UNCORRECTED TRANSCRIPT OF ORAL EVIDENCE To be published as HC 365-i

HOUSE OF COMMONS

MINUTES OF EVIDENCE

TAKEN BEFORE

HOME AFFAIRS COMMITTEE

ID CARDS: DATA SECURITY ISSUES

Tuesday 26 February 2008

MEG HILLIER MP and DR DUNCAN HINE

Evidence heard in Public Questions 1 - 86

USE OF THE TRANSCRIPT

1. This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.

2. Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.

3. Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.

4. Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.


Oral Evidence

Taken before the Home Affairs Committee

on Tuesday 26 February 2008

Members present

Keith Vaz, in the Chair

Ms Karen Buck

Mr James Clappison

Mrs Ann Cryer

David T. C. Davies

Patrick Mercer

Gwyn Prosser

Bob Russell

Martin Salter

Mr David Winnick

________________

Witnesses: Meg Hillier MP, Parliamentary Under-Secretary of State, Home Office, and Dr Duncan Hine, Executive Director of Integrity and Security, Immigration Passport Service, gave evidence.

Q1 Chairman: We now have Meg Hillier, the Minister for Identity Cards. Minister, welcome to this session. Can I formally welcome you to your first session before the Home Affairs Select Committee and also your official Dr Duncan Hine? Minister, we are here to consider one particular aspect of the Identity Card Scheme. We are not going to look as a committee into this area as a whole, we are specifically looking into the issue of the security of data, and that is what we are going to question you on today. We are still completing our inquiry into the surveillance society, so some of what you have to say may well be relevant to our inquiry. Can I begin by putting to you the comments made by your fellow minister in the Home Office, Lord West, who said that "as the National Identity Register is not yet in place, we will be able to learn any lessons from the HM Revenue and Customs incident", when data, of course, was lost. Has that incident changed the Government's approach to the identity scheme or, indeed, the way in which data is preserved and protected?

Meg Hillier: Thank you, Chairman. It is a pleasure to come before the Committee for the first time; I hope the first of many such appearances. I think we would agree that the data loss at HMRC dented public confidence in data management. In terms of its impact on the National Identity Register, it underlines the need to get the basics right in the first place, but there are quite big differences between that data and the National Identity Register. The National Identity Register, essentially, will be a secure database; it will not be accessible online; any links with any other agency will be down encrypted links. The only physical transfer, for the most part, will be for disaster recovery, just as we do currently with the Police National Computer, just as we do currently for the passport database, for example, and there will be very, very limited access to other jurisdictions within Europe, but, again, the sort of thing we are currently doing, so we have a very different sort of database. In addition, the fingerprints that people will provide when they register, and their biographical data will be on two separate databases and the link will be when the individual allows verification of their identity. It is putting the power, in fact, in the hands of the individual.

Q2 Chairman: So there is no change to the way in which you are going to be preserving data as a result. There are no lessons to be learnt over what has happened in the last few weeks when data has gone missing in a number of different departments for a variety of reasons?

Meg Hillier: As I said, I think the important thing is to make sure that there is public confidence. We have not just got to do what we do well and get those basics right, we have got to demonstrate to the public that that is the case. What we have looked at particularly since that incident is not only ensuring that that security accreditation is in place at top government levels - and we have to have that before the database could get the go ahead to be used - not only ensuring that we have the Scheme Commissioner, which was already planned, in place with oversight from the Information Commissioner, but we are also looking to enhance parliamentary scrutiny of the scheme, and I would welcome any suggestions that the Committee has about that. We have plenty of time to get that sort of thing in place. We are currently going through the contractual process of procuring the contractor to deliver the scheme.

Q3 Chairman: When will that be completed?

Meg Hillier: That will be completed towards the end of this year - that is what we are expecting - or maybe early 2009.

Q4 Chairman: In respect of sharing of information with, for example, EU partners and specifically to do with the recent data sent by the Dutch Government to the CPS, not to the Home Office but to the CPS, are you satisfied that there is sufficient security in transferring data? It is my understanding that the disks arrived in an envelope, not under secure transmission, at the CPS and were just left on somebody's desk for over a year. Do you have any further information on that particular incident?

Meg Hillier: Obviously the Attorney General's Office is conducting an inquiry into the CPS's role in that - clearly there may be issues with the Dutch authorities - and from the point of view of the National Identity Register, there would not be disks flying around in that way. Anything that was ever downloaded would be encrypted, and Dr Hine can happily explain more about how that would work, but there would be severe access controls so that, for example, certain data would only be allowed to be accessed even by two people. I went recently to visit the Police National Computer at Hendon and saw there the handful of staff that are involved in making sure that that database is run smoothly and that particular accesses are controlled. There is also, of course, going to be an audit log so anyone is able to look at their audit log to see personally who has looked at the record, but an audit log to make sure that no-one is making unauthorised access to it.

Q5 Chairman: But it is your intention to share this with EU partners through Europol and Eurojust?

Meg Hillier: Only in the way that we currently do now, which is mostly verification against a database. For instance, just a week ago we passed a statutory instrument in the House which allowed shared information about passenger name records and other data about passenger movements. To those names security controls would apply but to a much higher level for the nationalised database.

Q6 Chairman: There is no intention to send disks through the post or to transfer them manually to people?

Meg Hillier: Perhaps I could ask Dr Hine to come in on how exactly it would work.

