Robin Wilton's esoterica

       
 

Joined-up government, or mass data breach?


There's a storm brewing between Local Authorities and their employees, on the one hand, and the Audit Commission on the other. It centres around an existing programme called the National Fraud Initiative (NFI), under which Local Authorities have had a regulatory responsibility to let the Audit Commission know the names of employees. However, the NFI was extended recently to include a requirement for Local Authorities to include the bank account details of all employees as well (account numbers and sort codes). 

The banking details are compared against benefit claims in order to identify possible cases of benefit fraud.

It's hard to know just where to start with a Data Protection/Privacy analysis of this scenario, because almost every rock seems to have something unpleasant under it.

For instance, although Local Authority employees' bank details are subject to this reporting requirement, my bank details (as a private sector employee) are not... so is someone, somewhere, starting with the assumption that local government employees commit benefit fraud and commercial sector employees don't? That sounds fairly dubious. Not that I do commit benefit fraud, you understand.

Then again, as someone who shares a joint bank account with my spouse, isn't there something odd about the idea that my banking details are being passed around from one third party to another without my knowledge or consent?

Ah, well - you may say - the Data Protection Act has exemptions in it for law enforcement access... surely as this is fraud prevention, it must be covered by an exemption? I don't think so. Even law enforcers, when claiming an exemption under Section 29 of the Act, have to specify whose PII they wish to inspect. They are not allowed to conduct loosely-specified "fishing" enquiries. "Send us all your employees' bank details" sounds like an open-ended trawl to me.

Another point is that only certain public sector employees are subject to this requirement; it covers local government and the health service. It does not, for example, include the armed services, central government departments and (as mentioned above) any private sector employees... including agency staff working on contract to local government and health service employers.

The personal details in question are not actually processed by the Audit Commission - they go to a commercial company. I have no information about what measures that company takes to protect my PII, or about how to exercise any of my rights under the Data Protection Act (such as the right to ask what they're doing with it, how long they will have it for, whether it's correct, how they will dispose of it, and so on).

So let's recap some of the salient points:

- This policy manages to be both a 'fishing' exercise and discriminatory, which is quite an achievement. It grants one subset of public sector employees fewer data protection rights than other directly equivalent public sector employees, fewer rights than contract staff working for the same employer, and fewer rights than private sector employees in general;

- It is justified as a fraud prevention measure, but does not account for the fact that all those other categories of employee (not subject to the disclosure) represent as probable a source of fraud as the subset who are affected;

- It fails to safeguard the data protection rights of anyone who shares a joint bank account with one of the affected employees, including of course people who don't even work for the employer in question.

All in all, it's hard to view this as a shining example of best practice in data privacy and data protection. It's all the more worrying when you consider that the government's MISC31 Committee on Data Sharing in the Public Sector would apparently like this to be the way all public sector bodies treat our personal data... and when you recall that the government's own view is that our privacy interests are well served by aggregating all our identity data into a single National Identity Register.

Revocation... woah oh oo-oh, revocation's what you need...


An interesting news item this morning concerning the UK's Child Support Agency (or rather, its proposed replacement, the Child Maintenance and Enforcement Agency - the CSA now being recognised to have failed).

A White Paper by the Work and Pensions Secretary, John Hutton, apparently includes provisions for the CMEA to confiscate the passports and driving licences of payment defaulters, without having to apply to a court in order to do so. Isn't there something bizarre about a situation in which the CMEA is in a position to physically locate a defaulter and confiscate their passport and driving licence, but somehow cannot garnishee funds from that person's pay packet or bank account? I also wonder who will actually lay hands on the documents in question... would the CMEA have to bring a policeman along, or would they take on some kind of bailiff-like role and seize the papers by force?

Given the practical difficulties which seem to me to beset that approach, I would not be at all surprised if the proposal morphed into one whereby the CMEA is simply able to revoke these credentials without actually having to get physical possession of them.

Now, I don't condone the behaviour of parents who have been judged to have a maintenance responsibility for their children and seek to avoid it - but three things about this proposal strike me as deeply worrying:

- First, the CSA did not exactly shine as an example of bureaucratic best practice; if the CMEA takes on any of the CSA's legacy, there must be a substantial chance that the wrong people will find they are no longer allowed to cross borders or drive a car. I'd be interested to know what measures are in place to stop 'false positives' like this, and what redress someone will have if they find themselves in such circumstances.

- Second, the lack of judicial oversight ought to cause grave concern - not least, it seems to me, because under this proposal, the CMEA would be 'reaching out' into the remit of completely separate agencies (the DVLA and the Passport Agency) and effectively barring the use of credentials issued by those other agencies. For that to happen without any reference to legal arbitration seems deeply dodgy to me.

- Third, this paints a pretty bleak picture for the future, in which (if government adoption plans are to be believed) driving licences and passports fall behind biometric ID cards in terms of reliability and pervasive usage. It's a small step from confiscation of a driving licence and passport to revocation of an ID card.

"Your 'licence to be' has been revoked, Mr Allitnil."


Finally (I know I said three things.. but I always like to give good value... ;^) there's the Prime Minister's extraordinary comment on this issue, which really gives me cause to ask if the pressures of the job aren't getting to the poor man.

"The truth of the matter is, whatever reforms we have put into the Child Support Agency, they have not worked," he said.

"It is extremely difficult when the agency is being asked to chase relatively small sums of money from people who don't want to pay in circumstances where the mother often doesn't want that to happen either."

So let me get this straight; Mr Blair envisages circumstances where someone who doesn't want to pay is being told to pay 'relatively small sums' to someone who doesn't want payment... and the appropriate course of action is for a third party agency to be given extra-judicial powers to seize the credentials issued by separate government agencies.

I wonder, I really do... 

 
 
 
 
 

Such views as I express in this blog are based on my own opinions, experience and judgements. They do not necessarily represent the policy or views of my employer. It is not my intention to offend readers in any way. If you find anything on this blog offensive, please contact me in the first instance.
Robin Wilton
© racingsnake