|Previous Section||Back to Table of Contents||Lords Hansard Home Page|
Lord Blease: My Lords, within the provisions of the 1921 Act, does the noble Lord the Lord Privy Seal consider that it might be helpful to the scope and purpose of the proposed tribunal to seek to include a suitably qualified citizen of South Africa or of another country outside the European Community?
Lord Richard: My Lords, the Government announced on Thursday that the tribunal would have three members. The name of one of the members has been announced; the other two are to be announced. We have said that they will come from Commonwealth countries with knowledge and experience of similar legal systems to our own.
Clauses 1 to 4, Clauses 18 to 21, Clauses 5 to 7, Clause 16, Clauses 8 to 15, Clause 17, Clauses 22 to 25, Clause 68, Clause 26, Clause 79, Clauses 27 to 32, Schedule 1, Clauses 33 to 43, Schedule 2, Clauses 44 to 47, Clauses 70 and 71, Clauses 48 to 51, Schedule 3, Clauses 72 to 77, Schedule 5, Clause 78, Clauses 52 to 55, Schedule 4, Clauses 56 to 65, Clause 91, Clauses 66 and 67, Clause 69, Clauses 80 to 87, Schedule 6, Clauses 88 to 90, Clauses 92 to 94, Schedule 7, Clause 95, Schedules 8 and 9, Clause 96.--(Lord Williams of Mostyn.)
Lord Renton: My Lords, although this is the Crime and Disorder Bill, I have never seen the order in which we are to consider a Bill put forward in such a disorderly way. We occasionally take a clause or schedule out of order, but, within my recollection, such a chaotic plan has never been put before us.
I do not want to take up too much of the time of the House on the detail, but the proposed order of consideration means that Schedule 4 is being taken after Schedule 5--for no apparent reason, so far as I can see. If we now look at Clauses 27 to 32 and later at Clauses 33 to 44, we find that Clause 33 is grouped in the list with Clauses 27 to 32, and not with Clauses 33 to 44. Strangely, Clause 68 and Clauses 70 and 71 have been promoted while Clauses 52 to 55, Clauses 56 to 65, Clauses 66 and 67, and Clause 69 have been demoted.
I have always admired the manner in which the noble Lord, Lord Williams of Mostyn, presents matters to the House. He normally does us a great service. I cannot believe that he was the inventor of this chaos.
Lord Williams of Mostyn: My Lords, I did not do it all on my own, as the noble Lord, Lord Strathclyde, is about to leap to his feet to confirm. It was done through the usual channels with the absolute support and affirmation of the Opposition Front Bench. What we have tried to do is helpfully--I stress the adverb--group related clauses.
On the Scottish question, the noble Earl, Lord Mar and Kellie, approached me to see how the Scottish matters might be dealt with. We thought carefully and concluded that the appropriate Scottish clauses should be grouped together to follow their English brethren. I am sure that that is a convenient way of proceeding. As I said, it was all done by agreement with the usual channels and in the usual way. Your Lordships will agree that it must therefore be 100 per cent. right in every respect.
Lord Strathclyde: My Lords, having been dragged to my feet by those words of the noble Lord, Lord Williams of Mostyn, I voice my support for what my noble friend Lord Renton said. Although it is true that the usual channels agreed to this Motion, it was not without some discussion as to its merits because, as my noble friend pointed out, it is extremely unusual. However, the Government are the Government and if they have decided in their wisdom that this is the best and most appropriate way to proceed, who are we to disagree? It was not until I heard my noble friend that I realised the seriousness of the flaws in the Government's argument. I am sure that the Government will want to reflect on what my noble friend said, but we shall not oppose the Motion.
Lord Renton: My Lords, with the leave of the House perhaps I may say a few more words. I thank the noble Lord, Lord Williams of Mostyn, for his attempt to answer the case that I put forward. I thank also my noble friend Lord Strathclyde for destroying that attempt.
I should have thought that between now and tomorrow the Government should be given the opportunity to think again, certainly about some of the earlier clauses. This would be a bad precedent to set. If we have a Bill with a carefully considered order of presentation--this Bill undoubtedly has, because the order of the clauses as set out in the Bill is readily understandable--it seems unacceptable that we should then have to consider the clauses in a different order.
