Select Committee on Delegated Powers and Deregulation Eleventh Report


ANNEX


DATA PROTECTION BILL [HL]

Memorandum by the Home Office

This memorandum describes the powers to make subordinate legislation which will be conferred by the Data Protection Bill 1998. The principal purpose of this Bill is to implement the EC Data Protection Directive (95/46/EC) ("the Directive"), and to make a number of other amendments and additions to the data protection regime currently existing under the Data Protection Act 1984 ("the Act"). The provisions of this Bill repeal and replace in totality the provisions of the Act, and accordingly subordinate legislation made under the Act thereby ceases to have effect.

Clause 60(3) requires the Secretary of State to consult the Data Protection Commissioner ("the Commissioner") before making any order (other than a commencement order) or regulations under the Bill, with the exception of notification regulations which, as described below, are subject to a special consultation procedure.

Clause 7

  1.    Clause 7 gives subject access rights, implementing Article 12(a) of the Directive. Section 21(6) of the Act provides for compliance with subject access requests within a period of forty days. Clause 7(7), read with the definition of "prescribed period" in clause 7(9), obliges the data controller to comply with a request under clause 7(1) within that period or a period to be prescribed by regulations made by the Secretary of State. This power is required to provide flexibility. In some cases (for example, those provided for under The Education (School Records) Regulations 1989 S.I.1989/1261), the appropriate period may be considerably shorter; in that case a period of 15 days was considered to be sufficient. This power may have a significant effect on both data controllers and data subjects, and any regulations made under this provision are accordingly subject to the negative resolution procedure by virtue of clause 60(5)(b).

  2.    Clause 7(1) sets out what information a data subject can request from the data controller. Under clause 7(2) of the Bill, a data controller is not obliged to supply any information except in response to a request in writing and on payment of such fee as he may require. This fee is subject to a prescribed maximum, and clause 7(9) defines this maximum as such amount as may be prescribed by the Secretary of State by regulations. Similar provision is made by section 21(2) and section 41 of the Act. The only difference is that, by virtue of clause 7(10), the Secretary of State not only has the power to set a maximum fee but also to determine different categories of request for access to which different fees may be applied. This is because of the increased range of data and types of data to which the Bill will extend subject access rights, and consequently the increased range of burdens which subject access requests may impose. There are also other enactments (such as the Access to Health Records Act 1990) which provide for an access fee of the "maximum prescribed" under the Act, and accordingly, the regulations prescribing fees will need to make special provision for such cases. Section 40(6) of the Act provides for regulations prescribing fees for these purposes to be laid before Parliament after being made. The same provision in respect of an order under this power is made by clause 60(6), both in respect of fees for the purposes of the Bill or any other enactment, as discussed above.

Clause 8

  3.    Clause 8(1) replaces the provision in section 21(2) of the Act and introduces a power to make regulations providing for a request for certain information under clause 7(1) to be treated as extending also to other information within the terms of that subsection. This is again necessitated by the increased range of types of data to which subject access may be required and by the extension of the types of subject access requests contemplated by the Directive. Any such regulations are of a largely procedural nature and are subject to the negative resolution procedure by virtue of clause 60(5)(c).

Clause 9

  4.    Article 14 of the Directive confers on data subjects a new "right to object" to the processing of two particular classes of data, namely personal data the processing of which might cause, in specified circumstances, significant damage or distress to the data subject or a third party, and personal data being used for direct marketing. In the former case, Article 14 allows the right to object to be disapplied by national legislation.

  5.    Clause 9(2)(a) exercises this power. However, in view of the difficulties involved in adequately envisaging and specifying all such circumstances at this stage, it is considered essential to maintain the flexibility provided by a power for the Secretary of State to specify further circumstances by order. Clause 9(2)(b) gives such a power. As this power would enable the Secretary of State to disapply a right-conferring provision, any such order is subject to the affirmative resolution procedure by virtue of clause 60(4).

Clause 13

  6.    A further new feature which does not appear in the Act is the set of rules relating to "automated decision-taking". Clause 13 closely follows the provision of Article 15 of the Directive which places a limitation on processing by giving a right to the data subject not to be subject to certain decisions "based solely" on automated processing. Article 15.2 then specifies certain exceptions to this limitation, one being where the decision with respect to the data subject "is authorised by a law which also lays down measures to safeguard the data subject's legitimate interests". Clause 13(2) accordingly excludes the limitation where the particular conditions set out in sub-clauses (3) and (4) are met. Power has also been given to the Secretary of State by clause 13(5) to disapply by order the limitation contained in clause 13(1) in other specified circumstances. The exercise of this power will of course be circumscribed by the Directive's stipulations as to safeguards. The general prohibition on automated decision-taking is itself somewhat in the nature of a procedural safeguard for data subjects. For these reasons, the power in clause 13(5) is subject to the negative resolution procedure (clause 60(5)(a)).

Clauses 16-19 and 24 - notification regulations

  7.    Central to the new regime, Articles 18 and 19 of the Directive as transposed in the Bill provide for a new notification system which will replace the Act's requirement of registration (sections 4-10). Under the new system, notification is to be a wholly administrative function whose purpose is one of transparency rather than enforcement of the data protection principles as is currently the case. Whilst the fundamental principles and extent of the notification system are set out in the Bill, the Directive permits Member States a considerable amount of discretion as to the mechanics of the system. The Bill takes full advantage of this, leaving the detail of the scheme to be set out in notification regulations.

