15. In our legislative scrutiny work, we have often raised concerns relating to the arrangements for sharing data and recommended that, where relevant, bills should include specific data protection safeguards. In our view, appropriate safeguards include clearly defining who should be allowed to access information; to whom information may be disclosed; and the purposes for which information may be shared.

16. The Government's response has generally been to resist our recommendations. It points to the fact that public authorities must comply with the provisions of the Data Protection and Human Rights Acts and argues that, as a result, it is not necessary to put specific safeguards in primary legislation. Table 1, below, lists the Government bills in relation to which we, and our predecessors, have raised data protection concerns since the Committee was set up in 2001, and summarises the Government's response.[17]Table 1: JCHR scrutiny of data protection provisions in Government bills since 2001

Bill	Report	Issue raised by JCHR	Government response (if any)
Anti-Terrorism, Crime and Security	2001-02, 2nd, 5th	Information sharing for purposes of an unlimited range of criminal investigations: JCHR concern about range of offences covered, lack of statutory criteria to guide decisions, lack of procedural safeguards.
Enterprise	2001-02, 18th	Inadequate safeguards for information sharing by various public authorities (including with bodies outside of UK).	-
Crime (International Cooperation)	2002-03, 1st, 3rd, 7th	Should be clarified that information sharing (relating to certain offenders) is subject to Data Protection and Human Rights Acts.	-
Community Care (Delayed Discharges etc)	2002-03, 7th, 8th	Concern about duty to disclose information gathered for medical purposes without consent.	Bill would not allow NHS bodies to reveal sensitive personal information without consent.
Criminal Justice	2002-03, 11th	Overall control of the management of fingerprint and DNA databases not clearly held by a single public authority with responsibility for protecting ECHR rights. Bill provided for delegation of functions relating to the Criminal Records Bureau to third party. Uncertainty as to whether this body would be a public authority for the purposes of the Human Rights Act. More safeguards required.	Third party would be a public authority, but not willing to specify this in legislation.
Children	2003-04, 12th, 19th	Lack of detail in Bill and Explanatory Notes about how provisions relating to databases complied with Article 8 ECHR.	-
Serious Organised Crime and Police	2004-05, 4th, 8th	Concern about the breadth of provisions for information gathering, use, storage and dissemination. Proposal to set out details in Codes of Practice inadequate.	Further safeguards in primary legislation otiose.
Commissioners for Revenue and Customs	2004-05, 6th, 13th	Inadequacy of safeguards relating to HMRC information sharing powers.	Would be administrative safeguards.
Gambling	2004-05, 7th	Safeguards relating to information sharing powers not on the face of the Bill.	-
Education	2004-05, 12th	Lack of detail in enabling provisions for collection of data on teachers and support staff.	-
Identity Cards	2005-06, 1st, 2004-05, 5th, 8th	See paragraphs 41-46 below.	-
Immigration, Asylum and Nationality	2005-06, 5 th, 11th	Key safeguards absent from the Bill.	Inclusion of safeguards in Code of Practice will provide greater level of detail than is possible in primary legislation and will be more flexible.
Electoral Administration	2005-06, 11th	Provision for disclosure of information relating to administration of elections and prevention of fraud considerably wider and more intrusive of privacy rights than envisaged by the Government.	-
Safeguarding Vulnerable Groups	2005-06, 25th, 31st	Information sharing provisions may, in practice, seriously impact on the private lives of individuals working with children or vulnerable adults. Guidance should address this and point out requirements of Data Protection Act.	Remit of 'Independent Monitor' not to be extended to cover dissemination of good practice and guidance on information sharing.
Welfare Reform	2006-07, 2nd, 11th	Bill should be amended to limit purposes for which information may be used; not possible to assess whether regulation making powers in this area are compliant with Article 8 ECHR.	Recommendation accepted.
Offender Management	2006-07, 3rd	Bill should be amended to restrict information disclosure to occasions where it is necessary, not merely expedient.	-
Serious Crime	2006-07, 12th	Power of public authorities to share information with anti-fraud organisations is drafted in terms which are too general to be compliant with Article 8 ECHR; various amendments recommended; proposed delegation of discretion to anti-fraud organisations to decide to whom they will disclose sensitive personal data is inappropriate.	-
Child Maintenance and Other Payments	2007-08, 1st	See paragraphs 17-19 below.

