§ Order for Second Reading read3.36 pm
§ The Secretary of State for the Home Department (Mr. William Whitelaw)
I beg to move, That the Bill be now read a Second time.
Wherever we look, the information technology revolution is having its effect—in the banks and the building societies, in the retail trade and mail order business, throughout commerce and industry, and increasingly in Government. Thanks to computers the use, transmission and communication of information is becoming daily both more complex and more proficient. The developments have been considerable even in the short time since Sir Norman Lindop's committee published its report on data protection in 1978; still more is this true of the period since the subject of privacy was last fully debated in this House, back in 1973, following the report of the committee under Sir Kenneth Younger in the previous year.
These developments have undoubtedly brought substantial benefits, more effecient business transactions and the rapid movement of information needed, for example, for proper decision-taking in matters of health, social welfare, and so on. The great majority of computer systems are, as they say in the trade, "subject friendly"—that is, they benefit those about whom information is stored.
If we are to continue to improve efficiency and productivity, maintain our trading competitiveness, and keep up the service that Governments supply to the citizen, we must ensure that the information technology industry flourishes. And that is the purpose of the Bill. To achieve that purpose the Bill must do two things: reassure the public that the holding of personal information on computers is properly controlled, so dispelling any lingering unease that might otherwise inhibit their use; and, secondly, protect our international trading position by bringing us into step with the increasing number of European countries which already have protection legislation in force. Companies operating on a multinational basis—and thousands of jobs are involved—depend increasingly on the international interchange of computerised data, including personal data. If the flow of data to this country were interrupted, the operations of many of those companies here would be threatened.
Last April's White Paper on data protection said that there had been few reported instances in this country of the misuse of information held on computers. That remains the position, but that does not mean that there is no potential for abuse. Nor should it blind us to the real concern that that potential could become reality if suitable controls are not introduced. In view of some of the criticisms of this Bill that I have read and listened to during the last few days, let me make one thing absolutely clear from the outset. The Bill provides the individual for the first time with a general right of access to data held about him and it requires the registration of the holding and use of data. It gives no new powers to the police or to any public authority other than the data protection registrar.
554 Before I turn to the details of the scheme, there are two further points that I would make. The first relates to the committee under Sir Norman Lindop, to which I referred in passing earlier. I want to pay tribute, as my right hon. and learned Friend the Lord Chancellor did in another place, to the substantial and painstaking report which that committee produced, and from which the Government have greatly benefited in the formulation of the present proposals. We have not followed the committee in all its recommendations, but I hope that the members of the committee will note the various points at which their recommendations and ours do coincide. I hope also that, where we have diverged, they will come to appreciate why we have gone in the direction that we have.
Secondly, I draw attention to the European dimension. In January 1981, the Council of Europe convention on data protection was opened for signature. Together with the guidelines on privacy protection of the OECD, the convention offers an international standard for data protection. This has provided us with a yardstick against which to measure our own proposals. Our intention is to ratify the Council of Europe convention, and we have kept its provisions firmly in mind in drafting the Bill.
With the convention now widely accepted as setting a necessary standard, we shall find increasingly a division between those countries with data protection, and those without. The latter will be more and more at risk of action from countries determined to prevent the undermining of their own data protection laws by the export of personal data to countries without protection. We must not allow any excuse for sanctions against the United Kingdom. That is what makes it imperative that we legislate without delay. Even if we were not already convinced of the rightness of legislation in this field, we should be compelled by this consideration to bring ourselves into line with European practice.
In designing the scheme contained in the Bill we have paid particular attention to other countries' direct experience of data protection legislation. My right hon. Friend the then Minister of State, Home Office, visited four European countries last September. The following month the fourth international conference of data protection commissioners was held in London. For some years the Council of Europe interest in this field has encouraged a continuing international interchange of views in which the United Kingdom has played an active part.
We have found that the constitutional, administrative, and judicial background against which legislation has been framed is very different in each country. Each national statute is therefore quite different and designed to meet particular national needs. The Bill likewise steers its own course. The experience of other countries has been invaluable to us, but the Government have concentrated above all on designing an answer to the problem as it exists in the United Kingdom.
A few moments ago I referred to the Government's belief that the fundamental problem is the fear of the capabilities of computers. We, of course, fully recognise that damage can be caused by the misuse of information, regardless of whether it has come from a computer or an ordinary manual file, but what we are discussing today is not a measure for the general protection of personal information; it is a measure designed to meet the particular threats, actual or perceived, which derive from the use of computers—by which I mean their capacity to store a mass 555 of information, and their ability to locate specific items of information, virtually instantaneously, and then link it no less rapidly with other information about the person in question. That is the threat with which we are attempting to deal, not the much broader concern about the use made of information about one person by another.
For these reasons, the Government have restricted their Bill to automatically processed data. To do otherwise would require a monstrous bureaucracy and place intolerable burdens on users—and even then there would be grave doubts about whether it would be enforceable. It would certainly require a scheme totally different from that contained in this Bill. Let us not overreach ourselves unnecessarily, and, in the process, lose the benefits of what is at this time within our grasp.
§ Mr. Andrew F. Bennett (Stockport, North)
One of the Government's major tasks is to encourage people to use new computer technology. By insisting on registration in one area and not in another, is there not a danger that many local authorities will continue to keep information on manual records rather than on computers because one will be registered and the other will not?
§ Mr. Whitelaw
I do not think so. I am proceeding on the basis of the Lindop committee and of the Labour Government's White Paper and on which the Council of Europe convention was opened.
The Bill takes from the convention eight general principles which are set our in schedule 1—principles which owe their origins to the work of the Younger committee in this country more than a decade ago. The principles relate to the use which is made of data—the way in which data are collected, held and disseminated. They require data to be used only in accordance with the purpose specified for them and they provide for the quality of the data in question—accuracy, relevance and so on. The principles establish a right of access for data subjects to the data held about them, and provide for the correction or erasure of the data where appropriate. They require adequate security measures to be taken to protect the data.
We have made compliance with these principles enforceable through the medium of the registrar, so establishing a single authority on the subject who can consult, advise and negotiate before taking action. A vital feature of the scheme is his capacity to use his discretionary powers to tailor his response to the circumstances in each case. This flexibility of approach, we believe, is much preferable to any scheme in which, say, a user collecting data unfairly or holding inaccurate data is directly liable to criminal prosecution.
We have gone for a single registrar rather than a multimember authority for positive reasons. We see it as by far and away the most economic use of resources. Since the scheme will be funded by data users themselves, that is of particular importance to them. We believe that an individual registrar will be able to act more rapidly, authoritatively and consistently in this complex and infinitely varied field than could a committee. His interpretation of the principles, and determination of what in particular circumstances constitutes contravention of the principles, will place a premium on consistency and the kind of build-up of understanding and expertise that an individual can best achieve. Because of the variety of cases that will arise, we think that a registrar who is able to look for and accept advice from wherever he sees fit in 556 the special circumstances that he faces will be better equipped than a committee representing an inevitably incomplete range of interests.
At the heart of the scheme is the requirement on data users to register. The process of registration will not be onerous. It is important to make that clear. Registration will entail no more than answering half a dozen questions and paying a small fee, and acceptance on to the register will in most cases be automatic. Thereafter, the vast majority of users will not be bothered again by the registrar. We have deliberately kept the requirements of registration to a minimum to ensure that users do not face unreasonable burdens. The registration process will require data users to specify the purposes for which they hold data, thereby satisfying the second of the data protection principles, and bring into the open the processing of personal data, thereby meeting the fear of unknown activities taking place in secret. The establishment of a register to which anyone can go to discover the uses being made of automatically processed information is a key feature of the scheme.
The register will serve a further purpose. It will provide the registrar with an up-to-date account of the uses being made of computerised personal information and the purpose for which data users claim to be engaging in that activity. The register will give the registrar a snapshot of the whole field and it will be the starting point from which he will be able to decide whether a particular user is sticking to his declared intentions and whether there is any cause to investigate a possible breach of the principles.
In providing for a registrar with a supervisory function of this kind we have had to strike a delicate balance. On the one hand, there is the risk of setting up a cumbersome bureaucracy, continuously at the heels of legitimate business activity and impeding technological developments. On the other hand, we must guard against the registrar being ineffective, lacking the powers and resources to give any teeth to the legislation. The Government do not want some vast new quango that will jeopardise efficiency in every area of national life: thus we have gone for a compact organisation which will not interfere unnecessarily. The burdens on law-abiding data users will be kept to a minimum. On the other hand, it is nonsense to suggest that the registrar will be ineffective when the need for action arises. We have said that his staff will be quite small, but it will be adequate to deal with abuses when they occur. Experience from Europe shows that a large staff is not needed for this purpose. What matters is the role to be performed and the powers available to carry it out.
§ Sir Dudley Smith (Warwick and Leamington)
As a United Kingdom parliamentary delegate to the Council of Europe, I assure my right hon. Friend that everyone is most grateful that he has brought forward this legislation. In talking about the registrar, however, will he bear in mind the possibility of considering, perhaps at a later stage, a more flexible system in relation to registration details, especially in view of the representations made by the Consumers Association about the key role of the registrar which my right hon. Friend has just emphasised?
§ Mr. Whitelaw
I am grateful for my hon. Friend's remarks, especially his comment that we are right to bring forward the legislation at this time. As for the details, it is clear from much that has been said that there will be 557 opportunities to examine the Bill in Committee. No doubt some hon. Members will seek to amend it in Committee and it will be right for the Government to approach the Committee in an appropriately positive sense, as has been done in other cases.
The powers which we have given the registrar under the Bill, and which I shall describe in a moment, add up to a substantial armoury for him to use when necessary. In the majority of cases the registrar will proceed by means of negotiation and agreement, but if ever the process of negotiation breaks down he will have effective means of ensuring that the data protection principles are complied with.
I shall now attempt to guide the House through the detailed provisions of what I am aware is a technical and complex measure. The Bill has five parts. Part I contains definitions of the basic terms used throughout the Bill and, with schedule 1, introduces the general principles of data protection. Part II is concerned with the registration and supervision of data users. Part III deals with the rights of data subjects. Part IV provides for exemptions. Part V contains some general provisions and further definitions.
Clause 1 sets out a series of definitions which are crucial to the scope of the Bill. In the definitions we have concentrated on what I described earlier as the main perceived threat to personal privacy posed by computers—their ability very rapidly to extract information about a specific individual and then to link it equally rapidly with other information about the same person.
§ Mr. Gwilym Roberts (Cannock)
Is the right hon. Gentleman aware that these days one must ask what is a computer and when is a computer not a computer? Once the Bill becomes law, other means of retrieving information far more rapidly from more conventional methods of storage may come more and more into use. That would not be covered by the legislation.
§ Mr. Whitelaw
I think that we had better move one step at a time. As for when a computer is not a computer, there must be many people far more qualified than I to answer that question.
Clause 2 introduces the data protection principles, Clause 2(3) reflects article 6 of the Council of Europe convention which demands that sensitive data be given "appropriate safeguards". The convention does not necessarily require special provisions over and above those offered by the Bill in general, but the clause provides a power to lay an order amending the principles in regard to those sensitive areas if experience suggests that this is necessary. Clause 3 provides for the establishment of the data protection tribunal, to which data users will be entitled to appeal against the decisions of the registrar.
Clause 4 deals with registration and the provision of particulars to the registrar. Clause 5 makes it an offence to hold personal data without having thus been registered or to use data in a way incompatible with the registered details. Clauses 6 to 9 then set out the procedure for renewing a registered entry and the limited circumstances in which an application for registration may be refused.
Clause 10 contains the first of the powers to which the Bill invests the registrar in carrying out his supervisory function. It empowers him to serve a notice requiring some specific form of remedial action, while the following clause enables him to remove all or part of a user's entry 558 from the register—the difference between them being that the latter power must be kept for those circumstances in which the former is inadequate to deal with the mischief in question. In both cases the registrar must be satisfied that one or more principles have been breached. In deciding whether to take either form of action, he must consider whether the contravention in question has caused, or is likely to cause, damage or distress. Failure to observe an enforcement notice will be a criminal offence.
Clause 12 contains a further notice power, but applicable in respect only of proposed transfers of data outside the United Kingdom. The aim here is to ensure that the transfer of data abroad does not circumvent the domestic provisions, while at the same time maintaining respect for international obligations to transmit data and acknowledging the general importance of data flowing freely between the United Kingdom and abroad.
Clauses 13 and 14 reflect our consciousness that potentially considerable powers are being vested in the registrar, and provide for an appeal to a specially constituted tribunal, empowered to amend the registrar's decision in any way in which he himself would have been able to act. The final schedule to the Bill provides for the making of rules governing the conduct of the tribunal's proceedings.
Of the remaining clauses in part II, I would draw attention to clause 16, which provides a power of entry for the registrar, but only after he has obtained a warrant from a circuit judge by satisfying him that there is reason to believe that evidence will be found of a data protection offence or a contravention of the data protection principles.
Part II, then, provides the means by which the registrar can ensure general compliance with the principles. Part III provides the rights directly available to data subjects, enforceable where necessary through the civil courts. Clause 21 establishes the right of access to data, and the circumstances in which that right may be exercised. Clauses 22 to 24 establish a right to compensation for damage done by reason of inaccurate data, or, in certain circumstances, where data have been lost or disclosed without authority. Where appropriate, when damage has thus been caused, the courts will be able to order the rectification or the erasure of the data concerned.
Part IV, dealing with exemptions, is of course the aspect which has generated much interest and by which, in many people's minds, the rest of the scheme will be judged. I want to emphasise, therefore, that these clauses have been constructed from the starting point spelt out in the Government's White Paper, that exemptions from the scheme would be kept to a minimum. Apart from data held for domestic and other limited purposes, the only data wholly outside the provisions of the scheme are those concerned with national security. It has been generally recognised, as a fact of the world in which we live, that special provisions need to be made for national security, and clause 27 provides accordingly. All other data, including data held by the police for the purposes of crime prevention, will be registered and accessible by the registrar.
Access cannot be given to all police records if the prevention and detection of crime is not to be put at risk. Obviously, to provide a data subject with access to his file, where the file relates to police suspicions about his criminal activities, would be nonsense, and the Council of 559 Europe convention recognises that. Article 9 specifically provides for derogation from most of the data protection principles, where this is necessary,for protecting State security, public safety, the monetary interests of the State or the suppression of criminal offences;andfor protecting the data subjects or the rights and freedoms of others".Clause 28 accordingly deals with data used for particular purposes—the prevention or detection of crime, the apprehension or prosecution of offenders, the assessment or collection of any tax or duty, or the control of immigration. Data held for those purposes are exempt from the Bill's provisions in regard to subject access if—but only if—the granting of access would prejudice any of the specific purposes.
Clause 28(2) allows data to continue to be disclosed for those particular purposes without falling foul of the new prohibitions on disclosure introduced by earlier provisions of the Bill. At present there are no statutory prohibitions on disclosure, and it is the holder of information—manual or computerised—who decides whether or not to disclose it to somebody else. Generally, where computerised personal data are concerned, the Bill will prohibit disclosures except in accordance with the holder's registered particulars. Where crime prevention and the other matters are at stake, the holder must clearly not be prevented from disclosing where he himself judges it to be in the public interest to do so. Finally, clause 28 provides for exemption from the first data protection principle—fair and lawful collection of data—where it is necessary to avoid prejudice to those specified purposes. With these exceptions, the remaining principles will all be applicable in these areas. Our intention has been to keep exemptions to the minimum consistent with the efficient operation of law enforcement agencies and I would point out—especially to those who have suggested that the Bill provides only the bare minimum that is consistent with the convention—that we have stopped substantially short of the exemptions which the convention would allow us to make in these areas.
Continuing with part IV of the Bill, clause 29 empowers the Secretary of State to make an exemption from the subject access provisions in regard to data held in respect of health and social work. Clause 30 exempts from subject access data held by a Government Department relevant to the making of judicial appointments. Certain other exemptions from certain provisions, in specific areas, are included in clause 32.
The one other area of total exemption from the Bill, to which I referred briefly a few moments ago, is clause 31, which relates to data held for personal and domestic purposes—the annual Christmas card list is an example—and where data is held for the purposes of a club, or distributing articles—although only where the data subjects have signified that they do not object to the data being held by the user and, in the latter case, where the information consists solely of names and addresses.
I shall, in conclusion, draw the attention of the House to just two of the provisions of part V. The first is clause 35, which applies the provisions to Government Departments and the police. There are difficult constitutional problems about applying any provision of this kind to Government Departments which, by convention, cannot be prosecuted for criminal offences. We have endeavoured, by the provisions of this clause, to 560 ensure that Government Departments will be placed under the same legal obligation in regard to data protection as any other users.
The other provision to which I would refer is clause 38, which deals with the transitional arrangements for bringing the scheme into force. This provides for an appointed day to begin the transitional arrangements, which will themselves fall into two parts: an initial six months period, during which applications for registration can be made, but in which none of the criminal sanctions will apply; and a further 18 months in which the offence provisions will apply but in which the registrar will not be able to insist upon observance of the data protection principles. We have adopted this approach because it may take some time for data users to bring their systems into line with the requirements of the legislation. I believe that the House will recognise in these transitional arrangements a further indication of the Government's determination to provide an effective data protection scheme but one with which data users can comply without unnecessary inconvenience and expense.
These, then, are the Government's proposals on data protection. As I have emphasised from the start, they have been constructed with the aim of meeting people's fears in the face of advancing technology and of keeping this country in step with overseas data protection practice. The balance between the demands of data protection and the legitimate objectives of data users is delicate. Let us not forget the other crucial role of the Bill. It will enable us to ratify the Council of Europe convention, and ensure that there is no risk of sanctions to inhibit the transfer of personal data to the United Kingdom. We shall thereby safeguard the increasing number of concerns that depend on the free international interchange of computerised data, and so safeguard the many jobs in that area.
This is a Bill to meet public concern, to bring us into step with Europe, and to protect our international commercial and trading interests. It sets out to achieve those objectives in a way that places no more burdens on users than are necessary. It is an important Bill. It is also a sensible, realistic and pragmatic one.
§ Mr. Roy Hattersley (Birmingham, Sparkbrook)
During the final moments of the debate on the Bill in another place, one noble Lord complained that his colleagues had made the fatal error of assuming that only experts on information technology could debate data protection. I promise the House that at least I shall not make that mistake. Indeed, by rising to speak, I have acknowledged that it is necessary for some of us who do not claim expertise on specific subjects to make comments about the general principles that ought to govern the use of such data.
I speak in the debate as that most lowly of all persons, the data subject, one of the 50 million people for whom the Bill ought to provide protection. I believe in one particular. The Bill makes an important and vital contribution to the protection that we, the data subjects, need. For all its inadequacies, the Bill establishes the principle that the private citizen has the right to know what information about him or her is being held by private companies or public agencies, the right to inspect that information, the right to correct any errors of fact that that 561 information contains and the right to the assurance that those data, which have been necessarily and properly obtained, will not be subsequently misused.
It is because of the legal recognition of those principles that is belatedly given by the Bill that I shall not vote against its Second Reading, nor do I invite my right hon. and hon. Friends to do so. We have in a sense, through the schedules and through the recognition of the principles in them, made some progress towards the objects of the Younger committee's report and the European embodiment of those objects in Council of Europe legislation. While those principles are properly enshrined in the proposed legislation, I do not believe—and more people outside the House do not—that the Bill is anything like a perfect instrument for providing the protection that society needs. Indeed, the Bill contains major flaws.
In some areas the Bill makes sensible progress towards putting the principles to which it subscribes into practice, but it is increasingly recognised by the press and especially by the professions most closely associated with personal data that the Bill contains exclusions that are too sweeping and exemptions that are too easily manipulated by those who wish to frustrate the purpose of a Data Protection Bill. The Opposition hope to make improvements to the Bill in those particulars in Committee and on Report. We hope to amend the Bill in a way that limits, if not prevents, the opportunities for abuse by either private companies or public agencies. I shall refer to some of the specific criticisms that will be made in more detail in Committee, particularly on clauses 27 and 28.
Before I do so, I shall say one thing about the principle embodied in the Bill and its glaring, major omission. The Opposition believe that a Data Protection Bill essentially should be part of a general policy to preserve and protect the right of the individual to keep his affairs private and secret if he or she wishes to do so. The protection of data is only one part of the concept of the right to privacy. Until the majority of the House is prepared to give its support to that general principle, the privacy that we seek will not be obtained. It will not be obtained by a measure as limited as this. There has been a great deal of dispute about it before today. The House has heard the Home Secretary, with his customary candour, make it clear beyond doubt that the Bill is limited to the protection of data that are obtained, stored and distributed in one way. In truth, the title of the Bill is a misnomer. It implies, wrongly, that if passed into law, it will offer protection for data of every sort. I repeat that the Home Secretary has made undoubtedly clear and absolutely plain the fact that the effect of its provisions is more accurately represented by its long title, which makes it clear that it concerns onlythe use of automatically processed information.Manually processed data and hard copy files are wholly excluded. Their exclusion seems to many people and to me to confirm the suspicion that was aroused when the Government published their White Paper, that the Bill is less an extension of civil liberties than an enabling Act to make possible the Government's information technology programme. Without an Act of some sort providing minimum protection of computer-stored data, the Government would be unable to ratify the European Convention for the protection of individuals with regard to automatic processing of personal data. Until that 562 ratification is possible, British computer companies, data-processing and data-holding companies will be denied access to the information held by their European collaborators. Therefore, without ratification, the whole British information technology programme might be put at risk and the operations of many companies that depend on it might be put in jeopardy.
I do not minimise for a moment the importance of protecting the growing industry of computer and information technology. I do not minimise the necessity to protect companies that operate in Britain, but could not operate successfully because in the total absence of data protection here, they would, be prevented from sharing information with their European collaborators. This is a necessary protection and an aim that the Government are right to pursue. My only complaint is that since that seems to be—on the evidence it can be demonstrated as being—the main and principal purpose of the Bill, the Government would have done well to be frank about their intentions rather than dress up what is a limited measure as if it were a genuine attempt to protect the individual and the data that might be used to the individual's detriment.
I should like to ask another question about the European convention, which will have to be pursued in Committee and which it is absolutely necessary for the Government to make totally clear. There is a good deal of opinion, some in Britain and more in Europe, that the exclusions and exemptions under the Bill, not only in clauses 27 and 28, but in some of the clauses that follow, may yet mean that we would not be in compliance with the European convention even if the Bill were passed into law. I am sure that the Government will insist that that is not so, but the Government have got their European obligations badly wrong before. Two years ago, when we were saying that the Government were not in compliance with the regulations that required the admission of the husbands of women who were British by registration, we were told that the Government wanted conformity with the declaration. That was proved not to be so. We need absolute evidence and assurances that the Bill will meet the European need, not simply from the Home Secretary but, I hope, in Committee from one of the Law Officers, who can make the position absolutely clear. While obtaining the right for our agencies and companies to work with their European collaborators is not in itself a justification for, or the proper content of, a Data Protection Bill, it is an important object, and as it is the main object of the Bill I hope that we can be assured that the Government have got it right.
