight. The data controller, or whoever was in charge at the agency, might be very good at their job, but keeping up with information security is a full-time job these days and is very time consuming. The situation is moving all the time. Only a couple of years ago, everyone thought that firewalls were brilliant and that you could create a fortress around an organisation. We now know that you cannot. Considering how things are moving, data leak out very quickly despite any fortress. Data sharing means that such information will move across such firewalls. The trouble is that things can appear to be anonymous—they can be pseudo-anonymised, or whatever—but the way that we are now breaking down demographics to get better statistical information from which government can make properly informed decisions means that if I carry out cross-matching between people, profile and post code, I can end up with a good idea of who is who and what they are doing. If you are the only person with an income above a certain level or who satisfies certain criteria within a post-code block of, say, five, 20 or 30 houses, I can probably identify you from the statistics provided by the statistics service. We probably need to look at this issue from time to time, and the problem is that the Office for National Statistics will be under pressure to produce results—but at the end of the day they may not be in the best interests of the citizen. We should give the Information Commissioner a little bit more power to keep an eye on this issue. After all, we have surveillance commissioners and people who look after all the other things that intrude into our lives when government bodies have similar powers. It would be a good idea to reinforce that a little more in this matter by giving the Information Commissioner more proactive power.