Skip to main content

Identity Theft

Volume 702: debated on Wednesday 18 June 2008

asked Her Majesty’s Government what steps they are taking to address the issue of identity theft.

The noble Lord said: My Lords, this is a most timely and important debate, and, in the context of recent events concerning the Government’s inadequacies in the protection of their own information, one that is of crucial importance to a significant number of people. In the limited time available to me I should like to focus on the issue of identity theft and the enormous suffering that is caused to a great many people as a consequence of this hideous crime.

Home Office estimates suggest that identity fraud costs the United Kingdom economy more than £1.7 billion each year. This estimate represents an increase of £400 million over the past three years and is in all likelihood a conservative estimate of the trust cost. I welcome the contribution made to tackling this issue by the All-Party Parliamentary Group on Identity Fraud, and in particular its report published in October last year. The recommendations in that report were sound and deserve proper action. I hope that the Minister will have some positive news to report to the House on what has been done since its publication.

A broad theme in the report was the need to ensure that the police and the law enforcement agencies are provided with the appropriate resources to pursue those who make it their business to enact this most offensive behaviour, in particular by providing the strategic leadership to deliver the priority treatment in tackling this crime. The report made reference to the appointment of an identity fraud tsar and ensuring that sufficient energy and resources are available to identify and punish these fraudsters. Have the Government considered a review of the law and the resources available to law enforcement agencies? Will we see the establishment of dedicated identity fraud officers?

I would now like to talk about “phishing”. Phishing involves frauds when customers receive fraudulent emails purporting to come from banks, credit companies and other organisations. The intention is to trick people into divulging personal information which is used to commit a fraud. Phishing is one of the biggest identify frauds, and the fraudsters are often based overseas. The Metropolitan Police has set up a fraud alert website, but the police need more resources in view of the international dimension. Can more be done in conjunction with overseas countries?

Financial institutions and a number of other organisations often ask the prospective customer to produce a passport, and they have a policy of checking the document and obtaining verification through the government passport verification help line. We are pleased that the Government have set up this help line. However, there is no similar arrangement for checking driving licences or other government documents. Can that be looked into, and will the Minister comment on the possibility of checks being introduced for these documents? In regard to fraudulent passports, I am pleased to note that the Identity and Passport Service has deployed a database of lost and stolen passports and that a passport validation service is now available to public and private sector organisations. However, more can be done to encourage all relevant commercial organisations to utilise this service.

I understand that a national UK cybercrime policing unit is to be established which will enable the public to report cybercrime to a central unit. The unit will train officers and provide workshops for businesses across the country and will be staffed by dedicated officers. The problem is funding, to which the Government are not yet committed. I understand that the start-up costs amount to £1.3 million and that the total cost will be £4.5 million annually. Will the Minister comment on this unit and the provision of funding?

I further understand that the e-crime unit will form part of the emerging national fraud reporting centre which will be run by the national fraud strategic authority. There have been discussions between the Government and ACPO. Perhaps the Minister can clarify the outcome of those discussions.

There needs to be an extensive programme funded by the Government, relevant authorities and financial institutions to undertake the following: first, to make people aware that their credit files are available from credit reference agencies; and, secondly, where to go to report the theft of documents and correspondence and to obtain general advice and information. There must be an active programme to make people aware of precautions that they could take to guard against identity theft, which could include asking people to shred all personal documents, to check their bank statements, to chase the non-receipt of cheque books and cards, to redirect their post and update the electoral roll if they are moving home, and to regularly check their personal credit files. If people are sharing accommodation, they must take extra care over the security of their letters and documents. I am also pleased that national fraud prevention week takes place annually. More organisations could be encouraged to take part in this initiative.

There is also a problem with the impersonation of deceased persons, and I am pleased that there are now provisions to combat this awful practice. Powers are now granted to the General Register Office to supply a deceased person’s details to the police, crime agencies and other bodies for the purpose of prevention, detection, investigation and prosecution of offences. Members of the public should, however, be encouraged and advised to register with services that remove the deceased person’s details.