The major objection to the exclusions in the Bill relates to the Government's decision not to include anything about manually processed data. The Government have offered two excuses for making no provision for such material. The first is that such a comprehensive coverage of all data is impracticable and the second, which the Home Secretary repeated twice, is that the ease with which electronically gathered and stored information can be misused causes most public disquiet. The Home Secretary described that as "the main perceived threat"—a description which seems to have come out of a computer itself.
I accept that the "main perceived threat" is the dramatic possibility of information being quickly gathered and distributed by electronic means, but if we take data protection seriously, that possibility is not the only danger. The nightmare about which newspapers talk is material that is easily retrieved and quickly transmitted. Computer 563 data excite the most apprehension, but some of the most sensitive information about individuals and their private matters is still stored manually. The obvious example is medical records, only 5 per cent. of which are stored on computers.
There is a great fear, which I express today and which many organisations have expressed in recent weeks, that when the Bill becomes law, increasing amounts of sensitive information will be moved from electronic systems to manual systems.
Let us put the potential problem at its lowest. It will be possible for a disreputable company to register under clause 4 and subsequently, by transferring some of its data to manual records, to go on using manually stored information without check or regulation. I hope that the House and the Home Secretary will accept that we ought not to dismiss the problem of manual records as if it were a trivial point.
§ Mr. Nicholas Baker (Dorset, North)
The right hon. Gentleman has raised an important point. There is little evidence of abuse of computer-stored information and sensitive information has been recorded manually for many years. Does the right hon. Gentleman claim that there is much evidence of such sensitive information being abused in manual systems?
§ Mr. Hattersley
Of course I do, and so do some of the reports on these matters and all the organisations representing the medical profession, which have led the outcry against the exclusion of manually stored information.
As I said, we base our belief in the need for an extension of the principles in the Bill not only on the Lindop report, which dealt exclusively with computer data, but on the Younger report, which made wider and more fundamental recommendations about the right of individual privacy. That right ought to include the right not to have private information manually stored and misused. It is a serious issue.
Over the past 15 years, Labour Governments have set up committees in the hope that improvements could be made. The committees have reported on how it might be possible to improve matters, but the Governments that set them up have been defeated before the recommendations could be put into operation.
All the organisations concerned with sensitive information, and particularly the medical profession, which, for some perverse reason, the Home Secretary seemed determined to offend and alienate, regard the exclusion of provisions relating to manually stored information as a major omission from the Bill. A disreputable company can behave in the way that I described. It will be able to register and appear legitimate and subsequently remove records from its computer system and continue its disreputable practices through its manual records.
I accept that the Government could not implement their present concept of data control for every company that stores manual records. If we are to go down the route of registration and a registrar, it will be impossible to require every company with manually stored personal records to register in the way suggested by part II of the Bill. But that is the Government's chosen route. They could have chosen a different route to enable a more comprehensive coverage of wider areas of information.
564 For example, the Government could have chosen to implement the Lindop proposal for a code of practice for data users. If that code had been made enforceable in law and individuals whose information had been misused had recourse to the courts, it would have been possible to include small companies that process information manually.
The Government chose to reject the concept of legally enforceable codes of practice. The Home Secretary eloquently asked the Lindop committee, and asked the House, in passing, to understand why he had not been able to accept all the committee's recommendations. I assure him that we understand why he has been unable to do that. The Lindop committee wanted a comprehensive system of data protection and the right hon. Gentleman does not. There cannot be such a comprehensive system without the codes of practice that the committee recommended, but which the Home Secretary has rejected.
The Government have chosen to implement the minimum proposals that, in their view, will bring us into line with the rest of Europe and which they can attribute to the two major reports submitted since 1971. Those reports were both initiated by Labour Government and both committees reported at times when new Governments had been elected or were about to be elected who did not have the same enthusiasm for the freedom and protection of the individual as had the Government who set up the committees.
Indeed, the Government who inherited the Younger and Lindop reports have been frank in saying that they wanted the minimum restriction and regulation. In the much-quoted speech of the then Minister of State, Home office, the right hon. Member for Aylesbury (Mr. Raison) on 8 June 1981, the right hon. Gentleman said that the Goverment's proposals, which we are debating, represented a fairly limited level of enforcement. In fact, in the absence of the codes recommended by the Lindop committee, there is virtually no enforcement of good practice.
Companies must register, must open their data to inquiry, must correct errors and must, in general, conform with the principles in the schedules, but there is virtually no way in which a user can be sure that he has proper redress if information is improperly used. Most often, a user will not even know about the information and if he or she does know about it, there will often be no opportunity to put matters right.
If the House doubts that, the Bill is weighted in favour of the operators, as distinct from the users, I ask hon. Members to consider what the Home Secretary said about the tribunals. As I read the Bill and the notes on clauses, I believed what the right hon. Gentleman said about the tribunals to be right but I could not bring myself to believe that that was the Goverment's intention until the Home Secreary confirmed it.
The tribunals will be set up exclusively to protect computer companies. If a company is prevented from registering, it can appeal to a tribunal. However, if users believe that a compancy is inappropriate for registration because of its behaviour or conduct, they cannot appeal to the tribunal of exclude the company from the register. The tribunals are part of the computer company protection process.
The Opposition would like to see something more comprehensive, positive and better. We should like to see 565 the inclusion of legally enforceable codes of practice, the omission of which is the major departure from the Lindop recommendations.
The second major departure from Lindop is the substitution of a registrar—a single individual—for the committee's recommendation of an independent data protection agency. We should all be fascinated to hear from the Minister of State who is to reply what sort of individual the Government have in mind to appoint as registrar. I do not expect names to be named or even precise categories to be described, but we should like to know whether the registrar is to be someone who knows about the law, and can deal with the legal aspects, someone who knows about computer technology, and who will understand that if rubbish goes in, rubbish comes out, or someone of a different sort who will have supreme authority over these matters.
In our view, it is a deterioration of the proposals that there should be an individual rather than a tribunal. An individual rather than a protecting agency has one crucial defect—that the individual appointed by the Government will not be able to stand up to the Government in the way that a data protection agency should, would and must if the Bill is to become effective. The Government should realise, although they seem incapable of realising, that a proper Data Protection Act must provide protection for the individual against the Government.
The Home Secretary's record on private information, as shown in the proposals in the Bill and in his continued support for some of the provisions in the Police and Criminal Evidence Bill, displays a reckless disregard for the privacy of other people's confidential information, matched with a determination to keep Government data just as secret as he or the Government choose at any one time. The Labour party believes that the balance should be struck differently and that it is the individual who needs protection in two ways. First, private information relevant to him or her should be protected against the state, and secondly, information possessed by the state that might result in detriment to the individual should be made available to that individual.
Saying that and attempting to lay down those principles leads me to clauses 27 and 28 of part IV. Clause 27 blandly asserts that personal data held by a Government Department is exempt from the provisions of part II and III of the Bill if the Minister of the Crown certifies that exemption is required for purposes of safeguarding national security. I am sure, as the debate goes on, that we shall hear time after time from the Conservative Benches the view that we should all believe in the protection of national security. We do, but we do not all believe that a Minister has only to say "national security" to justify practices over which there is no check, for which there is no redress and for which no democratic House should give blanket approval. The Bill gives the Minister stipulated in clause 27 no guidance as to how national security is to be safeguarded or defined. Therefore, there is no limit placed on the Minister's personal judgment when he is exercising his powers in these matters.
Let us hypothesise an example. If the Home Secretary or his putative successor, the Secretary of State for Employment, announces that national security requires the abandonment of the protection that the Bill provides, he has only to say so and that protection is abandoned. There 566 is no check, no appeal and no redress. His action can be, and in many cases would be, arbitrary in the literal sense of that word.
Clause 21 allows a raid on Government records if a Minister announces that a raid is justified for purposes that he does not have to describe or explain. Clause 21 and 23 allow raids on private records if a Minister similarly announces. I make no claim that the Bill promotes or initiates such raids. However, it removes the records that I have described from the protection of the Bill if the Minister announces that the removal of protection is necessary for national security. This is an arbitrary power that should not be in a Data Protection Bill and disqualifies this Bill from enjoying that title.
It is no good for the Government to say, as they said in various press briefings over the past couple of weeks, that we have to rely on ministerial good intention in these matters. The object of the House of Commons is to avoid the necessity of relying on individual good intentions, and to pass legislation that is distinct and precise in itself. In a free society, there should be legal checks on the possibility of the arbitrary and capricious behaviour of Ministers, and there is no such check in the power described under clause 27.
In the opinion of many people the contents of clause 28 are even more unacceptable, because while clause 27 allows exemptions after ministerial fiat is provided, clause 28 provides general exclusions from protection in stipulated circumstances. It means that information supplied in good faith to the Government for a specific purpose may be used for quite different objectives to those for which it is provided. Sometimes, the information will be given to the Government because of a legal obligation on the part of the person supplying it. It may then be used for a different purpose to the detriment of the individual who has provided it.
The doctors of Great Britain have complained with most determination, most loudly and in a sustained and convincing way about this aspect. It is their fear, as it is mine, that this clause, which removes some information from the protection of today's Bill, combined with the objectionable clauses that cover such matters in the Police and Criminal Evidence Bill, will deeply undermine the relationship between doctor and patient. It is impossible not to relate the two things in the professional mind of doctors. It would be wrong were the clauses not related in the legislative mind of the House. Everyone who has examined the proposals that information provided for the Government in confidence for one purpose might be used by one Government Department or another for a different purpose has found that concept unacceptable.
The Lindop committee in its entirety, giving evidence to the Home Office about the Bill, described this provision as a culpable fraud on the public, because it is obtaining information for one purpose and using it for another. I know that the Government will say, and certainly the Minister of State if he follows his normal practice will tell us several times, and loudly, that they are removing the protection for admirable purposes, for the protection of crime, the prosecution of offenders, the assessment of collection of taxes and the control of immigration. I accept, as the Minister will again tell us, that the Bill does not compel such information to be passed from one Government Department to another. The compulsion will be applied by the provisions of the Police and Criminal Evidence Bill. Clause 28 allows information to be passed 567 from hand to hand in Government, and I suspect that because that concept of information supplied for one purpose being used for another is to be embodied in law, it will encourage such information to be passed from hand to hand and from one Department to another in Government.
Confidential tax records, or tax records that until today have been regarded as confidential, will be used for different purposes and every contrivance will be used in the pursuit of the Government's unhealthy obsession with illegal immigration. If the House doubts the intention to use these clauses for that unhealthy preoccupation, I ask hon. Members to read the House of Lords Hansard of 22 February and the views of the noble Lord Elton on the possible use of this Bill to avoid immigration regulations. His example concerned persons who, in his words:do not follow our rigid Christian/surname formula".—[Official Report, House of Lords, 22 February 1983; Vol. 439, c. 703.]I suspect that he did not notice that some people do not do that because they are not Christians. He went on to say that the Bill would enable the Government to catch people who, by not following that rigid formula, operate under two names and are therefore given the opportunity of avoiding our immigration regulations. It is deplorable that an Act of Parliament that is supposed to protect the liberties arid freedom of the subject should be proclaimed in a House of this Parliament as having that object and purpose.
§ Mr. Timothy Smith (Beaconsfield)
If the individual illegal immigrants to whom the right hon. Gentleman is referring are not subjects of the United Kingdom his point is irrelevant.
§ Mr. Hattersley
The hon. Gentleman makes my case, for he is assuming, as most of his party assumes, that people who might be illegal are illegal. I do not have the right to examine the possible pseudonyms under which he operates in case he is an illegal immigrant. I do not believe that that right should be imposed against people who happen to be called Khan rather than Smith—two equally common names in the two societies in which those names are found. It is intolerable that the assumption of illegality should be brought into our consideration of this Bill. The hon. Member for Beaconsfield (Mr. Smith) makes my point far more eloquently than I could have made it.
The point is so strong that some of the most distinguished legal authorities fear that clause 28, far from protecting public data, makes misuse of public data easier than it is now, before the Bill passes into law. I do not make that charge. I simply make the charge that clause 28 removes the proper protection which should be in a protection Bill and therefore disqualifies the Bill from the title which it claims.
As you will have seen, Mr. Speaker, my criticisms of the Bill are characteristically moderate. I denounce it not in the language of the Financial Times and even less so in the violent terms used by the Society of Conservative Lawyers. I simply believe it to be inadequate.
I hope that the Bill can be improved in Committee. If that is not the case, the Opposition will be forced to change their mind and our abstention of tonight will be changed into opposition on Third Reading.
§ Sir Edward Gardner (South Fylde)
Like the right hon. Member for Birmingham, Sparkbrook (Mr. 568 Hattersley), I must confess that I do not pretend to be an expert on data protection, but I suppose that I, too, must allow myself to be called a data subject.
There is no doubt that no one who values his reputation and good name can be indifferent to the Bill and the consequences which may flow from it by way of advantage or disadvantage once it becomes law.
Inevitably, with legislation of this kind which touches so sensitive a subject as the individual's right to privacy, there is criticism. Some of that criticism suggests that it is not so much what the Bill does as the way that it does it. Others, including doctors and lawyers who have their own professional fears, suggest that the Bill may disturb the confidential relationship between themselves and their patients or clients. There are some who say that the Bill does not do what it should do or does not do enough.
As the right hon. Member for Sparkbrook said, recently a report was published by a sub-committee of the Society of Conservative Lawyers chaired by a distinguished member of the legal profession, Mr. Rodney Hylton-Potts. I understand that my right hon. Friend the Home Secretary has a copy of the report, and I feel sure that he will give it attention and consider the matters raised in it, although I expect that he will not necessarily agree with all of them.
My concern is with the ability of the legislation to protect the rights of an individual to privacy without imposing unnecessary and unreasonable bureaucratic burdens on business and industry. The Government have made no attempt to conceal—they have gone to great pains to make clear—that the legislation is needed to bring our law into line with that which at present governs the use of computers in other European Community countries. The law is necessary so that we may ratify the Council of Europe convention and, in addition, to avoid our computer industry being put at a disadvantage compared with its European competitors. All those seem to be the most valid and powerful reasons why we need legislation of this kind.
But there is another purpose for the Bill, and in the 'view of most people it is the paramount argument for the Bill in the sense that it has the purpose of protecting the right of the individual to privacy.
The title of the European convention sums up very adequately what ought to be and what I believe are the aims of the Bill in terms of individual privacy. The title of the convention describes it as beingfor the protection of the individual with regard to the automatic processing of personal data.In other words, the intention of the convention, arid one of the intentions of the Bill to match it, is to protect the individual against the use or misuse of the computer.
Those of us who prize the right to privacy arid want it extended rather than narrowed see in the Bill a means of extending the right to privacy at least in terms of computers. Anyone who has had the experience of writing to a mail order firm only to discover that from that moment his letter box is overwhelmed with a stream of letters, pamphlets and forms from other mail order firms will realise just what it means to have his name and address on a computerised list.
It is elementary that computers do what they are instructed to do, provided that they are working efficiently. They are indifferent to the accuracy of the information with which they are fed. We have all had experience from time to time—some would say all too frequently—of the mistakes that bank computers can make. We see our statements and we can correct the 569 errors, but there are documents stored by computers about which many of us have no knowledge. That information can be of the utmost relevance to our futures. It can damage our reputations. It can injure our employment prospects. It can touch upon our credit ratings. We know nothing about it. It can be wholly inaccurate, and we can be the victims of a computer mistake or the mistake of a computer processor. The Bill will at least do something to repair, or help to repair, damage of that nature.
There is no doubt that legislation of this kind inevitably raises formidable problems. I raise some of them now so that they may be dealt with; and in the hope that the anxiety that is felt about them may be dissipated by the explanation that we shall be given by my hon. and learned Friend the Minister of State when he replies to the debate.
I am concerned, as is the right hon. Member for Sparkbrook, about the distinction between manual and computerised information, but to suggest that the Bill should contain provisions to deal with manual storing is to close one's eyes to the prodigious problems that that raises. It is not without interest that in 1975 the Labour Government produced a White Paper on data protection and privacy. If my memory serves me aright, there was no suggestion in that White Paper that manually stored information should be included with the provisions dealing with computerised information.
The hon. Member for Cannock (Mr. Roberts), who asked my right hon. Friend the Home Secretary, "What is a computer?", asked a question that is difficult to answer, and I am not sure that this Bill makes it any easier to reach a solution in that regard. I have in mind the Philips Megadoc which by some miraculous means that I do not understand can store the equivalent of 4 million sheets of foolscap, which would fill a corridor 100 yds long and 6 ft high, in a compact optical record mode. What sort of a machine is that? Is it a computer? Does it come within this Bill? I do not dare to suggest an answer, but some day someone will have to answer that question.
The other matter to which I wish to draw attention concerns the functions of the registrar. I am very anxious, as I am sure are all right hon. and hon. Members, that members of the public—the data subjects, as they are called—who want to find out what is contained in the information that is being stored by a computer and who are refused access to that information shold have a proper remedy and should have someone to look after and follow up their complaints to see that they get the information that they seek. I wonder—I put it no higher than that, and with no more emphasis than that—whether it is right to leave all these functions in the hands of a single registrar.
§ Sir Dudley Smith
I thank my hon. and learned Friend for giving way, and perhaps I should declare an interest, in that I am connected with a banking organisation which has a great interest in transfers of information, although this point is much more relevant to the individual. Does my hon. and learned Friend agree that the very wide powers of the registrar may be assisted by the introduction of a data protection advisory committee? I am against quangos, but in this instance a quango might be of help to the individual.
§ Sir Edward Gardner
My hon. Friend and I are very nearly on the same line; either he or I am on a branch line. I was about to suggest that it might be wise to consider 570 introducing another figure into the picture, in the form of an ombudsman, who could deal with complaints, hiving off that responsibility from the registrar.
§ Mr. Barry Henderson (Fife, East)
I am particularly interested in my hon. and learned Friend's views because of his legal experience. I take it from what he says that he does not feel that the tribunal proposed in the Bill would meet the situation.
§ Sir Edward Gardner
I think that it would help to have this to augment such provisions as are contained in the Bill. If there is a complaint, there should be someone who could concentrate on that function. We should not leave it to the registrar, or the tribunal, because ultimately the tribunal may be the forum that will have to decide an appeal on facts which the ombudsman, if he were appointed, would have to consider.
In one sense, this is a forbidding Bill because it seems so technical. In another sense, it is a fascinating Bill. Certainly, as my right hon. Friend the Home Secretary said, it is a most important Bill, and I wish it well.
§ Mr. Gwilym Roberts (Cannock)
Like my right hon. Friend the Member for Birmingham, Sparkbrook (Mr. Hattersley) and the hon. and learned Member for South Fylde (Sir E. Gardner), I give a somewhat guarded welcome to the Bill. I welcome it in the main because it at least does something for the data user, and—of even greater importance—it does something for the data subject as well.
As the Home Secretary suggested, there is a long history of activity in this area. Something needs to be done, otherwise the United Kingdom will be in considerable difficulties because many other countries have preceded us with legislation in this connection. Sweden legislated as long ago as 1973, and since then many countries, including Luxembourg and even Iceland, have introduced various forms of legislation. Clearly, if nothing is done, British data users may find it difficult to get their data accepted by other countries which have already provided a legislative basis.
As my right hon. Friend said, there has also been a long history in British terms, in that we have had two major reports, several private Members' Bills going back as far as 1966, and even two White Papers. There may be some truth in my right hon. Friend's suggestion—indeed, I am sure that there is—that perhaps Labour Governments go down when legislation is pending. Nevertheless, irrespective of politics and Governments, the matter has been in the air for a long time, and it is high time that something was done.
I have real doubts, some of which were expressed by my right hon. Friend the Member for Sparkbrook, about whether the Bill does anything effective about the problem. Whatever Conservative Members may think about quangos, there is an argument that there should be an effective body in this important area. Clearly a data protection agency would be much more able to operate that a single registrar with a small staff of about 20. Irrespective of the Home Secretary's assurance about what has happened in some European countries, many hon. Members have serious doubts whether a registrar with a staff of 20 would be able to cope with the incredible size of his task. Even in the hard computerised data sector, 571 there is an enormous area that could be covered in that way. I have great doubts whether a registrar with a staff of 20 could make an impact on controlling and carrying out the necessary inquiries in that area.
I have received a letter from the Computing Services Association which makes an important suggestion. It says that there should be an exemption in the registration of what it calls common files—files common to every business such as sales and the normal payroll ledgers without which no individual in a firm can be paid. Clearly the work that is involved in such day-to-day common data registers is enormous and would form the great bulk of a registrar's work. In its letter, the Computing Services Association says:These functions comprise the day-to-day activities of many data processing departments and it seems unnecessarily cubersome and bureaucratic to require their registration. It is estimated that well over half"—I should go much further than that—of the administrative workload of the Registrar could be eliminated if the registration of these 'common applications' …was not required.If, as the Government apparently at this stage intend, the mechanics of the system are confined to a registrar with a staff of 20, there is a strong argument for eliminating such files about which there are few problems.
The real arguments against the Bill are mainly on the other side in the sense that it does not too much, but too little. My right hon. Friend has dealt far more adequately than I can with some of the exemption problems that arise. Many of the exemption areas, whether covered by the global word "security"—we all accept the need for that—police and medical files, are the very areas that people become worried about and that is perhaps the basic weakness of the legislation. Some of the areas that are exempted or which border on exemption are those about which there is general concern and on which representations to hon. Members are made.
My main concern, upon which I touched previously, is that computerised data deal only with a small part of the data pool. As has been suggested, one of the peculiarities of the legislation is that it might turn back the clock. People who have been moving data into computers may suddenly start to switch it back into manual and semi-manual operations. Some of those mysterious things which appear in the police computer may go back into police files. The danger is that the legislation may turn back the clock.
There is the real difficulty, which I put to the Home Secretary and which was followed up by the hon. and learned Member for South Fylde, of defining in hard terms an automated operation. As many hon. Members will know, more and more semi-manual systems with highly complex retrieval systems are coming into being. Such retrieval systems can effectively retrieve data where necessary in much the same way as what is formally described as a computer.
A critical question that may arise from the legislation and which will become more and more of a problem is: when is a computer not a computer? The definition that we have is not enough to enable the registrar and his staff to cope with that problem. The Standing Committee will have to consider closely a much more effective method of defining precisely what is covered by the legislation.
As I have said, on the whole I offer a welcome to the Bill because something must be done if we are to ratify the convention of the Council of Europe on data protection. 572 It is important that we should do so. My only doubt about the Bill is whether it is adequate to satisfy the convention's requirements. The Home Secretary should consider that carefully because serious doubts have been raised not only by my right hon. Friend the Member for Sparkbrook, but by many people in industry. It is vital that we should have a Bill that will enable us to ratify the convention of the Council of Europe because that is the only way in which our data will be acceptable to other countries.
