That's a good question.
I think part of it comes back to my concern around the issue of privacy engineering and security engineering. There could be an extent to which breaches at the technical level could be automatically reported and made visible without any human interpretation or obfuscation in the process. I'm trying to find polite ways of putting it.
Equally, I think we need to be wary of the idea that technology alone can provide the answer. I think it could certainly help. It could certainly enable us as citizens to see where, as in Estonia, records have perhaps been inappropriately accessed. It could also identify where that might be happening at scale. For example, if somebody, either an insider or an external agent, has tried to farm multiple records in rapid time, that type of thing should be caught quite quickly by a good computer system.
However, it seems that most of the breaches that come to light in the U.K. often involve insiders who have executed social engineering attacks. Even though the system has been well designed, if they bring up people's records on a screen and use analog attack methods, such as either writing down the details or taking a photograph of the screen, it's very difficult for the system alone to catch those types of things. You can spot patterns of behaviour over time, but if an official only does it as a one-off, it's going to be very hard to know.
I think there's also a disincentive in the system currently, in that the more honest the departments are, the worse they look on the leaked tables. They're seen as the departments with the biggest problem, whereas they may be the departments actually being the most honest with us.