3 Data protection in legislation
15. In our legislative scrutiny work, we have often
raised concerns relating to the arrangements for sharing data
and recommended that, where relevant, bills should include specific
data protection safeguards. In our view, appropriate safeguards
include clearly defining who should be allowed to access information;
to whom information may be disclosed; and the purposes for which
information may be shared.
16. The Government's response has generally been
to resist our recommendations. It points to the fact that public
authorities must comply with the provisions of the Data Protection
and Human Rights Acts and argues that, as a result, it is not
necessary to put specific safeguards in primary legislation. Table
1, below, lists the Government bills in relation to which we,
and our predecessors, have raised data protection concerns since
the Committee was set up in 2001, and summarises the Government's
1: JCHR scrutiny of data protection provisions in Government bills
||Issue raised by JCHR
||Government response (if any)
|Anti-Terrorism, Crime and Security
||2001-02, 2nd, 5th
||Information sharing for purposes of an unlimited range of criminal investigations: JCHR concern about range of offences covered, lack of statutory criteria to guide decisions, lack of procedural safeguards.
||Inadequate safeguards for information sharing by various public authorities (including with bodies outside of UK).
|Crime (International Cooperation)
||2002-03, 1st, 3rd, 7th
||Should be clarified that information sharing (relating to certain offenders) is subject to Data Protection and Human Rights Acts.
|Community Care (Delayed Discharges etc)
||2002-03, 7th, 8th
||Concern about duty to disclose information gathered for medical purposes without consent.
||Bill would not allow NHS bodies to reveal sensitive personal information without consent.
|Criminal Justice ||2002-03, 11th
||Overall control of the management of fingerprint and DNA databases not clearly held by a single public authority with responsibility for protecting ECHR rights. Bill provided for delegation of functions relating to the Criminal Records Bureau to third party. Uncertainty as to whether this body would be a public authority for the purposes of the Human Rights Act. More safeguards required.
||Third party would be a public authority, but not willing to specify this in legislation.
|Children ||2003-04, 12th, 19th
||Lack of detail in Bill and Explanatory Notes about how provisions relating to databases complied with Article 8 ECHR.
|Serious Organised Crime and Police
||2004-05, 4th, 8th
||Concern about the breadth of provisions for information gathering, use, storage and dissemination. Proposal to set out details in Codes of Practice inadequate.
||Further safeguards in primary legislation otiose.
|Commissioners for Revenue and Customs
||2004-05, 6th, 13th
||Inadequacy of safeguards relating to HMRC information sharing powers.
||Would be administrative safeguards.
||Safeguards relating to information sharing powers not on the face of the Bill.
||Lack of detail in enabling provisions for collection of data on teachers and support staff.
|Identity Cards||2005-06, 1st, 2004-05, 5th, 8th
||See paragraphs 41-46 below.
|Immigration, Asylum and Nationality
||2005-06, 5 th, 11th
|| Key safeguards absent from the Bill.
||Inclusion of safeguards in Code of Practice will provide greater level of detail than is possible in primary legislation and will be more flexible.
|Provision for disclosure of information relating to administration of elections and prevention of fraud considerably wider and more intrusive of privacy rights than envisaged by the Government.
|Safeguarding Vulnerable Groups
||2005-06, 25th, 31st
||Information sharing provisions may, in practice, seriously impact on the private lives of individuals working with children or vulnerable adults. Guidance should address this and point out requirements of Data Protection Act.
||Remit of 'Independent Monitor' not to be extended to cover dissemination of good practice and guidance on information sharing.
|Welfare Reform||2006-07, 2nd, 11th
||Bill should be amended to limit purposes for which information may be used; not possible to assess whether regulation making powers in this area are compliant with Article 8 ECHR.
||Bill should be amended to restrict information disclosure to occasions where it is necessary, not merely expedient.
|Serious Crime||2006-07, 12th
||Power of public authorities to share information with anti-fraud organisations is drafted in terms which are too general to be compliant with Article 8 ECHR; various amendments recommended; proposed delegation of discretion to anti-fraud organisations to decide to whom they will disclose sensitive personal data is inappropriate.
|Child Maintenance and Other Payments
||See paragraphs 17-19 below.