Even more important than that, I welcome the Bill because whatever its failings it removes a few—not all—of the many uncertainties which face data users and, more importantly, it removes a few of the uncertainties that face data subjects. For that reason, I hope that we shall proceed with the Bill.
§ 5.9 pm
§ Mr. Patrick McNair-Wilson (New Forest)
I welcome the Bill even though, inevitably, it will be but a first step along a long road. The House must be careful not to panic or to panic those outside into believing that every citizen is in grave danger. I do not believe that. If we wish to live in a world in which we can go into a shop and buy goods without money in our pockets, someone must have a record of our creditworthiness. That information will have to be quickly accessible if people wish to walk out of a shop having bought goods.
The way in which data are described in the Bill will become part and parcel of everyday life. I wish to declare a personal interest. I should like to take up the remarks made by the right hon. Member for Birmingham, Sparkbrook (Mr. Hattersley) and also to ask the Minister whether he can clear up a problem of definition. A great deal has been said during this debate about what the Bill does and what data are as stated in the Bill.
Clause 1(2) states:'Data' means information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose.Clause 37 states:'data material' means any document or other material used in connection with data equipment;That could lead to a significant difference in interpretation. It could meet head on the point made by the right hon. Member for Sparkbrook about hard copy. Data can be stored in several ways. Tape is the simplest form but more usually it is on disc. The print-out from a computer, known as "hard copy", is little more than a straightforward file. The impression has been given by the Opposition today that the Bill deals only with those data, that can be used through a machine. Perhaps the Minister will at some point clarify the distinction between the interpretation in clause 1 and clause 37, because that is a material point.
§ Mr. Henderson
I have been following the remarks made by my hon. Friend very closely. I have a suspicion that a computer print-out as not data protected under the terms of the Bill. Does my hon. Friend have a view about machine-readable print-outs, such as are frequently used for cheques?
§ Mr. McNair-Wilson
My hon. Friend the Member for Fife, East (Mr. Henderson) has raised an important area of doubt. I understood from my right hon. Friend the Secretary of State that the House was dealing exclusively with material that could be machine read in the terms of 573 a computer. Comments were made about the manual handling of data but clause 37 shows that the net is wider. Perhaps my hon. Friend the Member for Fife, East and I will have to wait until later in the Bill's passage to find out which of those two views is correct.
The background to this Bill has received some comment in the debate. The genesis was the Lindop committee, which was set up in 1976. That may not be a long time to many people, but in this area of technology seven years is a long period. Are the contents of the Bill truly relevant if they were drawn up in the light of the Lindop committee's recommendations, which were published in 1978? As technology has taken giant steps since then, should the Government make it clear that the procedures that have been established in this Bill will be subject to daily review to take account of technological changes which may occur?
§ Mr. Deputy Speaker (Mr. Ernest Armstrong)
The hon. Gentleman said he has a personal interest. I am reluctant to intervene, but will he tell the House what it is?
§ Mr. McNair-Wilson
I am associated with companies in the manufacture of computers, but not in the storing of information.
The interesting factor about the computer of today is that it can communicate with machines of different makes. It is possible, as was shown the other day, for the computer at the Swansea registration centre, which deals with vehicle registration numbers, to communicate directly with the Hendon police cental computer. Abuse of the system can lead to grave breaches in the law. Recently a doorman at a gaming club was able, through a contact in the police force, to pass on information that someone had made a large sum of money, identify the car that that person drove away in, discover quickly through the contact to whom the car belonged and subsequently there was a major robbery which removed from that gentleman all of his lovely winnings. That speed of contact through different systems will be come more widespread.
I appreciate that the private home computer operator is left out of the terms in the Bill. With the correct mode it is possible for an individual to go in through Post Office lines to a wider network of other users. With the establishment of the local area networks and subsequently the national area network, the House must be careful to keep a watch on the group that is presently exempted because of its ability to communicate on an almost national basis with computers. This is an area where the problems of coercion, bribery, the ability to break security networks and to know passwords, which will let a person into another computer terminal, must be carefully monitored.
The Bill could be seen in two totally distinct lights. First, I do not, as an individual, wish anybody to hold any information about me on a computer without my permission. That could be a perfectly logical way of examining the question of computer data storage.
The second position is that everybody should have access to as much information as possible. The Bill is and will be the subject of a great deal of interest outside the House. Hon. Members will be lobbied on those two distinct attitudes. Either my privacy is not to be invaded at all or there should be the freest exchange of information possible. To draw up a Bill which will satisfy those two 574 extremes of opinion is virtually impossible. The Government must proceed slowly and ask what the various terms in the Bill mean. It is suggested in clause 2 that the information should be held for one or more specified and lawful purposes. Would that included having creditworthiness established for a person to hold a credit card and to allow that person to enter a shop and buy goods or would that also enable a mortgage company to have access to that information for the purchase of a house? We need some clarification.
I am also concerned about how an individual data subject—as it is termed in the Bill—will know that he or she has the right to all the information promised in the legislation. According to the legislation, information shall not be withheld from data subjects if they require it. I should like to know how the Government intend to make that more widely known. Will there be an advertising campaign telling people who are concerned about what is held on computers how they can find out about it? Without something like that, this legislation may well be of interest merely to a very small group of individuals, who are probably in companies dealing with the information anyway. I am concerned that the legislation should become not just a register of the good but should also take account of trapping those who are not so good.
I shall be corrected if I am wrong, but I should think it unlikely that the ombudsman would be able to do anything about the registrar. Presumably, the Office of Fair Trading would be able to do something. Again, it would help the data subject to know whether there is a fallback position should the Bill's provisions not provide the answer that he seeks. There is a danger that Parliament may try to legislate for everything. Governments of all colours tell the electorate that legislation will be simplified. Many of us have always hoped that legislation would be limited, but it never is. When the Bill is enacted, it will be a useful guide, but I suspect that many of its provisions will be subject to interpretation in the courts. Therefore, we must make it clear that we are not crossing every "t" and dotting every "i". Information will inevitably exist, but the point at issue is its abuse. I very much hope that the Bill will not merely endorse the good behaviour of those who are already doing a first-class job, but will also ensure that neither the doorman at the gaming club nor anyone else is allowed access to information that is detrimental to society in general.
§ Mr. Andrew F. Bennett (Stockport, North)
I give this Bill a rather mixed reception. On the whole, the Government have missed a good opportunity to introduce a major piece of legislation. When they look back at the Bill over the next few years, they will realise that they failed to take that opportunity. I have a suspicion that the Government have not even met the requirements of the European convention and, if so, that is tragic. Equally, the Government have failed to reassure the public and to increase their confidence in the information that is held, particularly on computers. If the Government have missed those opportunities, it is very sad. It will no doubt mean increasing demands for more effective legislation in the next few years.
Almost everyone is afraid of being held on some list. When I was in primary school, one of the teachers had a system for controlling the whole class that seemed to work admirably. When there was a little too much noise in the 575 classroom, the teacher simply announced that unless we were careful, our names would be put on a list. At that age, we never stopped to inquire what list, but the threat of being put on a list quelled the noise. On rare occasions on a Friday afternoon—usually a wet Friday afternoon when games had been cancelled—the teacher had to go a little further and would threaten to get the book out in which the list was kept. I do not suppose that there was a list, but it certainly kept us youngsters in good order.
Most people fear that they could be on a list and know nothing about it. In addition, they feel that they have a basic right to know whether they are included on someone's list and what information has been put down against their name. They want to know, partly out of curiosity and partly out of concern, that the list is accurate. All hon. Members have met constituents who have been concerned because they have found difficulty in obtaining credit. It has been found that they were on someone's credit rating list and have either been inaccurately included, or have had inaccurate information put against their names. Some of my constituents have clearly been on an employer's blacklist. Again, that causes them great concern.
About five years ago, one of my constituents applied for four or five engineering jobs in Stockport and each time he was turned down. Eventually, I spoke to one of the personnel officers, who rather indiscreetly told me that so-and-so must have worked at that factory and led a dispute there, and that is why he could not get a job. When I checked, I found that the man had never worked at that factory and that the reference was to someone else with the same name. It was clear that there was a blacklist that applied and that my constituent had been identified on it quite wrongly. I could cite many other instances.
All hon. Members will have come across constituents who have received demands—usually printed by a computer—for various sums of money. They have then either paid the money or have got in touch with the firm and have corrected the information. However, some months later they have received further demands, because the correcting of that information never found its way on to the computer. That is another instance that justifies the fears about the way in which lists are kept.
I am particularly concerned about school records. As an ex-teacher, I am well aware that many of the school records kept on children are inaccurate, out of date, badly dated and often include opinion rather than fact. Indeed, the opinion is also often out of date. I have frequently described the school record of a child who was going from junior to secondary school. It simply had on it "Suspected thief." That was written against his name and was almost bound to colour the attitude of any teacher that saw his record on his arrival at secondary school. Did it mean that he had been caught in the cloakroom from which money had disappeared and that it was almost definitely him, although some teacher had been squeamish about saying so, or that the whole class had been present when some money had disappeared and that a teacher had carefully noted it on the records of all of the children? That information should not have been passed on to a secondary school unless there was hard evidence to show that such theft had happened not just once, but repeatedly.
I have seen other comments on school records about the relationship between a child and one of his parents, about the fact that his parents were splitting up and so on. Such information should not he included in school records. In 576 addition, parents should be able to check the accuracy of those records. Once children have reached 15 or 16, they should have the right to look at their school records. Often a precis of the school record is sent to an employer and can effect an individual's job opportunities. I am frequently told that, if parents are allowed to check on the records, lots of things will not be recorded. That would be good. From time to time, pieces of information about a child—such as difficulties at home—may be relevant for a week, or for a month or two. If that information is in a teacher's mind, or is passed on to other teachers, it will be remembered as long as it is relevant. However, once it has become history, it will no longer be relevant, will be forgotten and there will be no need for any continuing record of it.
For many years I pressed first the Labour Government and then this Government to do something about school records. I was always told that that would have to be included in a major piece of legislation covering the whole issue of data protection. I admit that during the passage of the Education Act 1980 the Government reluctantly agreed to bring forward regulations dealing with school records, but to date they have not given the right of access to parents. However, some local authorities have gone some way towards achieving that.
It is unfortunate that this legislation does not deal with school records. Indeed, in many ways it makes the position worse because if a school keeps its records on children on a computer at the school, that will be covered by the legislation, but if a school uses manual records, that will not be covered. The Government have made a great drive to encourage the introduction of computers into schools. It is therefore crazy to teach children to use computers when their teachers are still recording information manually, especially factual information about children's attainments. It will be logical for children to ask why that information is not kept on the school computer. If the school uses a computer it will be covered by the legislation, whereas manual records mean that there is no right of access to information for parents or children.
If the Government introduce legislation that covers computer systems, but not manual systems, that will discourage people from transferring from manual systems to computer systems. Therefore, it is important that the Government ensure that the legislation is comprehensive and covers information held under all systems. We have already been told of the difficulty of defining a computer and the types of equipment covered by the legislation.
The British Medical Association and others have put forward a fundamental point about medical confidentiality. We must ensure that information collected for one purpose is not passed on to other groups of people. There must be no exceptions. I fully agree with my right hon. Friend the Member for Birmingham, Sparkbrook (Mr. Hattersley) that this legislation, when coupled with the Police and Criminal Evidence Bill, provides major areas for concern.
Several local authorities and local authority associations have expressed concern that the legislation will create considerable additional costs for them. I do not have a great deal of sympathy with the argument that local authorities should be exempt. It is important that they are included. However, some local authorities such as Stockport have been trying to pioneer the use of computers for maintaining many of their records and information. The legislation should not put such local authorities at a 577 disadvantage. Stockport keeps all its information on housing benefit for individuals on a computer, and will be subject to the provisions of the Bill—yet the supplementary benefit offices that keep almost identical information will not be subject to the legislation and there will be no way in which an individual can check the accuracy of the information. We should deal with them in the same way.
Stockport allocates its houses on the basis of points given for certain reasons. I hope that the Government will confirm that the legislation will cover not only the right of an individual applicant on the computer to be told the basis on which the points have been accumulated, but also provide the right for him to see the manual records from which the information is fed into the computer. It would be nonsense if an applicant could see only the computer print-out and not the manual information on which the number of points were originally allocated.
I hope that the Government will make it quite clear that they will deal with those anomalies, which appear to discourage local authorities and others from moving from manual systems to computer systems. It is important to ensure that everyone registers and that we do not discourage people from moving to the newer technological records for keeping information.
The unsolicited post that people receive has already been mentioned in the debate. It causes me a great deal of annoyance. Can the legislation be used to check on the practical problems caused by people being able to sell mailing lists that have been acquired in many different ways? I am on a list as A. C. Bennett, and I receive a large number of unsolicited letters addressed to that name. If I could check on who sold the original list, I could ensure that my name was changed. However, I do not think I could have my name taken off the list. I see little point in having my name corrected, when what I want is that my name is taken off the list altogether so that I do not receive so much rubbish that fills up my dustbin. A previous owner of my home still has his name on a list and I receive a great deal of post addressed to him. Could I stop that post by letting the person who sold the list know that the address was now out of date?
I am concerned about how long information can be kept on computer records. After a period of seven years, minor criminal offences are no longer recorded. How long will information about people's creditworthiness be maintained on records? There is concern that if someone is given a low rating for creditworthiness it will be extremely difficult to have that corrected. Although that information may be factually correct, it may have been a bad debt when a person was only 19 or 20, and he may how have reached 30. If criminal records can disappear after seven years, surely tardiness in paying a debt, or even court action to obtain payment of a debt, should be treated in the same way. I understand that the legislation covers only those inaccurately placed on a list, and does not impose a time limit.
I agree with the comments made about the advantages of the use of plastic cards to pay debts. There has been a great deal of fuss in Greater Manchester about the attitude of the chief constable to the arming of police. I very much regret the way that he obtained publicity for what he was doing. He did not concentrate on one of the major problems, which is the need to reduce the amount of cash that is moved about in such areas as Greater Manchester 578 and which makes a target for crime, especially violent crime. He would have better served the community if he had stressed the advantages of money being moved not in cash, but as cheques and plastic money. That would reduce the opportunity for criminal activity. I fully accept that that means that we must have credit ratings for individuals but a move towards a cashless society would greatly reduce the opportunities for crimes of violence involving cash, although it might provide more opportunities for forgery.
I hope that we shall see systems of creditworthiness which encourage the development of a cashless society that are fair and do not provide one system for the rich and another for the poor. If one already has a bank account or plastic money, it is surprising how much credit one can get without any questions. People on low incomes who do not have those opportunities are severely disadvantaged.
I therefore give the Bill a doubtful welcome. We need a much more effective Bill. I hope that it can be improved in Committee but, if not, I am sure that the House will return to it on many occasions until we have an effective measure that meets the requirements of the European convention and the basic requirement of people in this country that they should not be on someone's list without knowing about it.
§ Mr. David Atkinson (Bournemouth, East)
I share some of the reservations of the hon. Member for Stockport, North (Mr. Bennett) and some of the other reservations that have been expressed today. Apart from that, I broadly welcome the Bill but regret the length of time that it has taken to bring it before the House.
As the computer revolution has been under way for at least 20 years—I received in my post this morning a press notice about a new book entitled "Towards Fifth Generation Computers"—the Bill can be regarded as somewhat overdue. The Younger report on privacy was published 11 years ago, and the White Paper was published eight years ago, so I accept that it is not the Government's fault that legislation has not been introduced before now. I also accept that there appeared to be little tangible evidence in last year's White Paper that information held on computers in this country was being used to threaten personal privacy, but that is certainly not the case in the United States where the computer revolution is much more advanced than in Britain.
It is difficult not to gain the impression that the Bill would not be before the House now but for the fact that we are required to ratify the European convention. Even though I am one of this country's representatives on the Council of Europe, I do not always agree with the conventions that come out of the Council of Europe, but I accept that, as a member state, we should abide by them.
The delay in introducing the legislation should have enabled us to benefit from the considerable debate in the Council of Europe, which gave rise to the convention. I hope that that has been the case. It should also have enabled us to anticipate any consequences of the rapid development of equipment and the use of computers in schools and colleges. The Government's policy has been to introduce computers into secondary schools, primary schools and colleges of advanced education. I hope that that has been the case, although there is no reference in the Bill to show that the Government have taken that into 579 account. I hope that no reference will prove to be necessary in the future, or we shall have missed an opportunity.
One of the opportunities that has been missed, to which reference has already been made, is that we are not also legislating to protect against manual records and against, as I understand it, computer print-outs. The Dorset branch of NALGO has written to me to point out that half the complaints received by the European Data Protection Commission are the result of manually recorded records. That is, of course, obvious as it takes time to put manual records on to computers. School reports, which have already been mentioned, employees' references and doctors' files on patients are held manually until they go on to computer. Political records are also held on manual records. I do not know whether any political party has it in mind in due course to place the records of its membership on computers, but the House should know that, for some time now—indeed, ever since it was formed—I have been a member of the SDP. Ever since the party was formed—I will not use the word "established" because it has not yet been proved that the SDP has been established—I have received a wealth of information through my door—I moved house two years ago but I assume it is still coming through that door—because my name had been included in its membership files. I think that I am honoured—I do not know. Perhaps I am not. However, I must stress, Mr. Deputy Speaker, that, although I received a membership card saying "Membership subscription paid"—the annual subscription to that party is £9—the party missed out on that score. The SDP said, about a year ago, that it was Britain's fastest growing political party but, clearly, if it is sending out membership cards saying "Thank you for your subscription" and including my name and many others on its list, there are a lot of bogus names on the list of Britain's fastest growing political party. I do not know whether the Bill protects me from the SDP or the SDP from me, as my name is on its list of members. I believe that clause 31 protects the party from me, because it applies to members of clubs and I assume that the SDP is probably still small enough to be described as a club.
§ Mr. Henderson
This is an extremely interesting point. I would not say that the SDP is a club, although there are those who say that it is a very cosy club indeed. But my hon. Friend is not a member of the club. Despite that, his name is on its list. Therefore, it is not holding records only about members of the club and it would have to register.
§ Mr. Atkinson
It is a difficult problem. While the number of Members of Parliament under the SDP banner is now sufficient to fill more than one taxi or telephone box, whether that will apply to members of the party outside the House I cannot say.
Manual records will be with us for a long time to come. For example, it is estimated that about 95 per cent. of personal medical information in this country will be held on manual records for the foreseeable future. Excluding them from the Bill may encourage data banks to revert to manual systems for their more personal, sensitive data—a fear that has already been expressed in the debate. I regret that we are not using the Bill to protect the individual against the unauthorised disclosure of information held on manual recording systems. The principle is the same. My 580 right hon. Friend the Home Secretary said earlier that that would require an expensive bureaucracy. Nevertheless, there is evidence of abuse and mistakes, not least by Government Departments.
Last month a constituent came to see me to express concern that a decision that had been made by a review body on his claim for an attendance allowance had been turned down because of inaccurate information about his wife who, he pointed out, had not had a hip replacement operation as was stated on the records. That was not the reason why, according to him, she required an attendance allowance. He was even more concerned because the decision on the claim for attendance allowance which was returned to him—the decisions are apparently returned with a copy of the original appeal—referred not to his case but to a claim for attendance allowance on behalf of someone else. The confidential information to back up someone else's claim for an attendance allowance was sent to him by the Department of Health and Social Security in Norcross near Blackpool. That was disgraceful. If the person whose information had been sent knew about it, he would clearly be concerned. I am sorry that the Bill excludes from protection the information held on manual records.
Many of uŚ have had our attention drawn to the initial concern expressed by the British Medical Association before the Bill received a Second Reading in another place. I have not checked the Official Report to discover how the Government allayed the fears that were expressed, if, indeed, they have, and so I shall repeat some of them now.
Part IV deals with exemptions from access by individuals and the non-disclosure by certain categories of user. If, in exceptional cases, a transfer of information is made to a computer system which is classified as exempt, the BMA believes that each transfer of personal medical information should be recorded, together with a description of the type of information that has been released. The BMA believes also that adequate safeguards must be incorporated for the destruction of medical information that is transferred to exempt systems when the purpose for which the transfer was made is no longer relevant.
Representations have been made by the Guild of Catholic Doctors to the effect that if a doctor seeks clinical information about one of his patients it should not normally be necessary to obtain the patient's consent, or that of his nearest relative if he is detained or incompetant to give consent. If information were sought by a third party, including a doctor not treating the patient, information could be given only with the patient's consent or, if he were detained and incompetent to give consent, with the consent of his nearest relative, if available and able to give consent. If the patient were incompetent to give consent, the certificate of consent should be provided by a responsible medical officer.
I recall an interesting and important debate that took place when we were considering the Mental Health (Amendment) Bill in Special Standing Committee last year. The debate turned on the definition or substitution of the term "nearest relative". In today's society it is a description that is no longer quite so easy to define. Clause 29 provides the Secretary of State with powers to order exemption or modification of the provisions of access. Will this be relevant to health records?
581 I shall be glad to have my hon. and learned Friend's advice on social service records. For example, what will be the rights of a foster child to apply for information—computerised information and records—on his birth and his real parentage? Will he or she be able to gain access to that information only after reaching a certain age—for example, 18 years? Will it then be considered sensible for that information to be available to him or her?
On Second Reading in another place, it was suggested that an amendment should be made to ensure that the right of subject access should be excluded when it related to medical information that had been disclosed in confidence. Safeguards in respect of releasing medical information to the police were also called for. These calls are already familiar to us. They have come from doctors, priests and the press, which is concerned about the Police and Criminal Evidence Bill. The powers that are offered to the police in that Bill will allow the inspection of non-computerised records of the professional advisers of suspects and potential witnesses. They appear to me to nullify the protection that this Bill offers in respect of computer records.
This suggests that a bill of rights defining the powers of Government and the rights of citizens to appeal against them is long overdue. I recall the commitment that appeared on page 21 of our manifesto to discuss the possibility of a bill of rights with all parties. I understand that that has yet to happen. I look forward to learning from my hon. and learned Friend what plans the Government have within the context of the Bill for a bill of rights to protect individual freedom.
§ Mr. Ian Wrigglesworth (Thornaby)
The hon. Member for Bournemouth East (Mr. Atkinson) referred to the time that has been taken to introduce this proposed legislation. I heartily agree with the criticism that he levelled at previous Administrations, but I appreciate that we are not dealing with an easy subject and that that may be a reason for the delay. However, the first attempt to place legislation on the statute book was made as long ago as 1961 in another place. On that occasion, Lord Mancroft sought to introduce a Bill. That was followed in 1967 by the attempt of the hon. Member for York (Mr. Lyon) to introduce a Bill on privacy. The Minister for Industry and Information Technology also sought to introduce a Bill in 1969. There is a long history of attempts by individual Members and Administrations to take action on this issue.
Some of the objections to the Bill could be covered more adequately if we had introduced the recommendations in the Younger committee's report on privacy. There is within the range of those recommendations enough material to construct a Bill to protect citizens' rights of privacy. I regret that it has not been possible to place the recommendations of the Younger committee on the statute book.
