Examination of Witnesses (Questions 220
TUESDAY 13 FEBRUARY 2001
220. Are you happy that no-onesomeone
always could be are you reasonably confidentcould hack
into the system?
(Mrs France) No, of course I could not state that
was not the case. Hacking is actually, might I say, rarely our
problem. Hacking is a technical issue where somebody actually
tries, using technology, to get into computer systems. That is
not normally where we find the problem. In our experience the
problem usually arises from people deceiving others into providing
information or people being careless with the information. Clearly
those handling this sort of sensitive data have been doing so
for some time and all I can say is that we have not had brought
to our attention, that I am aware of, breaches which have caused
concern in this area. I am, however, worried, when information
gets into the hands of those not used to holding it, which is
why I am concerned that employers should not hold it for too long.
I am concerned that the CRB itself and this is where we are working
with them, are well aware of security standards and staff training
standards. However good your technical security, the way in which
we are seeing leakage of personal data, particularly from public
bodies, is by the clever use of deception, which will inevitably,
if the information is available to staff, beguile them into parting
with it if there is not very good training.
221. Would you like to see Parliament introduce
regulation if that is possible within the Act through statutory
instruments or whatever to control the number of weeks or days
perhaps by which an employer holds this information?
(Mrs France) That should not be necessary in that
there are powers under the Data Protection Act, if we find they
fail, we might have to come back to Parliament. I do have a statutory
duty to promote good practice and to interpret the Act. The Act
talks about information being held no longer than is necessary
and it is for me to interpret that in context. If I think it is
necessary, then we could issue a code of practice. There are already
two relevant codes of practice, the CRB's code of practice itself,
which will set out how CRB will deal with it. We have commented
on that and that is an enforceable code of practice. For CRB it
is reasonably ringfenced. For employers, as it happens, I am currently
consulting on a code of practice for employers generally on the
use of personal data. It has attracted a lot of media attention
and interest simply because it happens to cover the area of monitoring
of e-mails, but that is only a small part of the draft code, which
we hope will address the whole area of the holding of personal
data and the use of personal data by employers. That code of practice
is not directly enforceable but it is a code of practice which
will be issued under the Data Protection Act and if there were
alleged to be a breach of principle I would use that in order
to decide whether enforcement was necessary. The short answer
to your question is that we should try to see whether the Data
Protection Act provides what is necessary and if not come back
to Parliament in due course.
222. May I seek clarification? Is the Criminal
Records Bureau meant to cover the whole of the United Kingdom
or just part?
(Mrs France) My understanding is that it does not
223. Northern Ireland?
(Mr Bamford) My understanding is that the CRB has
a separate version available in Scotland which will be through
the records of the Scottish Criminal Records Office essentially
and in England, Wales and Northern Ireland the CRB applies.
224. So the CRB is an England, Wales and Northern
Ireland operation. We are looking at a one-stop shop for checks.
What are the issues which have to be overcome to enable bodies
which operate across the whole of the United Kingdom to apply
for checks on employees or volunteers, soft information which
is currently held in Scotland? How are you going to bring all
those aspects together?
(Mr Bamford) Some of those points are more correctly
addressed to the people who will be running the Criminal Records
Bureau. Clearly from the extent of the data available some details
are still made available through the PNC from the Scottish forces
and find their way onto the core criminal records collection.
You might well draw a parallel with the availability of local
force information, whether it be Strathclyde Police of Norfolk
Constabulary and the fact that in some instances you may have
to access other more locally held information, either on the Scottish
Criminal Record system or on local forces' systems to be able
to undertake certain levels of check.
225. Is the United Kingdom dimension something
which the data protection people have looked at?
(Mrs France) From a data protection point of view
my responsibilities cover the whole of the United Kingdom, the
Data Protection Act covers the whole of the United Kingdom and
the standards we set would apply throughout whether it was the
Scottish Criminal Record Office that was instrumental in providing
information or whether it was through the CRB.
226. You are confident that soft information
north of the border would find its way to the south.