I recognise that data protection does not sound like a subject to attract obsessive interest; witness the general exodus from your Lordships' House as I start to introduce this Second Reading. Data protection is redolent in many ways of computers and electronic processing: necessary but essentially technical providers of services. In fact it affects our well-being in a much more general way. It shares common ground to that extent with the Human Rights Bill. That Bill will improve the position of citizens of this country by enabling them to rely on the wide range of civil and political rights contained in the European Convention on Human Rights. Those rights include the right to respect for private and family life. The Data Protection Bill also concerns privacy, albeit a specific form of privacy: personal information privacy. The subject matter of the Bill is, therefore, inherently important to our general social welfare.
The scope of the Bill is also a measure of its importance. We inhabit the information age. Information can be gathered, manipulated and disseminated more quickly now than ever in our history. Much of that information is information about individuals. I doubt whether there is a single individual in our country about whom some organisation or another does not have some personal details on record. This Bill is about those individuals and their secrets. It is also about those organisations. It affects virtually every organisation which holds personal information--organisations providing public services, meeting the needs of business customers, and carrying out charitable and other voluntary activities. The Bill seeks to regulate appropriately the way in which organisations collect and use information about individual people who in the jargon of our day are called "data subjects".
We have had data protection law in this country since 1984. The 1984 Act was based on the 1981 Council of Europe Convention on Data Protection. The 1984 Act enabled us to ratify that convention, which we did in 1987. The purpose of the convention was twofold: to protect individuals' privacy in relation to the processing of their data; and, in doing so, to allow personal data to flow freely among the ratifying states in the interests of trade promotion.
The directive was adopted on 24th October 1995. Member states were given three years from that date to bring it into national law. The pressing purpose of this Bill is to fulfil our obligations by October of this year.
Some organisations using personal data have expressed concerns about the consequences of the directive. They believe that there will be increased costs and therefore adverse effects on viability. Equally, those organisations which cherish and represent individuals' interests welcome the directive since its aim is to establish appropriate levels of protection for individuals' information. In drawing up the Bill we have to give effect and balanced consideration to those two aspects. We want to give proper effect to the directive while recognising the necessity for organisations to hold information about individuals and, equally, individuals' entitlement to have information about them--their information--handled properly. The Bill therefore includes additional protection for individuals. But we wish to ensure as far as humanly possible that the methods of regulation are truly proportionate to the appropriate circumstances and attend to real protection rather than procedure for its own sake.
It is probably asking too much to expect a Bill of this size to be wholly uncontroversial. To a large extent this is a technical measure, but that is our work. The subject matter is particularly intricate. We may not always have got things absolutely right. Within the constraints imposed by the directive and the general approach that we suggest, we wish to be as open-minded as we can to any suggestions to improve the Bill. The brief discussions that I have had with the noble Viscount, Lord Astor, indicate that he also intends to follow that course. There are difficult technical intricacies and a co-operative effort is likely to produce a better-finished Bill in your Lordships' House.
Like the Data Protection Act 1984, the principles of data protection comprise a central element of the regime that we suggest. They provide a kind of statutory code of practice relating to good data protection handling with which all personal information users--known in the Bill as data controllers--will have to comply. They are to be found in Schedule 1. The Bill contains eight principles relating to matters such as the need to process personal data fairly and lawfully; for data to be processed for specified purposes; for them to be accurate; and for there to be proper security arrangements. All of the 1984 Act principles are broadly reproduced, although not in precisely the same phraseology, and we have added a further one to deal with the transfer of data to third countries.
There are two other key concepts. The Bill is built around the concept of processing personal data. Essentially, "personal data" means information from which a living person can be identified and "processing" means doing anything at all with such data, from collecting them, right through to destroying them, including merely the holding of the data whether or not anything active is done with them. I single out these expressions from the list of definitions in Clause 1 because they are fundamental to the working of the Bill. One further relevant definition is "relevant filing system". Unlike the 1984 Act, the directive requires the application of data protection law to certain categories of manual record, not simply computer, and this is the definition of the records covered.
This is a difficult area. Some take the strong view, which I recognise and respect, that the Bill should spell out clearly which categories of record are caught. We are presently unable to find a satisfactory way of doing that. It would have been possible had we been able to limit it to manual records in highly structured systems such as card indexes, but that would not have properly met the requirements of the directive. At the other end of the scale, we could have extended the scope to cover all paper records. I do not believe that that would have been generally welcomed or that it would necessarily have achieved a proper balance between the protection of the individual and the imposition of burdens on information users. In the event, we have followed the approach adopted by the directive. The criteria are: that the records must be in a structured set; that the structure must be by reference to individuals; and that particular data relating to particular individuals must be easy of access. We believe that this brings in highly structured sets such as card index systems and excludes collections of papers which only incidentally contain information about individuals. Whether or not other collections are caught will depend upon whether they meet the criteria, and in the first instance it will be for data controllers themselves to decide.