It has been suggested that manually-kept records have been excluded because the Lindop committee did not recommend in 1978 that they should be covered by the measures contained in the Bill. However, the Lindop committee's report followed two White Papers on this subject which were published by my right hon. Friend the Member for Glasgow, Hillhead (Mr. Jenkins). Its terms of reference were restricted to computers, and therefore, it 582 cannot be said that the recommendations of that report form a justification for the Bill's lack of coverage of manual records.
Although the Bill will be given a fair passage on Second Reading, it has been criticised because it has considerable deficiencies. Like others, I see it as a missed opportunity by the Government to introduce a more comprehensive measure that would protect individuals' rights to privacy.
The Government have sought to demonstrate that the Bill will ensure the protection of those rights, but it is my impression that the Government are promoting a Bill to bring our domestic legislation into harmony with the European convention so as to facilitate our commercial links with Europe. They are doing so with the minimum possible change to existing practices of Government Departments that handle the data that will be covered by the Bill's provisions. It is unfortunate that the thrust of the Government's action has been an attempt to introduce a Bill that will comply with the European convention instead of taking the opportunity to protect more fully the rights of the individual.
One of the major criticisms of the Bill is that the right of individuals to have access to personal data held about them in computer files may be denied on the ground that such access would be prejudicial to national security, the prevention of crime, the detection of criminals, the collection of taxes and duties, or the control of immigration.
In my view, and in the view of many of my hon. Friends, the exemptions are drawn too broadly. I hope that, as the Bill proceeds through the House, the exemptions will be tightened considerably to ensure that those who are not presently to be given access to information will be able to do so. For instance, the test for exemption might be strengthened to require serious prejudice to be demonstrated in relation to criminal offences rather than to provide for only prejudicing the outcome of a case.
I understand doctors' anxieties about the confidentiality of their records. The Government should take note of those anxieties and try to meet them in Committee. Patients should also have access to some of their files. Doctors sometimes unnecessarily restrict access to information, although a more enlightened view is often taken today. A restriction might rightly be placed on information because it could damage a patient's health. Such a restriction and limitation is fair and reasonable and would not upset the doctor in carrying out his work, but it would give the patient adequate access to records. Reference has been made to how damaging some records can be to an individual's future.
Several other aspects of the Bill which have not been referred to also worry me. Clause 22 provides a major loophole in relation to liability to pay compensation. It excuses a data user who holds inaccurate data if the data are supplied by a third party. A data user will not be liable to damages when he fails to check the accuracy of information supplied by a third party. A data user should be required to take reasonable steps to ensure the accuracy of the information supplied.
Some people argue that data users should be liable for the accuracy of their data as they create the risk of harm by activities from which they profit. It is clear that the loophole is unacceptable since many data are supplied by third parties rather than by the data user's researchers. 583 That major loophole should be closed to ensure that third party information is not used unless the holder of the information is liable for any inaccuracies.
The Bill contains another serious defect. It does not require separate register entries for personal data information obtained, held or used for different purposes by the same user, although it permits such separate registration. That could be dangerous. The Bill requires the registration of data users rather than data banks or data systems held by the users, but it makes no provision for control of linkage, correlation or transfer of data between systems held by one user—for example, an enormous Department such as the Home Office. Each system or data bank should be required to be separately registered and connections between such data banks or systems should be regarded as disclosures subject to the data processing principles in the Bill. Otherwise, major computer systems with numerous different data banks—some have a substantial number—will be able freely to exchange data between banks created for separate and distinct purposes without any supervision, regulation or control. I hope that the Minister will respond to that and that, if he cannot explain it today, we can discuss it in Committee.
A right of appeal for data users is contained in the Bill. The House should also consider the data subject's position. The person whose information is contained in the data bank cannot appeal against a decision to register a data user or a decision not to issue any of the notices which the registrar can issue. A data user's interests are protected by appeal, but the subject's interests are not so protected. Since the basic purpose of the legislation should be to protect the data subject's interests, a right of appeal for subjects detrimentally affected by a registrar's decision is appropriate. I hope that the Government will consider including such a right in the Bill.
Reference was made in another place, in the press and elsewhere to the broad provisions for exemption relating to national security. Clause 17 refers to a provision to which I have long objected—section 2 of the Official Secrets Act. That clause allows the registrar access to information. He, his staff and tribunal members, or their servants or agents, are covered by section 2 of the Official Secrets Act. That is too broad a provision. I am opposed in principle to section 2. We need a narrower definition, but I do not believe that the Bill should provide that the registrar, tribunal members and their staff are covered by it.
A major defect in the Bill was referred to by the right hon. Member for Birmingham, Sparkbrook (Mr. Hattersley) when he spoke about the Lindop committee and the establishment of a registrar's office rather than a data protection authority. Lindop recommended that a data protection authority should be established and that legislation should enshrine the principles contained in the Bill. The committee also recommended that the data protection authority should have maximum independence consistent with public accountability. It said that it should be a full regulatory authority, not merely an investigative and advisory body.
The registrar established under the Bill is not of the type envisaged by Lindop. Partly for the reasons mentioned by the right hon. Member for Sparkbrook, I do not think that the registrar will retain respect and confidence. I hope that the Government will reconsider. I know that the Government are worried about the attitude of some of their Back Benchers towards quangos, but if they want the Bill 584 to be effective they should reconsider. Some of the registrar's duties set out by Lindop are not contained in the Bill.
One of the duties recommended by Lindop was to issue legally enforceable codes of practice applicable to the various types of data held, the purposes for which they are held, and the various data user/data subject relationships. Each code must specify the data handling to which it applies and the measures to be taken by users to achieve the level of compliance with the statutory principles considered necessary in each category. The committee sets out detailed codes of practice for data users. It is unfortunate that that proposal by the Lindop committee has been dropped. I hope that the Government will consider codes of practice to help users to operate within guide lines of the kind envisaged by Lindop.
The Bill is a missed opportunity, but it is a move in the right direction in that it will establish a form of authority to monitor these matters. It therefore deserves a Second Reading, but I hope that, by the time it returns for Third Reading, it will have been modified to give greater powers to the data subject and to strengthen his rights in a way that the Bill, as drafted, does not provide.
§ Mr. Nicholas Baker (Dorset, North)
I wish to make a number of points, but I shall do my best to compress them into a short speech.
I welcome the Government's introduction of legislation in this area. The House spends a good deal of time legislating about nationalised industries, crime, local authorities and education, but we are always behind in producing legislation made necessary by advances in technology. That certainly applies to computer storage of information, and the European convention that we have signed makes the legislation even more urgent. Incidentally, I am also concerned about the danger to our copyright business. I believe that that parallels the danger to our computer industries, which the Bill is designed to protect just as it is designed to protect the data subjects.
The Bill is not a bill of rights. I know that my neighbour, my hon. Friend the Member for Bournemouth, East (Mr. Atkinson), favours a bill of rights in this area. Perhaps we should debate the need for such legislation, although I should probably find myself on the opposite side from my hon. Friend but the Bill before us is not a bill of rights and should not be regarded as such.
I do not share the views on individual privacy expressed by many hon. Members on both sides. I see nothing sinister in other people holding information about us. In general, I favour an open society with more open government. I welcome any move towards that and I see openness in individual matters and in Government matters as going hand in hand. To me, therefore, there is a major inconsistency on the part of those who argue for more open government but regard any third party obtaining information about individual citizens as sinister and a development against which the individual should be protected.
Unlike my hon. and learned Friend the Member for South Fylde (Sir E. Gardner), I am not unduly frightened at the amount of unsolicited offers and correspondence that comes through my letter box. One of the easiest tasks of my day is directing all the free offers and information about free cars and other prizes into the waste paper 585 basket, although I have some sympathy with those who receive large numbers of unsolicited letters from their Members of Parliament.
I am concerned about the misuse or abuse of information held about individuals, but I do not believe that the Bill will seriously check that. That is why I asked the right hon. Member for Birmingham, Sparkbrook (Mr. Hattersley), about the misuse of manually stored information. Such information has certainly been abused over the years and people's positions have been prejudiced in various ways as a result, but I do not believe that that problem would be solved by setting up a large register or even by giving people the right to know what information is held about them. In my view, that is not the whole and is possibly only a very small part of the answer. People need to be protected in terms of their employment, their race or their criminality, by safeguards in those specific areas.
The development of mechanical processing of information makes it more important to guard against abuse in the future and brings a new dimension to the problem. Nevertheless, as others have said, in three years of work the Lindop committee apparently found no one who claimed to have suffered as a result of the practices against which we are so concerned to protect the data subject. Moreover, the right of access for the data subject under clause 21 and the strength of that protection have not been adequately brought out in the debate.
My worries about the Bill relate principally to businesses, especially small businesses. First, there is a very wide definition of "personal data". The European convention, too, gives a wide and uncertain definition. According to the Bill,'Personal data' means data consisting of information which relates to a living individual who can be identified from the information.and'Data' means information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose.That is extremely wide. It seems to me beyond doubt that the Bill will cover information held on a computer of any kind as well as word processors, microfilm equipment and the wide variety of electronic machines on which information is now held. The number of businesses that have information on word processors, for example, must run to many thousands. Any information or documentation held on such machines could be the kind of personal data that are subject to the registration requirements.
The registration requirements are very strict. It will be a criminal offence to hold personal data unless the holder is registered as a data user and to use it other than for the purpose for which the user has been registered. A considerable amount of information will be required by the registrar. He will require a description of the personal data to be held and the purposes for which it is to be held. The purposes are bound to change from time to time, so the suggestion that registration would be a once-for-all matter is pretty far off the mark. The registrar must also be informed of the persons to whom the information is to be disclosed. That class of persons, too, will probably change from time to time. He also requires to know the countries to which information is to be transferred.
The implications of all that are very far-reaching, affecting small and larger businesses and creating a 586 massive amount of extra work. My right hon. Friend the Home Secretary referred to the need to avoid cumbersome bureaucracy, but my first impression of the Bill suggests that it may come close to creating just such a bureaucracy. Most information that is stored will fall within the definition set out in the Bill.
§ Mr. Timothy Smith
I share my hon. Friend's anxiety about the bureaucratic burden on small businesses, but is he right in saying that the Bill extends to word processors and microfilming? If so, that would worry me. Processing is defined in clause 1(7) asamending, augmenting, deleting or re-arranging the data".I wonder whether either of those two machines is capable of doing that. Word processors process words, not data, and microfilming involves merely a reduction in the size of the information.
§ Mr. Baker
Words contain data. My understanding of the Bill, which is supported by a number of professional lawyers in London who have read the Bill, is that word processors are included. One example is that people keep standard forms of documents on word processors, and one only has to have individuals' names, or anything that could be defined as personal data, in such standard documentation to be well within the definition of the information about which we are talking. I hope that the Government will consider this and assuage our anxiety. I am worried about this matter.
I believe that the Bill will cover small tradesmen keeping information about customers. It will apply to the press who store information on such machines, printing trades and journalists. If that does not worry my right hon. Friend the Home Secretary, it will worry the press.
The registrar has the power to enforce compliance with the rules and the power to remove users from the register. Both powers are severe. I am a little worried about the power of deregistration. It could halt a business and prevent someone from carrying on his business. I believe that the powers given to the registrar in that respect are not flexible enough.
I believe that the cost of the registration system, for the reasons I have outlined, is likely to exceed the £650,000 mentioned in the preamble to the Bill. I cannot believe that an initial requirement of 20 staff is likely to last long. I share the worry that has been expressed by others about the cost to local authorities, and I agree with the hon. Member for Stockport, North (Mr. Bennett) that it would be wrong to exclude local authorities from registration.
The Home Secretary should reconsider the registration system because I believe that virtually every business—I declare an interest as a partner in a business of 150 people which has word processors and a small computer which is clearly within the definition—will hold a mass of trivial and unimportant material as will the register. I do not believe that the convention required registration. I suggest that we should have a registrar but not require the automatic registration of everyone who falls within this wide definition. Legal, criminal sanctions on those who misuse information, as that is defined, should protect data subjects.
I believe that the Bill should give the Secretary of State power to require registration of certain topics. The registrar also should perhaps have the power to require registration on certain grounds. Those that I have in mind 587 are the ones set out in clause 2(3)—politics, health, race, criminal activity and other matters. We all agree that they are of great interest and sensitivity to individuals.
I have some minor worries about the Bill that I wish to mention briefly so that they can be considered in Committee if they are not answered at the end of the debate. I believe that the registrar should be required to give preliminary notice of an infringing practice rather than to take immediate steps to enforce an order which would, in effect, put a data user out of business before he has had the chance to correct the infringement.
I believe that the individual's right to rectification of any inaccurate personal data is not strong enough. I refer the Minister to the rights of individuals under the Consumer Credit Act 1974 which are much stronger and offer a good model.
There are difficulties for businesses transmitting information to branch offices overseas which, when professional and other businesses are expanding overseas, should not be dismissed lightly. I hope that the Minister will look at this matter.
Although I have a number of worries about the Bill, I support its intention to protect our computer industry. I welcome the protection for data subjects, but I hope that the Minister will consider the anxiety expressed on both sides of the House on the points that have been put forward.
§ Mr. Michael Meacher (Oldham, West)
As most other hon. Members have said, I believe that this is a potentially useful Bill and one for which I have called strongly in the past. However, I believe that it has been ruined by the small print of the Home Office's seemingly ineradicable passion for secrecy and obstructiveness. It is not a civil liberties Bill, and that is the basis of so many objections to parts of it. If it were, the Government would not have stamped so ruthlessly two years ago on the Freedom of Information Bill 1981, which was the opposite side of the data protection coin.
Like others, I believe that the Bill is more an attempt, under pressure from a number of multinational companies such as Lucas, to block the loss of exports to the United Kingdom arising from the current lack of safeguards for transborder data flows. That bias is in the motivation behind the Bill is all too apparent and has allowed Home Office officialdom, compatible with the crucial commercial objective, to reduce or even negate the civil libertarian aspects of the Bill. It does this most obviously by excluding manually-held data.
My right hon. Friend the Member for Birmingham, Sparkbrok (Mr. Hattersley), in what I think was a singularly learned and effective speech for an ignorant data user, made the point extremely forcefully and well. Most complaints are about manually-held data. That is hardly surprising because the overwhelming amount of data, including sensitive data, is held manually.
I believe I am right in saying that all west European data commissions, with the possible exception of Denmark, have manual data within their purview. This exclusion restricts the relevance and usefulness of the Bill as a great deal of sensitive data is held manually. As my right hon. Friend the Member for Sparkbrook said, 95 per cent. of medical records—from what the BMA tells us—personnel records in small companies, detailed files on social security claimants, child abuse registers and so on is held 588 manually. That overwhelmingly important change must be made in Committee or before Third Reading before the Bill can make any claim to respectability.
First, the exemptions go far too wide. I follow in the footsteps of many of my right hon. and hon. Friends, and, I am glad to say, some of the criticisms by Conservative Members, in saying that. It is not a party point. No one suggests that genuine national security records should be revealed. No one is so stupid as to suggest that. However, where it is known that the security services are assembling a computer capability—I refer to the Ministry of De fence X computer in Mount row, Mayfair—to hold a comprehensive filing system on every individual in the country, the argument for at least supervision of such a system by an independent registration framework, is surely all too clear.
When it is also clear, as it is from the Bill, that a transfer of data could be made from a registered user to a non-registered user—for example, by the security services and the Special Branch—without that transfer being known to the individual, being made public in any way, or registered, surely that is deeply disturbing to all hon. Members. When information can be given in good faith by an individual to one authority for one purpose, and then it is transferred without his knowledge or consent to another authority—for example, the security services—surely 1984 is with us with a vengeance. That serious aspect of the Bill would worry most people.
It is also essential on this issue of exemptions, which I am sure will dominate the Committee, particularly in respect of the security services, that Special Branch files, while not being revealed—no one will ask for that—should be independently supervised. We all know that police information—after all, the police are fallible, like us all—can often be irrelevant, out of date, incomplete or inaccurate and that the unchecked circulation of such material can often be extremely damaging. The notorious case of Mrs. Jan Martin illustrates that point well. About two years ago she was deprived of a job because while holidaying on the continent her husband had been falsely identified as a member of the Baader-Meinhof gang by someone who told the Dutch police, who then told Scotland Yard.
I say all that in the light of the known fact that when chief constable Alderson, to his credit, ordered that Special Branch files in Cornwall and Devon should be investigated, they were found to contain dossiers on certain persons on no other grounds than that they were anti-nuclear, anti-apartheid or gay. There is no reason why we should not adopt the Swedish precedent of having a duly-appointed security-cleared officer who would at least inspect such files and ensure that the material on them was appropriate.
My second criticism is that the right of access for an individual to see the files on himself or herself is by no means automatic under the Bill. It is shot through with huge gaps. It is wrong that records of criminal convictions will not be disclosed under the Bill as it stands, since information that is wrongly distributed can be extremely damaging to the individual. It is not right that medical records should be exempted from disclosure when the British Medical Association has no objection to disclosure. It is anomalous that social work records should be shown to teachers, educational psychologists, doctors, other 589 medical workers or the police and not to the client. I sometimes think that confidentiality is observed only in respect of the individual.
This is a most important point. The right that is accorded under the Bill to the Home Secretary to restrict access where the dataappears to him to be of such a nature that its confidentiality ought to be preservedrepresents a monstrous loophole with regard to the individual's right to access, when intervention by the Home Office is entirely uncircumscribed. I hope that we shall pay close attention to that in Committee.
Above all, it is contrary to natural justice that, when the individual finds out that a record held on himself or herself is incorrect, he has no automatic right under the Bill to have it corrected. The procedure envisaged under the Bill is that the individual must go to court, which we know to be expensive and difficult for many people to do. He also has to prove that he has suffered damage as a result of that. That is contrary to the European convention, which states:The data subject shall be entitled where appropriate to have personal data corrected or erased".That is another important facet of the Bill that must be changed.
§ Mr. Geoffrey Dickens (Huddersfield, West)
Schedule 1 to the Bill states:An individual shall be entitled—It states further:
- (a) at reasonable intervals and without undue delay or expense—
- (i) to be informed by any data user whether he holds personal data of which that individual is the subject; and
- (ii) to access to any such data held by a data user; and
- (b) where appropriate, to have such data corrected or erased."Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, personal data and against accidental loss or destruction of personal data.Therefore, I am not sure whether the hon. Gentleman was right in his remarks.
§ Mr. Meacher
The hon. Gentleman should realise that the operative word is "may" and that there is no automatic right. The registrar has no automatic powers to secure erasure or change. That is what is wanted. Although the Bill makes a nod in the right direction, it does not provide the guarantee that the Opposition want.
Thirdly, the provisions on specially sensitive data are unsatisfactory. As the House will know, when data concern political or religious opinions, criminal convictions, sex life, physical or mental health and racial origins, the European convention requires additional safeguards. The Bill says that the Home Secretary may make additional regulations in such cases. That is unacceptable on two grounds. First, there is no requirement for additional safeguards in such cases. It is left open. There may or may not be safeguards. Secondly, an independent registrar or registration system should do that and not the Home Office, for the good reason that the Home Office keeps many of the most sensitive files and records.
The whole system of supervision and registration under the Bill is defective. The Home Office has never provided any good, satisfactory or plausible reason why it rejected the Lindop recommendation of a data protection authority. There has been talk about the Conservatives' dislike of 590 quangos. However, that is not a satisfactory explanation. The Government have substituted an independent registrar. No doubt he will be an extremely distinguished representative from the list of the good and the great, but he will be one person, aided by only 20 civil servants. Whatever else the proposed framework represents, it will not have the resources to provide a proper inspection system. That will be necessary if the system is to work. The registrar may be dynamic and effective, though there is no guarantee of that in the Bill, but he will have no duty even to investigate complaints, and he will have no power to order the rectification or erasure of incorrect data.
The codes of practice proposed in the Bill lack adequate sanctions. The Home Office has rejected the Lindop recommendation that statutory codes should be drawn up by an independent data protection authority. The Bill proposes that the codes should be a voluntary effort by professional bodies and trade associations. That is unsatisfactory for two reasons: it is contrary to the concept of the independent supervision of data; and, because the principle will not be backed by effective sanctions, it will be unenforceable and consequently ignored.
I believe that the general judgment of the House is that the Bill is deeply disappointing. Proper data protection for individuals is desperately needed, but the Bill does not provide it. It is concerned far more with commercial interests than with civil liberties and it is in line with the ethos of a Government who three years ago promulgated the iniquitous protection of official information measure and a year later stamped on the Freedom of Information Bill.
Unless the Bill is radically transformed in Committee, the Opposition should seriously consider whether its defects outweigh its merits and whether we should support it on Third Reading.
§ Mr. Timothy Smith (Beaconsfield)
Having listened to the debate and, in particular, the speech of the hon. Member for Oldham, West (Mr. Meacher), I conclude that in many ways the Bill is aimed at the wrong data user.
Before the debate, I was unenthusiastic about the Bill, and I remain so, because I think that its target is the wrong data user. As my hon. Friend the Member for Dorset, North (Mr. Baker) said, it will cover many small businesses and could even embrace individuals who use computers. It will impose substantial bureaucratic burdens on them, while the exemptions to which the hon. Member for Oldham, West referred will mean that the Bill will be ineffective in some important areas.
Schedule 1 sets out the eight data protection principles, and the object of the Bill is to ensure that they are observed in practice. Like all hon. Members, I support those principles, but it is difficult to be enthusiastic about the Bill because of the way in which it tries to implement those principles. There will be a data protection registrar with whom all personal data users will have to register.
I understand that the Government attach considerable importance to the concept of universal registration, though I am not clear why that is so. I should like to know what estimate the Government have made of how many users will have to register. There was an estimate of 80,000 in today's Financial Times. but I think that the figure will be much higher, and that hundreds of thousands of users will have to register. Even if that is not the case immediately, 591 it will be so in future, because of the rate of growth of the computer industry and the fact that there will be many users of smaller computers.
Many small businesses and even some users of home computers will be affected by the Bill. I was worried by what my hon. Friend the Member for Dorset, North said about the possibility of word processors and microfilming machines being included in the ambit of the Bill. My hon. Friend is a lawyer and I, as an accountant, accept what he says. If the Bill covers such machines, it will embrace even more users of mechanical equipment than I had thought.
The European convention was drafted some time ago, before the use of computers had become so widespread. It was clearly designed to deal with personal data of a sensitive nature, such as criminal records. That should be the target of the Bill. Its range is too wide.
The convention does not require registration—it does not even refer to registration—and even if users of personal data do not register under the Bill, they will still be bound by the data protection principles. That demonstrates that we could live without registration.
If the registrar is to have a staff of only 20, they will be hard pressed even to monitor registration satisfactorily, let alone deal with complaints and so on. Perhaps their time would be better spent in dealing with complaints rather than in the more mechanical process of registering an endless number of data users.