Dr Hine: Certainly. All of the extracts (and these might be, for instance, for lost or stolen documents so we can alert our partners to look for those on the border and so on) will be heavily encrypted to government standards, and the action required to draw an extract off would require multiple people to agree that that is the case and actually trigger that action.

Q7 Mr Clappison: Minister, could I ask you a little bit more about how this will come about? I take the point you make about the security of the information being transmitted to Europe, but I wonder if you could tell us a little bit more about how this information would come to be shared with our European partners, as you put it?

Meg Hillier: Currently we share quite a lot of information, but not randomly. It is shared only on the basis of the need for investigation. For example, with passenger names records, we share information where there may be concerns about terrorism or murder. Someone might ask us to interrogate our systems and there would be a process which would allow that information to be shared on a need-to-know basis for very high level issues. It is not as if there is anyone out there who is going to have the chance just to put their hand in and look at the data. We will certainly not be allowing that. Mostly it will be verification, yes or no, is this person the person that they say they are? The answer would come back, yes or no. No personal data, for most of the transactions, would be revealed.

Q8 Mr Clappison: This is different from the information you currently store, because this is going to be information about every individual in the country, their personal details, their biometric details and so forth.

Meg Hillier: Yes.

Q9 Mr Clappison: How will the relationship between yourself and your European partners be governed on this? How is it going to work?

Meg Hillier: The Information Commissioner has been closely involved and will continue to be involved, and we are keen for that to continue. Clearly, parliamentary scrutiny also has a role, but I just want to pick up, Chairman, on this issue about the information being very different to what we currently hold. If you look currently at the passport database, the information on that is very much what the information will be on the National Identity Register. If you look at the current passport, and I have my old one here, the information that is on the passport will be much the same as what is on the card.

Q10 Bob Russell: A very nice picture.

Meg Hillier: I was much younger. I brought my old one, Mr Russell, because I look much better in that, I fear.

Q11 Martin Salter: You have got nice blue eyes!

Meg Hillier: Blue eyes, yes. Forgive me, Chairman, I do not intend to be frivolous. The information on the identity card will be much the same as the information that is on the current passport, the readable zone. The information on the database will include National Insurance number, update of address and a log of who has ever looked at the record. I think it is just worth nailing, Chairman, as it was raised, this idea that there is going to be a lot of different information. This information is routinely provided by people to government and it is just going to be held in one place.

Q12 Mr Clappison: You mentioned our partners. Would it include, for example, Europol and Eurojust and European institutions which are part of the new enhanced European area of justice and security?

Dr Hine: Those sorts of policies will have to be worked out in more detail later. What I can say for the current passport database is that we pass our information through the Serious and Organised Crime Agency, who hold the lead for links to Interpol and some of the other agencies you mentioned.

Q13 Patrick Mercer: I was particularly interested, Minister, in what you were saying about the exchange of information to do with terrorism. Can you give us some idea as to the protocols about that and what other European partners will have access to the information, whether this is carte blanche or how it works?

Meg Hillier: It will be covered by the existing protocols that we have. If there is a need for any more, that is something we can, indeed, look at, but I want to emphasise again that the information held on the National Identity Register will not be 100% of people, because it is a voluntary scheme. It does not include actually a great deal more information, well, it does not include much more information than is currently held in many other databases. The benefit is that it is held in one place, and so it is upgrading, in a sense, what we have already got by putting it in one place and, of course, the key thing is securing someone's identity. If you look at what we have done with visas, everyone now applying for a visa to come into the UK is fingerprinted, and we have managed to identify people who have applied for visas before or have been rejected from this country and tried to apply under a different identity. The benefit of a fingerprint is really what is key in identifying an individual; so the protocols that we currently have will be in place.

Chairman: A supplementary from Mr Davies.

Q14 David Davies: Will non-European enforcement agencies have access to the database? For example, will the American law enforcement agencies have access to this database?

Meg Hillier: European nations are currently signing a protocol with the United States on passenger name records. The existing protocols that we have would govern the data from the National Identity Register.

Q15 David Davies: That is a, yes, then, basically.

Meg Hillier: Only very much on a need-to-know basis. We are talking about very, very limited access; it is not a willy-nilly, "You can go and look at it." No-one can look at it; I should stress that. You cannot actually go in and look at the details.

Q16 David Davies: But if they ask, they can have it?

Meg Hillier: If there is absolute need. It has to be proved to the highest level though.

Dr Hine: I just want to draw the distinction between pursuing a specific investigation and asking for particular facts about particular suspects, and so on, versus widespread access, which they will not necessarily have.

Q17 Mrs Cryer: Minister, can I ask you about any review that is taking place at the Home Office regarding their procedures on data? The Prime Minister asked the Cabinet Secretary and security experts to ensure that all departments, including the Home Office, and agencies, check their procedures for the storage and use of data. How have these checks been carried out at the Home Office and the Identity and Passport Service and what conclusions have been drawn about Home Office procedures?

Meg Hillier: Certainly the Home Office and the Identity and Passport Service have contributed to that discussion. The implementation will take place over the next 12 to 18 months. In terms of exact detail, I can write to you further about any very detailed lessons that we have learned, but actually HMRC was a human error, and I think with the National Identity Register we are assessing the risk and are taking proportionate action to make sure that human error potential is as limited as possible by having fewer than 100 people with access to the actual database, just as with the Police National Computer - there are very few there. So, there will be few people with direct access to it and we have got to make sure that that database is very secure, and that is why the security accreditation by government is particularly key. Any links are, if you like, hard-wired, and encrypted, but Dr Hine is better able to explain than I am about the encryption processes.