I have seen the Data Protection Registrar's briefing note on manual records. As I understand it, she believes that the Bill catches a very wide range of manual records. This is not the place to enter into a detailed debate about the construction of words in the Bill, but it is not our intention that the Bill should have the wide effect that she suggests. We do not intend that it should catch files about named individuals where a variety of different kinds of documents is stored by date order. We want to focus on much more highly structured files.
I welcome the registrar's note however. The Government are not wedded to the approach that I have outlined. We are perfectly open to all reasonable proposals to improve the Bill. If the view of the House is that the Bill does not go far enough that is a matter that the Government will consider. But such an extension of the coverage of the Bill would not be without cost and that cost could be quite considerable.
Clause 2 defines "sensitive personal data". These relate to such matters as race, ethnic origin, political or religious views, health and so forth. Schedule 3 contains restrictions on the circumstances in which such data may be processed. I mention this because special restrictions
Clause 4 introduces the data protection principles in Schedule 1 and the associated provisions in Schedules 2 and 3. It places on data controllers the duty to comply with them. The purpose of the directive is to provide a common level of data protection within the Union and other member states of the European Economic Area which will also be bound by it. The directive contains rules which determine which members state's law applies to particular processing. The purpose of Clause 5 is to do precisely that. Its principal effect is that United Kingdom law applies to any processing done in the context of the establishment of an organisation in the United Kingdom. That applies whether or not the processing is actually done in the United Kingdom, another EU member state or elsewhere. Other member states' laws should be making similar provision.
Finally in Part I, Clause 6 introduces two data protection institutions: the data protection commissioner, which is the new name for the Data Protection Registrar, and the Data Protection Tribunal, which is also preserved from the 1984 Act. I should like to pay tribute to the previous Data Protection Registrar, Mr. Eric Howe, the present registrar, Mrs. Elizabeth France, and her staff, and the chairman and members of the Data Protection Tribunal for the invaluable public work that they have done under the 1984 Act.
I have spent a moment or two longer than I would have wished on the early stages of the Bill because they are critical to its structure. I shall try to traverse the remaining ground a little more quickly. Part II deals with individuals' rights, which are strengthened by the Bill. Clauses 7 and 8 replicate with some amendments the existing right of subject access. They deal with our obligation following the judgment of the ECHR in Gaskin to provide an independent review mechanism for refusal of subject access in certain cases. There is nothing in the Bill yet to meet our undertaking to outlaw the practice of enforced subject access, but we certainly intend to deal with it in the context of the Bill.
Clause 10 provides an express new power for individuals to object to their personal data being used for direct marketing. That is something which will find general approval not just in your Lordships' House but with an increasingly irritated section of the general public. The expression of the right in the body of the statute is new and broadly similar to that already achieved by the application of the data protection principles.
Clause 11 broadens the existing right for individuals to seek compensation. Under the 1984 Act, the right is available only where individuals have suffered damage because of the inaccuracy, loss or unauthorised
Clause 13 is new. It relates to decision-making which is carried out solely by automatic means, as, for example, the practice of credit-scoring. Where such decision-taking significantly affects an individual, if the decision goes against the individual, the clause requires there to be safeguards for his or her interests. This might be provision for review of the decision by an individual person. That is again something that causes great public concern to individuals who feel that their cases in respect of credit provision have been inappropriately or thoughtlessly considered. Clause 14 is a procedural provision relating to courts' jurisdiction.
Part III of the Bill deals with the requirement for data controllers to notify the commissioner of the processing which they do. Registration is linked closely to the enforcement of the data protection principles. Notification under the Bill has been wholly decoupled from enforcement. It is solely about transparency and I believe that it represents a significant step forward.
Under the 1984 Act, the obligation to comply with the data protection principles applies only when a data user has registered. Those who do not register may only be prosecuted for non-registration; the registrar has no power to compel compliance with the principles. Under the Bill compliance with the principles will be an obligation on all data controllers, whether or not they have complied with the notification requirements.
Subject to some exemptions, we provide for all data controllers to notify the commissioner before processing personal data. An exemption on the face of the Bill is for manual records. Others can be provided by notification regulations. Such regulations may also make other provision relating to notification, including the form in which notifications must be made. Having consulted considerably with the Data Protection Registrar we hope to make the notification arrangements as simple and little burdensome as possible.