If we are to have registration, perhaps we could look at the possibility of exempting small businesses and organisations—it would be unfair to add a further burden on them—or take up the suggestion of the hon. Member for Cannock (Mr. Roberts) who told us that the Computing Services Association had said in a letter to him that many day-to-day applications could be left out altogether. After all, many users have computers only for payroll, sales ledger or purchase ledger purposes, and no one outside would be interested in those.
I am the parliamentary consultant to the accountancy profession, which wrote to me to say that the Bill, as drafted, will not achieve its objectives and could be widely disregarded. The letter says:Our primary concern is with the scope of registration which will impose an onerous burden on small businesses and individuals who wish to operate in a modern and efficient manner. We also believe that the Government has seriously underestimated the numbers of staff which the Registrar will need to operate the register and enforce the principles of the Bill.The balance of interests between the data user and the data subject is a matter of fine judgment, and views could be expressed either way, but in some circumstances placing additional burdens on data users could operate to the disadvantage of data subjects. For example, I do not know whether the Government have given much consideration to the effect of the Bill on the operation of examination boards, but it seems to me that the proposals could prejudice their work.
There is a period between an examination and the announcement of results when a certain amount of judgment is involved in arriving at those results. If examinees are to have the right in that interim period to information held on computers, that could affect the approach of examiners.
The Institute of Chartered Accountants in England and Wales wrote to me: 592the processing of examination marks and the determination of results … are normally conducted on a confidential basis, not for the sake of secrecy, nor for any sinister reasons, but for the sake of the good and orderly conduct of examination work, and in the best interests of the candidates.I should stress that that is the reason for the manner in which this is done. It is in the best interests of the candidates who, in these circumstances, would be data subjects. The letter continues:Most examining bodies have some subjective element in the determination of their results, some degree of 'fine tuning' … If the disclosure requirements of the Bill were to apply to examination marks and the determination of results, the likely effect would be for this flexibility to be dropped, to be replaced by a more rigid system which could be justified in absolute terms in correspondence with enquirers or complainants, so avoiding arguments about the application of any subjective element.As a result, the Bill would operate to the detriment of the data subject—the examinee.
Another example that was discussed in the other place relates to information given in confidence for references. This is one example of confidential information that could be prejudiced by the Bill. For example, most referees for job applications give a frank and candid account of their opinion of an individual on the basis that that information will not be released to the individual. Referees might be inhibited if the Bill were implemented as it is, and this would not be in the public interest. Clause 30 makes an exemption in this respect for judicial appointments. I do not understand the justification for this. If there is a case for exemption for judicial appointments, there is a case for exemption for almost any other appointment.
I agree with my hon. Friend the Member for Dorset, North about rectification. The provision on rectification needs to be strengthened and perhaps the Consumer Credit Act would provide a good model.
Clause 16 deals with powers of entry. A useful provision would be to require the registrar, if he were to take computer information away, to ensure that the data user was allowed to keep a copy, because his business could be disrupted if he were not allowed to keep a copy and the information was removed from his premises without any notification.
Having expressed those individual worries, I return to my opinion that the balance of the Bill is wrong. I believe that it should be aimed at dealing with aspects of a sensitive nature—often information held by large organisations or Government Departments. There is no need for registration in the universal sense in which the Bill seeks to apply it. I do not go as far as the hon. Member for Oldham, West, who said that we should reject the Bill. The Bill constitutes a useful step forward, but I have reservations about it.
§ Mr. Simon Hughes (Bermondsey)
The Bill has already been subjected to various criticisms with which I and my colleagues agree. It was an admission by the Secretary of State that gave away the game as to the reasons for which the Bill has been introduced. He said that it was to ensure that the industry of information technology could flourish, that our industrial trading position should be protected and because the Government were afraid of sanctions being applied against us by our partners in the European trading network.
Belatedly, reluctantly, and, it is clear, inappropriately, the Government are trying to comply with expectations that others have of us. As the explanatory and financial 593 memorandum says, the Bill's purpose is to implement last year's White Paper and to ratify the European convention of 1981. The purpose of the Bill should be entirely otherwise. A Bill with this subject should ensure that before we reached 1984 individuals were protected against the traffic of information that was against the interests of their liberty.
I was pleased to hear both from the hon. Member for Bournemouth, East (Mr. Atkinson) and from the right hon. Member for Birmingham, Sparkbrook (Mr. Hattersley) that the defects that the Bill seeks to remedy are attributed to the fact that we do not have a bill of rights. If we had enshrined in our law, as we should have had long ago, a right for an individual to know what records were kept about him or her, we should not have the problems with which we are trying to deal in the Bill.
The commercial lobby has rightly been pressing for a Bill to deal with some of the problems with which this Bill seeks to grapple. However, the Government are doing what is either the minimum or slightly less than the minimum, depending on whether the Bill complies with the convention—something that we may later discover. The Bill does very little to protect the individual and many things to endanger him. It is apparent now that, as one of today's daily papers said, our problem is thathaving offered a glimpse of this promised land of a more accessible information system, the Bill brings down shutters, not only in the exemptions but because … it will remain simple and quite legal for anyone to sift sensitive informationinto a manual system instead of into an information and computer based one. There is no warning to the individual about where those records are kept.
The debate in the other House ended with a contribution from my noble Friend Lord Avebury. I was delighted to hear him quoted by the right hon. Member for Sparkbrook. Where better to look for inspiration than to a Liberal peer? My noble Friend prophesied on 24 March that the professions would wake up to the dangers that the Bill presents. It is clear that since then they have done so, and have written to hon. Members and to the national press. If a Government Bill receives eight pages of criticism from the Society of Conservative Lawyers, there must be something wrong.
The Liberal party will oppose the Bill not today but later unless there are, as the hon. Member for Oldham, West (Mr. Meacher) said, radical—I add fundamental and substantial—modifications in Committee. We are not against data protection. Indeed, we are passionately and wholeheartedly for it. However, we are against a pretence of data protection while the gathering of unchecked and uncheckable information in many important personal and private aspects of individuals' lives goes on apace.
The Liberal party has objections to the nature of the Bill. After the ridiculously long preparation in its conception, the Bill in haste applies the wrong principles and starts from the wrong end. That is nowhere more manifest than in the definition clauses which follow the pattern of inadequate and loose definition set in the Police and Criminal Evidence Bill. What is more, the Bill is not extensive or sophisticated enough.
We should want a Bill on this subject to achieve four things that this Bill does not achieve. They are all things that have been carefully rehearsed as arguments for a Bill of this nature since the Younger report in 1972 and the 594 Lindop report in 1978. First, as many hon. Members have said, we should remove the unnecessary expense and requirement for much of industry to register every species of system that would encumber businesses that already have enough difficulty in operating.
Secondly—and this is most important—we should need to make sure that the exemption provisions that are completely without definition and are wide beyond any acceptable limit are carefully restricted in a way that allows both the country and the individual to be satisfied that Big Brother is not having the opportunity wherever it counts to keep information that is unchecked by the individual.
Thirdly, we complain bitterly about the concept of the registrar. I share the view of those who have said today that a job of this nature and importance cannot be taken on by a registrar, however eminent, and 20 staff. He will not have the resources to investigate complaints, nor will he have the opportunity to do much of the work that the Bill requires from the time that it is enacted.
The fourth substantial criticism is that it is the Home Secretary—the member of the Government who runs the Government Department holding the most sensitive personal information, whether it be immigration, police or prison records, national security information and other matters—who is to be responsible for almost every major area of the Bill's development and of the monitoring of information. It is the Home Secretary who will appoint members of the tribunals which are to hear appeals from the registrar, and it is the Home Secretary who will be responsible for making regulations and for fixing the budget of the registrar.
Those are the four substantial objections and complaints about the Bill, and those are the four areas on which my right hon. and hon. Friends and I will seek to modify it in Committee.
I deal briefly with one or two specific clauses before I come finally to the major area of concern, which is clause 28 and the exemptions that it provides.
Clause 2 has already been much criticised. The sort of data to be protected is limited to what is at the moment a very small area of the data on individuals. It is those records kept manually or capable of being transferred to be kept manually which will fall outside the provisions of the Bill.
Under clause 3, I have already criticised the nature of the responsibility and accountability of the tribunal members and the nature and strength of the office of the registrar. A further substantial objection is that it is proposed that the registrar will only be able to start enforcing the powers given him within two years of the Bill coming into operation. Such a period will allow all sorts of alterations of the places where information is kept and allow all sorts of abuse, because two years, with the knowledge that the shutters are to come down, can be used very well by those with malicious or other unhelpful intent.
Under clause 4, there should be a requirement to record and register systems as well as users. We are aware of the problem of the Government Departments which have many different systems under which information about an individual might be recorded for all sorts of reasons. It is not sufficient for the user, when that user is as large as a substantial Government Department, to decide the way in which the record is made.
595 The access of an individual to the records is wholly inadequate. How is anyone to know who has records about him? The obligation should be in the other direction. The obligation should be upon those bodies who keep the records to tell the individual that they have the records, and the individual should be entitled to check their accuracy. That extends even to criminal records in respect of the individual who is recorded in that category—and even to security records within the criminal category. There is no reason why the individual in question should not be allowed to see the records about him. As the Home Office admits, the possibility otherwise is that the individual's option to investigate what records are kept about him will be hardly used, because the individual will not know that the records are there and, if he does know, he will have to pay on each occasion that he requires to discover what records are kept.
The principle set out clearly in the Lindop report has been turned round. A possible way of describing the Bill is to say that it is Lindop on its head. Lindop on its head is not satisfactory.
Other hon. Members have discussed the problems and inadequacies of the clauses in part III. How can individuals in many cases be expected to prove damage to them caused by inaccurately stored information? How will it be possible for them to correct the information when they do not know that it is there to be corrected?
I do not have to reiterate the arguments which have been advanced against part IV and clauses 27 and 28, which allow the exemptions of national security, the control of immigration, the assessment or collection of tax or duty and the apprehension or prosecution of offenders as well as the prevention and detection of crime to be continued and data to be transferred between the bodies which deal with those bulk amounts of information.
It is the experience of many of us that people have information about us which is inaccurate and the source of which we find it difficult to discover. My personal experience recently is a minor one. A reminder to renew a television licence was sent to an address three miles from my own to a person with the same surname. It happened to be my younger brother, who had moved from my address. He had never owned a television set, but the Bristol televison licence centre sent him a reminder to his new address, and inquiries by me failed to reveal how information had reached the licence centre that anyone with that surname had moved to that address from mine. That minor example shows the sort of instance when one should be entitled to obtain information.
We have heard instances of people being the subject of inaccurate information when applying for mortgages. Council tenants may be the subject of inaccurate information when they apply for transfers and can only know details of the points that they have instead of the reasons why they are given those points.
But perhaps the most important aspect which has not been dealt with in sufficient detail is that everyone in the country has records about himself or herself under one of the two major categories—those held by the Inland Revenue, and those held by the Department of Health and Social Security. There are some 45 million people on DHSS records, and the DHSS planners have set out their plans to reference and index their systems of information in a comprehensive computer network. A person's record will appear under his national insurance number. The key to it will be a very simple one allowing much of the 596 information to be retrieved: the national insurance number, the location of the records, and the name and address and date of birth of the individual concerned. Similar information is on the police national computer, and Inland Revenue officials tell us that within a few years they will have computerised in a similar way PAYE, tax and other records of theirs.
In a year or two it will be all too easy to have transfers between the great bodies of state which hold the bulk of the information. There is an open-ended risk and the frightening possibility of all sorts of information being transferred if the exemptions in clauses 27 and 28 are not reduced substantially, and soon.
Although in some respects the Bill is welcome, it is a way of building towards Big Brother if it is not amended substantially. It is too little and, as the Government themselves admit, it is nearly too late. The Secretary of State said that we ought not to overreach ourselves unnecessarily. It is not to do the unnecessary that we need to work hard to make sure that no legislation such as this gets through the House. It is to do the necessary that we should have done a long time ago to protect not only the industry of information technology but the individuals whose prosperity and progress information technology is intended to benefit.
§ 7.9 pm
§ Mr. Barry Henderson (Fife, East)
I listened with great interest to the speech of the hon. Member for Bermondsey (Mr. Hughes). Although my view of the Bill is inevitably coloured by the fact that I spent much of my working life in the computer industry, I see it as a positive merit that the Bill will help in further encouraging information technology in this country. I was disappointed to hear someone on the Opposition Benches decry the Bill apparently for that reason. I hope that Liberal Members will take a more open view of the matter on Third Reading, consider what is in the Bill at that time, and, if it is not positively bad, vote for it.
I could make many criticisms of the Bill. I wish that it were a better Bill, and I hope that, before we have finished with it, it will be a better Bill.
The Bill starts with a practical and useful objective. If it achieves that objective, it will have performed a useful service, and for that reason it should be supported. The fact that it does not do all hat one would wish it to do is surely not a reason for voting against it on Third Reading.
Another point that I wish to put to the hon. Member for Bermondsey is that in the four years following the 1975 White Paper, the Labour Government, despite the Lib-Lab pact, did absolutely nothing to bring in data protection regulation. Perhaps the hon. Gentleman should think about that.
§ Mr. Simon Hughes
It was not for lack of support from the smaller part of the partnership at the time, but, as we heard from the right hon. Member for Birmingham, Sparkbrook (Mr. Hattersley), the fact that time ran out, as with the previous Labour Administration, that that Bill did not become law in that period.
§ Mr. Henderson
Yes, but it is only four years since this Government came in, arid they have managed to bring forward this Bill. I was saying that the Labour Government, supported by the Liberal party, did not find four years sufficient time to bring in the appropriate legislation.
597 The right hon. Member for Birmingham, Sparkbrook (Mr. Hattersley) made rather a good speech this afternoon. I agree with much of what he said. If I thought that he really believed some of the words in the latter part of his speech, that might be a reason for voting against the Bill, but somehow I think that he did not wholly believe in the somewhat horrendous images that he conjured up.
Any Home Secretary who brought before the House a Bill of this character would be a sitting duck. No Home Secretary could introduce legislation of this character and believe that he would get an easy ride through the House. No doubt that is why the Lib-Lab pact failed to come up with the answer before. It did not have the courage to carry through a plan that could become legislation. At least my right hon. Friend has done that. I shall have certain things to say that he will not like, but I am glad that he has brought forward this legislation, not only for the specific and practical reason that it will help the information technology industry, but because it contains some good things, not least the principles that are set out in schedule 1. Opposition Members should bear in mind that the Bill will be a step forward if only because it puts on record the fact that these are the principles which are to guide personal data held by data users. Let us remind ourselves briefly of the principles.
The first principle is that the information shall be obtained and processed fairly and lawfully. That is an important principle. Public anxiety in this respect stems from the fact that data have not always been obtained and processed fairly and lawfully.
The second principle is that personal data shall be held only for specified and lawful purposes. I am paraphrasing, because I do not want to detain the House by quoting all the schedule.
The third principle is that personal data shall not be used or disclosed in a manner that is incompatible with these purposes. I hope that the hon. Member for Bermondsey will stop me if there is anything that he wants to vote against.
The fourth principle is that personal data shall berelevant and not excessive in relation to that purposefor which it is used.
Fifthly, data shall be accurate and kept up to date. The sixth principle is that personal data shall not be kept for longer than is necessary.
The seventh principle is perhaps the most important—that an individual shall be entitled to be informed when a data user holds information of which that individual is the subject. One of the most valuable parts of the Bill is that an individual shall be entitled to access to any such data and to have any such data "corrected or erased" in appropriate circumstances. In my opinion, those principles constitute a major advance on any legislation that we have at present, and I hope that Opposition Members will bear that in mind.
I am a little more sceptical about the eighth principle:Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, personal data and against accidental loss or destruction of personal data.It is an admirable sentiment. I should have thought that any well-organised computer department would do all those things as a matter of routine. The situation is more problematical for smaller installations. My hon. Friend the Member for Beaconsfield (Mr. Smith) reminded us that 598 the Bill will reach some of the smallest computers in the country. I dare say that their problem will be to make sure that they do not lose the data altogether.
As far as I am aware—perhaps Opposition Members had not taken this fact fully into account—there is no enormous public demand for this legislation and for the even more advanced legislation that some hon. Members have advocated. In a pub, canteen or club, one does not hear intense discussions about the need for data protection legislation. Public concern is more about unsolicited direct mail or matters which are probably better dealt with in consumer credit legislation than in this legislation. What worries people most is the possibility that data used for a particular, legitimate and sensible purpose might be transmitted unlawfully to third parties.
Again, the Bill should be supported on Second Reading if only because it introduces part III, dealing with the rights of data subjects. In clauses 21 to 25 specific rights are available to data subjects—rights which have never been available before to people in this country on such a generalised basis. These are all important and useful steps.
We have heard quite a lot from the more strident elements in the civil rights lobby, but I think that their main targets are outside the scope of the Bill. The Bill is not necessarily the worse for that. If those people want a Bill that deals with some of the matters about which they have talked, by all means let them press for them, but this Bill is no worse for not having them. It might have been better with them, but that is a different matter. May I say to my hon. and learned Friend the Minister of State that the great black hole about transfers between the protected and unprotected areas in the Bill give that lobby something to latch on to. That matter will have to be dealt with in Committee.
There is some concern about the privacy of an individual who could be identified by the data subject. That aspect of the Bill does not seem to have been referred to. It may be that I have misunderstood the Bill. It is all very well to arrange that information about a person must be disclosed, but if in disclosing that information the reasonable privacy of some other person is breached, we should also consider the protection of that individual. I shall refer to that matter in a slightly different way when I come to examination results and so on.
I shall give an example of the kind of thing that I have in mind. Apparently, Germany introduced a splendid system for checking the speed of road vehicles, part of which included the ability to take a photograph of the front of the vehicle at the time that the vehicle's speed was registered. That was fine. It helped positively to identify who had committed an offence. However, it had unforeseen consequences. Several times when someone was up before the beak for a minor motoring offence, there were all sorts of unexpected and unfortunate consequences, such as divorce actions, because the picture revealed persons in the vehicle who were not expected to have been there. In that instance, the German authorities had so to organise their cameras that they photographed that part of the vehicle below the level of the windscreen in order to protect the individual privacy of the motorist. I hope that my hon. and learned Friend the Minister of State will consider whether some aspects that are otherwise good about requiring a data subject to have information that is held about him will also have regard to the privacy of anyone who legitimately might have provided that information.
599 Council house points systems have been referred to at least twice, once by the hon. Member for Stockport, North (Mr. Bennett) and once by the hon. Member for Bermondsey. They asked why people should not know not only the points system that they had been allocated and its basis but the reasons for those points. That raises a difficult question, for example, about medical opinions. Do we think that it is appropriate that medical practitioners' opinions of the degree of medical need of a potential tenant should be given by the local authority to that individual? I am not sure about the answer to that question. I suspect that we probably do not, because, if we did insist that such information should be given to the tenant, the source of useful information to a local authority in determining its proper allocations according to need might well dry up. We should end up with anodyne remarks from medical officers if they knew that those remarks would be made immediately available to the potential tenant.
I hope that my hon. and learned Friend can help us—we may need such help quickly—because I am puzzled as to whether canvassing records fall within the ambit of the Bill. As the Bill stands, it seems that if canvassing records are held in a computer, that would be data requiring the computer system to be registered, whereas, if canvassing records are held off line, it would not. That matter is distinct from membership of a club, which was raised earlier when we discussed whether the Social Democratic party was a club or a party.
We must give credit to the Government for taking the kind of stick that they knew they would get this afternoon. The hon. Member for Bermondsey said that it leapt out as an admission that the Government's real motivation was to assist the information technology industry. I have heard my right hon. Friend the Home Secretary, my hon. Friend the Minister for Industry and Information Technology and others frequently declare in many forums that among the Bill's objectives was the achievement of that end. It is not an admission; it is clearly one of the Bill's objectives. The Government knew that the Bill would have a difficult passage in many respects, and it is all credit to my right hon. Friends and hon. Friends that they have introduced it.
The Computing Services Association has particularly welcomed the Bill. I should have to take its view a little more enthusiastically if it had not turned out to be one of the few organisations whose spokesmen seem to think that there is something good in the Labour party's recent policy document. It rather makes me wonder whether the Computing Services Association's view is as valuable as I had previously thought. No doubt its members will sort out its spokesmen in due course.
Not least is the fact that the Bill will enable Britain to fulfil its obligations under the European convention. It is a pity that the European convention is becoming a little elderly. As has been said, it was drawn up a long time ago. If it were drawn up today, I think that it would be drawn up rather differently, and we should find it easier to draft a more sensible and better Bill.
I accept that the Bill has practical objectives, but I am not sure whether the means by which my right hon. Friend the Home Secretary intends to implement them are as practical as I should have liked. Let us look, first, at the major issue of the distinction between computer and other data. I say to my hon. Friend the Member for Beaconsfield, who mentioned word processors, that they are merely computers with particular software which 600 enables them to carry out word processing activities. I have no doubt that many hon. Members have been looking at the beauties of word processing systems for their own purposes. I am sure that they will find among the benefits not only that they can turn out letters to order with variants thereof, but that they allow an index of files to be kept and names and addresses of people in categories.
§ Mr. Nicholas Baker
I apologise for missing my hon. Friend's earlier remarks. but he is right about word processors. They are minicomputers—first-stage computers. I am sure that he will accept that they store personal data. It may not be very sensitive—I doubt whether in many cases it is—but surely the danger is that they are the recipients of large amounts of varied information which is thoroughly boring, uninteresting, not at all sensitive, not what the Bill ought to be concerned about or what the data subjects are concerned about, but which could give rise to an immense amount of work.
§ Mr. Henderson
I am grateful to my hon. Friend for his intervention, with which I agree. In many ways word processors came along after computers, not because they were different in hardware terms, but because clever software made a computer do easily and readily that which can be done by a typist.
The Bill says that sin is all right except when it is on a computer. That is why there is a weakness in the principles of the Bill. There is no distinction in nature between data held in a manual system and data held in a computer, especially when one considers that the security of data held in a computer is almost certainly infinitely superior to that of data held in a manual system. It is easy, relatively speaking, to break into a filing cabinet or to examine what is in a file on someone's desk and to understand the contents of that file. It takes a specialised nosey parker to break into a computer in an unauthorised way and extract the information he wants on a particular party. The House is considering the most secure aspect of data holding but measures must be taken to ensure that nothing goes wrong when a vast area of manual records exists containing personal data that are far less secure. I am concerned with the scope for cheating that arises from the terms of the Bill because of the distinction drawn between manual and computer records.
The hon. Member for Cannock (Mr. Roberts) in an interesting speech asked when is a computer not a computer. One clever answer to that question might have been: "When it is a telephone." Nowadays, a microprocessor is often embodied in a telephone to make it a little cleverer. Given that a microprocessor in the telephone can store addresses, telephone numbers and names, and can even dial numbers, that seems to be a computer system within the meaning of this Bill. It is holding personal data that can be accessed by another person. I hope that the Bill does not encompass that unless the scale of personal data so held is substantial. Most telephones hold only dozens of data. Perhaps the hon. Member for Newcastle-under-Lyme (Mr. Golding) might be able to give the House more information about that. There is no reason why a telephone cannot have held within it hundreds, or indeed thousands, of names and addresses, telephone numbers and other data. That is not the intention of the Bill, which is related to the processing and storing of records on data subjects. That is why it is slightly unfortunate that the European convention came 601 out as long ago as it did, because it is out of date in this respect. It must be clarified when the Committee examines the Bill in due course.
