House of Commons portcullis
House of Commons
Session 2005 - 06
Publications on the internet
Standing Committee Debates

Draft Data Protection (Processing of Sensitive Personal Data) Order 2006

The Committee consisted of the following Members:

Chairman: Janet Anderson
Baird, Vera (Parliamentary Under-Secretary of State for Constitutional Affairs)
Chaytor, Mr. David (Bury, North) (Lab)
Cohen, Harry (Leyton and Wanstead) (Lab)
Connarty, Michael (Linlithgow and East Falkirk) (Lab)
Heath, Mr. David (Somerton and Frome) (LD)
Hughes, Simon (North Southwark and Bermondsey) (LD)
Linton, Martin (Battersea) (Lab)
Moran, Margaret (Luton, South) (Lab)
Owen, Albert (Ynys Môn) (Lab)
Prentice, Mr. Gordon (Pendle) (Lab)
Shaw, Jonathan (Chatham and Aylesford) (Lab)
Vis, Dr. Rudi (Finchley and Golders Green) (Lab)
Wallace, Mr. Ben (Lancaster and Wyre) (Con)
Walter, Mr. Robert (North Dorset) (Con)
Watkinson, Angela (Upminster) (Con)
Wilson, Mr. Rob (Reading, East) (Con)
Wright, Jeremy (Rugby and Kenilworth) (Con)
Geoffrey Farrar, Committee Clerk
† attended the Committee

Fifth Standing Committee on Delegated Legislation

Wednesday 5 July 2006

[Janet Anderson in the Chair]