Dr Hine: Certainly if I can speak for IPS, when we carried out the review, as requested, we found that we were broadly compliant with all of the guidance. I think the one area that has been clarified is the level of encryption required for the movement of sensitive personal information.

Q18 Bob Russell: Minister, I wonder if I can pin you down on this very direct question. How many people will have access to National Identity Register information held on each of the systems?

Meg Hillier: Fewer than 100 - I cannot give a precise figure; at this point we do not have the register up and running - would have full access.

Q19 Chairman: More than one and fewer than 100?

Meg Hillier: Yes. More than one, I can certainly say. It would be in double figures, or that is what we anticipate.

Q20 Chairman: That does not sound very precise.

Meg Hillier: We have not actually got the National Identity Register up and running at the moment. I am not going to make a commitment how many staff are going to be employed to do that, but if you look at what happens with the Police National Computer, you do not need that many people to do that bit of it; what you have got to be clear about really, the bigger issue, is who has access remotely, and most of that access will be about verification checks. Currently we do that with passports. If you are an employer and someone presents to you with their passport, you would make a phone call to---

Q21 Chairman: We do not need to see your passport again. We believe it is you!

Meg Hillier: But they would then check that as verification: "Is this a real passport?", and you would get that, yes, or, no, answer.

Q22 Bob Russell: Minister, some months back we had experts in here who said it was actually more of a security risk to put all the eggs in one basket, so to speak, but today you have stated that putting all the eggs in one basket is the best way of safeguarding the security of the identity of people.

Meg Hillier: It is actually eggs in two baskets, if we are using that analogy, because there will be one database for fingerprints and facial image and that will be separate to the database which will be built upon a DWDP database of biographical information, which is what is currently on the passport database, plus those other points I mentioned. The key thing is that the link can only be because the individual authorises it.

Q23 Bob Russell: So, there are two baskets, there are two systems. The Strategic Action Plan for the Identity Card Scheme says that each of the systems that will hold National Identity Register information will have its own specific security controls.

Meg Hillier: Yes.

Q24 Bob Russell: Are you building extra security controls into existing systems?

Meg Hillier: The biometric database, the one that holds fingerprints and facial images, is going to be a brand new database, but we have examples of that, for example, the ARC card produced for asylum seekers. We collect data currently for visas, so it is not as if we have not done it before, but perhaps Dr Hine can talk about the very precise security.

Dr Hine: Yes. There are two main repositories, one for biographic, one for biometric information. The biometric information is held at a higher standard of security, for various technical and risk-based reasons. If it is necessary to harden either of those repositories where they are based on an existing system, we will be doing so.

Q25 Bob Russell: Perhaps I can continue, Chairman, on that line directly with Dr Hine. We have been told that two expert groups will be put in place to make sure that the NIR operation is secure, but what expert advice, if any, is being taken through the procurement phase of the scheme to ensure that the NIR is, indeed, designed for security and privacy as well as the efficient delivery of public services?

Dr Hine: We are supported by a number of experts who are working with us on the team. We are also supported by the Communications Electronic Security Group (CESG), which is part of GCHQ, we are supported by CPNI (Centre for the Protection of National Infrastructure) and CSIA (Central Sponsor for Information Assurance). We need to satisfy all three of those bodies that the design is fit for purpose.

Q26 Bob Russell: Minister, are any of those experts coming from outside companies who have a direct interest in the identity card scheme if it goes ahead?

Dr Hine: I can take that. One of my other roles is to run a conflict of interest register which maintains that all employees, whether they are temporary or permanent, must avoid, at all costs, any conflict of interest on the supply programme.

Q27 Bob Russell: Finally, Minister, we have been told the Information Commissioner's office has reportedly turned down an informal request that it use the National Identity Scheme as a test case for the introduction of privacy impact assessments. Is this correct and, if so, what reasons did the ICO give for turning down the request?

Meg Hillier: I think you would need to raise that with the Information Commissioner direct, but the Home Office does do privacy impact assessments of its own.

Mr Clappison: Three quick factual questions. In precisely what circumstances will European Union institutions have access to the information on this database, which institutions will have access and will we be told about it when they have had access to it?

Q28 Chairman: And quick answers, and if you do not have the answers, you can perhaps write to us.

Meg Hillier: I think, if I list all the institutions, I might miss one out, so I would prefer to write to the Committee on that.

Q29 Mr Clappison: There are quite a lot then!

Meg Hillier: Well, no, I am---

Q30 Chairman: If you could write to me, it would be very helpful.

Meg Hillier: I will certainly write to you on that, Chairman. I am sorry, the second question was?

Q31 Mr Clappison: In precisely what circumstances will European Union institutions be able to request, to simply ask? What will determine whether they can ask?

Meg Hillier: There is a level of proof. We have protocols that are currently in place and a level of proof. You cannot just ring up and ask for information, they have to prove that there is an on-going investigation and we currently have that in place. The third question was?

Q32 Mr Clappison: Will we be told about it when the European Union has been given information about us from the database?

Dr Hine: Any access to information about individuals will be recorded in forensic and audit logs. The only exception to that would be if the individual was part of a major investigation.