§ Mr. Henderson
Yes. That is why I said that the telephone apparatus that I was describing would be encompassed within the Bill and would be data to be protected accordingly. That is how I read the definition to which the hon. Member for Newcastle-under-Lyme (Mr. Golding) has referred:'Data' means information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose.
§ Mr. Nicholas Baker
Does my hon. Friend agree that there is considerable flexibility under the convention? I think that he was suggesting that the Government were tied very strongly by the terms of the convention. That is not the case. The convention is pretty loose. It is a bit old. It is a pity that it was put forward so long ago. The Government's hands are not quite as tied as he might suggest.
§ Mr. Henderson
I am sure that my hon. Friend is right. He has a better understanding of the legal aspects of this matter than I. Back Benchers are not concerned with how the Bill will fit with the convention. We must take the word of the Front Bench, with all its expert advice, that the Bill will meet the requirements of the convention. I accept that as a sine qua non. If the Bill did not meet the requirements of the convention in spirit the House would not really be performing a useful operation in carrying it through.
A practical problem that arises from the distinction between manual and computer records is that it seems perfectly possible to have coded references on line pointing to off-line data and still not be caught by the data protection regulations, although that is one system of retaining information about persons. Until that loophole is closed, there is a weakness in the legislation. In case it might be thought that I am talking of hypothetical situations, I wish to refer to a paper that was produced by the Committee of Vice-Chancellors and Principals of the Universities of the United Kingdom on 25 January 1983. It said:There remains, however, the problem of computerised records held by individual universities containing information on students' examination results and assessment records.It refers to.
the view of universities that it would be unacceptable to allow students access to confidential information of this nature and that it would be a retrograde step if legislation forced universities to transfer these records to manual systems.The hon. Member for Stockport, North referred to a similar position in schools. He was arguing that children ought to have access to such details. The university vice-chancellors and principals are arguing that students ought not to have access. I do not think that it is for hon. Members to make a judgment at this stage on that subject. It is not something immediately before the House, although it may arise in Committee. The fact that records of personal data kept manually would not be available to the data subject, but, if they go on to a computer would have to be made available to the data subject will decide 602 the way in which data records are handled. There is the distinction in the Bill between computer records and any other records. That is one more reason why it is extremely unfortunate that there is this artificial distinction.
A real anxiety of people is whether they are getting a fair deal when accurate or inaccurate data are held about them, be it on a manual or on a computerised system. A much greater danger, about which nothing can be done, is what the old boy network says about them, perhaps based on entirely erroneous data. There is no way at present that one can prevent a bad word being passed on, perhaps over the telephone. There is no way that anyone can check what was said about a person, whether it was valid or whether they have any right to know what was said about them.
Registration has made the Government make the artificial distinction between manual and computer records. If I can persuade my right hon. and hon. Friends on the Front Bench that registration is not needed, perhaps manual record keeping can be embraced within the ambit of the legislation. That would be valuable and worth while.
Nothing that the Home Secretary said in opening this debate did anything to change the minds of several of my hon. Friends who felt that the nature of the Bill would result in virtually every commercial computer system in the country having to register. I have corresponded with my right hon. Friend the Member for Aylesbury (Mr. Raison), the then Minister of State, Home Office, asking whether routine pay rolls, purchase ledgers and sales ledger information would be within the ambit of the legislation. From what he said then, I understood that that was so. At that point, there was no end to the number of computer systems that the legislation would embrace. I think that it was the hon. Member for Cannock who suggested that we could make a distinction between perfectly normal routine commercial transactions and others. Originally, I pursued that line, but I do not now think that that is the right way to go about things. Nowadays, an automatic part of a sales ledger package is a payments history, which really gives the sort of personal data, including creditworthiness, that the Bill is concerned with.
Therefore, perhaps we should face the fact that, just as it is inappropriate to make a distinction between computer and manually held data on card indexes or whatever, it is probably wrong to distinguish between routine commercial transactions and others. I do not believe for one moment that 20 people will handle this vast registration process effectively or competently or with any guarantee that the Bill's intentions will be fulfilled by the registrar. We shall have something of a bureaurcratic monster, with a little minnow at the tail in the form of the directorate, which will try to give the impression that we have real data protection. Those involved will be unable to see the wood for the trees. Perhaps we could get away from the idea of registration and simply say that for all practical purposes every computer system and any manual system that is holding personal records should be required to fulfil certain obligations, such as the principles described in schedule 1 and in the Bill's very valuable part III.
If there were a duty on every computer operator and user to behave in the way set out in the Bill and if anyone caught behaving otherwise was clobbered, it might provide a more valuable approach than the massive registration process envisaged. If there is to be any 603 registration, it should involve those who professionally handle data on people with a view to selling it, albeit legitimately. It gives rise to legitimate anxiety if data on someone are held and stored with a view to selling them to a third party. It may well be worth registering that, but to register every computer system in the country would be ridiculous.
The goodies who are trying to do what they want to do, but who on occasion make an error, are likely to be hurt as things stand, whereas those who have clever lawyers and clever computer technology people at their beck and call could still do the sort of thing that we do not want to see. If improvements can be made in the distinction between computer and manual systems and in getting away from the concept of registration as being at the heart of the matter, the Bill could be vastly improved. However, I am grateful for the fact that we are at least legislating after all these years.
§ Mr. Ken Eastham (Manchester, Blackley)
Unlike numerous speakers with interests in computer firms or small or large businesses, I have no interest to declare. I decided to speak in the debate on behalf of ordinary folk, because they do not usually own computers although they are for the most part the subject matter of information held by them.
The Bill is long overdue, but it is still quite unsatisfactory. Numerous Opposition Members have said that we shall not object to the Bill this evening. However, in Committee we hope to see some logical and sensible changes. It is obvious that 1984 is with us and that "Big Brother is watching you".
There is a growing awareness about records and it is a regrettable fact that they instil great fear in ordinary people. The computer industry and information technology seem only to serve big business. They certainly do not serve ordinary people. There is growing anxiety and unease. Indeed, I am sure that, like me, other hon. Members have received many letters from constituents who are concerned about the number of channels directing computerised information at them. There are the regular debt collectors, and the book clubs which, through inefficiency, make demands on our constituents for debts that they do not owe. That is all part of the mish-mash and inefficiency that is often found in the computer industry.
Although we do not oppose the Bill, we must ask whether it is effective enough. Obviously, in the world of information technology there are many grave abuses. Fleeting reference has been made to human rights. We have fallen far short of the mark of achieving human rights for ordinary people. We lag seriously behind the rest of Europe. Ever since January 1981, we have been waiting for the convention to be ratified. Unlike some hon. Members, I do not believe that the Government were very enthusiastic about introducing the Bill. It is only a sop with which they hope to gain some respectability. We have been waiting for ratification for a long time yet the Bill, as many hon. Members have said, is inadequate.
I thought it might be useful to make some comparisons and to look at the recommendations of the 21-nation Council of Europe. The preamble to the Council of Europe's document is quite different from the Bill. It sets out the need for a convention, saying:Considering that the aim of the Council of Europe is to achieve greater unity between its members based in particular on 604 respect for the rule of law as well as human rights and fundamental freedoms; considering that it is desirable to expand the safeguards for everyone's rights and fundamental freedoms and in particular the right to the respect for privacy; taking into account the increasing flow across frontiers of personal data undergoing automatic processing and confirming at the same time their commitment to freedom of information regardless of frontiers; recognising that it is necessary to reconcile the fundamental values of respect for privacy and the free now of information between peoples".The convention has 27 articles, with which I basically agree. They include information that may not be recorded, such as religious beliefs, political opinions, racial origins, sexual life and so on. The Bill falls far short of the convention's recommendations.
I seriously question whether the penalties in the Bill are sufficiently heavy. A serious abuse of information could ruin a person for the remainder of his life. It is difficult to assess adequately the amount of compensation for the hurt and damage that may have been caused. Far more serious sanctions should be imposed on people who are negligent in keeping correct information.
The Bill refers only to computerisation of records and related types of equipment. As other speakers have said, there is no mention of other methods of record keeping. It is a pity that card files and films are not included. On occasions films are taken that could have serious implications for a person.
My hon. Friend the Member for Stockport, North (Mr. Bennett) referred to children's school records. There was a major uproar in Manchester when we decided to examine the types of files and records kept on children. We felt that there should be a radical rethink about the collection of information and the appropriate types of information that should be kept on school children. We also examined access. We found that teachers who had nothing to do with certain children from other classes had free access to their records. That practice has now ceased. We also gave serious thought to locked files. Many departments of local authorities, such as social services, housing and education, have locked information that can seriously concern people, especially those on whom the information is kept.
Before I entered the House I worked in the engineering industry. Any trade unionist in that industry knows of the consequences vindictive managements keeping unjustified records of their workers. We call them blacklists. Those lists can condemn workers—usually trade unionists—to unemployment. Craftsmen are often unable to find work with their skilled trades for the remainder of their working lives. The lists are compiled by prejudiced management, and no sanction can be used to stop that. Some sense must be introduced into the legislation to provide a controlling influence on those who unjustifiably keep such records. I have once or twice previously mentioned records kept by industry. We must wait no longer. The time has come to include a clause in the legislation to protect ordinary people.
The Opposition do not oppose the Bill, but they hope that it will be sharpened to make it more palatable to, and protective of, ordinary people—rather than big business, small business and the computer industry.
The Home Secretary said that the legislation would be controlled by a team of 20 people and a registrar. That is wholly inadequate. The proliferation of the ownership of computer systems and the hundreds and thousands of computers on the market pumping out all sorts of information—often intimate information about ordinary 605 people—makes it impossible for such a small team to have any real influence. The legislation must be monitored, and when it is found that the team is inadequate, the number must be greatly increased. There are more than 50 million people in this country and there are millions of files. It is simple to collect information—often unnecessary information—and store it on computers. Before we know it, computers will record colour of eyes and hair, whether a person wears glasses, whether he has one leg and so on. Guidelines must be issued showing what information is appropriate for recording on computer files.
A great deal of information is being collected that is wholly unnecessary to the operations of businesses and computer firms. Yet because of a whim and a feeling that the technology is great and can perform so many tricks, more information is pumped in. We must question the justification for keeping unnecessary information.
The Bill does not go far enough. If the Government have an open mind and a genuine intention to improve the lot of ordinary people, they must give an undertaking tonight that when the team of 20 and the registrar are found to be inadequate, the numbers will be reconsidered. I hope that the Government will also seriously examine the type of information that it is proper to record and issue guidelines to companies.
The Bill is wholly inadequate. I hope that the Government do not beat their chest and boast that it is a great Bill. It is a face-saving measure because Britain is part of the Council of Europe. The convention has lain on the table for two years, awaiting support from the United Kingdom. That is the only reason why this half-baked Bill is before the House. I hope that the Minister will recognise that there is a great deal of dissatisfaction on both sides of the House because of the Bill's inadequacies.
§ 8 pm
§ Mr. Geoffrey Dickens (Huddersfield, West)
I last addressed the House on this subject a year ago this month in an Adjournment debate which I had secured on a Friday afternoon. The House will not be surprised to know that at that time the subject interested the press. I was booked for radio and television and the national press was taking a tremendous interest in the subject, but then, on that very day—2 April—the Argentines invaded the Falkland Islands, and my Adjournment debate faded into insignificance. The Argentines had a total disregard for the people living on the Falkland Islands and, indeed, for my Adjournment debate. I am a little nervous because I have secured the Adjournment debate this Friday.
My hon. Friend the Member for Fife, East (Mr. Henderson) said that pubs and clubs were not discussing data protection. In my opinion, they should be because, whether they like it or not, they are data subjects. Everybody in the United Kingdom is affected in some way because information somewhere is being collected and stored about them.
Privacy and protection is a difficult subject to define. However, I shall consider three forms of rights to privacy. First, we have what can be regarded as general rights, usually specified as protection from intrusion in domestic affairs and from surveillance, harassment, exposure and embarrassment. Secondly, there are specific legal rights which touch on privacy, such as those protected by the laws on confidence, defamation, trespass or contract. 606 Thirdly, we have what are best described as procedural rights such as the rules governing the use of personal information, especially that required compulsorily by Government, banks, insurance companies, credit card agencies and bodies such as the Driver and Vehicle Licensing Centre at Swansea and the central police computer. This information includes school records, medical records and so on. Today the House concentrates on the third area—data protection—but before moving on to my central theme I should like to say a few words about other areas of privacy.
I am still deeply concerned about the spread of telephone tapping, surveillance of the Royal Mail, the bugging of premises and so on. It appals me how easily electronic devices can be purchased in the United Kingdom by individuals or private detectives to intrude illegally on people's privacy. I know that the Home Office is taking this matter very seriously and I applaud it for that. I hope that we shall have a debate on that subject on another occasion.
It should be understood that personal information, especially financial information, whether obtained improperly or legitimately for a specific purpose from the subject or a third party, with or without his knowledge or consent, gains a currency and value of its own. It is quite alarming how such information is traded without reference to the interests or wishes of the subject and can be, and indeed is, used as the basis of important decisions, such as the refusal of credit or employment, without the possibility of redress or, in most cases, the knowledge of what has caused the refusal. Data protection must place a great responsibility on those who gather and store information. How many overseas contracts are we losing because we are not paying enough attention to data protection? If international companies gain access to our computer data they will know our quotation price for, as an example, a power station worth £750 million. When prizes are big, people will do all sorts of things for information. To gain export guarantee facilities companies are required to reveal to the Export Credits Guarantee Department a breakdown of the price. When the sealed bids are opened overseas on the same day, is it any wonder that we lose major contracts because of commercial espionage? It is common knowledge that banks lose millions of pounds from computer fraud, but I do not expect confirmation of that because it might lead to a loss of depositor confidence in the banks.
Computers are wonderful tools of commerce, industry and Government but a memory bank is like a sieve. I believe that we need a data protection squad of computer experts reporting to an independent data protection authority who would act like ferrets, hunting and delving into any scent of infiltration or intrusion into privacy. I am not convinced that our friend, the registrar, with his 20-strong team, will be big enough for the job. I do not know whether we can broach that matter in Committee, but it must be considered seriously.
There are examples of negligent care and disposal of manual records which have convinced me that they should at least be subject to general data protection principles, even though, on practical grounds, registration would not be possible. It may not be possible to register and supervise manual records, but they must be subject to sanction for not adhering to the general principles. It was accepted in the debate in the other place that the long title 607 of the Bill will not permit the inclusion in it of manual records, but I shall continue to press vigorously for manual records to be covered in subsequent legislation.
When the Home Secretary announced that the United Kingdom would sign the new European convention at an early date, it was disappointing that he said at the same time that he would not set up an independent data protection authority. That is the condition for any credible data protection legislation and the basis for all the European data protection laws. I wonder whether the Home Secretary is in an impossible position. In all the hundreds of Government computer memory banks which hold personal information—health, social security, taxation and many other areas of the citizens' private life—there are only three with interests hostile to the people with whom they deal—police intelligence, national security and immigration. The Home Office is responsible for all three.
In a great effort to protect the work of the Department it is possible that any legislation to protect individuals' privacy will be diluted. I do not suggest that it would be done wilfully—I am not questioning the integrity of civil servants in the Home Office or of Ministers—but it is a great temptation for the Home Office. The Home Office may not be the right Department to present such legislation, but we have to press on and try to make a good Bill of it for the sake of individuals. We must monitor how the exemptions work and we must watch carefully how the registrar system works. We must give it a try.
The issue of statutory protection for automatically handled personal information was first assessed in the Younger report in 1972. It was established by the Conservative Government in 1970 as an examining body. It established a series of principles to apply to the handling of information. The Council of Europe analysed the issues at length throughout the following decade and in 1981 produced the European convention for the protection of individuals with regard to the automatic processing of personal data. The convention was signed by the United Kingdom in May 1981. Consequently, it became necessary to introduce legislation so that the convention could be ratified, and that is what we are doing now.
The Bill was drafted in the light of the report of the Lindop committee of 1978, which was set up by the Labour Government in 1976 to examine the issues and make proposals for possible legislation. The report was an extensive analysis of the problems of operating a satisfactory scheme of privacy safeguards. It contained a wide review of data protection matters. It proposed the establishment of legislation based upon the principles outlined by the Younger committee. However, it contained two sections which the Government felt that they could not accept. First, it proposed a multi-member data protection authority to enforce legislation. The Government rejected that proposal in favour of an individual registrar who would be independent of Government.
My right hon. Friend the Member for Aylesbury (Mr. Raison), who was then the Minister of State, Home Office, addressed a meeting of the Parliamentary Information and Technology Committee on 4 May 1982. He said:We believe that this will keep to a minimum the burden placed on resources; and will also encourage action to be taken rapidly and efficiently by a person with real authority. Our Registrar will not have representatives of various interest groups sitting alongside him; but he will have ample opportunity to 608 acquaint himself with their views in the course of his duty. The key point is that the independence of the overseeing body … must not be in doubt.Secondly, the report recommended codes of practice which would have created a host of new criminal offences. The Government did not consider that it was right constitutionally to confer responsibility for drafting criminal law on an independent authority which would not have the competence to undertake a task that is properly one for Government and Parliament.
My right hon. Friend addressed the BMA conference on data protection on 15 September 1981. He said:In our approach we … concentrated on putting the responsibilities where we believe they belong … Our concern will be to establish a sound basic framework capable of being built on and expanded progressively with more detailed provisions as we gain experience.Part I of the Bill establishes an independent data protection registrar. He is to be appointed by the Crown to enforce certain personal data principles with respect to the holding of information on computers. The principles are set out in clause 2 and schedule 1. Schedule 1 provides that personal datashall be obtained, and personal data shall be processed, fairly and lawfully … shall be held only for one or more specified and lawful purposes … shall be adequate, relevant and not excessive in relation to that purpose … shall be accurate and, where necessary, kept up to date and … shall not be used or disclosed in any manner incompatible with that purpose or … kept for longer than is necessary for that purpose or those purposes.That sounds an improvement to me, but I come to the part of the schedule which I like best, which is based on protection of the individual. Probably everybody in the United Kingdom will be entitledat reasonable intervals and without undue delay or expenseto have access to data of which he is the subject and "where appropriate" he may havesuch data corrected or erased".The provisions continue by statingunauthorised access to, or alteration, disclosure or destruction of, personal data and … accidental loss or destruction of … datashall be subject to appropriate security measures.
Part II of the schedule deals with theRegistration and Supervision of Data Usersand is largely in accord with the European convention. Much has been said about the registration duties of computer owners. The registrar and his small team of about 20 will face a mammoth task in ensuring that they carry out these duties. The owner of a computer must supply hisname and address … a description of the personal data to be held by him and of the purposes for which the data are to be held or used … a description of the source or sources of … detach … a description of any … persons (other than the data subjects in question) to whom he intends or may wish to disclose the data; the names … of any countries … outside the United Kingdom to which he intends or may wish to transfer the data; and one or more addresses of individuals who will be responsible for dealing with requests from data subjects for access to the data.The registrar will be required to maintain a register containing specified details of users, including personal details. The register will be open to public scrutiny and it will be an offence to operate in contravention of the registered detail. The latter provision is especially important.
The Bill will enable data protection arrangements in Britain to be consistent with standards that have been adopted in other European countries. It will ensure an 609 atmosphere in which there is confidence that individual citizens are not being put at risk by the spread of new technology.
In Committee I should like to see a move towards codes of practice. The Bill is proposed general legislation that covers at least 50 different categories of organisation that collect information about individuals. Many of the criticisms of the Bill arise from its general nature. Its application will vary according to which category of data user is involved. Codes will be needed to interpret how the general data protection principles apply to each category so that both data users and subjects will have clear guidance on how to proceed. The registrar must have the power to ensure that the spirit of the data protection principles is observed. The way in which data subjects proceed to obtain information and advise and complain is especially unclear as the Bill stands. Separate codes could more usefully spell out the steps that individuals should follow in the same way as, for example, consumer credit legislation specifies how individuals can obtain information about themselves and how to change that information if it is incorrect.
Having referred the devious ways in which personal details are used in response to applications for credit and employment, I shall provide other examples of misuse. A great deal of information is required if an individual is to qualify for certain credit cards. The information must be supported by evidence from the individual's bank, his accountant and his company. If the print-outs of the credit card company's clients are delivered into the hands of mailing companies, the result is that unsolicited material arrives through the post, which can be a great nuisance. Whether such lists are obtained unlawfully or legitimately, they provide a list of individuals whose earnings are above a certain salary. A mailing list of executives earning more than a certain salary would result in a better return than a list of lower earners. A list of higher salary earners in the wrong hands would surely be valuable to criminals who specialised in robbing domestic premises.
I am glad that there will be no Division on the Bill tonight. Both sides of the House believe in the Bill and think that it should proceed to Committee. Most speeches today have expressed nervousness about the Bill's provisions, but everyone agrees that we must have the Bill. I have called for such a Bill for many years, but it must be the right Bill. We must do a fair job in Committee. The Government and the Civil Service must accept sensible amendments. The Opposition must be a real Opposition. We do not want a guillotine because of lengthy speeches on the early clauses with the result that other clauses are not examined in detail. We want to be brisk and to make a good Bill.
We do not want radical changes, but the Bill will do—as a first step. I hope that the Government appreciate that, if the legislation is approved and tidied up, next time we shall expect more if, in the light of experience, we discover that the registrar system, for instance, does not work, or if the responsibilities involved are not understood properly. I hope that the Government will feel free to think again if the codes of practice are not accepted and the system does not work as we hope.
Much work is involved for Committee members, but we must make a go of it. Over many years Governments have put the issue to one side and have failed to get on with 610 the job. I hope that the Bill will not be used as a political football and that both sides will appreciate the desire for the legislation. I hope that we can work as a team and bring tidier legislation back to the Floor of the House.
§ Mr. John Golding (Newcastle-under-Lyme)
I congratulate the hon. Member for Huddersfield, West (Mr. Dickens) on his speech. If he had been in my class at school he would have been given a gold star for reading. In Committee, I am sure that he will be heard at length and Committee members will look forward to that.
The hon. Member for Huddersfield, West referred to the speech that he prepared 12 months ago, which did not receive the press that it deserved because—if I understand him correctly—it caused the Argentines to invade the Falklands Islands. I hope that he has more success this time. I was put off about the hon. Gentleman's expertise when he talked about putting ferrets into the computers. That is not to be recommended on technical or any other grounds.