(Mr Bamford) May I say that I am not absolutely confident
that any soft information in any force system will find its way
to the right people because that largely depends on the systems
which are established with the CRB and the forces, and the extent
to which the forces take the matter seriously. In some ways in
Scotland matters are helped in terms of soft information. My understanding
of the Scottish Criminal Records Office computer system, which
essentially holds Scottish criminal records, is that it has a
flag for local force intelligence data on its records, which I
do not think is generally present on PNC data. It is easier to
know there is another record available there. We have had separate
discussions with the Scottish Executive about the codes of practice
and other elements in Scotland.
Bob Russell: I am very grateful for that last
reply. I think we shall need to re-visit the whole United Kingdom
Criminal Records Bureau operation when we come to consider the
227. This Committee 11 years ago, and more lately
ACPO, saw the sense in court clerks inputting records onto the
Police National Computer. That hopefully could speed up the process
and restrict the area for mistakes. Is that something which would
give you any problems?
(Mrs France) Done properly, anything which makes the
information available in a more timely manner and encourages accurate
reporting is to be encouraged. I know that it has been a long-term
aim to achieve that and we would all be pleased to see progress
made as part of the integration of the criminal justice system.
228. I think it was the File on Four programme
broadcast on 5 December last year which revealed there is a discrepancy
between 15 days and 430 days which courts are taking via the present
routes to get this information in. You have been closely involved
with a number of the key players in the establishment of the Criminal
Records Bureau. Is it your impression that enough resource is
being attached to getting this right?
(Mrs France) It is always difficult when you talk
about resources to know what is enough. Following our contact
with those setting up the new Bureauand it is Mr Bamford
who has had most of the primary contact with those who are doing
thatwe would say they are well aware of the priorities
and the issues that they need to address in setting up systems
that focus on the identity of the person seeking the certificate,
the security arrangements to put in place and so on. There is
a distinction between the setting up of the CRB and addressing
the problems of the historic data that will feed it. They are
two distinct things. You are looking at a new project, with new
resources, where we have had good contact with those setting up
the office, who will do their best to see that it is set up in
a way that will operate effectively. The problem which they cannot
handle alone and which goes back historically a long way, the
difficulty at the end of the day, is whether the data feeding
through will be fit for purpose. That is the key question which
has to be addressed.
229. You were saying that for a number of employers
this whole area is going to be new. On top of the checks they
currently make about people they are considering employing there
is this other check system now which is on the one end. On the
other end that is going to be a large number of charities, voluntary
bodies, outside of the big ones like the guides and scouts who
are extremely used to this and they gave us the impression of
having very robust systems at the moment, a lot of new players
in this particular ballpark. To what extent does your office get
involved in the briefing given to these groups about both how
to make use of the provisions of the Bureau and the safety of
storage of information and the rest of it? Do you talk to the
Bureau about what they ought to be saying to these bodies and
so on, sit in, offer to conduct seminars?
(Mr Bamford) We have not offered to conduct any seminars,
though we do have a wide range of contacts with the voluntary
sector and other bodies wearing our general data protection hats
because they have other data protection responsibilities as well.
One of the key things as we see it, particularly where we are
talking about the standard disclosure and enhanced disclosure,
is that there is a provision in the Police Act essentially for
a statutory code of practice, a code of practice which the Secretary
of State and the guys at the CRB draw up and which will put certain
provisions and safeguards around the use of the information. That
is the key: how the information provided on certificates is actually
used. There is a sanction attached to non-compliance in terms
of the fact that the CRB would refuse to issue the certificate
information to any bodies in future which do not comply with those
standards. From the earliest days of this we have set great store
by the provisions which go in the Criminal Records Bureau code
of practice for how the information is used. We are very, very
keen to try to influence that, to ensure that the right standards
of information handling are included, that there are check mechanisms
which will allow compliance with that code to be policed and there
is a proper sanction which is applied at the end of it all to
ensure that people who move away from compliance do not receive
the information and are not trusted with it again. That is a mechanism
we are very, very keen to see work in practice.
