Open Secrets – Part II of a Scottish Review investigation


Kenneth Roy

In October 2007, HM Revenue and Customs lost two discs containing a copy of the entire child benefit database. It was a relatively early example of the fragility of apparently ‘secure’ systems and caused a certain amount of panic in the ranks of Scotland’s population profilers – the people in charge of the Scottish citizens’ database, then just past the conceptual stage.
     In view of the sensitivity of the questions about to be asked, the answers about to be recorded, the information about to be shared electronically by the approved ‘practitioners’ in government national and local, the health service and the police – questions as intimate as the sexuality of the client or patient – the panic was understandable. The integrity of the scheme depended on the safety of the database, and yet here was a major government department losing millions of records without breaking sweat.
     In June 2008, nine months after this unfortunate incident, Scotland’s ‘National Data Sharing Forum’ met in Edinburgh under the chairmanship of Philip Jones, chief executive of Dumfries and Galloway Council. If you have not heard of the National Data Sharing Forum, you lose no brownie points; it is one of the more obscure public bodies. Yet the membership of this advisory group is impressive: a director of social work, a director of public health, a deputy chief constable, a local authority chief executive, the principal reporter of the Scottish Children’s Reporter Administration, someone from the information commissioner’s office, the registrar-general for Scotland – in short, a cross-section of all those with a vested interest in the citizens’ database.

This worrying thought is compounded by what follows in the minute – an acknowledgement that ‘there have been instances of data protection officers’ advice being ignored’.

     The shock waves from the loss of Britain’s child benefit database – remember, this was long before the present wave of enthusiasm for the somewhat larger loss of secret documents from the Pentagon, among other fruits of Wikileaks – were still being felt.
     SR has sourced the minute of the June 2008 meeting of the National Data Sharing Forum. It makes fascinating reading. The members discussed what the minute refers to tactfully as ‘the security breaches’ at HM Revenue and Customs before agreeing a strategy for dealing with a disaster potentially damaging to the credibility of Scotland’s emerging data-sharing project. It was agreed that staff should be ‘made aware of their responsibilities when it comes to data sharing and protection’. This was considered ‘vital’ to the success of the project, which had recently been launched in selected local authority areas.
     It is worth pausing here. ‘Made aware of their responsibilities’ – are we to take it that, before the loss of the child benefit database, staff handling the records of Scottish citizens had not been made aware of their responsibilities? This worrying thought is compounded by what follows in the minute – an acknowledgement that ‘there have been instances of data protection officers’ advice being ignored’ [my italics].
     Oh, really? Ignored in what way? How badly? With what results? On these questions, the minute is unforthcoming.
     SR has sourced the minute of a meeting of another body closely linked to the citizens’ database: the e-Care Programme Board. For the uninitiated (ie most of the citizens whose lives it will monitor), e-Care is the name given to the Scottish government’s ‘multi-agency information-sharing framework’ – another way of describing the profiling of an entire population through our access to essential public services such as health, social work, education and transport.
     e-Care is responsible (according to the Scottish government) for ‘implementing a framework which enables secure sharing of sensitive personal information’. Sensitive indeed: as we reported yesterday, the personal information will include questions of religious belief, country of origin, and current living arrangements, as well as sexuality. It would be difficult to imagine questions more sensitive than the ones being asked for the purposes of recording, and sharing, on the citizens’ database.
     But secure? We are assured that e-Care ‘maintains an audit of those accessing shared records’, that there is or will be a ‘Care Information Security Co-ordinator’, and that only those who have received ‘proper authorisation from their employing agency’ will have access to a database which will eventually contain the email addresses, marital status and employment details of up to five million people, a database which will include a dedicated note of anyone living alone.
     Given the ‘sensitivity’ of these records, how secure is secure? As secure as the Pentagon’s? In that case, it seems we’re in trouble.

‘CR [presumably Craig Russell] stated that he welcomed the opportunity to reflect on where we are and where we should go. If there were agreement on the direction of travel, we should go forward in a joint manner.’

     By October 2009, however, the loss of the entire child benefit database seems to have been forgotten – at least by the e-Care Programme Board at its meeting in Edinburgh. The meeting was chaired by George Brechin, the chief executive of NHS Fife, and was attended by Craig Russell (head of ‘efficient government delivery’ at the Scottish government), Paul Rhodes (programme director of e-Health), Mike Martin (head of ‘partnership, improvement and outcomes division’ at the Scottish government), Lesley Fraser (deputy director of ‘Safer Children, Stronger Families’ at the Scottish government, and Angela Leitch. This may be the same Angela Leitch who is now chief executive of Clackmannanshire Council.
     The meeting, far from being chastened by the experience of HM Revenue and Customs, was in bullish mood. It was minuted that those agencies choosing not to adopt the e-Care framework (ie the citizens’ database) ‘need to articulate the consequences of not adopting and to be able to explain how they will share information to achieve outcomes’. What was to happen to agencies which rejected the e-Care framework and declined to articulate the consequences? Their fate was unspoken.
     The minute includes a clarion call worth quoting:
     ‘CR [presumably Craig Russell] stated that he welcomed the opportunity to reflect on where we are and where we should go. If there were agreement on the direction of travel, we should go forward in a joint manner.’
     As the crew departs on this exciting journey in its joint manner, only one question remains: who is the driver? SR has studied the composition of both the National Data Sharing Forum and the e-Care Programme Board and found that no one on either of these bodies has been elected by anyone. As Scotland confronts the reality of the citizens’ database, with its alarming implications for civil liberties, the lack of immediate democratic accountability is astonishing.
     Where are the politicians in all this? Who, if anyone, in power knows what is going on? Who is prepared to make the people of Scotland aware of the citizens’ database – and defend it?

Tomorrow: Part III of Open Secrets

This article has been reproduced with the kind permission of Kenneth Roy.

Read Kenneth Roy in the Scottish Review.