Q33 Mr Clappison: Will we be told about that?

Dr Hine: If the individual enquires, they will be told.

Chairman: Thank you, Mr Clappison. Karen Buck.

Q34 Ms Buck: Following on from that, in respect of the EU and the United States requests, are all protocols based on reciprocity?

Meg Hillier: Yes.

Q35 Ms Buck: We have exactly the same capacity to check exactly the same data in all cases?

Meg Hillier: Yes, although, of course, in some cases our databases may be different to other countries, but the principle of reciprocity---

Q36 Ms Buck: It is not the principle, it is the same information. I accept the systems may be different, but it is exactly the same source of information, exactly the same data?

Meg Hillier: Yes. I would not say it is categorically the same data. There may be some countries in Europe, for instance the new accession countries, which may not have that data so easily accessible as we currently do, but we are moving towards European standards on all this data sharing anyway.

Q37 Ms Buck: And it is the case with the US?

Meg Hillier: Yes.

Q38 Ms Buck: You have talked about some of the safeguards that you are putting in place in the light of the catastrophic loss of confidence over the data systems, but is it not the case that it was not so much the procedures, it was not the protocols that failed, it was the fact that people did not follow the protocols that were already in place? How can you be sure, with a system that effectively does upgrade the risk by upgrading the scale of the system, that it is not just a question of having the right protocols in place but that you will be constantly vigilant to the capacity of the individuals working with it?

Meg Hillier: The audit log that will take place in the centre of where the scheme is, is similar to the other large databases, for example the passport database. Even within the Criminal Records Bureau there is a log to make sure that any unauthorised access is quickly picked up. There are regular logs, but there are also ad hoc audits that are taken so that it can be seen if there is any unusual activity that therefore has to be justified, and that audits individual's access to any register entry. Of course the sanctions are very strong. Under section 27 of the ID Cards Act 2006 it is a criminal offence. First of all, if you disclose any information on the database, you can get up to two years' imprisonment, and, if you tamper with it, you can get up to ten years' imprisonment. The combination of the risk-management and the stick, if you like, the sanction, that someone would basically access it, effectively would be---

Q39 Ms Buck: Presumably we did have, not exactly comparable but similar safeguards and penalties that apply elsewhere in government departments, and that did not protect the catastrophic data losses. Why should this?

Dr Hine: I think, based on our experience of maintaining security around the passport database, the thing that we found most valuable was an on-going programme of audit and compliance. We do not assume the thing continues to comply, we check that physically, we check the business process and we check people's understanding and behaviours and, if they need extra awareness raising or training, we deliver that before we get a problem.

Meg Hillier: I think, Chairman, it is worth highlighting that the passport database is a very good example of what can be done. We have had a good success rate on the passport database.

Q40 Chairman: You have not lost any data yet.

Meg Hillier: Not that I know of.

Q41 Chairman: There is a lot of wood around you, so you can use that.

Meg Hillier: It is certainly a very, very secure database. If you stopped the average man or woman in the street and asked them if they were worried about their information on the passport database, they are not; and I would say to people: do not be worried about the National Identity Register. It is really very much the same information. The only other bits are things that you actually supply all the time to different bits of government and you actually have access to see who exactly has looked at it. It is actually giving you some protection against the State or anyone coming in to look at your data. You can actually see the activity that has been taking place and you do have the power to control who receives that, except for those very few circumstances like when the security services may---

Q42 Ms Buck: Was that research done after these high-profile losses?

Meg Hillier: I am sorry; I was not referring to that. I am surmising that if you were to stop anyone in the street and talk about the---

Q43 Ms Buck: But do we know?

Meg Hillier: We do regular polling, and I can check and get back to you, Chairman. Most of our information comes about from the National Identity Register rather than the passport database, so I am not sure we have any specific questions, but I will go back and check.

Q44 Ms Buck: It would be helpful to know. You talked about other government departments having access to information on the databases without the consent, obviously, of individuals. In each of those circumstances can we be confident that, again, it is about requesting validation of data and not increasing the number of people who have access to the database itself, i.e. the Security Services, Customs?

Meg Hillier: Yes. We are talking about very, very few cases where someone like the Security Services may need access. Most of the day to day access would be only because the individual has allowed it. Under section 13 of the Act, a public service cannot require an identity card in order to access a service. For example, the NHS could not require that you produce your identity card unless there was a change in legislation; so it would be within the hands of Parliament to do that. There is a lot of protection there.

Q45 Ms Buck: In terms of other government departments that can seek access to the information on the database without my consent, in each case is it always that that information will be a data request and that those agencies will not have direct access to the database?

Meg Hillier: Yes.

Q46 Ms Buck: Always: Security Services, Police, Customs?

Meg Hillier: We have to have two people providing the access.

Q47 Ms Buck: But it will not be, for example, the Police or Customs will have any access to the database itself? It will always be filtered through that one to 100 members of staff who are vetted and trained for the purpose of managing this database.

Meg Hillier: It depends whether you mean in terms of the actual data. Verification is quite straightforward, yes or no. I think that is clear. Dr Hine might want to come in on that.

Dr Hine: Broadly, we will be following the same policy we do with the passport database, which is to provide verification against a specific question rather than wholesale complete extracts of the data.

Q48 Ms Buck: The word "broadly" alarms me. What we are talking about here is: what are the exceptions as a general assurance.