I would now like to talk about businesses and companies where identity frauds are committed, including offences relating to the directors. These frauds include changing details of the company such as the address, false appointment of directors and fraudulent use of information already held. More can be done to urge companies to file information online, sign up to submitting all papers online and subscribe to an alert system. At present a very limited number of companies are doing this.

Financial services organisations should be encouraged to put identity fraud at the forefront of their considerations, and discussions should take place at board level as a regular agenda item. Institutions need to set up risk assessment committees that constantly examine the situation and recommend and implement the necessary protections. The private sector’s deployment of resources to confront these crimes is of the utmost importance and customers must be told of the dangers and the appropriate action to take.

The problem of identity theft is linked to that of cybercrime, which continues to pose an immediate threat. I welcome my party’s proposals, which include the establishment of a new national cybercrime unit within the police force and a similar department within the Crown Prosecution Service. My party’s suggestions are excellent. Has the Minister any comments on our proposals? Those who use encryption as a mechanism to confront the threat of fraud are to be congratulated. What action are the Government taking to increase the use of encryption to protect personal data?

In conclusion, it is disappointing that the Government have allowed themselves to become so completely focused on the identity card issue that they are not perceived to be as proactive in promoting the prevention of identity theft as I believe they should be. I hope the Minister will reflect on the proposals that I have presented today and on the work of the all-party group that has done much sterling work in this area. I look forward to his response.

My Lords, we appreciate the initiative of the noble Lord, Lord Sheikh, in making us aware of the dangers of identity theft. However, we must ensure that remedies do not aggravate the situation and take away our cherished liberties, which we on these Benches are particularly concerned about. We must strike a healthy balance. Only last week we discussed the security of databases in a debate initiated by my noble friend Lady Miller of Chilthorne Domer. I need not say much more from these Benches, as all that I wanted to say was said last week. The noble Lord’s speech tonight reinvigorates our determination to find a proper, liberal way forward. We welcome the initiative. As I say, our views were expressed last week and have not changed since.

My Lords, I thank my noble friend Lord Sheikh for initiating this timely debate and for saying that the Government have concentrated too much attention on the ID card issue at the expense of tackling identity fraud. The clarion call of this debate is to draw attention to the progress that still needs to be made.

My noble friend rightly drew attention to the serious nature of the problem. As my honourable friend Nigel Evans, the chairman of the All-Party Group on Identity Fraud, has pointed out, the estimated cost of ID fraud is huge—in 2006, it was £1.7 billion, as my noble friend echoed. Nigel Evans has said that everyone is a potential victim of this crime and that an identity, if stolen, can take months to get back, involving the victim in costs of thousands of pounds. Often individuals who are totally unsophisticated in these matters are the innocent victims and in many cases are not in a position to afford these costs. With the increasing sophistication of cybernetics and the increasingly widespread skills possessed by many people, it is essential that the authorities and the Government keep ahead of the game.

Like my noble friend Lord Sheikh, I very much welcome the all-party group’s report on identity fraud, which was published in October 2007. This well researched report was critical of the banking industry’s reluctance in the early stages to admit the seriousness of the situation. I believe that this attitude has now changed. Certainly, the British Bankers’ Association gave an assurance that a working group to establish best practice had been set up. What ongoing dialogue are the Government having with the banking industry to address these problems? I hope that the Minister will take note of the recommendation in the report that they should explore the secure sharing of data between government and the private sector.

This is not the occasion to debate the all-party report in detail, but it is worth highlighting one or two constructive suggestions that the group came up with. These have been well covered by my noble friend Lord Sheikh. Some of them are possibly small in themselves but all contribute to a robust response to this ever increasing menace. For instance, there is the suggestion that councils should offer safe and secure disposal facilities for hard drives as part of their recycling process. The “electronic dustbin” is a fruitful source for cybercriminals. There should be a hotline to enable victims of an ID fraud attack to find out quickly how they should respond—a point again made by my noble friend. An advertising campaign should make people aware of the dangers posed by ID fraud, with dos and don’ts in plain language and simple precautions such as not giving banking details out on blogs and social networking websites—practices that are widespread particularly among young people.