Draft Data Protection (Processing of Sensitive Personal Data) Order 2006

2.30 pm
The Parliamentary Under-Secretary of State for Constitutional Affairs (Vera Baird): I beg to move,
That the Committee has considered the draft Data Protection (Processing of Sensitive Personal Data) Order 2006.
It is a real pleasure for me to serve under your chairpersonship, Mrs. Anderson. The order, which was laid on 13 June, will facilitate payment card issuers in processing sensitive personal data provided by law enforcement authorities on offenders who have been convicted of or cautioned for crimes relating to child abuse images where a payment card has been used to commit the offence. The sensitive personal data are, of course, that they have been convicted of or cautioned about such an offence.
The order is needed because although card issuers ordinarily have the power, based on their contracts with customers, to remove any payment card and close an account that has been used to make an illegal purchase, they have found it difficult to exercise that right without details of convictions and cautions, and some have been unsure whether they can process such data and close accounts.
That is because, under the Data Protection Act 1998, information on convictions and cautions, such as data on an individual’s racial or ethnic origin, or their health, is sensitive personal data. As such, that information can be processed only if one of the conditions in schedule 3 of the Act is met.
Some card issuers can process that information already, because they have drafted the terms and conditions of their contracts to ensure that they have the explicit consent of their customers to process it, which brings them within schedule 3. However, some card issuers are not sure whether they can process that information, and it is possible that some cannot under their terms and conditions.
Consequently, the order creates a new schedule 3 condition to ensure that all card issuers can process the facts of convictions and so on for the purposes of closing down an account, or otherwise administering it.
Simon Hughes (North Southwark and Bermondsey) (LD): This is obviously important business. Will the Minister give us the best communication that she can—I am not trying to put her on the spot, but it would be helpful for this debate—of the number of convictions and cautions in recent years under the five offences listed in the order? Obviously, that will give the Committee and those who read the report of our proceedings an indication of the scale of the important issues with which we are dealing.
Vera Baird: The best information that I have, and it is not bad, is that there were 1,579 in 2004.
The measures in the 1998 Act ensure that sensitive data are processed in a manner that provides the appropriate protection for the individuals whose data are concerned. Under the power in paragraph 10 of schedule 3 to the Act, the Secretary of State can make an order to stipulate further circumstances in which the processing of sensitive personal data can take place. We have used that power here.
The Association for Payment Clearing Services, or APACS, which is the UK trade association for payments and institutions that deliver payment services to customers and which represents about 98 per cent. of card issuers, approached the Government about establishing a secure route to freeing all card issuers of all the doubt that I have mentioned and allowing them to access and process sensitive personal data for the purposes that I set out.
The Government are obviously keen to act and to provide the necessary support to the industry. There has been a cross-governmental project involving my Department, the Child Exploitation and Online Protection Centre, which was launched in April this year, law enforcement officers, specialist children’s charities and the industry to approach holistically the growing problem of child abuse, focusing on these high-risk, high-impact offenders. Of course, the Home Office was also part of that.
The order facilitates the necessary data sharing and provides the necessary safeguards under the Act for APACS members to process such information when it is provided to them. I have here a small diagram that indicates that information on convictions will come from the law enforcement agencies to the CEOP and then go directly to the card issuers. The process will be supported by a memorandum of understanding to add further safeguards for the card issuers. That is how it will work.
The Information Commissioner has been asked to comment on that, and is broadly content with the nature of the order. Clearly, facilitating the removal of payment cards and closing accounts used to purchase indecent images are only small steps in tackling paedophile behaviour and protecting children, but any steps that disrupt such activity and reduce reoffending can only make a positive difference.
Simon Hughes: The Minister’s officials were good enough to tell my office that my reading of the Information Commissioner’s initial response was correct. There was, apparently, originally an objection from the Information Commissioner. Is it fair to say that he was then persuaded by the arguments put by the Minister’s Department that, on balance, his instinctive concerns about data transfer should be overridden by the answers that the order gives? That is why the Minister used the careful phrase that she did; initially, he was not persuaded, but by the end of the engagement, he was.
We think that if the terms and conditions of the account are broken, which they would be by someone’s using the card for an unlawful purpose, the card issuer is entitled to terminate the account entirely. It seems likely that it would take such action, because APACS came to us to ask for help with this power. In those circumstances, I ask that the order be approved.
2.37 pm
Jeremy Wright (Rugby and Kenilworth) (Con): I, too, welcome you to the Chair, Mrs. Anderson, and I thank the Minister for the way that she opened the debate.
Broadly speaking, the Conservative party welcomes the order. The Committee will recognise the importance of combating the offences relating to child pornography that are set out in the order, and to which the order relates, and of ensuring that we have a range of instruments to combat those offences and the offenders concerned. One such instrument is the power to limit the opportunities for offenders to pay for child pornography with credit or debit cards, and the order will allow that instrument to be used more effectively.
It is also right to say at this stage that, as the Minister knows from her previous working life, and as I know from mine, those who commit the offences listed in the order often claim that viewing child pornography is a victimless crime. That, of course, is not so. By seeking out such material, those people create a market for the terrible abuse and exploitation that have ruined so many children’s lives, so they share responsibility for that abuse.
The internet has made it easier to commit those offences and harder to control them, with images downloaded, and paid for by credit and debit cards. As the Minister said, the order will permit card issuers to have the information they need to cancel cards used in offending or otherwise to prevent offenders from using accounts to obtain child pornography. In our judgment, that is a sensible and necessary objective, and we support it.
Against that background, will the Minister clarify two matters? In her exchanges with the hon.Member for North Southwark and Bermondsey (Simon Hughes), she dealt with the Information Commissioner’s view of this measure and his particular reservations on the phrase “administering an account”. May I ask about another matter relating to that? Will the Minister help the Committee with regard to when a credit or debit card account is held jointly by more than one person and one account holder only has committed a relevant offence?
Article 2(2) of the order permits a bank or other financial institution to process information about an offender’s conviction or caution for the purposes of cancelling a payment card or of administering an account to which that payment card relates.
I see no difficulty with the cancellation of payment cards; the bank may simply cancel the card used by the offender without necessarily affecting the service provided to the other joint account holder. But what of administering the account? What might that include? If, as the Minister has suggested, it encompasses a variety of actions up to and including the closure of an account, administration of the account as a result of one joint account holder’s offence might have detrimental consequences for the other account holder, who might be uninvolved.