Dr Hine: A number of exceptions are picked out in the original legislation around law enforcement and intelligence services. There may be other exceptions from time to time but, broadly, we are resisting those.

Q49 Ms Buck: I am sorry, Chairman, I think this is really important. We need to drill down into those exceptions, not into the generality, on which I am perfectly happy to accept assurances, but those exceptions, what are the criteria and how many people, because in the end all of this data loss and the anxiety of that data loss relates to those exceptions, to those extra people, to that chain that can open up quite quickly. What happens to that data there? Do we know, will we know, when will we know exactly what those criteria are that apply to those exceptions? I am afraid, with the greatest respect, being told that it is going to be a few hard cases is not good enough.

Dr Hine: For even the exceptions, I would say that we still consider ourselves the stewards of that information; so any information is only passed to another party after they have satisfied us that they have got the security processes, the right accreditations, the right business process and procedures and we continue to audit those on a regular basis.

Q50 Ms Buck: This is my last question. The proposal that integrates passport, identity card and life registration systems seems to me to open up the possibility, unwittingly, of a data link, that people can seek to verify one piece of information and find they get access, or be given access, to a much wider pool of information. People may have a perfectly valid reason to know about my passport; they will not necessarily have any right to know whether I got married. Are we absolutely certain that in all circumstances, including for example EU or US requests for data or Customs and Excise requests for data, they will only ever have access to the information that they specifically request and not to a larger pool of data?

Meg Hillier: Yes, that is the intention and, clearly, when we design the scheme we have got to make sure that the very questions you ask are dealt with.

Dr Hine: The inadvertent leaking of private information is something we have guarded against from a very early stage of the design. For instance, if a small level transaction required you to prove your age, whether you were over 21 or not, all we would prove is whether you are over 21; we would not reveal your date of birth.

Q51 Mr Clappison: I think people would like to know, additionally, when information about them has been given. I was a bit concerned about what you were telling me earlier on, for example when information goes to the European Union, that we would only find out about it if we asked.

Meg Hillier: But we only find out about any information, Chairman, if we ask.

Q52 Mr Clappison: People will not be told that this information has been shared. How will they know it has been shared?

Meg Hillier: Chairman, I think we have to have a bit of a reality-check about where we are now. If someone were to access any of the other data that government holds on you, we would not actually have a log of that, we would not know that. With the National Identity Register, one of the key things to try and make sure that the public are confident is that, were the Rt Hon gentleman to want to know who had looked at his information, Chairman, if you wanted to look at that, you could ask to see the audit log of who has actually looked at the information.

Q53 Chairman: Who would you ask, in answer to Mr Clappison's question?

Meg Hillier: You would ask the custodian of the National Identity Register.

Q54 Chairman: Who is the custodian?

Meg Hillier: We do not have a custodian yet.

Q55 Chairman: You do not know yet, but there will be a custodian?

Meg Hillier: There will be a custodian.

Q56 Mr Clappison: How will you know it has happened in the first place though?

Meg Hillier: We are damned if we do and damned if we do not. If we have a log people criticise the idea that people can see their transactions, but it does enable the individual to see exactly who has looked at their information, and I think that is quite an important protection. It is a bit like a credit card reference: how would you know to look at your credit card reference? Some people look that up. People look for different reasons: some may do it because there has been an issue; some may just choose to do it.

Q57 Chairman: We understand that. The point Mr Clappison is trying to make is how will we know someone has accessed this information? Will we have to send an email to the custodian every day? How will we know it happens?

Meg Hillier: It is up to the individual. The power is in the hands of the individual to ask. It cannot be fairer than that.

Q58 Chairman: Would not that mean many, many citizens would be asking every day for information that is not necessary?

Meg Hillier: If you look, for example, at credit reference agencies or other information people may ask about, for instance, under freedom of information, there is a steady flow of business. It is not as though every citizen is asking every day. People are usually reasonably content to ask when they need to know. We were in a position here where we put the power in the hands of the individual, we put the responsibility, to a degree, into the hands of the individual to make that request.

Q59 Chairman: There could not be a Google alert whereby somebody is told that somebody has asked for this information?

Meg Hillier: It is an interesting idea.

Q60 Chairman: Has that been examined, Dr Hine?

Dr Hine: I just want to bring out the fact that, of course, the vast majority of verifications will actually be initiated by the citizen, and that is the overwhelming majority. They will know that they are about to buy a house, they want to prove their identity as part of that transaction and they will ask us to verify themselves. They may want to come back to the audit log to say: did that happen?

Q61 Mr Clappison: On the European Union point, but it might apply elsewhere, do you understand that people might have some concerns that institutions of the European Union have been able to find out their personal details, which are stored on your database, and have access to it and they will not know about that unless they bother to ask? Do you see that some people might be concerned about that?

Meg Hillier: I think, Chairman, we are going down an interesting line here because actually it is not going to be a regular, random sharing of information with the European Union. The people who might be affected by that are likely to be suspects in serious crime or terrorist incidents, or immigration offences. It is not that every person in this room would have an expectation that their information would be checked. It is difficult. The idea of a Google alert sounds easy, but that would be a huge flow of information actually revealing things, potentially, at risk and the security implications of that are more complex than someone choosing to access it in their own terms.

Q62 Chairman: I hope you sense that the Committee is very concerned about this.

Meg Hillier: Absolutely.