17. A recent, and apposite, example is the Child Maintenance and
Other Payments Bill, on which we reported in January 2008. The
Bill provides for the establishment of the Child Maintenance and
Enforcement Commission (C-MEC) which will assume certain statutory
powers and responsibilities for child support currently held by
the Secretary of State and exercised by the Child Support Agency.
It also provides for new information sharing gateways involving
C-MEC, HM Revenue and Customs and the Department for Work and
18. We expressed concern that the proposed information
sharing gateways are "very wide and allow for the broad exchange
of information between the named agencies or their associated
contractors for any of the broad functions to be undertaken by
C-MEC, HMRC or the Department". Following the loss of child
benefit data, we recommended that the Government reconsider the
adequacy of the safeguards accompanying the information sharing
provisions in the Bill and reconsider whether more detailed safeguards
could be included on the face of the Bill "such as more detailed
provision on when information should be shared, the specific purpose
for sharing information
and including specific criteria
or conditions about the use, storage and disposal of personal
information". We also raised concerns about the adequacy
of the safeguards accompanying the proposal that C-MEC should
have the power to share information with credit reference agencies.
19. In its reply to our Report, the Department for
Work and Pensions said that it had "carefully considered"
our recommendations but was "confident our proposals strike
the right balance between the individual's right to respect for
their personal information and improving administrative processes
and information gathering, so as to get money more quickly to
relation to providing more details in the Bill about when information
should be shared, the specific purposes for sharing information
and criteria or conditions about the use, storage or disposal
of personal information, the department said:
[it] does not believe that the face of the Bill is
the right place to set out practical security arrangements and
data handling processes. These matters, by their very nature,
require flexibility and the ability to respond, pro-actively and
reactively, to the changing operational reality. By confining
these matters to primary legislation we would risk tying C-MEC
to outdated and counter-productive security measures, which may
not be fit for purpose.
Compliance with the Data Protection Act was also
cited as sufficient to ensure that the Bill's provisions would
not contravene the right to respect for private life under Article
20. We fundamentally disagree with the Government's approach
to data sharing legislation, which is to include very broad enabling
provisions in primary legislation and to leave the data protection
safeguards to be set out later in secondary legislation. Where
there is a demonstrable need to legislate to permit data sharing
between public sector bodies, or between public and private sector
bodies, the Government's intentions should be set out clearly
in primary legislation. This would enable Parliament to scrutinise
the Government's proposals more effectively and, bearing in mind
that secondary legislation cannot usually be amended, would increase
the opportunity for Parliament to hold the executive to account.
21. Another advantage of including specific data protection
provisions in primary legislation would be to help ensure that
data protection is a primary concern of managers and front-line
staff in the public sector. We have commented before on the need
for the safeguarding and promotion of human rights to be central
to the work of public sector bodies, in particular in healthcare,
for example. The attention
paid to human rights, outside of the legal department, is likely
to be very scant if the concept is regarded solely in terms of compliance
with the Human Rights Act. In our view, the same is true of data
protection and the Data Protection Act. Setting out the purposes
of data sharing and the limitations on data sharing powers in primary
legislation would give a clear indication to the staff utilising
such powers of the significance of data protection. We comment below
on other means of ensuring that public sector staff pay serious
attention to data protection.
17 The Government is not obliged to respond to our
legislative scrutiny Reports. Back
Third Report, Session 2007-08, Legislative Scrutiny: 1) Child
Maintenance and Other Payments Bill; 2) Other Bills, paragraphs
1.21 to 1.29. Back
Twelfth Report, 2007-08, Legislative Scrutiny: 1) Health and
Social Care Bill and 2) Child Maintenance and Other Payments Bill:
Government Response, Appendix, paragraph 12. Back
Ibid, paragraph 13. Back
Ibid, paragraph 14. Back
Eighteenth Report, Session 2006-07, The Human Rights of Older
People in Healthcare, HC 378-I, HL Paper 156-I and Seventh
Report, Session 2007-08, A Life Like Any Other? The Human Rights
of Adults with Learning Disabilities, HC 73-I, HL Paper 40-I. Back