  8.    "Notification regulations" means regulations made by the Secretary of State under Part III of the Bill (clause 15(2)). The intention is that the regulations should be, as far as possible, a self-contained and free-standing document setting out the form, contents and procedure for notification. The aim is to require a minimum of cross reference to the Bill so that the regulations are capable of being readily accessed and applied by both data controllers and the Commissioner. These regulations are unusual because clause 24(4) requires the Secretary of State to consult, and consider any proposals made by, the Commissioner before making any such regulations.

  9.    The principal matters to be dealt with in notification regulations are referred to in the Bill:-

      (a)  the regulations may provide for such matters as

        -exemptions from the obligation to notify (clause 16(3)),

        -notification by partnerships and other cases where there are two or more data controllers in respect of the same data (clause 17(4)),

        -refunding of notification or confirmatory fees (clause 17(6)),

        -the effective date of notification (clause 18(3)),

        -variation of the period for which a data controller's notification remains on the register without the need for the payment of a confirmatory fee (clause 18(5)),

        -exemption from the obligation to give information in cases of processing operations exempt from the notification requirement (clause 23(3)), and

        -the effect on notification of the service of an enforcement notice (clause 38(8)).

      (b)  the regulations must include an obligation on data controllers to notify changes in their notification particulars to the Commissioner (clause 19(1)).

  10.    In the case of clause 16(3), there are limits on the regulation-making power arising from Community law. The power is expressed in general terms: it can be exercised where it appears to the Secretary of State that processing of a particular description is "unlikely to prejudice the rights and freedoms of data subjects". However, Article 18 of the Directive, which allows Member States to make their own provisions for the exemption from notification, goes on (in the first indent at 18.2) to particularise the types of exemptions which can be made and expressly prohibits exemption other than in the cases and conditions listed. Although these further specifications do not appear on the face of the Bill, the Secretary of State is thus constrained by the more particular conditions contained in the Directive.

  11.    It is submitted that the appropriate level of parliamentary control for the notification regulations is the negative resolution procedure for which clause 60(5)(d) provides. Although the power under section 4(8) of the Act to vary registration particulars is subject to the affirmative procedure, the lower level of parliamentary scrutiny in the Bill reflects the differences in character between the old regime of registration and the new system of notification; for example, notification particulars will no longer trigger direct controls on processing.

Clauses 17 and 18 - notification fees

  12.    Clauses 17(5), 18(4) and 18(7) provide for certain fees in connection with notification to be prescribed in fees regulations as defined in clause 15(2). Clause 25 sets out the considerations to which the Secretary of State must or may have regard in making such fees regulations. In keeping with the treatment throughout the Bill of regulations prescribing fees and in accordance with the present requirement in the Act, any fees regulations made in relation to the notification provisions are required to be laid before Parliament after being made (clause 60(6)(a)).

Clause 21

  13.    Another significant addition to the existing regime is the introduction of the system of "prior checking". Article 20 of the Directive outlines the concept, involving the assessment of certain processing operations before those operations may commence. Article 20.1 confers a wide discretion on Member States to determine the processing operations "likely to present specific risks to the rights and freedoms of data subjects" and it is envisaged that categories such as operations involving genetic data, "data matching" operations and processing by private inquiry agents could come within this definition. By granting the Secretary of State the power to make an order specifying processing to which prior checking is applicable, clause 21(1) retains the flexibility that will be needed in order to deal with issues which will be constantly changing and are likely to be of a highly sensitive nature.

  14.    The concept of prior checking is not only new to UK law but will inevitably involve issues of public concern, and the targeting of particular forms of activity for this special procedure is considered politically sensitive. It seems appropriate therefore for any order made pursuant to these procedures to be subject to the affirmative procedure. Clause 60(4) so provides.

  15.    Clause 21(3), (4) and (5) set out certain time periods within which the Commissioner has to give notice to the relevant person as to whether the processing being proposed is likely to comply with the provisions of the Bill. A power has been provided in clause 21(7) for the Secretary of State to amend these time periods in subordinate legislation. As the ability to alter these time periods may have significant effects on both data controllers and data subjects, any order made under this provision is subject to the negative resolution procedure (see clause 60(5)(a)).

Clause 22

  16.    Clause 22 makes provision for the future introduction, in respect of certain data controllers, of modifications of the provisions of Part III of the Bill where that data controller has appointed a "data protection supervisor". The system of having in-house independent data protection supervisors has never been in operation in the UK before, and in the consultation exercise carried out before the preparation of this Bill there was no clear commitment by those affected to use the facility even if available. However, the system is developing elsewhere in Europe, and has the potential for substituting self-regulation to some extent for the role of the regulatory authority. To enable the system to be devised in the future should it be so required, clause 22 enables the Secretary of State to provide by order for the appointment of data protection supervisors and for exemptions from, and modifications of, Part III where such an appointment has been made. Such an order is subject to the negative resolution procedure (clause 60(5)(a)).


 

© Parliamentary copyright 1998