The report was also critical of the Government. It noted that in the two years up to October 2007 there had been three Ministers with responsibility for identity theft. The report recommended the appointment of an identity fraud tsar, although this has been greeted by the banking industry with scepticism. My party has an alternative proposal. I raised the matter in the debate initiated by my noble friend Lady Trumpington on 20 March this year and was grateful for the thoughtful reply that we had from the Minister. My noble friend Lord Sheikh has spoken in some detail about the role of the police. My party has put forward some definitive proposals to deal with the problem.

In the March debate, I voiced my party’s concern that the decision to absorb the National Hi-Tech Crime Unit into the Serious Organised Crime Agency has all the marks of an exercise in cost-cutting and sends the wrong signals at this time, given the urgency of the problem that this debate has highlighted. We would like to see the NHTCU re-established with the Metropolitan Police as the ACPO head of cybercrime promoting a new police central e-crime unit. I look forward to hearing of the progress made in that respect from the Minister, although we felt that the proposal received no support from the Government at that time. I urge the Minister to look again at this sensible initiative. More fundamentally, as I said, we will designate a single Minister for cybercrime when and if we get back into office.

This debate also provides the opportunity to revisit two other points that I made in the March debate. Since April 2007, online financial fraud can no longer be reported to the police directly. It has to be reported first to the financial institution concerned and it is then up to that bank or credit card company to decide whether the matter should be reported to the police. I said then that this is a cumbersome method that distances the victim from the prosecuting authority. It is a fair assumption that this disconnect between victim and prosecutor could have contributed to the regrettably low number of convictions under the Computer Misuse Act 1990—only 89 in the five years between 2001 and 2006. How is this change in procedure working? I also voiced concern that the police database does not distinguish between crimes committed electronically or otherwise. In view of the urgency of the problem, which this debate has highlighted, this research shortcoming needs to be rectified.

We must not sleepwalk into complacency on the subject of cybercrime and, particularly, ID fraud. I hope that we shall have an early opportunity to debate cybercrime in depth. In the mean time, I express my thanks to my noble friend Lord Sheikh for giving us the opportunity to debate this subject and for the comprehensive review of company matters, which he covered in a very informed way. I look forward to hearing the Minister’s reply.

My Lords, I welcome the opportunity given to us by the noble Lord, Lord Sheikh, to discuss identity fraud, which the Government take very seriously. It is not a victimless crime that affects just government departments or financial institutions; it causes social harm to those individuals who have had their identities stolen by criminals to facilitate fraud. We know that some of the proceeds of identity fraud are used to finance wider criminal activity. I have my suspicions that sometimes such matters creep into terrorism as well. I am very concerned about that.

We have been working collectively with the financial community, law enforcement, the private sector and across government for some time to implement effective measures to counter identity fraud. We are not there yet, but I think that we are moving in the right direction. Polls show that the public see identity fraud as more important than terrorism, which is interesting. The noble Viscount, Lord Bridgeman, mentioned that to me; I checked it and he is absolutely right. It just shows how concerned people are.

Through collective working, a variety of activity has been undertaken to tackle identity fraud, focusing not just on investigation and enforcement, but also on raising public awareness by highlighting the dangers of identity theft and what individuals can do to protect themselves. The noble Lord, Lord Sheikh, mentioned the National Identity Fraud Prevention Week, which does that.

If I outline some of the things that we have done, that will cover some matters raised by noble Lords. The Identity Fraud Consumer Awareness Group manages an identity fraud awareness campaign, mentioned by the noble Lord, Lord Sheikh, which has produced, for example, an identity theft website and an information leaflet. The website and leaflet are very popular. The website receives an average of 16,000 visits per month and there are over 13 million leaflets in circulation. One has to be careful about such numbers, as the outcome depends on what impact and effect these things are having. However, they show that people have an interest and are trying to find out about this matter. The website is currently being redesigned to include specific advice and guidance for businesses, not only on how to protect themselves; businesses also have a duty of care to their customers and to safeguard their customers’ records. I think that that is improving.

