Previous Section Back to Table of Contents Lords Hansard Home Page


Baroness Turner of Camden: My Lords, I welcome this Bill and thank my noble friend the Minister for his comprehensive introduction to it. There are, however, one or two points that I should like to raise and I should be grateful for the Government's response.

I recently introduced a debate in this House about abuses by the press. I said at that time that I was in favour of an independent ombudsman since I objected to journalism which was invasive of personal privacy, and that although I did not advocate a privacy law, as

2 Feb 1998 : Column 470

some have done, I thought that there should be some form of redress for injured citizens. Replying to that debate, the noble Lord, Lord McIntosh, appeared to indicate that this Bill would give the opportunity for further debate on those issues--and so it does.

It is widely recognised that there is a need to reconcile two apparently conflicting rights: the right to personal privacy and the right to freedom of expression. A number of noble Lords have referred to that this afternoon. Broadly speaking, journalists tend to give greater emphasis to the latter freedom whereas those who have been damaged tend to stress the former, the right to privacy. The point that I should like to raise is whether the Bill gives greater weight to the freedom of information and expression to the disadvantage of the right to personal privacy.

Clause 2 sets out what are regarded as sensitive personal data--and I think that most people would agree with them. They include data about racial or ethnic origin; political opinions; religious or other beliefs; trade union membership; physical health and, importantly, sexual life, as well as commission or alleged commission of offences. On the other hand, as we have heard, Clause 31 appears to provide for some exemption for journalists and literature and art where so-called "public interest" is involved. But what constitutes "public interest"? It surely should not be interpreted as public curiosity.

Article 17 of the UN International Covenant on Civil and Political Rights, adopted in 1996, requires that,


    "No-one shall be subjected to arbitrary or unlawful interference with his privacy, family, home and correspondence nor to unlawful attacks on his honour and reputation".

Article 10 of the European Convention on Human Rights, while upholding the right to freedom of expression, states that that freedom may be subject to other conditions and restrictions relating particularly to the interest of national security, the prevention of disorder or crime and for the protection of the reputation or the rights of others.

Article 9 of the directive, on which I think that the Bill is based, says that derogations and exemptions cannot be granted to journalists as such but only to anybody processing data for journalistic purposes. That is what I thought that most journalists did anyway. There would appear to be a let-out under Clause 31 in the event of public interest, but individuals are, so it is said, entitled to adequate forms of redress in the case of violation of their rights.

It seems to me that the key question of "public interest" is now widely interpreted by the media as giving them the right to say what they like and to invade the privacy of anyone who is even slightly "in the public eye". Most people have never heard of some of the Back-Bench parliamentarians about whom stories have been written, but presumably a "public interest" defence would be mounted by the press if taken to task, even if there had been breaches of the press code.

2 Feb 1998 : Column 471

It is sometimes suggested that a distinction might be made between ordinary individuals and those who have placed themselves in the public domain, such as politicians. Indeed, the noble Baroness, Lady Nicholson, made a similar point earlier. I do not see it in that way. I do not believe that people sacrifice their human rights simply because they have opted to play some role, at whatever level, in public life. As I said in the debate that I introduced on 14th January, libel action is only a possibility for the very wealthy. The forms of redress open to others are not, with respect to the noble Lord, Lord Wakeham, completely adequate. They do not include compensation. Does the Bill as drafted raise the possibility that compensation will be available? If so, I would be grateful to hear about it.

The intense competitiveness of the media industry and the growth of the use of the Internet (where anything can be made available immediately) mean that the kind of media frenzy that we have seen in the past week or so in the USA is equally possible here. The safeguards against it are not adequate, and although I do not want to see interference with the right to freedom of expression or with genuine investigative journalism, I believe that individuals could still be left dangerously exposed to malice and hurt. I noticed with interest that the highly respected organisation, Justice, makes a similar point in its briefing, which I received today.

My second point may at first glance seem to run counter to what I have just said--and yet it does not. I make a sharp distinction between what most people would regard as genuinely personal, family and sexual matters, and possible fraud or crime.

Your Lordships may be aware that for a long time I have maintained an interest in the financial services industry. I was once employed in insurance, and the union of which I was a senior official has many members employed in the financial services industries. I should like to follow up the remarks of the noble Lord, Lord Norton, in that connection. One of the major problems in the industry is insurance fraud. It is amazing what some people will do to claim on the insurance. According to an article in Post Magazine this week, motor insurance fraud alone accounts for everyone having to pay an additional 3.9 per cent. on premia to cover the cost. Arson cases have more than doubled in the past 10 years. There are now over 80,000 cases resulting in £500 million of insurance claims. All of us have to pay for it. It is as anti-social in its way as social security fraud, about which the Government are quite rightly concerned.