A subsidiary question: what will the bank be obliged to tell the innocent joint account holder, as its client, of the reasons for closing the account? Presumably, the bank will not be entitled to tell the innocent joint account holder of the conviction or caution held by the offending joint account holder, because in those circumstances the limited permission for prevention of crime to breach the offender’s right to privacy under article 8 of the European convention on human rights will not apply, but it might produce difficulties for the bank or financial institution in dealing with the other joint account holder. I would be grateful if the Minister addressed that.
Will the Minister confirm that the Government believe that the order covers the full range of methods by which downloaded child pornography can be paid for? For example, items bought on eBay can be paid for through PayPal, which is administered by a separate organisation, from the bank account that the card draws on. Will the order cover any similar system that might be used by a pornography website? I would be grateful for reassurance on those points, if she can give it.
I believe that it is our duty as legislators to provide those who attempt to combat child pornography, whether they be police officers or bank officials, with the tools that they need to keep our children safe. I do not intend to invite my colleagues to vote against the order.
2.42 pm
Simon Hughes: I am pleased to serve under you,Mrs. Anderson. I shall be as brief as the hon. Member for Rugby and Kenilworth (Jeremy Wright), and my points will be similar to his. I apologise on behalf of my hon. Friend the Member for Somerton and Frome (Mr. Heath), who cannot be with us, but who shares my view on such matters. I am sure that there is consensus in the Committee.
There is a general determination among the public to ensure that we as a country, and the countries within the UK, do all that we can to prevent the direct or indirect abuse and exploitation of children. The order will prevent indirect exploitation. As the hon. Member for Rugby and Kenilworth said, such crime is not victimless. Anybody who downloads images of children for sexual gratification or pornographic purposes can do so only if a child is photographed further up the line, as it were. It seems to me that one must take all steps necessary to prevent that either from not being governed by criminal law and prosecuted or—if it is an offence, as this is—from not being an offence that can be dealt with effectively.
I asked the Minister for the number of offences, and she gave a good answer from the last year for which figures were available. I understood her to say that 1,500 people were convicted or cautioned—in other words, prosecuted with a disposal that records that the offence was accepted and was committed—for one of the five offences listed in the order, which will govern Northern Ireland, Scotland, England and Wales, or for conspiracy to commit such an offence.
Sadly, there might be much more of that activity that has not yet been tracked down and dealt with. We must close the loophole that, to be honest, is perceived as one that might be used by more professional and well-off members of society who have access to credit and debit cards, but that is not available to others. However, we must be careful when we give power to any authority to transfer information from one organisation to another. That is why we are debating the order.
I understand the proper concern that the Information Commissioner wanted to address to ensure that the power was appropriate. The hon. Member for Rugby and Kenilworth raised the one complicating factor, which is that an account might be held by more than one person. One person might have abused that account and broken the law. Another person, who might be a partner or a wife, and who might be a co-holder of the account—it could be held by more than two people, but that is not normally the case—might become a perfectly innocent victim. On the one hand, it is perfectly proper to ensure that their interests are looked after; on the other, we must ensure that the right to privacy for people who have a conviction is not broken in the transfer of information.
The last issue in the original debate, as I understand it, was whether it is sufficient to confiscate the credit or debit card. It clearly is not sufficient to confiscate a credit or debit card because nowadays we can purchase things on the internet—we all know that—by using a card number, if one has the password. Therefore, the fact that the card company has taken the card away does not prevent access to the service.
It is important that there is an ability to deal with the account. What that effectively means is that the remaining loophole, which could not be governed by the company’s contract saying, “You have abused the account, so we are going to close it,” can now be dealt with automatically on the transfer of that information.
That is important, and it should mean that people who have funds available and who are probably the most significant drivers of offences of that sort—potentially, they can pay significant sums of money to do that—can be caught and followed. I hope that the police will be given the ability to track down more people who are committing those offences and to caution or prosecute them, and see them convicted as appropriate.
I hope that this sends out a strong consensual signal from the House of Commons, and from Parliament as a whole, that we have identified a serious malaise—an evil—in our society and that we are trying to deal with it as best we can, but are mindful of the rights of individuals and the duty to ensure that information is passed around only when that is appropriate, compatible with the need for firm enforcement of the criminal law.
I welcome the order and am glad that we will have it on the statute book in the very near future.
2.47 pm
Harry Cohen (Leyton and Wanstead) (Lab): I want to make a few points. I understand the wish to strengthen the law and I support it. The news alert service,, published by Pinsent Mason, ran a story, and this is how it began:
“The Information Commissioner advised the Home Office against a key measure of its recent Data Protection Act amendment giving banks the ‘power to administer an account without the knowledge of the account holders’.”
My office contacted senior staff at the Office of the Information Commissioner, who told me that the OIC is not persuaded by the part of the order that relates to administering the account that that is necessary. Why keep criminal records for account administration on an account that is being closed? But that is not quite what the Minister said, and I would be interested to know just where the difference with the Information Commissioner is. If an account is closed, what is there to administer? The Minister needs to explain that point.
Basic data protection analysis would merely state something such as, “Account closed because of inappropriate use of the card.” That is all that needs to be retained on the record. After all, the explanatory memorandum says that the contract allows the bank to take the card away.
I want to tie that up with the employment aspect. To use an analogy, when employers vet employees using the Criminal Records Bureau, the CRB code of practice says:
“The criminal record data should not be retained in employee files”.
The reason for that is that criminal conviction data are relevant to making an informed decision on whether to employ someone. However, once the decision is taken to employ a person with a criminal record, the criminal conviction details become irrelevant and should not be stored.
For example, a person who declares his offences should not have the detail of those offences retained in personal data, if the employer decides that the offences are not a barrier to the employment. However, it is valid for the employer to retain a measure such as, “We checked criminal records and the CRB certificate number, and there was nothing in that certificate to bar this person from employment.” However, the content of the criminal record would not be retained in those circumstances. That is a contradiction.
The order allows the criminal conviction data to be retained by a bank to close an account or to administer a closed account, but such data should not be retained if a bank wants to employ the same person. The Minister seems to be arguing for a position whereby criminal data are not needed for employment contracts, but are needed for a contract with a bank for financial services. I would like to know why. Perhaps she will explain that apparent contradiction.
I would like to follow up a point made by other hon. Members about the problem for the co-holder of a card. Someone who accepts a caution for a relevant offence could find themselves without financial services, and so could the co-holders of a card. That could be considered an additional punishment to the one already agreed in respect of them.
Contents Continue
House of Commons 
home page Parliament home page House of 
Lords home page search page enquiries ordering index

©Parliamentary copyright 2006
Prepared 6 July 2006