We have supported the National Identity Fraud Prevention Week. We have established a single point of contact in all police forces and a range of government departments and agencies to co-ordinate identity fraud investigations and prosecutions. It is clear that, as more people undertake banking, shopping and a range of other activities online, they need to be aware of the methods that can be used by fraudsters to try to access their online personal details. The noble Lord, Lord Sheikh, mentioned phishing, which is a way of doing that. That can then be used to commit offences, including those associated with identity fraud.

In the past few weeks, my wife has been a victim. She was phoned by her bank and asked, “Have you been buying things here and there?”. She had not. This can impact on everyone. Some two years ago, a postbag was stolen and someone cashed cheques on my bank account. These things happen to us all and they take time to sort out, as has been pointed out.

Another worry is social activities on websites such as Facebook, MySpace and Bebo. Young people in particular are disclosing a lot of personal information that can be very useful to fraudsters to facilitate identity fraud. A bank often asks for your mother’s maiden name and you will find that people put that kind of information on Facebook. There is also the nuisance of unsolicited and unwanted spam e-mails and the serious threat that they pose, as they make unwary e-mail users reveal things that would not otherwise be revealed. We have to be alert to such threats.

The Get Safe Online public awareness campaign, a partnership between government, law enforcement and the business sector, has now been running for two years. This campaign aims to increase internet security and to provide authoritative, trustworthy and independent government and law enforcement-generated information and advice to online users.

On the formation of an online e-crime unit, the noble Viscount, Lord Bridgeman, should be aware that, after the debate that we had in this House about cybercrime, I talked with my honourable friend Vernon Coaker in the other place about the issue, saying that we had to start to form an e-crime unit. It is too serious to wait. We have talked to the Home Secretary about it, who has said that she believes that we should move quickly. She has said that she will make the funding available to establish it.

The debate is about how we take this forward. What is the best overall approach? How does this fit in with the National Fraud Reporting Centre? How exactly will this tie together? As a result of debates in this House, things are moving forward. We need to get going. I will not get into cybercrime, which I see as more of a state issue. We talked about it the other day in the House. I am looking at the e-crime aspect, but cybercrime is also crucial. We are moving forward on that as well.

It is vital that legislation keeps pace with the changing techniques employed by fraudsters. That is why we have introduced a range of new legislation so that those who commit fraud can be investigated and prosecuted and proper deterrents are in place. The Identity Cards Act 2006 created a new criminal offence of being in possession of or controlling false identity documents. That is useful. The scope of these new offences is wide and covers not just false identity documents but the possession of genuine documents that have been improperly obtained or relate to someone else. These offences provide the police with additional means to disrupt the activities of organised criminals, terrorists and those supporting them.

In the first six months of operation, forces across the country have used the new laws to prosecute more than 500 identity crimes. This will grow and escalate. It is a timely thing to have done. By updating the law on fraud through the Fraud Act, we have created offences that can be used to prosecute identity fraudsters. To tackle the unauthorised access to or tampering of computer data, we have revised the sentences and offences under the Computer Misuse Act 1990. We are moving forward there.

Data protection has been mentioned on a number of occasions in this House. It is a global concern. Both the public sector and the private sector are faced with challenges in keeping the data that they hold safe and in tackling information security breaches. We know how difficult that can be, but that does not mean that we can uninvent and remove it. We have to have firm controls. The Government and the private sector face many challenges in combating these things.

The Government seek to ensure that data are held securely and used properly. This balance is maintained by a good legislative framework, particularly in the Data Protection and Human Rights Acts. The Information Commissioner is the UK’s independent regulator for data protection. He performs the dual role of promoting good practice, educating data controllers and taking appropriate action. The Data Protection Act provides a robust and responsive framework to protect and enable the sharing of data. That does not mean we have got it right in the past—we have not. It is crucial that we tighten it up because it gives away too much if we do not. However, we have a grip on this now and we are doing better.