Chairman: We need to really explore this further. We will have one last question, because Mr Salter is waiting to come in.

Q63 Ms Buck: I need to come back on that point. When the Committee went to Washington and had a number of discussions about this, one of the things that most alarmed us was the scale of false positives, the extent to which the US database included huge numbers of people who were on that database incorrectly, and assuring us that we are not going to be on it may well be true, it almost certainly is true, but it does not provide any absolute backstop of guarantee against the fact that any one of us could be on it through some rogue question, through some mistake, and the implications of that are potentially devastating. Just being assured that it is going to be all right does not do anything to deal with that.

Meg Hillier: Can I speak clearly? I was not quite sure. Let us say the US authorities request this information. Are you suggesting that they might then include that information on their own database?

Ms Buck: No, I am talking about the US experience. The lists that they compile of people for their no-fly purposes, and so forth, included, I think, half a million, was it, we were told---

Martin Salter: And some fairly mad categories.

Q64 Ms Buck: ---of people who were false positives, people who were on there inaccurately. With the best will in the world, our agencies, Customs, the United States, the EU countries, whatever, may make inquiries of an individual in error, possibly not even in error, and the implications of that are really quite serious, and just being assured that it is not going to happen, or it is not going to happen very much, is not what we are looking for?

Meg Hillier: Dr Hine has recently come back from America, so perhaps he can comment.

Q65 Chairman: Unless he can answer the points that have been raised. Can you?

Dr Hine: I can, yes. I have recently returned from the US, visiting my colleagues over there in similar programmes. The complete point that they made on this one is that you do not look for just biometric matching or watch-list matching; you actually combine all of that with the same humans that were very skilled on the immigration and border controls and you work all of those things together. People may be on the list but then, after the questions, you can clarify that situation. The list is not a hard list, it is a list of possible matches, just as when they have taken our fingerprints they may get a match or a partial match but then a few questions clear it up.

Q66 Chairman: Minister, the Committee is concerned about this and we will be including reference to this in our surveillance society report. If there is anything you can send us that will reassure the points made by Mr Clappison and Karen Buck, it will be most appreciated because we are very concerned.

Meg Hillier: Chairman, I hear the concerns and certainly we will send any further information we can.

Q67 Chairman: It is about public confidence in the end.

Meg Hillier: Much of what is happening happens anyway. This is how international watch-lists work. I think there are, therefore, wider issues.

Chairman: Let us turn to biometric information.

Q68 Martin Salter: Minister, we are interested to know what measures you either have put in place or are planning to put in place to protect biometric information. Also, there appears to be a changed emphasis. Back in December you talked about identity cards having a biometric fingerprint and a facial image being locked into a digital chip. Does that mean you have abandoned the plans for iris recognition?

Meg Hillier: Iris recognition is not currently planned for the first generation of identity cards or passports. The major roll-out will be at about the same time, and we are upgrading the passport. Modern passports now have a digital chip containing the facial image and they will have fingerprints, as will identity cards. I would not say we are ruling out iris technology for ever. The aim is to build a system that works from day one, we get the system up and running, but that it has got upgradeable potential. Who knows who will be in my job deciding those things, and Parliament will make decisions around that down the line? I would not say it is ruled out, but it is not going to be coming in with the first identity cards, either the foreign nationals this year or the first ones for British citizens next year.

Q69 Martin Salter: The first question was what special measures have you put in place to protect biometric information, in the context of who else do we give biometric information to, assuming we are not members of MI5 who have currently got biometric processes for other purposes? Who else would ever receive biometric information at the moment, because as I see it is going to be only the National Identity Register?

Meg Hillier: The point about having it on a National Identity Register is it links you, Mr Salter, to your biographical information, and you can make that link yourself, you are the one that allows someone to verify against it, and it is a verification against. We are not going to be sending pictures of fingerprints around the country and between organisations. It is a verification against. Dr Hine can explain in more technical terms how it works.

Dr Hine: The important thing to register is that the biometric repository is held at a higher level of security than the biographic. There will be multi-layer defences, perpetual intruder detection and various other counter-measures that stop people attacking it or drawing information out of it erroneously. The most frequent use of biometric will be to prove absolutely against imposture so that on a very high strength transaction you can actually fundamentally prove that I am the person that relates to that biography through the use of the biometric.

Meg Hillier: Chairman, when you are given a passport now, or an identity card, there are different mechanisms, different levels of proof. Very often when we meet people we quite happily take on proof that when Mr Salter introduces himself I believe he is Martin Salter MP. If you go perhaps to pick up a parcel you may need to have some photo ID; they will look at the photograph and verify that. The sort of thing you might need to use your fingerprint for would be at the border, for example, where already we see some countries collecting fingerprints. We collect fingerprints for visas. The degree of identity check will depend on the transaction. It would be, I think, not something we would tend to think was a good idea if suddenly you had to use your fingerprint or have a register check to get a library book out. Most libraries would probably be happy to accept---

Q70 Martin Salter: I agree with the Minister; it would be appalling if we went down that road.

Meg Hillier: There are no proposals!

Q71 Martin Salter: We are being told that biometric information will be held on a high degree of security, but if that security were ever breached, it could be fairly cataclysmic for the individuals concerned. I had my identity stolen by a tabloid journalist who was seeking to find where I had moved, and I have got his name and address and at some point I will register it as a crime with the police, but how confident can we be that the high level of security that you talk about is going to be impenetrable?

