Baroness Turner of Camden moved Amendment No. 144:

Page 30, line 5, at end insert--
("( ) Before granting--
(a) an approval for the purposes of paragraph 8 of Schedule 4, or
(b) an authorisation for the purposes of paragraph 9 of that Schedule,
the Commissioner shall satisfy himself as to the legal protection provided in the country to which a transfer of data is proposed.").

The noble Baroness said: It is with some trepidation that I move this amendment because we went over this ground in the previous Committee sitting; but, on the other hand, I would like to give it a bit of a run this evening because I am not entirely satisfied that the point has been covered. As I said at Second Reading, information in the investigation of a fraudulent claim cannot under the Bill be sent from any European member state to a country which does not have a data protection Act or something similar. As a result, it is feared that reports will not be able to be sent to a number of countries, including, most importantly, the USA.

25 Feb 1998 : Column CWH124

It has been difficult to come up with a form of wording which will deal with the problem, and I am indebted to the Minister for the statement in his letter to me that it will be for data controllers to take the initial view on the adequacy of protection in the third country to which they wish to make a particular transfer.

    "If they take the view that protection is inadequate in a particular case, they may be able to rely on one of the exemptions in Schedule 4".

That is a quotation from the letter he very kindly sent me. I am seeking to spell this out in the Bill. Of course I may very well be told that the provision is unnecessary because it exists anyway.

It would be unreasonable, it seems to me, for a transfer not to be permitted to, say, the USA, since much insurance and other business also is global and there are considerable links with the United States. I cannot imagine that a data controller would rule that a transfer to the USA was prevented by the Bill, but my amendment is designed to put a clear obligation upon the commissioner. There may well be countries where there is some form of protection available which may not necessarily be a formal data protection Act.

This is a bit of a problem, and I am not quite certain that we entirely ventilated it when we discussed it at the first Committee day on Monday. I would be grateful for the Minister's response. He knows quite well what we are talking about. I beg to move.

Lord Williams of Mostyn: My noble friend's amendment, as she said, relates to Schedule 4, setting out the grounds on which transfers can be made to countries where adequacy of protection is not assured. Paragraphs 8 and 9 of the schedule allow those transfers where adequate safeguards are provided in the context of the actual transfer itself, so in terms of mechanical working, as it were, that offers a benefit to the sort of organisational users to which the noble Baroness referred.

Paragraph 8 allows transfers on terms of a kind approved by the commissioner to ensure safeguards. That is what one could call the model contract-type of approach--again something which could easily be used by business organisations, which do have legitimate questions, I readily recognise, of the sort outlined by my noble friend.

Paragraph 9 permits transfers to be made in a manner authorised by the commissioner. Those allow the commissioner flexibility so that there might be one-off authorisations or there might be authorisations of categories of transfer. It is unnecessary, of course, for any controller to seek to rely on either of those provisions if the receiving country indeed provides adequate protection.

If there is no adequate level of protection in third countries, a number of exemptions are offered. I am not sure whether my noble friend's purpose is to ensure that there is an adequate level of protection in the third countries in question before the commissioner exercises her powers under paragraphs 8 and 9; that would be rather circular because the exemptions would not be needed. I hope I have identified correctly the noble Baroness's concerns and I hope I have been able to address them sensibly in those brief remarks about the way that paragraphs 8 and 9 can be made to work.

Baroness Turner of Camden: I thank the Minister for his explanation, which is very useful. I agree with him. When I drafted the amendment I wondered whether I had achieved the purpose I was after. The Minister has put his finger on that in referring to the last sentence in the amendment. However, I am grateful to him that I now have on record his view about what the commissioner may do and the way in which the concerns that have already been voiced could adequately be dealt with. I beg leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 51 agreed to.

Clauses 52 and 53 agreed to.

Clause 54 [Confidentiality of information]:

Baroness Nicholson of Winterbourne moved Amendment No. 145:

Leave out Clause 54 and insert the following new clause--

Confidentiality of information

(".--(1) Subject to subsection (2), the Commissioner or his current or former servant or agent shall not disclose any information about any person--
(a) which has come into his possession in the course of carrying out his functions;
(b) which is not generally available; and
(c) the disclosure of which would be potentially damaging to any person.
(2) Subsection (1) shall not apply where, and to the extent that--
(a) disclosure is necessary for the discharge of the functions of the Commissioner or his current or former servants or agents;
(b) there is an overriding public interest in disclosure; or
(c) the person who is the subject of the information consents to disclosure.").