To further underline the Government’s commitment to the protection of personal data, recent changes were made to the Data Protection Act through the Criminal Justice and Immigration Act 2008. This introduced new powers for the Information Commissioner to impose a monetary penalty for serious contraventions of the data protection principles, and to increase, by order, the penalty for those found guilty of unlawfully obtaining, procuring or disclosing personal data. So the tools are in place for us to ensure that these things happen. It gives a strong signal that the lucrative and illegal trade in personal data will not be tolerated and there is a much stronger deterrent in place. We have also initiated a number of reviews of the areas where we have had problems. They are at various stages of reporting and will give us good guidance for what we should do in future.

The noble Viscount, Lord Bridgeman, mentioned data sharing. We are working to improve that, because it can dramatically help to prevent fraud occurring. The Serious Crime Act 2007 allows for targeted exchange of data on fraud between public and private sector and between different public sector organisations, through anti-fraud organisations, to highlight potentially fraudulent applications. As he said, that is extremely important. Expressions of interest from organisations wishing to become a specified anti-fraud organisation are being sought. The Police and Justice Act 2006 allows for the release of information on the recently deceased to law enforcement and specified organisations to help prevent exactly the sort of crime that the noble Lord, Lord Sheikh, was talking about. I hope that that might close that loophole, but we have to watch it carefully.

The fraud review of the noble and learned Lord the then Attorney-General recommended actions that could be taken by the Government in partnership with law enforcement and the business community to tackle fraud and the harm that it has done. Last year we announced funding of £29 million over three years to develop the fraud review recommendations, which include establishing a national fraud strategic authority, a national fraud strategy, a lead force and a national fraud reporting centre. Those will all be extremely valuable as well.

The noble Lord, Lord Sheikh, mentioned the business of the parliamentary group. Meg Hillier has met it and committed to providing quarterly updates. That will be useful and again shows how seriously we take the matter. We have established a national lead force on fraud—it is the City of London Police—as part of the fraud review, to combat fraud and ID fraud more effectively.

The noble Lord, Lord Sheikh, raised the question of combating phishing internationally. We have already put in a lot of effort with industry, government and law enforcement to achieve that, have had quite close dealings with the US and Australia, and will continue those efforts. We are getting somewhere on that.

We are in discussions with the DVLA about driving licence validity. It is absolutely right that more can be done in that area as well, but we are achieving something there.

The noble Viscount, Lord Bridgeman, mentioned an identity tsar. I am not a great believer in tsars, ever since the Romanovs; there seem to be too many tsars everywhere. The idea of a single Minister for cybercrime is interesting; I touched on it when we debated cybercrime the other day. We are still looking at it and trying to come up with the best answer. We have had useful Cabinet meetings on cybercrime and have moved forward dramatically since the middle of last year, when I arrived and was particularly worried that we were not moving on it. We are moving forward much more quickly now, in the right direction.

We must all use encryption more. We must do it privately ourselves; we are not good at that. It needs to be done better in the public arena and the private arena. There is no doubt about it: if the terrorists can use brilliant encryption, we can as well. It is not that difficult, and we jolly well ought to do it a lot more.

We have a great dialogue with banks including safe exchange of data with the public sector, as I mentioned, and have gone a long way there.

Although the national identity scheme may not be that popular, it will make a difference. Its introduction will provide people with a secure means of protecting their identity. Therefore, we are great believers in it. I believe that it will be useful to have one document that can help us. The fact that biometrics are involved makes it much more secure. Can one get round it? Of course clever people can always get round things, but they will find it a lot more difficult than they do today, so it is a useful way forward and I am a great supporter of it.

It is important to emphasise that everyone—members of the public as well as public and private sector organisations—has a role to play in helping to tackle the problem. We all need to be aware and to make people more aware. Those who spoke today are all well aware of the problem but we have not got the message out enough. We have to let people know what they can do to protect themselves, and how crucial it is to do so and to protect their personal information. I thank the noble Lord, Lord Sheikh, for raising the issue and those who have been here for the debate. It is an important area and one that the nation, outside of government, might not take as seriously as it should. It is up to all of us to make sure that the message gets across.

House adjourned at 10.10 pm.