Q&A: The ID card commissioner talks cards and controversy

We spoke to ID card commissioner Sir John Pilling about his thoughts on the identity scheme and why we might all think he's a bit of a prat down the line.

I am perfectly willing to criticise them. What I usually say about this, and I'll say it again to you because it's terribly important, is that I'm not only independent of the Government and the IPS, but I'm also independent of the opposition.

I'm independent of the small 'o' opposition to identity cards, which means in effect that because opinion is so polarised on the subject, I'm pretty well bound to be regarded by somebody as a kind of toady stool pigeon, whether to the opposition capital 'o' and small 'o' or to ministers and IPS.

If I'm lucky, I'll find things to say that irritate both sides, and that will make it quite difficult to pigeon hole me as wholly lacking independence and having already made up my mind and being on one side.

Why am I independent? Of course, you can't convince people you're independent by saying you're independent, you can only do it by showing them. But, I'm perfectly confident myself about my independent approach to the role, and it's founded by the fact that when I worked I was always perfectly willing to say uncomfortable things to Government ministers that they didn't wish me to say.

It's not absolutely every civil servant who has the courage to say things to ministers that they don't want to hear. Secondly I'm not trying to make a career out of this. If I have to stop doing this job tomorrow, my wife would be delighted and I wouldn't mind.

Therefore, I've got nothing to gain by refusing to tell the truth as I see it and nothing to lose personally by telling the truth as I see it.

So I'm interested in telling the truth, which I think is what this job is about. Actually, it's first and foremost about finding the truth, and that's quite hard work. It's all pretty detailed stuff, it's not capable of being done in three or four months, which is what we've had to do it in so far.

You come from a completely cold start, and first of all have to understand what the IPS is like, its own structures, and then there's the use to which the cards might be put, and there's the security systems built into the IT. There's the way members of the public are dealt with when they come into an interview regarding the cards, there's the way the cards are manufactured, and the way they're dispatched to people; it goes on and on and on, many of which we're miles away from having got to the bottom of.

I wondered whether to just duck expressing any opinion at all in this report. In many ways it would have just been more comfortable for me to say it's too soon to say anything at all, but I decided that was cowardly. They have impressed me as a serious managed organisation trying very hard, well motivated with quite high morale in the staff. I thought I better say that, as that's what I found, and it's truthful and honest.

I also wanted to make it clear that the fact that was my judgement after three months...didn't mean that I thought there was no job to do and I was now going to give up and put my feet on the desk and say everything was for the best in all possible worlds.

I'm continuing to try to make their lives miserable by asking a lot of questions and having a lot of meetings with them. I think it will be a lot of months yet before I feel I've got to the bottom of the present arrangements, and of course there may be further arrangements made which I may have to look into.

You said it's been a "pretty good job" so far. What were the things that seemed to be working quite well and things that already need to be improved?

I haven't found things that aren't working. I've found one or two things I'd quite like to see them do more work [on], and they are doing some.

One issue which doesn't yet arise because the database isn't yet big enough to warrant it, is what procedures would surround the conscious and deliberate sharing of data from the database with other public safety organisations who believe they have a fair and lawful reason to ask for such information based on the provisions of the 2006 act.

Given they've got about 5,000 people's data, it would be rather surprising that anyone were beating their door down asking for access to that information at the moment. But they aspire to have a database that will one day have millions and millions of records on it. It will be a very attractive source for law enforcement agencies and the legislation does recognise that.

I want to see how they decide to handle those sorts of requests, who will handle them, what sort of training, what sort of guidance they'll be operating in. I want to be sure that where information should be shared, it is being shared, and where it shouldn't be shared, it isn't being shared.

That's one instance where I can't say they're doing anything wrong because they're not doing anything at all in terms of sharing information...but what sorts of work are they going to do, and are they doing the right sorts of things now to have themselves in the right place when the time comes?

I think they were prudent to begin slowly. I think they were prudent to begin with just civil servants, because then anything that did go wrong would go wrong with people who weren't going to run to the newspapers to scream about it.

They seem to me to have taken security pretty seriously, to have developed systems that will make it relatively difficult to forge a document or obtain one fraudulently.

I've met quite a few junior people away from their managers and I've done this in other organisations so I'm not wet behind the ears when it comes to assessing people...

My instinct is that their staff are quite sensitive to looking after people's data, that they're more consumer or customer orientated than most parts of the public sector that I've come across...They feel almost surprisingly proud to be part of IPS... The trouble with that sort of analysis is that it only takes you so far.

IPS could be appallingly let down by two people out of their few thousand that work for them. The fact that 98 per cent of people are professional and courteous and security conscious will not stop them from being completely ruined if a couple of people seriously misbehave with information from their database.

I don't want you to think that because of these nice things I've said that I don't think something could go wrong; it could be going wrong even as we sit here today, and those bits you read out from my report and what I've said today will make me seem like a complete prat.

The Government has suffered quite a few data breaches, and they often do come down to one or two people not following procedures or not doing what they're supposed to. Do you think that the technical side of security is in place? Is it good enough? Or will it be forever dependent on the people side of things?

I don't think you can eliminate the people side of things altogether, but by the processes you develop you can make it less likely to happen. You can make it very difficult for a single individual to do something without detection.

And, I think they are doing pretty well. The sorts of things you need to do to minimise the risks. I think the leaders of the organisation are as aware as you and I are that that risk can't be eliminated altogether, so that means they're working at it to keep it as small as possible.

I think they know how appalling it would be for them if they did go the route of a number of public and private sector bodies who've been found to be careless or corrupt with other people's personal information.