A novelty in the Bill is Clause 21 which provides that processing prescribed by order shall be checked by the commissioner before it shall begin. The normal rule is that processing may begin as soon as it is notified. But certain particularly sensitive processing must be checked in advance. The Government believe that the amount of processing needing "prior checking" is likely to be very small. I should also make clear that this is not a requirement for each individual processing operation to be checked on a case-by-case basis. The prior check is carried out at the time of notification and applies to all processing covered by the notification.
Another new provision is the power in Clause 22 for the Secretary of State to set arrangements for organisations to appoint their own data protection supervisors, following the German model. Such appointees monitor the controller's compliance with the law, thereby removing some of the burden from the supervisory authority. Setting up arrangements under
Part IV and Schedule 7 deal with exemptions. Many of these are familiar from the 1984 Act, but there are some changes. Clause 27 provides an exemption from, in effect, the whole of the Bill where the exemption is required for the purpose of safeguarding national security. This is broadly familiar from the 1984 provision, but it contains two important changes. First, it allows a certificate confirming the need for the exemption to be expressed in general terms and to be prospective; and, secondly, it allows a limited right of appeal to the Data Protection Tribunal for individuals who are directly affected by such a certificate.
Clause 28(4) has been the subject of some media speculation and critical comment. It allows the making of orders exempting from the subject access and non-disclosure provisions in the Bill information which would assist in the fight against crime and the prevention of tax evasion and fraud. On tax, there are serious Inland Revenue concerns to be addressed: first, protecting the disclosure to the Inland Revenue of bulk, potentially tax relevant, information provided by third parties, which may be used to help identify people cheating on their taxes, and therefore robbing the general body of citizens whose taxes go to pay for essential services; and, secondly, maintaining the confidentiality of systems designed to identify incorrect tax declarations. I know that the Data Protection Registrar has concerns about this clause. I have discussed this with her. We have made no firm decisions about its use. But I believe that there will be general public support for the principle that we need to safeguard existing initiatives to act against the small minority who, alas, cause significant loss to the public purse through tax evasion and tax fraud. We are interested to see what your Lordships may have to say about the principle and detail as the Bill travels through this House.
I pause on one exemption which is of great importance. It is to be found in Clause 31, to which I promised to return. It relates to processing for the special purposes; namely, journalistic, literary and artistic purposes. The media have been concerned about the implications for their work of the EC Data Protection Directive. I am happy to repeat again publicly that the Government recognise the central importance of the work of a free press in a free society. With its broad definition of "processing", not to mention the inclusion of manual records and the range of rights for individuals, the directive, and therefore the Bill, goes considerably further in protecting individuals' personal information than does the present Act of 1984. It therefore inevitably has greater potential to put at risk the media's legitimate use of such personal information.
I am happy to see the noble Lord, Lord Wakeham, in his place. He and I and others from the BBC, Channel 4 and the independent television companies, as well as newspapers and newspaper lawyers generally, had discussions throughout the summer and autumn of last year. We have provided for exemptions for the media. We have done that as deliberate policy, not by way of Christmas accident, where they are necessary to reconcile privacy with freedom of expression.
Following the meetings to which I referred, we have included in the Bill an exemption which I believe meets the legitimate expectations and requirements of those engaged in journalism, artistic and literary activity. The key provision is Clause 31. This ensures that provided that certain criteria are met, before publication--I stress "before"--there can be no challenge on data protection grounds to the processing of personal data for the special purposes. The criteria are broadly that the processing is done solely for the special purposes; and that it is done with a view to the publication of unpublished material. Thereafter, there is provision for exemption from the key provisions where the media can show that publication was intended; and that they reasonably believe both that publication would be in the public interest and that compliance with the Bill would have been incompatible with the special purposes.
We have specifically written into the Bill reference to compliance with a code of conduct which is capable of being approved by the Secretary of State. We have deliberately placed upon the face of the Bill, I believe for the first time in an Act of Parliament in this country, that the public interest is not the narrow question of whether this is a public interest story in itself but that it relates to the wider public interest, which is an infinitely subtle and more complicated concept. That is expressed elegantly in Article 10 of the European Convention on Human Rights as regards the transmission of views and opinions by the press and the necessary co-related right on behalf of the public to receive those expressions of views and opinions.
