Eric Howe urged the Government to set up an inquiry to investigate a legal loophole that allows access to details of people's bank accounts, credit ratings and tax records. The problem arises when callers deceive organisations such as banks into believing that they have legitimate access to sensitive information.
Banks use 'tracing agencies' to track down bad debts, and they inform the data protection registrar that they may have to pass customer information on to the agency. If a caller then fools bank staff into believing they are from a tracing agency, the bank cannot be prosecuted for handing out data for which it has already registered.
'I have drawn this to the attention of the Home Secretary, and Parliament might want to consider how big a market this is and how easy it is to use . . . perhaps making it an offence to have this form of intrusion by deceit,' Mr Howe said yesterday on the publication of his ninth annual report.
Mr Howe investigated the problem after complaints from Stella Rimington, the head of MI5, and Norman Lamont, the former Chancellor. Newspapers had published details of their private financial affairs bought from detective agencies.
'All organisations tell their staff to be as helpful as possible. It's a matter of getting the balance right so they don't give away information that is sensitive,' Mr Howe said. He added that neither the Data Protection Act 1984, nor the Computer Misuse Act 1990, seemed adequate.
Mr Howe, who oversees the use of all computer data held on individuals, is also concerned about the advent of National Health Service identification numbers, which he feels could become a de facto national identification scheme.
'The National Insurance number has appeared in tax schemes and I would not want a similar thing to happen to the NHS number,' he said.
He has raised the issue with Virginia Bottomley, Secretary of State for Health, who said she could limit use of the number by enforcing Crown copyright. Mr Howe is concerned, however, that other government agencies would still be able to use the number. An education authority, for example, might use the NHS identifier to link a child's education and health records.
'This would be quite outside the purpose for which it was intended,' Mr Howe said. 'I just have this nagging feeling that a very useful number for identifying people would be a helpful prize for people to get hold of. If ministers decide they want to bring in a national identification scheme then that's different.' He said he was disappointed that Mrs Bottomley had disagreed that use of the number should be limited by law.
He warned that pressure on public expenditure posed a threat to progress with data protection. This includes work with the police on the length of time they should be allowed to keep criminal records on computer.
The registrar is also looking at a new banking practice of passing on information to credit reference agencies. Some banks will only accept new customers if they agree to this.
Ninth Report of the Data Protection Registrar; HMSO; £13.25.