I represent the Post Office Engineering Union, which has had a long interest in data protection and which supports the Bill's general principles but not its detail. One item has become important in the past few weeks. The Telecommunications Bill, which I opposed strongly, contains a safeguards for transmitted information. In the past few weeks it has been revealed that British Telecom may start to provide detailed information about customers' bills. How confidential will that information be? If personal telephone calls are open to scrutiny, that could cause a breach of privacy. I hope that the Minister can explain how the privacy of detailed billing can be safeguarded.
Other Members have referred to the rights of data subjects, which include the right of access to personal data and rights to compensation, rectification and erasure. I have been the victim of a false computer entry. On a visit to the national exhibition centre, I was shown Prestel. The gentleman showing me the system thought that he would please me by showing me my own entry, among the entries for Members of Parliament, retrieved through electronic means. Immediately the name "Golding, John" appeared on the screen and the entry "Sacked by Michael Foot." I have never been sacked by my right hon. Friend. I have never held an office to be sacked from. I immediately started to try to rectify the defect. The incident brought home to me the dangers involved in the holding of such information. I had to send a message to a faceless databank, informing it that its information was inaccurate. My right hon. Friend may have wished to sack me, but one cannot sack anyone who does not hold office. That information would have been transmitted to and used by Prestel users without my knowing what was on the computer.
What is wrong with the Bill is the great barrier created by the fact that one can do nothing to secure the right of access, get compensation of inaccuracy and secure rectification and erasure except through the court. The Minister looks at me sceptically, but as I read clause 21 the only access is through the court. I may be wrong—if the Minister wishes to tell me so, I shall be glad to let him—but it appears to me that the court is called in under clause 21(8).
§ The Minister of State, Home Office (Mr. David Waddington)
I intervene because I suspect that the hon. 611 Gentleman wishes me to do so. One does not necessarily have to go to court. The registrar might intervene because he felt that one of the data principles had been ignored. He could then use his power to issue an enforcement notice or begin the deregistration process. Not all the rights of the subject depend on the courts.
§ Mr. Golding
It is possible, however, that the principles might not cover a particular case, and one would have to resort to the court. That is unsatisfactory, because there are still great barriers facing ordinary people of limited means wishing to bring an action before the court. Every week we discover at our constituency advice bureaux that people do not get their rights if those rights depend on going to the courts. The courts may be fair and reasonable, but solicitors generally advise ordinary people at a very early stage not to go to court unless they have a substantial amount of money behind them. That is a grave defect of the Bill. The right of access to personal data is very important, but it may be too difficult for ordinary people to exercise that right. It should be made easier if not to obtain compensation at least to ensure the erasure of information that the individual claims is erroneous. It is wrong that information about an individual should be constantly flashed around the country when the individual has no immediate right to say that the information is wrong and must be withdrawn, and is seems wrong that the individual should have to go to court to enforce that right.
Clause 22 deals with compensation for inaccuracy. Again, it does not seem entirely watertight. Subsection (1) states:A data subject who suffers damage by reason of the inaccuracy of personal data held by a data user shall be entitled to compensation for that damage from the data user.Subsection (3), however, states:For the purposes of this section data are inaccurate if incorrect or misleading as to any matter of fact, but data accurately recording information received or obtained by the data user from the data subject or a third party and indicating that it consists of such information shall not be regarded as inaccurate because that information was itself incorrect or misleading.The get-out there is to use a third person who is a straw man. It should not be a defence to say that the information was obtained from somebody else. The Minister is an able lawyer. He may tell me that my intepretation of the clause is wrong, but, if it is not, he should reconsider the matter. Otherwise, there will be a gigantic loophole in the structure of the rights of data subjects.
The exemptions are also important. Clauses 26 to 32 are the copouts. This Data Protection Bill purports to defend data subjects, but there are sweeping exemptions. Clause 28 will certainly cause great controversy in Committee. It is the Home Office's self-protection clause. It provides that there shall be no rights if they impinge on the work of the Home Office. There are sweeping exemptions with regard to crime, taxation and immigration control. If the exemptions are not far more tightly worded, the legislation will not be worth the paper on which it is written.
I do not believe that there is any Opposition Member who would not wish to act with the Government in defence of national security or in opposing those who involve themselves in serious, especially violent, crime. At the same time, we must ensure that the exemptions do no make nonsense of the Bill. The hon. Member for Huddersfield, West was right when he pointed out the Bill's grave deficiencies.
The Bill will require and receive a great deal of scrutiny from both sides in Committee. It will be a worthy piece 612 of legislation if it is tightly worded. It is right that people should have privacy. The hon. Member for Huddersfield, West was right to attack industrial espionage and to mention the increasing use of commercial information to the detriment of British interests. However, considerations that affect the privacy of the individual are more important than commercial considerations.
The Post Office Engineering Union deals with the world of data transmission and new information technology and it is the first to realise how important it is to have control. Please let us have stricter control than the Government propose.
§ Mr. John H. Osborn (Sheffield, Hallam)
I apologise for not being here at the beginning of the debate. I wished to hear my right hon. Friend the Home Secretary define clearly what the Home Office and the Government hope to achieve by the Bill and what future legislation on this subject they propose. I was in Sheffield at the annual meeting of the chamber of commerce. Sheffield is worried about the decline of its traditional industries. At the meeting the outgoing and incoming presidents and many leaders of industry expressed their wish to use the new technologies. Information storage and retrieval, information technology and the microchip are new technologies that the city of Sheffield would welcome.
The hon. Member for Manchester, Blackley (Mr. Eastham) expressed the opinion, which has been expressed throughout the debate, that the Bill does not go far enough. That will be my theme. My hon. Friend the Member for Huddersfield, West (Mr. Dickens) listed many matters that have been excluded—credit rating, bugging of telephones and industrial espionage and its effect on exports and the pinching of information held on company computers The Bill deals with personal data and privacy and 1 wish to ask a series of questions. To what extent is a bank statement personal data? Access to bank statements can be obtained easily if there is a mistake in the computer locking. Does the Bill hit the nail on the head, and, if so, what nail? What nail does the House wish to hit by the legislation? I have been interested in the transmission of information, data communication and storage for some time, within the House as a member of the Parliamentary Information Technology Committee and the Parliamentary and Scientific Committee and also within the Council of Europe.
The Bill has been scrutinised by the House of Lords, which has done much useful work. I have read many of the debates in the other place. However, I have realised that what is desirable may amount to asking for the impossible. Perhaps the convention and the Council of Europe are asking too much. Perhaps those with the vested interest of looking after the individual are also asking too much.
I read schedule 1 with fascination. It made me think about personal data. Reference has been made to personal files other than on a omputer—medical files in a hospital, social security files and personal data files held everywhere. Looking through the debates and the wind-up speech in the House of Lords—I presume that this matter has been raised already in the debate—I thought that the intention was that the Bill should deal only with information on a computer and not with that on ales. However, much vital information need not be stored on a computer bank. I know that from experience in industry. 613 About 20 or 30 years ago, when I put in sales and statistical systems using the forerunners of the computer, I found that basic information was being prepared on a listing machine and tabulated quite easily. Therefore, when tackling the computer, is the House going far enough if it ignores the file? I should like guidance from my hon. and learned Friend the Minister of State when he winds up.
Files are only too readily accessible in Ministries, hospitals and Government offices. A person who knows his way around files can have access to them out of hours, put them through a duplicating or photocopying machine, and that personal data and information can get out. That is undesirable. Such activity must be related to the activity with which the House is trying to deal in the Bill.
I welcomed the White Paper that was published a year ago, and the European convention, which was brought to my attention when I entered the Council of Europe for the second time. It had been achieved as a result of a report of the Science and Technology Committee, of which I am now a vice-chairman. That committee is now monitoring with interest what national Governments do. The resolution fascinated me. Paragraph 1 stated:The Assembly,
- 1. Convinced that the pace of technological development in data processing and telecommunications should be matched by effective national and international legislation to protect the rights and interests of citizens, and in particular the right to privacy in accordance with Article 8 of the European Convention on Human Rights".The resolution went on:This measure meets that convention.
- "a. to invite the European Parliament to direct its attention to how action within the framework of the European Communities could most effectively strengthen the principles and provisions to be embodied in the convention on data protection of the Council of Europe;
- b. to call on national parliaments in those countries where such action may still be necessary".
I shall relate some interesting experiences. I followed data transmision many years ago in the services and as an industrialist, but I find keeping up to date a challenge. I am a subscriber to Prestel. I have an account number and a call number and access to some computers. I am worried about the confidentiality of Prestel and similar operations, particularly when individuals use their services in the wired city and in the home, and about whether such facilities are covered by the Bill.
A robber can always gain access to files and photostat them, and it will be possible for the more sophisticated robber in the wired city to gain access to a variety of files. A person wanting to gain access to files will need the correct code and key, but we have heard how easy it is to buy transmission lines.
It is important that files are kept up to date. I have recently received letters from two insurance companies telling me about the wonderful bonuses that I have earned from insurance policies that I took out 15 or 20 years ago. However, I cashed in those policies 10 years ago. Obviously, no notification was given to the computer and if I claimed the money on those policies I am sure that the computer will be corrected. I shall be trying that in the next few weeks. My experience shows that those who put information on computers must be careful to manage the installations correctly.
Clause 19 sets out the penalties. It seems from clause 20 that even if an individual is part of a corporate body he 614 will not be exempted from the penalties. The maximum penalty is a fine of £1,000 and, given that information can often be worth much more than that, I wonder whether the proposed fines might be regarded as trivial. I would welcome guidance from my hon. and learned Friend the Minister of State.
I have in mind the pressures of the European convention and I am anxious about enforcement. We have talked about the registrar, the tribunal, the registration and supervision of data users and those matters can be examined in Committee. But they all depend on enforcement.
Will anyone be aware that a third party has found the key to give him access to databanks? All Parliaments are seeking to ensure that if a criminal in the wired city is obtaining valuable information in that way he will be detected.
It is easy to say that the Bill does not go far enough, but it is right that the House should endeavour to take a first step on solid ground. I welcome the fact that the Bill is supported on both sides of the House.
§ Mr. Peter Lloyd (Fareham)
It is a pleasure to follow my hon. Friend the Member for Sheffield, Hallam (Mr. Osborn) as he has a great deal of specialist knowledge on computers and therefore on this subject. The Bill raises complex questions. However, they do not, as those of us who do not know one end of a computer from another feared, need technical knowhow to understand them. Our task is to determine how and in what way the law can pick its club-footed way between the various pressures, interests, and conflicting rights that go to make up the basic problem.
Individual privacy versus needs of state is the best-known and most argued conflict, but in some ways it is the most straightforward. Much more difficult is the individual's or private organisation's rights to make efficient use of the full range of information available to it against the right of another set of individuals to its own privacy. Moreover, it is often in an individual's interest to be known about—something that is forgotten. A mental handicap is a condition of which the details should generally remain private. However, it is often a great help to the patient and his family if his circumstances are known to other agencies and services. There tends to be too little co-operation within the National Health Service as it is, let alone with other bodies such as the local authority welfare organisations, and voluntary organisations outside. I fear that one of the demerits of the Bill is that it may make it more difficult for this co-operation to increase, or even to take place. I should be grateful if my hon. and learned Friend the Minister of State would reassure me on that point.
The Government have been criticised for delay in producing the Bill. I congratulate them for steering a way between the rocks and shoals of this difficult subject and putting legislation before the House. I also congratulate them particularly on rejecting the Lindop recommendations, which would have meant an unwieldy data protection authority and a multitude of codes of practice that I suspect would have ensured only one thing—neither the data processor nor the data subject would know where he stood.
I congratulate the Government also on not including in the Bill provisions on manual records. Had they done so, 615 we should still be waiting for the Bill. I can see no possible way of devising satisfactory legislation that would have brought this provision in, although I hope that it will be possible to do so in the future. We are legislating because the electronic means of storing, adding to, retrieving and reassembling data has infinitely extended the fears and concerns that apply to manual data. It would be physically impossible to achieve the same result with manual data.
If I understand the Bill correctly, the non-disclosure provisions do not operate for security, taxation, police and immigration, where the appropriate authorities are seeking information. What I am not clear about from the Bill—no doubt it is my careless reading of it—is what sanction the authorities have in insisting on disclosure where the hospital, bank or any other organisation in control of data feels that its first loyalty is to its patients or customers. I assume that the powers are not in the Bill, but are perhaps part of the Police and Criminal Evidence Bill. I should be grateful if my hon. and learned Friend would make that clear.
There is another side to the Bill that is worrying me and a number of other hon. Members. If all electronic methods of storing information have to be licensed and come within the ambit of the law, there is an incentive for organisations to eschew technical advances and avoid trouble. I fear that the effect of the Bill in this respect may be a negative one, though I am glad and relieved that where information is held purely for statistical purposes—which did not seem to be the idea when the Government produced their first thoughts—access will no longer apply, because that would have dealt a mortal blow to market research companies and some forms of academic research. It is clear from this that the Government are open to persuasion and representation, and I suspect that there will be other areas in Committee where the same qualities becomes apparent.
I am also worried that the Bill appears to apply to all computer data except that concerned with purely domestic matters. What worries me is perhaps best shown by an example. My hon. Friend the Minister for Industry and Information Technology is vigorously and with great gusto thrusting minicomputers into schools up and down the country. Under the Bill, I presume that if an enthusiastic football captain wrote into the school computer the qualities and attributes of his potential players for his private guidance, he would be committing a criminal offence if he was not registered or if he did not provide access to all on whom he was very frankly making his private comments. I hope that the Minister will deal with that possibility because I believe that the extensiveness of the Bill and the fact that it appears to apply to all computer systems, large and small, could make the law look ridiculous.
I am also concerned that the principle enunciated in schedule 1 may have the effect of making industry less flexible and responsible. What happens when information collected for a specified purpose—a purpose duly registered—is needed because of some other development for a different but in itself wholly legitimate purpose? What is the position of the data and the data processor there? Can the data processor go ahead and re-register himself under a new purpose, or will this be a matter for the registrar's discretion? This would be absurd, but it is the logic of the position: would we have to go back to all his sources of information and start again?
The Bill gives useful additional protection to the individual as a data subject without taking any existing 616 right away from him. We can be grateful for that. It takes some rights away from data processors. I hope that the price to be paid will not be the under-utilisation of computer systems which can do so much to benefit everyone.
I am certain that the Bill will not be the last legislation on the subject. That is why the Government are right to bring forward a relatively modest measure. The establishment of the registrar and especially the duty placed upon him to report annually will, I suspect, prove to be the most fruitful and significant part of the Bill. I hope that it will be the means whereby, in what is by general agreement a very complex area, the real problems and potential abuses are genuinely understood and the remedies canvassed can be examined not merely for their effectiveness in dealing with the problem in question but, just as important, for their side effects on the quality of services which rely on personal data to function to the benefit of the individual and society as a whole.
§ Mr. Neil Thorne (Ilford, South)
It is a great pleasure to follow the extremely well researched and thoughtful speech by my hon. Friend the Member for Fareham (Mr. Lloyd).
I gained the impression from the right hon. Member for Birmingham, Sparkbrook (Mr. Hattersley) that he and his colleagues on the Opposition Front Bench felt it important that, with the notable exceptions of himself and my right hon. Friend the Home Secretary, it was advisable to be an authority on computers to participate in this debate. I do not share that view. I believe that it is the principles not the technicalities, that are important in the debate.
It is not necessary to be well versed in the art of computer hardware and software, or even to know the difference between spools and floppy discs. We all know sufficient about computers to be aware that the information that they collect can be a great boon or a vile menace, depending on the hands in which the information is held.
I do not agree with Opposition Members about the desirability of a commission instead of a registrar. I share the concern of my hon. Friend the Member for Huddersfield, West (Mr. Dickens) about the number of staff required to perform the task, but I am sure that the power would be far weaker if the Parliamentary Commissioner for Administration were replaced by a commission with a chairman and members. If real action is required, there must be a single controller, although, of course, appeals will properly be dealt with by a tribunal.
It has been said that this legislation arises directly out of the requirements of the European Community. We have been told that the Government were ill advised previously on the subject. I do not agree. Many people in this country are reluctant to be dragged behind the European bandwagon, particularly on an issue of this nature. We are rightly considering the matter in our own way, and, as my right hon. Friend the Home Secretary said, it is right and proper that each should consider the matter as it affects that specific country.
It is true that mistakes in financial affairs can have serious repercussions, so information collected on computers can have a most serious effect. The irresponsibility of some people in money and other matters is well known, but we have all heard about the student at university who, with the help of hire purchase, buys a secondhand car which breaks down soon after delivery and 617 there is then a dispute with the vendor. There will be an indelible effect on his financial affairs for the rest of his life if the matter is recorded on a computer. I am sure that none of us wants such an event to be recorded and held against a person for the rest of his life.
However, it is important to know who the bad payers are, because ultimately the cost falls on the rest of society. Therefore, the computer should take its rightful place in establishing creditworthiness. We should take full advantage of the sophistication that is now available in this regard so that the costs of hire purchase or credit services are kept to a minimum in the interests of the vast majority of respectable and responsible citizens.
However, I have reservations about the Bill. There are considerable areas of doubt about limited liability and the people who operate through these bureaux. I hope that my hon. and learned Friend will assure me that it will not be possible for an individual to set up in business running a computer bureau, pay a fine—if a fine is assessed—and subsequently re-establish another business under another name. I hope that the penalties are personal and held against the individual. The penalty should have a lasting effect on the person, not on the limited liability company, because it is easy to hive off responsibility in that way.
The tribunal and appeals structure set out in the Bill seems to leave plenty of room for manoeuvre for the unscrupulous. I should have liked some limitation to be imposed in this connection, because the person or organisation concerned should not be able to postpone for considerable periods the real effect of being struck off by the registrar. It is important that one should be able to deal quickly and efficiently with the matter. I know that that is dealt with in the Bill, but I should be grateful if my hon. and learned Friend will confirm that such a measure can be effectively and efficiently introduced, even part of the way through a process, if it appears clear that legal formalities are being used purely and simply for the purpose of wrongly continuing in business.
There is an obvious need for the Bill, and I welcome it. I hope that the Bill will proceed through the House and that during its passage it will be considerably improved.
§ 9.5 pm
§ Dr. Shirley Summerskill (Halifax)
Today we have been debating what is in effect a computer data protection Bill. Its effects are that fundamental issues of civil liberty are still at stake. Its provisions lag behind those of other European countries by several years. As my hon. Friend the Member for Stockport, North (Mr. Bennett) said, an opportunity has been lost.
People can be exposed to serious risks from computerised and manual information systems but in Britain at the moment there is no legal right to privacy and the Government should have borne that in mind in drawing up the Bill. It should have been a privacy Bill as well as simply a Bill on computers. Several attempts to amend the Bill sensibly and constructively in another place completely failed in the Division Lobby. The Government were rightly accused of obduracy and of a determination that compliance with the convention should be minimal rather than generous.
The Lindop committee's two major recommendations, the result of a wide-ranging study of this subject which took two years, have been ignored in the Bill. The 618 committee proposed the setting up of a statutory data protection authority with powers to inspect computer systems. That is not in the Bill. The committee also asked for detailed codes of practice for computer users to be drafted by the authority, which would acquire the force of law. That is not in the Bill. The Home Secretary did not really explain why those important recommendations were excluded.
Legislation is long overdue after 15 years' research and debate. No doubt Conservative Members will say that the Labour Government should have brought in such a Bill but that does not detract from the fact that now that the Bill is being brought in it should be something far greater than this mouse of a piece of legislation. It would appear that it has been stimulated only by a necessity to comply with the convention.
The House agrees that privacy and accuracy of data are important in jobs, academic qualifications, health, politics, criminal records, race, religion and so on. However, the serious deficiency of the Bill that has been pointed out by so many hon. Members today is that it is concerned only with information on computers and not with information on manual records, cards, files or computer print-outs. At the moment most data are kept on such manual records. Several hon. Members have said that the Bill will create a positive incentive for industry to transfer data from computers to manual records or to prevent it from being transferred from manual records to computers. That would damage the development of the United Kingdom computer industry, which is vital to our economy and would not be a good contribution to information technology year, which the House is supposed to be supporting and celebrating. As my hon. Friend the Member for Cannock (Mr. Roberts) said, it turns back the clock on computer technology. The Society of Conservative Lawyers has made this point very strongly.
How much information is on manual records at present and what protection do those records have? The Bill gives them no protection at all. The experience of most western European data commissioners is that manual records provide the majority of data subjects' complaints and they are the main threat to individual privacy in this country. The information can be inaccurate, irrelevant, incomplete, out of date and liable to unauthorised access. The previous Minister of State visited four European countries but he did not see fit to visit America. Under USA privacy legislation no distinction is drawn between manual and computerised systems. It would have been useful if he had visited that country and tried to emulate that aspect of American legislation. That view is strongly held, not only by Opposition Members but by consumer organisations, the British Medical Association, many computer bodies and the Society of Conservative Lawyers.
The data protection principles leave much to be desired. I quote the Society of Conservative Lawyers to which the Home Secretary did not refer in his speech. The principles can be modified or supplemented by the Secretary of State. The lawyers have said that the provisions for making regulations do not amount to an appropriate safeguard. The result of the Bill will be, in effect, that the Home Office will draft the regulations even though it is that Department that keeps many of the records involved, such as criminal, security, immigration and prison records.
The Labour party welcomes the fact that the registrar will be appointed by the Crown, although it objects to the fact that a single person should hold this huge 619 responsibility and that an authority has not been appointed, as my right hon. Friend the Member for Birmingham, Sparkbrook (Mr. Hattersley) said, which could stand up to the Government. Unfortunately, the Home Secretary will appoint the registrar's staff and control his budget.
I come to the right of individuals to obtain details of personal data about themselves. This point was strongly felt by my hon. Friend the Member for Manchester, Blackley (Mr. Eastham). This part of the Bill is totally inadequate because it does not provide any effective right to challenge or to correct the contents of personal records. There is no point in granting a right to access and to inspection of a personal record unless that carries with it the right to challenge its contents. There should be an easily available and simple administrative remedy, as is provided by the Consumer Credit Act 1974. There is a precedent there.
Under the Bill a person can be informed that a data bank contains his or her personal data unless it is exempted. He can be provided with a written copy of the record. If it is inaccurate, there is no power for the individual to require the data user to correct the details, nor does the registrar have to deal with such complaints, as my hon. Friend the Member for Newcastle-under-Lyme (Mr. Golding) pointed out. If the registrar does not deal with the complaint, the only remedy is for the subject to bring legal proceedings, which are expensive, complex and lengthy. Even then, he has to prove that he has suffered damage through the use of inaccurate personal data before he is entitled to a court order that the data be corrected. That is another difficulty in his path. Why is there a refusal to secure correction of data? Schedule 1 makes it even more confusing. On the one hand it quotes the European convention thata data subject shall be entitled, where appropriate, to have personal data corrected or erased.On the other hand, schedule 1 also states thatThe correction or erasure of personal data is appropriate only where necessary for ensuring compliance with the other data protection principles.That makes the whole issue even more confusing. Perhaps the Minister would explain that discrepancy. We suggest that the registrar should be given the power and duty to investigate individual complaints and, where appropriate, order the rectification or erasure of data.