As a safeguard for individuals, the commission has a special power in Clause 42 to seek information from the data controller, pre-publication, to check whether the key criteria are satisfied. There is provision in Clause 43 for her to make a determination where she believes they are not; and Clause 44 provides a limited power for her to take enforcement action against the media where she has made a determination--before or after publication.
The Bill puts the onus for taking enforcement action on the individuals concerned rather than the commissioner; but in Clause 50, it gives the commissioner a power to assist individuals in going to court, but only in cases involving matters of substantial public importance. I hope that your Lordships will feel that we have achieved the right balance in that regard.
We do not wish, and would not want, to inhibit the freedom of expression which is a fundamental and continuing part of the British way of life and which British broadcasters have enjoyed up to now in making programmes in a generally responsible way. It is clearly part of that tradition of information, the dissemination
Equally, it is part of the British tradition of freedom of expression that entertainment programmes, such as arts programmes, comedy, satire or dramas, can refer to real events and people. It is not the intention of the Government for the directive to be used to inhibit programme-makers from making programmes as they have up to now. The Government believe that both privacy and freedom of expression are important rights and that the directive is not intended to alter the balance, which is a fine one and always should be, that currently exists between these rights and responsibilities. I believe that the Bill does strike the right note in that respect. It was not until after a good deal of consultation and discussion, and perhaps cross-fertilisation of ideas, that we came to our conclusion. However, I repeat that if there is reasonable room for improvement, our minds are not closed.
Part V of the Bill deals with enforcement. First, the Bill creates a twin-track approach for individuals seeking a remedy for alleged breaches of the law. In the same way as they may now go to the registrar, under Clause 40 they will be able to seek the help of the commissioner. They will also be able to go direct to court where they believe that any of their rights under the Bill have been contravened. This is an important strengthening of individuals' rights. The 1984 Act provides only a very limited right to go direct to court: where subject access has been refused or to seek the correction of inaccurate data.
The enforcement notice, which is the main instrument for enforcing the data protection principles under the 1984 Act, is retained in Clause 38. But because of the restructuring of the data protection principles, it has wider scope under this Bill.
Clause 41 entitles the commissioner to issue information notices seeking the information she may need to carry out her functions. The commissioner takes the view that, in its present draft form, the power is not as useful as it might be. I have discussed it with her, and I will consider whether there is any way in which it could be improved fairly to meet her concerns.
Part VI deals with miscellaneous matters. Clause 49 gives the commissioner a broader duty than now to promote good practice. It includes a strengthened role in relation to the issuing and consideration of codes of practice; and a new power to make assessments of individual data controllers' personal data handling practices, with their consent.
In the context of Clause 49 I might also explain briefly the arrangements for dealing with transfers of data to third countries. The eighth data protection principle in the schedule prohibits the transfer of
There is concern on the part of some of the EU's major trading partners, particularly the USA, about the implications for trade of these arrangements. I believe that the arrangements made in the Bill provide the maximum flexibility for data controllers, consistent with ensuring proper data protection and meeting the requirements of the directive. I know that this is a matter which is being treated very seriously by colleagues in Brussels and I am confident that a satisfactory way forward can be found.
Clause 52 creates an offence of unlawful obtaining, disclosure and subsequent sale of personal data without the consent of the data controller. The intention is to re-create and replicate the similar offence in the 1984 Act.
Clause 54 puts a duty of confidentiality, subject to a criminal sanction, on the data protection commissioner and her staff. I know that the registrar is uneasy about attaching a criminal sanction to the duty of confidentiality. Again, this is a matter which I have discussed with her and I have told her that it is a matter on which I am prepared to consider suggestions for alternative approaches.
Finally, I must mention one omission from the Bill. The Bill does not yet make any provision for the transition from the existing data protection regime under the 1984 Act to the new one under the Bill. I recognise, and I am happy to say it now, that those affected by the Bill will need to know as soon as possible what are the Government's intentions. We shall certainly bring forward necessary amendments as soon as we can.
This has been a rather brief overview of what is a long and complex piece of legislation. I have deliberately omitted what I might have covered. I know that noble Lords have particular interests in some of the areas which I have omitted. My noble and learned friend the Solicitor-General will deal with the points which noble Lords raise in the debate.
I am pleased that we have agreement through the usual channels for the Bill to be considered by a Grand Committee in the Moses Room. This seems to be, almost quintessentially, the sort of legislation which needs that calm, informed scrutiny. I repeat that we want the best possible assistance by way of scrutiny by your Lordships who are informed about those matters. I commend the Bill to the House.
|Next Section||Back to Table of Contents||Lords Hansard Home Page|