230. Let us imagine I am a manager in Birmingham
Social Services Department and I am responsible, with colleagues,
for the appointment of a manager for a children's home. I narrow
down the applicants to a short list of five. Prudently I decide
I shall ask for an enhanced certificate from the Criminal Records
Bureau. What system will you have in place to ensure that after
whatever period they are allowed to hold that information after
that selection process is over it will then be destroyed? Would
it be your advice to the Bureau that they should get a return
from the employer that that information has been destroyed? Would
you want to be satisfied it has been destroyed?
(Mrs France) We have not gone so far as to say they
would need to return it at this stage, although the code of practice
is still in draft. We have not actually said that. Our view is
that may not be effective because it would not, from our point
of view, stop somebody keeping a copy. We would want to be clear
what we thought was best practice and we have discussed the fact
that we need to put something in our own code of practice to employers.
We would not normally then check up proactively, though we might
from time to time use other powers we have to look at a major
public body or a major charity, at their data protection compliance
231. Would you do this instead of or as well
as the Bureau?
(Mrs France) We have our own responsibilities broadly
for data protection. CRB have their responsibilities which are
narrowly focused on the information given in the enhanced certificate.
In data protection terms, we are interested in all the personal
data being held by whichever body it is we are looking at. The
advice we would give would go beyond certificate information.
The advice we would give in our code of practice as opposed to
the CRB code of practice would be about the handling of personal
data more broadly but would focus in on this as a heading. We
would then normally, I have to say, because of the resources available
to us and the size of our office, be reactive in looking at what
was going on. In other words, we may have the opportunity to be
proactive from time to time in studying a major charity or a major
employer of some kind, but more generally it would be when somebody
brought to our attention a possible breach of the code, either
of our code or the CRB code.
232. In which case that perhaps puts a greater
burden on the Bureau itself to check that whatever code of conduct
is drawn up is being adhered to.
(Mrs France) Yes.
233. Given in a sense very new players, unfamiliar
with this territory, particularly at the start of the life of
the Bureau, it is something to which they need to pay particular
(Mrs France) Yes, it is and it is something we will
pick up in our wider brief. You asked about training and seminars,
we often speak to voluntary sector groups and it will now be something
we will always include when we do. So that would be just part
of a wider education about handling sensitive personal data.
234. Twelve or 18 months down the road could
you decide to do an audit of the way the Criminal Records Bureau
is actually carrying this out?
(Mrs France) My powers allow me to do something referred
to as a study with consent, because Parliament decided that audit
powers were not appropriate.
235. You cannot break down the door, you have
to have their consent?
(Mrs France) I would not be surprised if I were to
invite myself to do something of that kind once the CRB was established,
if that invitation were not accepted.
236. It would seem to be sensible, would it
not, certainly from the Bureau's point of view?
(Mrs France) It could be mutually useful at the point
when it is fully up and running for us to have a look with them.
(Mr Bamford) May I add that the Bureau have already
suggested prior to commencement of their operations that we do
come in and have a look at the systems of work they have put in
place? There is a good step in the right direction there.
Chairman: I take your point about being reactive
rather than proactive because of your kind of organisation, but
it is all these new bits.
237. It is not a subject with which I am greatly
familiar but a couple of quick questions. Imagine I am the vicar
of my local parish and a member of the congregation I do not know
very well asks whether they can come and run the Sunday School.
Am I at the moment entitled to ring up the police station and
ask whether this chap has a criminal record?
(Mr Bamford) My understanding is that you are not
generally entitled to do that.
238. Under this new system, am I entitled to
come to you to find out background about him?
(Mr Bamford) I am not wearing a CRB hat. In theory
you would be able to ask an individual to show you a certificate
of the lowest level, a basic disclosure certificate, which would
not show such convictions or intelligence.
239. I cannot come to you as a vicar?
(Mrs France) We do not have a role directly in this.
We are an independent supervisory body. The CRB are the people
you can go to.