Meg Hillier: Can I just say, before Dr Hine comes in on the technical side, you have had your identity stolen. Had you been required to use an identity card to prove your identity that the impostor had, they would not have got very far, because any verification against the identity register would make it clear that it was not the person, that they were not Martin Salter, and that is because the unique identifier is the fingerprint that only you have, and so someone could not pretend to be you.

Dr Hine: Like any security system, it will be designed around risk and impact design. We have designed in the highest levels of controls that we can identify for the biometric store, and that relates to both technical infrastructure, staff, coercion resistance, security clearance and multiple access and multiple locks, so that even if an inadvertent or a determined effort were made to penetrate it, we would discover that at the very earliest stage and be able to stop it.

Meg Hillier: I should also say, of course we have IDENT1, the police fingerprint database, and that is very secure.

Chairman: Indeed. Thank you Mr Salter. Gwyn Prosser.

Q72 Gwyn Prosser: Minister, I am in favour of identity cards, you will be pleased to know, and that is mainly on my experience in Dover when biometric cards for people claiming asylum were so effective and still are effective today. I carried out a survey at that time, and over 80% of the people who responded in my constituency supported it. I do not think I would get anywhere near that at the moment, and even my own faith in the security has been shaken a bit, and you can see from the flavour of the questions today, the Committee shares that. In your opening remarks you talked about building public confidence, and the Home Office have said repeatedly that it will never be a success unless we do gain public confidence. There is a huge task ahead, is there not?

Meg Hillier: Chairman, it may seem a huge task, but just ten days ago I was in Crawley at an event to talk to various potential partners in the scheme - voluntary groups, business, local government - and, I have to say, there was widespread support. What we were talking about there was the practicalities of what it could deliver and how we could make sure it delivers what those organisations want. I am going to be working to engage business, and local government in particular, further. I think lots of people are beginning to see the practical benefits will have a difference. If you look at what has happened in the past, we have had a passport which was used for external verification of identity, a National Insurance number, which was used internally, and now 80% of British citizens have a passport and we should see an identity card, like a passport, in country, if you like, that entitles people - we are not using it as an entitlement card, but it gives people easier access to certain services. What was very interesting in Crawley was that the discussion was very much about the practical and not about the "if". The concerns in points raised were actually often about cost, about how an organisation might check it, what benefits there would be of checking it in terms of speed and cost savings for the organisation. Those are all points that I am welcoming comment on because they are things we need to be feeding into how the scheme is designed.

Q73 Gwyn Prosser: To the person in the street, to the punter, I do not think you find that level of confidence. Does the Government have any plans for measuring opinion on identity cards in the light of the security failures, and is it going to be a robust strategy? Have you got any ideas in mind of how to build? Frankly, I do not think it is sufficient to say we will have this level of encrypting and only these people will know and we will not share the data very much. I think there has got to be a very strenuous campaign to get people on side. Do you not agree?

Meg Hillier: Which is why I am going to be going round the country talking to the public and some of the organisations I have mentioned to do that. We do gauge people with opinion and there has not actually been a huge drop.

Q74 Gwyn Prosser: What is it now?

Meg Hillier: I think it is hovering around the 60% mark of people in favour. I can provide the Committee with the exact up-to-date position after this meeting.

Q75 Chairman: Has it gone up or down?

Meg Hillier: It fluctuates a couple of per cent up and down at different times. It often depends whether there was a headline in the news one way or another before a survey takes place. I think that does affect it. If you look at where the passport is now, if you can remember, 50 years ago how many people had passports? Now 80% of British citizens have a passport, and the number of entrants to Britain is increasing because of EU membership, tourism, being a world financial centre, a world student centre, so we do need to move down the route of effectively modernising what we are doing with passports and allowing that access to people. It is in the public interest to make sure that what we are doing with passports and the other data like National Insurance numbers is held together. I think it makes it a lot more convenient for people, and I think we do have to go out and win hearts and minds. When I arrived in the Home Office, quite rightly, we were looking at the costs and other issues. I have spent the months I have been there beavering away to work out how we can practically deliver it and make sure that we deliver a real deliverable solution, and I need to be now going out and talking to people about how that will practically work for them, what their concerns and interests are so that we can make sure we are also taking those points into account. So, watch this space, I would say, Mr Prosser. We are going to do more of this and I will happily come down to your constituency, if you think that would be helpful.

Q76 Gwyn Prosser: You would be most welcome. Can I make a last remark? During the course of the research failures, serious as they were, ministers did not resign, and we can understand why that is to an extent. Taking into account the very serious nature of a leak or breach in the national system, when it comes into place, and the fact that ministers and, indeed, home secretaries are robustly supporting the system and saying how safe it is going to be, would it not be proper if the Minister with responsibility for the database would actually, before its introduction, say, "If it fails, then I will resign"? Would that build confidence?

Meg Hillier: I have to say, Mr Prosser, with all respect, I am not sure that the average member of the public really worries about my position or the person in my position. What they want to see is a scheme that works. I want to see a scheme that works. I have been working away to make sure of the practicalities. We are part way through a procurement process at the moment. We will have that contractor in place. Once we have that contractor in place, we are really going to bottom out a number of issues the committee has raised, and others, to make sure we do build a scheme that is strong and confident. Chairman, Mr Prosser obviously has a greater hope about my longevity in this job, for which the average length of stay is around 13 months.

