HL Deb 12 February 2004 vol 656 cc172-4WA
Lord Hodgson of Astley Abbotts

asked Her Majesty's Government:

Whether it is still the case that the data from a Criminal Records Bureau application form which are input in India are name, date of birth and addresses for the past five years; and [HL1069]

Whether any information from any source other than the application form is input in India on behalf of the Criminal Records Bureau; what information other than name, date of birth or address is input in India; whether any other information is accessed from India; whether any other overseas location is involved in data access or data input for the Criminal Records Bureau system; and whether the Government or the bureau have plans to increase the extent of work done overseas; and [HL1070]

Whether any personal information other than name, date of birth and address is input overseas into the Criminal Records Bureau system; and whether overseas personnel have access to any other personal information such as bank details; and [HL1072]

Whether the application form for a Criminal Records Bureau check now carries an instruction that the section on bank details must be left blank; and [HL1073]

How many unprocessed Criminal Records Bureau applications are on forms which asked for bank details to be completed; and how forms already processed which contain bank details are being stored. [HL1074]

Baroness Scotland of Asthal

Work—consisting solely of manually inputting all personal information contained on Criminal Records Bureau (CRB) disclosure application forms (including the mandatory details such as the applicant's name, date of birth, current and previous addresses during the past five years, position applied for, the organisation concerned and details of the documents used as evidence of an applicant's identification, such as passport, driving licence and birth certificate)—is undertaken at a site in India.

The data transferred are those contained on the disclosure application form. The form is scanned, encrypted and then transferred via a secure link to a site in India. On receipt of the scanned image, the data are entered onto a system compatible with those used by the CRB to process disclosure applications. On completion the data are again encrypted and transferred back to the UK via the secure link. The data are retained in India only for the duration of time taken to input. Thereafter, the data are destroyed. The overseas personnel involved in the data input are fully trained in data security and privacy and abide by a strict code of conduct.

The form is set out in Schedule 2 to the Police Act 1997 (Criminal Records) Regulations 2002. No other overseas location is involved in data access or data input for the CRB. There are no plans to increase or extend the work carried out overseas.

Although pending redesign and reprinting, the current disclosure application form includes a section in which applicants were originally invited to show certain other personal information, including their bank details, for the purpose of assisting in verifying the applicant's identity. It was decided in December 2002 that this section should no longer be used and customers were informed in January 2003. The section was formally revoked by the Police Act (Criminal Records) (Amendment No. 2) Regulations 2003 with effect from February 2003.

It is the responsibility of a registered body to verify the applicant's identity using guidelines issued by the CRB. All registered bodies have been informed that applicants no longer need to supply bank details. They have been made aware via both the disclosure website and the customer newsletter. Applicants themselves are made aware via the application guidance notes, which clearly state that there is no longer a requirement to supply bank details.

As at 24 January 2004, the number of fully completed applications within the CRB system that are available for processing was 107,145. This represents less than three weeks' work.

Lord Hodgson of Astley Abbotts

asked Her Majesty's Government:

What checks and audits are undertaken, and at what intervals, to ensure that the provisions of the Data Protection Act 1998 are being met in connection with Criminal Records Bureau checks (a) overseas; and (b) within the United Kingdom [HL1071]

Baroness Scotland of Asthal

It has at all times been the intention that, in terms of data protection, security and other aspects, the arrangements for processing data should entail no material increase to the risk of misuse of data. Consequently, before agreement was given for any data to be processed in India, the site was visited by senior officials from the Criminal Records Bureau (CRB), who were fully satisfied that this was the case. The main CRB contract, (signed in August 2000) requires that the CRB's private sector partner, Capita, and any sub-contractor of Capita must comply with the Data Protection Act 1998; and that Capita may not enter into a sub-contracting arrangement without the permission of the CRB.

The CRB undertakes a wide range of checks and audits on all systems and processes to satisfy the security expectations of the Data Protection Act 1998. In addition to daily routine auditing of CRB systems, the CRB undertakes yearly security accreditation and BS7799 compliance and has undergone a full data protection adequacy audit. Where processing is conducted by a data processor overseas, the same security standards are applied. Additionally, all staff members both within the CRB agency and within organisations processing data on behalf of the CRB agency receive regular data protection and security training.