The noble Baroness said: This is a simple amendment. It merely changes the wording in Clause 54. I believe it offers a clearer and a shorter version of what is down already. I beg to move.

Lord Falconer of Thoroton: This is a difficult area. Article 28.7 of the directive, to which we are obliged to give effect, requires member states to put the national data protection supervisory authority, which in our case means the commissioner and her staff, under a duty of what the directive calls "professional secrecy". This duty is to apply even after the employment has ended.

We have thought carefully about how we can achieve this. The only thing that we have been able to come up with is the effect of creating a criminal offence which applies to the commissioner and her staff. I am aware--because I have been told this--that the Data Protection Registrar does not like the approach that the Bill follows. I am told that she believes that it is too heavy handed to put the commissioner's staff--she is less concerned about herself than she is about her staff--under threat of criminal sanction for breach of confidentiality. Speaking for myself, I can entirely understand that and I sympathise with her in relation to that.

My noble friend Lord Williams has discussed the matter with her and he has told her that he is very ready to consider an alternative, workable approach if one can be found. So we are not at all averse, if some solution can be brought to our attention, to put it into effect.

Unfortunately, I do not think that the noble Baroness's suggested formulation will work because it has no means of enforcement. That appears to be the problem, and I think the commission would look askance at it. If the noble Baroness herself or any other member of the Committee is able to think of a way to give effect to the directive's requirement without what the commissioner has described as the heavy handed approach of a criminal offence, we will readily consider it. If it works in the sense of compliance with obligation under Article 28.7, we will put it into the Bill. I can say no more than that.

Baroness Nicholson of Winterbourne: I thank the Minister for his kind reply. I believe this wording does in fact sit comfortably with the commissioner's own views, but if it is unenforceable, that is another matter. We shall have to try again. I beg leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 54 agreed to.

Clauses 55 to 57 agreed to.

Baroness Nicholson of Winterbourne moved Amendment No. 146:

After Clause 57, insert the following new clause--

Data matching

(".--(1) In this section--
"data matching" means the matching of personal data held in different relevant filing systems, whether by different or the same data controller, for the purpose of obtaining information that cannot be obtained other than by such matching;
"government department" includes any executive agency for which the department is responsible.
(2) Every government department shall prepare, within six months of the date on which this Act is passed, a code of practice relating to data matching.
(3) A code of practice prepared under subsection (2) above--
(a) shall contain a commitment not to undertake data matching, whether involving data held within the department or in cooperation with other departments, except in circumstances where it is necessary--
(i) to fulfil any statutory obligation, or
(ii) to prevent fraud or other unlawful activity; and
(b) shall be laid before Parliament.").

The noble Baroness said: I seek the noble and learned Lord's permission to concentrate on inserting this new clause on data matching. Data matching is the automatic exchange of data held by different official bodies. I refer particularly to official bodies in this new clause, and therefore to Government.

I am already aware that the detailed drafting is not all that it might have been. It does not cover all relevant data, as has already been pointed out to me by the Data Protection Registrar, and it needs to be tidied up. However, that is not the point. This evening I wish to put the problem before the Committee. It is a large and important problem, and I have offered a solution in the form of codes of conduct for each department, which could be dealt with on the basis of a negative or positive resolution laid before Parliament.

Geoff Hoon, MP, was a Member of the European Parliament and introduced the legislation in February 1992 to the European Parliament, when he was the rapporteur to the Committee on Legal Affairs and Citizens Rights. He pointed out, correctly, that it is no exaggeration to say that today, in the European Community, it should be possible to write a detailed personal history of every man, woman and child by taking information contained in a variety of files. That is exactly what the Data Protection Bill is all about.

Data matching, however, is a particular aspect of that, which, even at this stage of the Committee's work, I must talk about, because once again this relates to the right to privacy. I quote again from the European Parliament debate on the legislation. At the convention in June 1995, Medina Ortega commented that the citizen's right to privacy is so large that it prevails over the right to communication, except in special circumstances when people in the public eye are involved. Sierra Gonzalez stated that, bearing in mind the trend for administrations to transfer many kinds of information to other public bodies--which is the key issue we are looking at in data matching--controlling the transfer of data becomes one of the fundamental issues of legislation aiming to regulate data protection. He talked particularly about data liable to manipulation, such as that pertaining to race and ethnic origin and so on.