My hon. Friend the Member for Oldham, West (Mr. Meacher) and other hon. Friends have already referred to the vexed question of exemptions. Clause 28 is far too sweeping in its powers and is possibly the gravest fault in the Bill. The key principle of data protection is that information should be regarded as held for a specific purpose and not used without appropriate authorisation for other purposes. The four items that are exempt from the subject access and non-disclosure provisions are all very well taken on their own, but great concern has been expressed about the implications for the privacy of data.
As a result of clause 28, highly sensitive information could be secretly transferred between the police, the Inland Revenue, Customs and Excise and immigration authorities without any restrictions or safeguards. The Lindop committee called it a "fraud on the public" in a memorandum to the Home Office in June last year. Again, the Conservative lawyers and the BMA have objected strongly to the implications of clause 28. The clause refers to data held forthe prevention for detection of crime620 being exempt. Does that mean all crime; even the most minor seat belt and parking offences? Should not "crime" be defined and restricted to serious criminal activity?
The relevant article of the European convention refers toa necessary measure in a democratic society in the interests of protecting state security, public safety, the monetary interests of the state, or the suppression of criminal offences.As the provision is worded, it is far too sweeping to be acceptable.
In the past few months the Home Office has succeeded in politically antagonising doctors more successfully than at any time since the post-war Labour Government established the Health Service. Doctors are normally too busy and preoccupied to enter public political debate, but there has been a flurry of press statements, lobbying and letters to Members of Parliament from the BMA since the new year, both nationally and at local branch level. Even the disastrous reorganisation of the Health Service by the right hon. Member for Leeds, North-East (Sir K. Joseph), now Secretary of State for Education and Science, did not produce such activity from the BMA.
Three issues have generated the doctors' concern. The BMA has totally condemned the Government's assumptions about the possibility of the population's survival in the event of nuclear attack and about the ability of medical services to operate. On the Police and Criminal Evidence Bill the doctors have combined forces with both Anglican and Catholic bishops, the Law Society, the National Union of Journalists and many others in strongly opposing the important parts of that Bill that deals with the protection of the doctor-patient relationship and confidences between them. They want to protect that relationship from unjustified intrusion by the police or anybody else. Notes on patients are a vital part of any doctor's health care and fight against desease. A physician who taught me always used to say, "Listen to what the patient is saying, he is telling you the diagnosis." The patient tells a doctor not only about the physical complaints, but about his family and his most personal circumstances. There are more than 20,000 general practitioners in Britain today, 95 per cent. of whom write notes by hand and do not use computers. Hospital doctors do not use computers to any greater degree than general practitioners. None of those records is covered by the Bill, and no privacy is ensured.
The computers covered by the Bill pose a serious threat to the confidentiality of records. Patients want to feel free to disclose to a doctor—and only to a doctor—details about their personal lives. Doctors want to preserve that trust and do not wish information to be disclosed to a third party without the patient's knowledge. An inherent part of the Hippocratic oath states:Whatsoever things I see or hear concerning the life of men … which ought not to be noised abroad, I will keep silence thereon, counting such things to be as sacred secrets.I regret that the Home Secretary, when he opened the debate, did not even mention the strong representations made by the BMA. It was as though it had never written to him, spoken to him or voiced a view. It was wholly ignored in the right hon. Gentleman's justification of the Bill.
The proposals made in another place for a mechanism whereby exempt disclosures under clause 28(2) would have to be notified to the registrar and authorised by the responsible doctor or patient—the registrar would keep a record of them—were rejected by the Government Minister. He did, however, say that he would consider the 621 matter. I hope that in Committee the Government will see fit to come forward with the results of their consideration. As the clause stands, it permits a doctor to disclose personal data for certain purposes, without him being liable to penalty. Such blanket exemption may not require disclosure, but it will make it difficult for doctors not to do so when asked. Medical data should be disclosed only under the compulsion of law. Anybody in charge of medical data should have a statutory responsibility to keep the information safe, and should face criminal sanctions if the information is leaked.
The Home Secretary has received a letter from Sir Douglas Black, the president of the Royal College of Physicians, representing the views of the college, the BMA and the Royal Colleges of Nursing and Midwives. It was pointed out that the proposal in the Bill is wholly unacceptable. If patients believe that confidential information may be passed on without their knowledge, or sent to computer systems, or if doctors believe that people with access to their records can pass on the contents without their knowledge, patients and doctors will obviously limit the information given and received. Yet all attempts to improve the Bill were opposed by the Government in another place, and defeated in the Lobby.
The 1982 White Paper on data protection recommended that an advisory committee should be set up to advise the Government on possible changes to the legislation and to advise the registrar on his functions. Perhaps the Minister could tell the House why that recommendation has not been adopted. The advisory committee could advise the Government or advise the registrar, but no such committee is included in the Bill.
The registrar will have an enormous job in overseeing the registration of different data users. We do not know how many there are—different estimates have been given throughout the debate—but there are estimated to be many thousands, all dealing with different subjects. It would surely help if the registrar had access to a body of experts who could provide advice and be consulted, if necessary. Such a committee would be able to advise simply and without delay on a range of aspects of data protection.
Under clause 33(2) the registrar has a wide range of powers, but few statutory duties. There is a clear difference between powers and statutory duties. He is left with far too much discretion whether he does or does not do something. Again, in another place, attempts were made to remedy this. We recommend that an amendment should be introduced to stress to data users and data subjects not only the fact that advice can be sought from the registrar but the benefits of electronic data processing. As it stands, the Bill makes no provision to require the registrar to promote and facilitate compliance with the principles set out. He is not obliged to comply with them. It would help the registrar if he knew exactly what his duties and powers were. It would help the public and the registrar if these were clearly included in the Bill.
Clause 13 is too restrictive on appeals to the tribunal. It should be possible to appeal to the tribunal if one is a data subject complaining that the registrar has been too lax with the users of the data or to question a decision of the registrar. At present a data subject cannot appeal to the tribunal. As the Bill stands, only data users complaining that the registrar has been strict with them can appeal. The 622 Lindop committee has criticised that as a deficiency in the appeals system of the Bill. Clause 3 states that the tribunal will consist of barristers, solicitors and those withprofessional knowledge or experience of the use, design or manufacture of data equipment.Should it not also be laid down that the ordinary data subject should be represented on the tribunal? I know that my hon. Friend the Member for Manchester, Blackley agrees with that, because he said that he was speaking on behalf of ordinary folk, not on behalf of industry, lawyers, doctors or computer operators. He wants to have injected into the Bill the right for ordinary people to preserve their privacy and to have rights with regard to the powers of the registrar and appeals to the tribunal.
The hon. Member for Thornaby (Mr. Wrigglesworth), who is no longer present, made a good speech, and I am sure that in Committee he will be voting with the Opposition on all our amendments. As the hon. Gentleman said, a data user could wait up to two months for the registrar to inform him whether his application for registration or for the alteration of registered particulars had been accepted or refused. Representations have been made by several companies—British Airways, British Caledonian Airways, BP International, Unilever and the Bank of America—that this delay could unduly restrict business activity. This, again, was raised in another place, and the Government said that they would consider how to achieve more flexibility in the requirement. Perhaps the Minister will say what has been the result of his consideration. Has he considered allowing data users, whose original registration details have already been approved by the registrar, to implement the required change to their registered details while notifying the registrar at the same time? They would be aware that if they offended against the data protection principle they would be punished with deregistration. Surely that suggestion would cover the concern of the companies that I have mentioned.
It is regrettable that if the Bill, as it stands, becomes United Kingdom law, data protection and privacy law will lag behind the legislation of most other industrialised countries. The Bill is deficient and difficult to understand and operate, and merely pays lip service to the privacy of the individual. The most glaring deficiency is that it relates only to one type of record keeping—the minority type. The majority of record keeping is not covered by the Bill. If the most personal details of an individual's life are automatically processed, there is a chance that he will be able to see and possible correct them, but if they are handwritten he will have no rights whatsoever.
The Bill goes some way towards protecting the rights and interests of individuals, but it will need considerable amendment in Committee. If it is not amended, we shall have to vote against it on Third Reading.
§ The Minister of State, Home Office (Mr. David Waddington)
I am especially glad to see my right hon. Friend the Member for Aylesbury (Mr. Raison), the Minister for Overseas Development, on the Government Front Bench. When my right hon. Friend held my present office in the Home Office he did a great deal of work on data protection and consequently made my task that much easier.
I have no doubt that data protection is an issue of considerable concern. One thing is certain—we are all data 623 subjects. Everyone in the Chamber must figure on scores of computers. However, we also have an interest in the well-being of data users. The right hon. Member for Birmingham, Sparkbrook (Mr. Hattersley) said, "I am a data subject," but I hope that he did not forget at that moment that, like all of us, he is a beneficiary of the existence of data users. Government Departments can provide a better service to the public because of the use of computers. Industry and commerce can be more efficient and also provide a better service. Clubs, charities, trade unions and all data users are able to do a better job as a result of using computers to process information.
There have been many strands running through the debate, but there has been one constant theme. A general welcome has been given to the idea of legislation for data protection. I detect little feeling on either side of the House that the Government are wasting scarce parliamentary time on a measure of this sort. The principle of data protection is clearly accepted. Although the Bill's consideration in Committee will no doubt produce interesting suggestions for amendment, I think that few do not want legislation to reach the statute book this Session.
In answer to a question by my hon. Friend the Member for Sheffield, Hallam (Mr. Osborne), we hope to hit two separate nails on the head. Of course, people's reasons for wanting the Bill differ. Some see the Bill predominantly as a means of safeguarding the little man against "them"—the faceless, heartless ranks of databanks which they claim swallow, digest and regurgitate personal information with scant regard for the individuals who are the subjects of that information.
In opening, my right hon. Friend the Home Secretary emphasised that the Government do not subscribe to the view that there is abundant abuse or misuse of personal data that are held on computers. The Lindop committee reported that there is little evidence of abuse. That is a fact to which my hon. Friend the Member for Dorset, North (Mr. Baker) drew attention. We recognise the potential for mischief and the public's wish for controls to prevent mischief. We must put the matter in proportion and recognise that there is no evidence of great abuse.
It is legitimate for people to use the measure to safeguard British commercial and trading interests and jobs. The hon. Member for Cannock (Mr. Roberts) recognised that, as did my hon. Friend the Member for Fife, East (Mr. Henderson) and the right hon. Member for Sparkbrook. Many European countries have already legislated in this sphere. Having ensured the protection of personal data within their borders it is understandable that they do not want such data sent abroad if, in the process, domestic protection is lost.
International business increasingly depends on trans-border flows of information, much of which is personal. It is therefore vital that we take action to reassure others in Europe that personal data sent here will benefit from protection equivalent to that which applies on the continent. I make no bones about that.
Of course the Bill is important. It is very important for trade purposes. I was surprised when the Liberal party spokesman, the hon. Member for Bermondsey (Mr. Hughes), came close to saying that the Bill did not seem all that important. The Government have a foot in both camps. They recognise the force in the privacy and individual rights argument and in the commercial and trading interests argument.
624 It is not a partial Bill. We are seeking to help subjects and users alike. The delicate balance to be struck between subjects and users interests will be referred to repeatedly in our detailed consideration of the Bill. I hope that hon. Members will heed the advice of my hon. Friend the Member for Huddersfield, West (Mr. Dickens) who spoke of proceeding briskly.
There are two schools of thought. Some say that the Bill is too weak; others that it goes too far. Some say that manual data as well as computerised data should be covered. That was said by the right hon. Member for Sparkbrook, the hon. Member for Halifax (Dr. Summerskill) and my hon. Friends the Members for Bournemouth, East (Mr. Atkinson) and Huddersfield, West.
The Orwellian prospect of legislation aimed at every box file does not fill me with enthusiasm. As my hon. and learned Friend the Member for South Fylde (Sir E. Gardner) said, that would put an intolerable burden on users in industry and commerce which would be relieved only if the legislation were found to be unenforceable. After all, it was computerised information with which Lindop was concerned.
§ Dr. Summerskill
Can the hon. and learned Gentleman tell us about the American experience? In America, legislation on both computer and manual information is in force.
§ Mr. Waddington
I do not have first-hand experience of what happens in America. All I know is that those who have examined the problem here have come to the conclusion that such legislation would impose an appalling burden on British industry. I should not like that burden to be placed upon British industry at any time, let alone at the present time. Lindop dealt with computerised information. The public's concern is about computerised data, not manually-held information.
I do not believe that people will give up using computers for sensitive information as a result of the Bill, as was suggested by the hon. Member for Cannock. It would be commercial madness for anybody who now has the benefits of a computer to throw them away.
The hon. Member for Halifax said that the registrar should have clear statutory duties that would guarantee that he would take action in specific circumstances. She said that he ought to have to deal with specific complaints. But it would not be right to tie the registrar down in that way. He will be faced with an infinite variety of cases in which data of all kinds are used in a vast number of different ways, and he will need to exercise his discretion. If we did what the hon. Lady recommends, the registrar could be faced with a cascade of complaints, which would waste a great deal of his time. What we want is the appointment of a sensible independent-minded person who would concentrate his attention on the areas where it is really required. To impose specific duties on him would almost certainly mean action being taken which, while damaging to the user, would do nothing for the subject.
The right hon. Member for Sparkbrook, the hon. Member for Thornaby (Mr. Wrigglesworth) and others said that the exemptions in the Bill, particularly those in clause 28, were too wide. However, everyone would concede that there must be exemptions. That must be common ground. The European convention recognises the need for exemptions, and all European laws in this area contain exemptions of one sort or another.
625 The exemptions certainly do not give the police or any other body any new powers. The police are given no powers to compel data users to divulge information. This is a Data Protection Bill, not a data disclosure Bill. Clause 28(2) states only that, whereas normally the user must not disclose personal data for a purpose not specified on the register, he may so do if he has reasonable grounds for believing that failure to disclose the information will be likely to prejudice, for example, the prevention or detection of crime. It is his decision, and his decision alone.
There is no compulsion. Indeed, there are no implications that disclosures are desirable. There is simply a recognition that a user may himself judge it to be in the public interest that he should disclose information to, for instance, the police—although, as one would expect, disclosure for the prevention or the detection of crime is not one of the purposes specified in his registration particulars. It would be irresponsible of us, and would show a complete disregard for the needs of the community, if we did not provide for such an exemption and if we prevented the user from doing what he thought right when asked for assistance by the police.
There is nothing in the Bill to oblige anyone to disclose medical records. The Bill does not alter the law in any way against the interests of doctors. Doctors are in no way compelled to disclose information.
There are those who say that the Bill goes too far. They say that certain types of information should not be covered by it.
§ Mr. Golding
Will the Minister name the hon. Members who have claimed that the Bill goes too far? What arguments did they use?
§ Mr. Waddington
Some hon. Members have said that certain kinds of personal data should not be covered by the Bill. One hon. Member said that opinions about people should continue to be confidential and should not be revealed to the subjects. Others suggested that certain information was so harmless and well known that there was no need to bring it within the scope of the Bill. Indeed, the hon. Gentleman's hon. Friend the Member for Cannock referred to the fact that certain data might be so harmless that it would be unnecessary to include them in the Bill.
§ Mr. Gwilym Roberts
My point was that the limited facilities and staff available to the registrar would make it impossible for him to deal with the enormous problems in this area. Therefore, if the Government insisted on that arrangement, one area that would have to be excluded would be that of common files, payrolls and so on.
§ Mr. Waddington
I am sure that the hon. Gentleman would not have suggested that common files should be excluded if he believed that they ought to be included, so I was right to say that he suggested that in at least one respect the Bill went too far.
The right hon. Member for Sparkbrook said that the exclusions were so wide that we might not comply with the convention. I am sure that he is wrong. Certainly no European country that has legislated has suggested that our proposed legislation will not fulful our obligations under the convention or will present them with any problems as 626 to whether to allow computerised information to pass from that country to this. The scope for exemptions in article 9 of the convention forces one to conclude that we could have made our exemptions a great deal wider and still have complied with the convention.
§ Mr. Andrew F. Bennett
Is the Minister telling this Parliament that he has shown copies of the Bill to other European Governments? Is that correct? If that is the case, what observations have they made and what suggestions, if any, have they made for the improvement of the legislation?
§ Mr. Waddington
I said that so far as I knew no one had suggested that when the Bill reached the statute book we would not be in full compliance with the convention. Article 9 of the convention provides:Derogation from the provisions of Articles 5, 6 and 8 of this convention"—the access provisions relating to data principles, special protection for racial data, and so on—shall be allowed when such derogation is provided for by the law of the Party and constitutes a necessary measure in a democratic society in the interests of:One can hardly envisage greater scope for exemptions than that provided by the convention itself.
- (a) protecting State security, public safety, the monetary interests of the State or the suppression of criminal offences;
- (b) protecting the data subject or the rights and freedoms of others."
The right hon. Member for Sparkbrook said that Labour Governments were always defeated before they could legislate to provide a general right of privacy in these matters. I do not know whether it is unparliamentary to say "Ho, ho" to that, but it is certainly nonsense. The Labour Government had ample time to legislate for a general right of privacy if they had wished to do so, but they did not do so. I assume that that was because the Younger committee recommended against such a general right. I have enough respect for the common sense of those in positions of authority in the Labour party in those days to assume that that was the reason.
The right hon. Member for Sparkbrook said that he did not understand why we had not gone down the Lindop road and brought in a code of practice, but we should have needed not one but 50 codes of practice. I believe that we were right to reject the idea of so many codes of practice to deal with the almost infinite variety of circumstances that have to be dealt with in this area.
The right hon. Member for Birmingham, Sparkbrook said that under the legislation the tribunals would protect data users and not data subjects. Data users enjoy a right of appeal to the data protection tribunal against the decisions that the registrar is empowered to take in regard to them. He may, for example, refuse registration, serve notices requiring changes in user systems or deregister users. Those are potentially far-ranging powers. It is right that their exercise should be subject to appeal. The registrar will exercise no such decision-making powers in regard to data subjects. His role, in effect, is to ensure that the interests of data subjects are protected. He can take no decision to their detriment.
Data subjects who believe themselves harmed by data users can approach the registrar to use his powers on their behalf. Where the registrar is satisfied that there has been a contravention of any of the data protection principles he 627 can serve notice requiring correction of the fault. Part III of the Bill provides an avenue to the courts for data subjects seeking compensation.
§ Mr. Hattersley
The Minister has described the provisions of the Bill comparatively adequately, but he has not answered my question. Why is an appeal by one side—the data user—possible but appeal from the other side—those people who may suffer from the data user—not possible? Why does the tribunal act as a long stop for one side only in the dispute?
§ Mr. Waddington
I was courteous and spent a long time dealing with that issue. The registrar is there to protect the data subject. If he acts against the data user considerable financial loss can be caused. I spent a great deal of time meeting that point. I should have thought that it was obvious why there should be a right of appeal in one case and not in the other.
§ Mr. Waddington
I have explained it. I am not going to waste any more time.
The right hon. Gentleman then said that it would be better to have an agency or authority rather than a registrar. I submit respectfully that it depends upon the quality and status of the registrar. if one has a man of independence of mind and of the quality, for instance, of our Parliamentary Commissioner for Administration, there is no earthly reason to argue that the registrar will not be able to provide as great a protection for the data subject as would an authority.
My hon. and learned Friend the Member for South Fylde wondered whether there was a separate role for the Parliamentary Commissioner. I should not have thought so. If one has a registrar of the status that I have suggested, he is the person who ought to enforce observance of the data principles and carry out all necessary investigations.
The hon. Member for Cannock raised a point which was of interest to a number of hon. Members. He referred to word processors, semi-manual systems and the like. The Bill does not define what is or what is not a computer. It concentrates on activities undertaken by computers. That is the answer to the question about word processors. Word processors may be within or without the scope of the Bill. It depends entirely on whether they are being used for the purposes set out in clause 1(7) which defines processing and says:'Processing', in relation to data, means amending, augmenting, deleting or re-arranging the data or extracting the information constituting the data and, in the case of personal data, means performing any of those operations by reference to a particular data subject.If one uses a word processor for any of the functions described in clause 1(7) that word processor would be caught by the Bill. The essence of the matter is not to look at the definition of computer, because one will not find it, but to look at the purposes for which any device might be used.
My hon. Friend the Member for New Forest (Mr. McNair-Wilson) raised that point and also referred to the definition of data material. As far as I can remember, that definition is contained in schedule 3. It has nothing to do with clause 1, which does not use the phrase "data material" at all. Schedule 3 enables rules of procedure to be made to provide for the inspection and testing of data 628 equipment and materials, such as floppy discs, for the purposes of proceedings before the appeal tribunal. Therefore, one can forget about the definition of data material when one is dealing with clause 1.
My hon. Friend was worried about the exceptions for domestic use. They are limited. Such detailed matter is well suited to consideration in Committee. My hon. Friend asked whether there would be an advertising campaign telling people of their rights. We shall have to consider in due course whether any advertising should come from the registrar or from the Government.
My hon. Friend the Member for Bournemouth, East said that he nursed a resentment for being included on a computer used by the Social Democratic party. I do not blame him. He mentioned the important points raised by the British Medical Association. I have dealt with them. There is no question of any information having to be transferred as a result of the Bill. No data subject will be a jot worse off as a result of the passage of the Bill. Most data subjects will be much better off.
My hon. Friend dealt with clause 32. There ought to be provisions in the Bill for exemptions so that, for instance, when it might not be desirable for an adopted child to find out its true parentage, it would not have access.
The hon. Member for Thornaby mentioned clause 29, which refers to exemptions forpersonal data consisting of information as to the physical or mental health of the data subject.I assure the hon. Gentleman that that power is included in the Bill, but the regulations will be formulated as a result of consultations with all interested parties. We merely want to do what is thought to be right by those who operate in that area.
The hon. Gentleman also said that he would prefer an authority to a registrar and referred to the use of codes of practice. His remarks were echoed by my hon. Friend the Member for Huddersfield, West. I repeat that I was not filled with enthusiasm when I heard that, if codes of practice were to be used as the route forward, there would have to be about 50 of them.
My hon. Friend the Member for Dorset, North was concerned about interference with small businesses. He was one of those who hinted that in some respects the Bill went too far. It is precisely because we recognise that intolerable burdens should not be imposed on industry that we have cut down the formalities attendant upon registration to a bare minimum.
I hope that at the end of the day the House will give a warm welcome to the Bill. The hon. Member for Oldham, West (Mr. Meacher) got it hopelessly wrong. He said that the registrar would have no power to order the correction of inaccurate data. That is entirely untrue. The registrar will be able to use his threat of deregistration to ensure that defective information is corrected.
The Bill is a useful step forward. It will help British industry and will help to secure British jobs. It is also a useful step in the direction of increasing the rights of individuals in the community.
§ Question put and agreed to.
§ Bill accordingly read a Second time.
§ Bill committed to a Standing Committee pursuant to Standing Order No. 42 (Committal of Bills).