Much of the investigation into possible insurance fraud is conducted by people known as loss adjusters. They have their own institute, with whose representatives I recently had discussions. They are concerned about certain clauses of the Bill because they believe that they will make their jobs much more difficult, possibly resulting in even greater losses for which policyholders will ultimately find themselves picking up the tab in increased premia. For example, they say:


    "The Bill states that the data subject ... must have freely given agreement to the investigation of himself/herself".

2 Feb 1998 : Column 472

They believe that this could result in a suspect fraudster preventing an investigation which would validate the fraud. They go on to make the cogent point:


    "Unless the initial contract of insurance is accepted as permission by the policyholder to any subsequent investigation, in the event of a claim, the process of fraudulent claims investigation will be thwarted".

The Bill also requires information to be held no longer than is necessary for the purpose for which it is collected. Accordingly, files on fraudulent claims, once concluded, must be destroyed. This does not assist the industry in protecting against future fraudulent claims by the same individuals. Apparently some people have a habit of making dubious insurance claims. They go on to say:


    "The data subject will be entitled to request details gathered upon him/her. This must be complied with within 40 days. This will not assist the investigation of fraudulent claims ... Personal information/data obtained, for instance, in the investigation of a fraudulent claim, cannot, under the Bill, be sent from any European member state to a country that does not have a Data Protection Act or something similar. In the current world of global insurance and hence fraud, reports cannot therefore be sent to insurance clients in numerous countries, including the USA. Many US insurers operate within the UK with reports on major claims above a certain reserve having to revert back to the US for instruction. This will be prevented by the Bill".
They also question whether investigators of insurance claims will in future need some form of licence to operate.

I believe that those are legitimate concerns to raise, and I should be very grateful if my noble and learned friend would respond to them.

5.33 p.m.

Viscount Chelmsford: My Lords, I am director of the parliamentary group EURIM, which has been closely involved in data protection for some time. EURIM exists to put corporate and not for profit associations together with MPs and MEPs to debate policy issues arising out of information and communication technology and to lobby Brussels and, if necessary, Whitehall. The very first project in which EURIM was involved in 1994 concerned the second draft of the European Data Protection Directive. We recognised then that the simplicity of the 1981 Council of Europe Convention had been lost in the directive. I believe that others have made that point. We were concerned about bureaucratic rigidity and automated decision-making. We recognised that the second draft allowed cash dispensers to be used satisfactorily but we still had a query about automatic profiling for marketing.

At that time the British Bankers Association was concerned about trans-border data flow. It felt that if that were restricted it would restrict the association in preventing or limiting fraud. We had a query about the interpretation of manual data and worries about the term "consent", express or implied. A year later the Council of Ministers made significant changes to the directive. We looked at it again. It was then that we made our first call for UK primary legislation to implement the directive. We also recommended that the UK made maximum use of the new and significant EU derogations to minimise the adverse effects on us in the UK relative to our 1984 Act.

2 Feb 1998 : Column 473

We recognised that "express consent" had been altered; it was now called "explicit consent", but our doubt about the scope or meaning of the word remained. We also looked, as indeed is the Minister today, for a balance between the reasonable needs of corporates for marketing opportunities and the reasonable needs of individuals to avoid unwanted mail. We still asked what was "manual data". We suggested that structured files only should represent the manual data brought into the Act, and only such structured files as were set up after the implementation of the directive by the Act.

A year later, in July 1986, we, like many others, responded to the Home Office consultation. We were still concerned about bureaucratic rigidity. We then called for the function of the registrar to be more like that of a parliamentary commissioner and, perhaps because of the knowledge of my fellow director MPs, we recognised that anyway the registrar reported to Parliament, not the Home Office. We were perhaps the first to make that call which the directive will now establish.

We called for the registrar's advisory role to be enhanced and for fees to be delinked from registration and to be variable and work-related--all things that are beginning to happen under the new Bill. We still believed that primary legislation was highly desirable and that attempts to simplify the directive must continue. Our concern about cross-border exchange of data had changed to a concern that the protection arrangements for certain countries would be deemed inadequate.

I believe that the Bill offers four out of the seven changes that we put to the Home Office in July 1996. The areas that still remain open on EURIM's agenda are: bureaucratic rigidity, the fact that the Bill adds complexity rather than simplification, the problem of cross-border data exchange and, from the early EURIM briefings, the question of what is manual data and what is consent.

