Personal data should become private property, not Google's or GCHQ's, says David Davis MP

MPs struggling to catch up with technology allow Google and GCHQ to treat personal data as their own

David Davis MP is commenting on the strict "no cameras" signs up all over Parliament - even though smartphones, which all have good cameras built-in these days, obviously aren't banned: "It's bonkers. I took a photograph in the [chamber of the] House of Commons just the other day with my phone. Technically, it's a breach of the rules, but so what? If you can break the rules, you will," he says.

Unlike many MPs these days, Davis had a proper career prior to going into politics, which took him from studying a joint degree in computer science and molecular science at the University of Warwick - in the early 1970s, back in the days of punch-card data entry - to a number of senior executive roles at sugar company Tate & Lyle, including a stint as IT director.

As a senior MP, Davis might be able to get away with taking the odd picture in Parliament on his Apple iPhone, but, he believes, such outdated rules reflect how MPs - and the authorities more broadly - are struggling to keep up with the march of technology. As a result, MPs have also struggled to comprehend the nature of the data-driven world today, underestimating the consequences of much of their rule- and policy-making in the area: from the way in which government casually absorbs, analyses and trades personal data, to the extensive surveillance by the security services of people's internet use.

Part of the reason for security services' extensive mass data collection, argues Davis, is that turning them around from their post-war focus on the Eastern Bloc in order to penetrate, understand and get the measure of potential Islamist terrorism, whether in the UK or elsewhere, has proven to be a harder challenge than spying on the Soviet Union.

"Agencies have had changing missions over the years. And when you change the mission, it disproportionately affects the human-resource intelligence gathering. For example, when we were up against the Soviet Union, which was a much more significant threat than the one we are facing now, we had a whole operation pointed at them - not just the UK, but the whole of Western Europe and the NATO alliance.

"We all had agents in place, recruits, systems of protecting those recruits and so on. But all of a sudden, in 1990, that ceased to be the prime threat," says Davis. The security services spent the next decade flailing around looking for a convincing role. But the Islamist terror threat, which they are currently focused on, requires entirely different skills and people to counter it on the ground compared to the old Soviet threat.

"The problem is that most of the guys we'd recruit in Moscow would be recruited at embassy cocktail parties. But mullahs don't go to embassy cocktail parties. Similarly - bluntly - the active part of the agencies were also very white and very male," says Davis.

In other words, the average MI5 recruit from Trinity College, Cambridge, would've struggled to fit in among the kind of circles that the security services now needed to penetrate. But expanding data collection processes and compromising backbone internet links could easily be done from someone's desk, with a little help from Whitehall persuading networking companies to comply. "It's much easier to change your mass data-collection... it was easier, faster and most expansive for the agencies to go down that route," says Davis.

The trouble is, he says, quite apart from privacy implications, the security services now have too much data to sift through, while the tools for automating the analysis of that data - regardless of all the hype over big data - remain unequal to the task. They therefore have more data than they can ever hope to comprehend, but respond not by targeting their surveillance activities more closely, but demanding ever-more resources - as well as more powers and more rights to access more data.

Defusing Care.data

Care.data, on the other hand, is a prime example of the way in which government and bureaucracy do not quite understand what they are dealing with when it comes to personal data, says Davis. "The people doing it do not really understand the implications of what they are doing. First, they don't understand 'anonymisation'," says Davis.

He points to the example of his own medical records, which ought to be pretty easy to find if what is in the public domain is cross-referenced with what ought to be in his medical records, including his age, which eliminates a vast number of people, and the fact that he's broken his nose five times. "That takes it down to about 50... even if they take out all postcodes, there will be other things in the public domain, which have been in the newspapers," says Davis.

"Second, they say that there's never been a loss of healthcare data. Have there, buggery! There's been lots of lots of medical records lost - small amounts so far - and not all these data losses are published on the internet," says Davis.

The data itself needs to be held by an organisation that fully understands the value of medical data, while users of it need to be licensed, with greater restrictions in its use, with the licensees being held to much higher standards than those proposed by the Health and Social Care Information Centre, the organisation responsible for Care.data.

[Please turn to page two]

Personal data should become private property, not Google's or GCHQ's, says David Davis MP

MPs struggling to catch up with technology allow Google and GCHQ to treat personal data as their own

Indeed, for the most part, Davis believes it would be better if the organisation holding on to the data conducted the analysis on behalf of the licensees, rather than handing the data over and trusting those organisations to keep their promises, "so nobody will get direct access to this data", he says.

Reclaiming personal data

Davis believes that whether the challenge is the one posed by an over-bearing state that has lost all sense of proportion when it comes to surveillance, or whether it's the data collection activities of major internet companies, a change in attitude is required - one that will see people's personal information being genuinely regarded as theirs, not Google's, Axciom's or anyone else's. "At some point, one of the major courts in the EU or the US will decide that, actually, your identity belongs to you," says Davis. "And at that point, they [Google et al] will have to re-do 'the deal'.

"The deal will be, 'I lend you my identity to use for the period that I use your services, but the moment I want them back, you [Google] have got to delete everything, and make sure that any onward use of that data is deleted too," says Davis.

That is partly why Davis supports the European Court of Justice's so-called "right to be forgotten". Although it doesn't, for example, require Google and other holders of personal data to delete the personal data they hold - instead, requiring search engines merely to stop people from finding information - it gave the required "jolt" to the likes of Google, who have been used to getting their own way for too long, believes Davis.

Unlike many MPs, Davis has put his political career on the line over civil liberties before, resigning his seat in 2008 to fight a by-election on the issue of the Communications Data Bill the first time it alighted in Parliament.

This was partly because Davis wanted a proper debate on the issues of technology and civil liberties, but also to bind the Conservative Party leader, David Cameron, to a promise to abolish such a law. In return, instead of returning to the role of Shadow Home Secretary, Cameron kept Davis out of both the shadow cabinet and the government when the coalition was elected in 2010. Cameron has since sought to re-introduce the Communications Data Bill on more than one occasion.

In-House IT

As for Parliament's IT, like in-house IT in so many places, Davis claims that the everyday reality is disappointing, although it is improving. "It's slow. It's behind the times. It's like any corporate IT - it's always one generation behind: there are thousands of people to serve and the IT department has got to keep them all protected, so have to be conservative about what they do. That tends to slow things down.

"My view is that over time, they have made some strategic errors," says Davis, such as the email system that invited a vast deluge of spam. Nor is Davis entirely happy about the Microsoft Office 365 implementation, which has gone live in recent years, given the Snowden revelations and their implications for the privacy of data held or processed in the cloud. "We are sending data through fibre-optic cables to Dublin and Amsterdam. That does not make me feel comfortable," he says.

On the plus side, however, if GCHQ and other countries' security services really are reading all the emails that MPs receive every day, they can be consoled by the fact that 99 per cent of it is spam.