17. A recent, and apposite, example is the Child Maintenance and Other Payments Bill, on which we reported in January 2008. The Bill provides for the establishment of the Child Maintenance and Enforcement Commission (C-MEC) which will assume certain statutory powers and responsibilities for child support currently held by the Secretary of State and exercised by the Child Support Agency. It also provides for new information sharing gateways involving C-MEC, HM Revenue and Customs and the Department for Work and Pensions.

18. We expressed concern that the proposed information sharing gateways are "very wide and allow for the broad exchange of information between the named agencies or their associated contractors for any of the broad functions to be undertaken by C-MEC, HMRC or the Department". Following the loss of child benefit data, we recommended that the Government reconsider the adequacy of the safeguards accompanying the information sharing provisions in the Bill and reconsider whether more detailed safeguards could be included on the face of the Bill "such as more detailed provision on when information should be shared, the specific purpose for sharing information … and including specific criteria or conditions about the use, storage and disposal of personal information". We also raised concerns about the adequacy of the safeguards accompanying the proposal that C-MEC should have the power to share information with credit reference agencies.[18]

19. In its reply to our Report, the Department for Work and Pensions said that it had "carefully considered" our recommendations but was "confident our proposals strike the right balance between the individual's right to respect for their personal information and improving administrative processes and information gathering, so as to get money more quickly to children".[19] In relation to providing more details in the Bill about when information should be shared, the specific purposes for sharing information and criteria or conditions about the use, storage or disposal of personal information, the department said:

[it] does not believe that the face of the Bill is the right place to set out practical security arrangements and data handling processes. These matters, by their very nature, require flexibility and the ability to respond, pro-actively and reactively, to the changing operational reality. By confining these matters to primary legislation we would risk tying C-MEC to outdated and counter-productive security measures, which may not be fit for purpose.[20]

Compliance with the Data Protection Act was also cited as sufficient to ensure that the Bill's provisions would not contravene the right to respect for private life under Article 8 ECHR.[21]

20. We fundamentally disagree with the Government's approach to data sharing legislation, which is to include very broad enabling provisions in primary legislation and to leave the data protection safeguards to be set out later in secondary legislation. Where there is a demonstrable need to legislate to permit data sharing between public sector bodies, or between public and private sector bodies, the Government's intentions should be set out clearly in primary legislation. This would enable Parliament to scrutinise the Government's proposals more effectively and, bearing in mind that secondary legislation cannot usually be amended, would increase the opportunity for Parliament to hold the executive to account.

21. Another advantage of including specific data protection provisions in primary legislation would be to help ensure that data protection is a primary concern of managers and front-line staff in the public sector. We have commented before on the need for the safeguarding and promotion of human rights to be central to the work of public sector bodies, in particular in healthcare, for example.[22] The attention paid to human rights, outside of the legal department, is likely to be very scant if the concept is regarded solely in terms of compliance with the Human Rights Act. In our view, the same is true of data protection and the Data Protection Act. Setting out the purposes of data sharing and the limitations on data sharing powers in primary legislation would give a clear indication to the staff utilising such powers of the significance of data protection. We comment below on other means of ensuring that public sector staff pay serious attention to data protection.

18   Third Report, Session 2007-08, Legislative Scrutiny: 1) Child Maintenance and Other Payments Bill; 2) Other Bills, paragraphs 1.21 to 1.29. Back

19   Twelfth Report, 2007-08, Legislative Scrutiny: 1) Health and Social Care Bill and 2) Child Maintenance and Other Payments Bill: Government Response, Appendix, paragraph 12. Back

20   Ibid, paragraph 13. Back

21   Ibid, paragraph 14. Back

22   Eighteenth Report, Session 2006-07, The Human Rights of Older People in Healthcare, HC 378-I, HL Paper 156-I and Seventh Report, Session 2007-08, A Life Like Any Other? The Human Rights of Adults with Learning Disabilities, HC 73-I, HL Paper 40-I. Back