Q77 Gwyn Prosser: I was not referring to you, because you will be Home Secretary by the time this comes in! The reality is that it is not a question of the public being concerned whether the Minister resigns or not, it is a question that if a minister has got direct responsibility to that extent, then he or she will ensure, every day perhaps, that the systems which have been put in place are being adhered to. What we know from our recent sad experience over the last three months is that that has not been the case for a long time?

Meg Hillier: Can I assure you, Chairman, that I take a very hands-on approach to making sure that we get practical delivery and, in addition - obviously I am working closely with the police, including the Home Secretary, and officials - we will be looking constantly to answer (and they are very helpful questions that have been raised today) any concerns and we are making sure that we can rigorously prove that they are being addressed. Once we have a contractor in place, we will be able to pin that down more. Getting into the issues about who could or could not or might resign in the future, I do not have a crystal ball and I am not going to go down that route, but I think we need to be reassured of that, and I would be welcoming the Committee's comments in particular about how we can strengthen parliamentary oversight and scrutiny. If there is anything in particular that you think that the Home Office ought to be doing, the Government ought to be doing, to make sure that Parliament has a stronger role, I will happily take that back.

Chairman: Indeed. It is unlikely that pre-emptive resignation will be one of our recommendations.

Q78 Martin Salter: Minister, I should not worry too much about your longevity in government, I think you have done very well here and have done very well in the post so far, but could you share with us briefly the poll data that you have, not just in terms of support for ID cards, which undoubtedly has taken a hit, as Mr Prosser says, as a result of the loss of data and the ability of the Government to screw up major IT systems with alarming regularity, but what is the public support for having an ID card for foreign nationals?

Meg Hillier: I will certainly look up that data and share it with you.

Q79 Chairman: I have a question on the DNA database, not about the case that is going to the European Court tomorrow, but generally on the mistakes that seem to be on the DNA database. The Government, of course, has rejected the concept of a universal DNA database for British citizens and people resident in this country, but of the current names on there, it is alleged that half a million are inaccurate. Is that figure correct and what is the Government doing to clean up the database so it has accurate information?

Meg Hillier: It is in that region, Chairman. I would reassure members that those inaccuracies, as you describe them, do not have any impact on crime detection. What would happen is that if, for example, I was arrested and I gave my sister's name, that data would then be on the database in that way. If I was arrested at a later date and gave my own name, clearly there would be two records: the same DNA, but two different people. In the past that clean up did not happen straightaway. What happens now, because of IDENT1, the live scanning of fingerprints, that is picked up straightway, so you do not get a second record because very quickly you can identify that there are two people, there is already that biometric information held, the DNA will be held, so we are certainly cleaning it up now. Where that arises it is cleaned up straightaway. During last year the number of duplicates on the database was 13.7%. As of December it is 13.3, so it is going down, but it does not have a material impact on crime detection because you can still find the person through the DNA.

Q80 Chairman: Some have suggested that there should be an extension. If you are stopped, for example, for not putting on your seatbelt, the DNA can be taken from you. There are no proposals from the Government to extend any of those areas.

Meg Hillier: DNA is currently taken if you are arrested or cautioned for an offence, whether or not you are charged, whether or not you are convicted. Tomorrow in the European Court of Human Rights there is an important case which is testing the UK's right to retain DNA. The Government's view is, very clearly, that that has led to some significant impacts. If I can give some examples of the benefits of the DNA database: the 3,500 matches a month, on average, in 2006/2007 has helped solve 452 homicides, 644 rapes, 222 other sexual offences and just short of 2,000 other violent crimes and over 8,500 domestic burglary offences. I think that demonstrates the value of the DNA database.

Chairman: Indeed. Ms Buck, a quick question about minors.

Q81 Ms Buck: Is it also taken from minors who are arrested?

Meg Hillier: Yes, minors are held on it. Again, parents have to give permission, but if a child is arrested and convicted, then that information is taken.

Q82 Ms Buck: If they are arrested and not charged or convicted, is it taken?

Meg Hillier: It is taken, but there has to be parental consent, and I have actually asked that the consent forms are looked at in terms of their design to see that it is very clear that people know what they are signing up to.

Q83 Chairman: That is the issue tomorrow, is it not, whether or not it can be removed?

Meg Hillier: The issue in court tomorrow I do not want to comment too much on.

Q84 Chairman: We know you are a party to it.

Meg Hillier: Yes. This is about a teenager, who cannot be named because of age, and a Mr Marper, who contest that their DNA should be retained because they were not, in the end, convicted.

Q85 Martin Salter: I want to invite you to put on the record or confirm that if the Government had, in its policy towards the retention of DNA, followed the demands of Liberty that DNA only be stored for convicted sex offenders, the recent conviction of Steve Wright for the murder of the Ipswich women and others would not have taken place.

Meg Hillier: Absolutely, and I reiterate what I said, that DNA is a very valuable tool and I would not want to be sitting in the same room as somebody whose child or other family member was murdered and say, "We could have done it had we retained this but we did not."

Q86 Chairman: Minister, thank you for giving evidence today. We did not explore, of course, Mr Russell's irises and the problems he had which he explored with the Home Secretary, but thank you for giving evidence. There are a number of points that you will write to this Committee on and we may call on you again in the future to discuss these issues.

Meg Hillier: I would be very happy to come along.