Before I deal with the detail, I was the third member of the team involved in the briefing by loss adjusters, as the noble Lord, Lord Norton, and the noble Baroness, Lady Turner, have already mentioned. I should like to deal with these matters from a slightly different angle from previous speakers. I begin with personal data which is defined as data whether it is gathered with or without the consent of the data subject. Clearly, investigators will be gathering data without such consent. Can they comply with Schedule 2? Is investigation a legitimate interest of a data controller?

Let us take two examples, the first of which is insurance claims. We have already heard about a proposal form with a box that may be inserted. One may have to put an "X" in the box if one is not prepared to have the insurer investigate the claim. If one puts an "X" in the box perhaps one does not get insurance. Is this a legitimate form of consent under the Bill?

Let us take the divorce courts. Instead of corporates doing the investigation, now it is very likely that individuals will make checks on potentially errant spouses. Are they legal? Clause 28(1) exempts the

2 Feb 1998 : Column 474

prevention of the detection of crime, but what happens if there is not a crime in the first place? It is a civil action. What is the position of the police if they investigate a possible crime and find that there is not one? Have they then collected data illegally? If investigators fail under Schedule 2--exemption six--is all investigation short of a crime now illegal? Even if exemption applies and an investigation is lawful, is it ever fair?

How does one define "fair"? Under the 1984 Act which referred to data, manual data or data where equipment is operating automatically, investigators stayed as manual as possible and thought that they had avoided the problem. I support the registrar's determination to have a clearer definition of the manual records covered by the Act. I welcome the Minister's statement that he is open to suggestions. I hope that the insurance and investigative industries will return to us with some thoughts on that. We need the long transition period that has been talked about.

I turn to consent: explicit or implicit? Schedules 2 and 4 require the data subject's consent, but Schedule 3 requires explicit consent. That implies a lower level of consent needed for Schedules 2 and 4. Is the box on the proposal form a consent to investigate claims? Is that a fair consent? Is that consent acceptable?

Let me turn to another example. One of EURIM's members is busy trying to put an electronic directory around the globe. There is concern as to whether it has the right to put up the personal data represented by employees: names, jobs, telephone numbers, fax numbers and E-mail numbers. If that becomes part of the standard employment contract will that be an acceptable form of consent under the Bill? If it were limited, for example, to the fact that anyone becoming an employee agreed that they should put their business details out to countries which otherwise would be excluded by the eighth protection principle, would that be acceptable? Will implied consent in a standard employment contract satisfy the consent required in Schedule 4?

I turn now to data principle five. If UK law requires that insurance liability files are held for 10 years for court purposes, presumably that is a period which is necessary under the terms of the Data Protection Act. Let us go further and look at advice coming out of the USA in respect of US court judgments on liability claims where files are held by UK insurance brokers, which may possibly include personal data about people in the UK. They need not necessarily be UK people but people within the UK. Is that acceptable in terms of the period for which files may legitimately be held? One can be even more extreme and talk about a EU regulator--perhaps a French regulator--requiring files to be held in case they have to return to a French court. What is accepted with regard to explicit or implicit consent? Will the commissioner have the power to decide, in a pragmatic and practical way, when files are no longer needed for the purposes for which data are gathered?

I shall deal finally with complexity and bureaucratic rigidity. The Bill is made complex by its many objectives. Bureaucratic? I have been impressed by the

2 Feb 1998 : Column 475

registrar's efforts to implement the 1984 Act through common sense. Agreement to her few remaining points may help to reduce the bureaucracy further and add to the practical simplicity of the Bill.

The Bill is of course just one of three legs, as we have already heard: freedom of information, human rights and data protection. The balance, as the Government have said, is complex. The good news is that it outlaws major injustice; equally, the bad news is that most of us have never been involved in major injustice, and we are all constrained. Costs have been added all around, as other noble Lords have said. I have a Library document which suggests that set-up costs for compliance alone will total £279 million. "Set-up" worries me because it suggests that computers may need altering. EURIM, under a different set of briefs, has been busy advising Ministers to be careful about new legislation which requires computer change. There are insufficient computer skills to handle the year 2000 and changes to EMU at this time, let alone to handle further major legislative changes which require massive computer change.

I have a long-held theory--I do not necessarily expect others to agree with it--that the collapse of civilisation will not occur because of the nuclear bomb, nerve gas or a meteorite striking from space. It is much more likely to occur because of the ever-increasing costs of trying to obtain fairness. Where is the 80/20 rule today? Where is it in our legislation? The theory behind the three Bills is great, but we survived without them. Can we afford their cost? I hope that the Minister will be able to answer some of the points that I have made.

5.45 p.m.


Next Section Back to Table of Contents Lords Hansard Home Page