Non-statutory codes of conduct covering data matching have already been put into practice in member states such as France and Germany, where data protection authorities have a role. Australia has an Act devoted entirely to data matching, and in New Zealand also, as in Australia, the privacy commissioners have powers to regulate and audit data matching exercises by public bodies.

Here in the United Kingdom, however, data matching has developed in a rather ad hoc manner. The Audit Commission, for example, has developed powers to require information from local authorities for efficiency studies and so on. Despite the exceptionally wide criticism of the 1997 Social Security Administration (Fraud) Bill--which, as the Ministers know, allows data matching between a very wide range of government departments and local authorities--as lacking any specific measures of data protection against abuse or error, only a non-statutory code of practice was promised. This has still not emerged as far as I know. I remind the Committee that the third data protection principle in the Data Protection Act 1984 is that,

    "personal data held for any purpose should not be used or disclosed in any manner incompatible with that purpose".

The Social Security Administration (Fraud) Bill changed those rules and has not yet given us any safety valve which would enable us to feel more comfortable with it.

The data matching by the Audit Commission with the National Fraud Initiative is undertaken by participant authorities, but it does not give the citizen the right to object, or the knowledge that this might happen, despite the right in the convention to be informed of data processing operations involving oneself, of the right to object and of the application of the other principle, that personal data should be used as little as possible. There is also the purpose principle in European Union directives which covers who wishes to use what data, and why. Those principles on data matching are not being significantly enough addressed by the British Government.

Local authorities are far advanced in information technology mechanisms. They are so far advanced that, although they do not necessarily have data matching processes in practice, they have the capability to do that very easily indeed. I have considerable detail on that following my concern on the poll tax, which brought together for the first time significant amounts of tax and benefit material on individual citizens locally. It was pooled together and put on to computerised records.

Finally, let me remind the Committee that we are in a seismic explosion of information technology. The capacity for information storage, for example, which I have researched, continues to increase at the rate of 20 to 40 per cent. annually. Many new innovations are coming and there are significant developments of systems which are not influenced by human behaviour outside those systems. In other words, one starts the data-matching exercises and those systems are not human-dependent, they just continue.

There is also a new concept which should be considered with this which is called "data-mining". It is specifically aimed at probing files and discovering like characteristics of individuals. That has become an industry already in some parts of the world, with,

    "automated techniques used to extract buried or previously unknown pieces of related information from large databases".

Of course, it is extremely difficult in the modern world to stop these things happening. One place where there is an opportunity is in government, both local and central, because government have ownership of the information that they have collected on citizens and can control how it is used. My proposal suggests that for government purposes codes of practice should be developed by every single department and they should be placed in front of Parliament. I beg to move.

8 p.m.

The Earl of Northesk: If I may, I shall speak to Amendment No. 147 which is in this grouping. I do not have a great deal to add to the arguments of the noble Baroness, Lady Nicholson of Winterbourne, on data matching, except possibly to say that I suspect that the practice is very much more prevalent than we are prepared either to imagine or admit.

Certainly there is a strong argument in favour of some form of statutory control of data matching, bearing in mind its power as an analytical tool and how open it is to potential misinterpretation. My thinking on this matter has been guided in very great part by the observation in the report from the Delegated Powers and Deregulation Committee--I have already cited it--that,

    "developments in computer technology continue to push areas of the law into hitherto uncharted territory".

Data matching is but one such example, as is video surveillance by CCTV with its associated operations of digital enhancement and manipulation of images, referred to by the noble and gallant Lord, Lord Craig, in his Amendment No. 138.

To my mind, the difficulty here is how to draft the Bill in such a way that it can take account of technological developments which have data protection ramifications, at the same time as ensuring that appropriate checks and balances are in place to afford proper parliamentary scrutiny of the hitherto uncharted territory, as and when it occurs. Perhaps there is a reference back to Clause 28(4) here. The new clause I am proposing in this amendment seeks to address this problem.

In effect, it would supplement the duties relating to codes of practice given to the commissioner by virtue of Clause 49(3). In normal circumstances, these would be non-statutory as with trade associations cited in sub-paragraph (b). With respect to codes drawn up under the proposed new clause, that is to say those that entered uncharted territory, these would have statutory authority and as such would be open to wide consultation and parliamentary debate.

Obviously techniques such as data matching and CCTV, where under Clause 21 the processing would be particularly likely,

    "(a) to cause significant damage or distress to data subjects, or
    "(b) otherwise significantly prejudice the rights and freedoms of data subjects",

would fall within the remit of my proposed amendment.
