Data Protection Act 1984 (Amendment)

§ Mr. Harry Cohen (Leyton)

I beg to move, That leave be given to bring in a Bill to amend the Data Protection Act 1984. Data protection is a complicated subject. Some people think it has its own language. [Interruption.]

§ Mr. Speaker

Order. If hon. Members are leaving the Chamber, will they please leave quietly?

§ Mr. Cohen

The Minister last week described me as an aficionado on the subject for asking parliamentary questions and trying to extend the rights of individuals. Data protection is like a freedom of information right for individuals to see the computer records that are held on them. Access should be as wide as possible. Exemptions, restrictions and denial of access should be kept to a minimum. The Data Protection Act 1984 does not do that. It is much too narrow and seriously deficient in many respects.

Tomorrow is data day when subject access will be available, but it will be far too expensive. For example, answers to parliamentary questions that I have asked show that someone may have to spend £900 to get information from the Department of Employment, £720 at the Scottish Office, £700 at the Home Office, £420 at the Welsh Office and £300 at Agriculture. As well there are loopholes. Some universities have already devised ways round the Act to ensure that students will not have access to examination marks to which they should be entitled.

Already under the Act the new rights can be used to the disadvantage of the data subject. For example, an insurance company could require a data subject to obtain a copy of his own medical data before offering life insurance and treat the person as a bad risk or uninsurable if he did not supply the information. This will work to the detriment of data subjects. Also, under the Act access to one's personal information held on a computer is constrained by a multitude of subject access exemptions. There is no consistency or logic to justify what should be properly held. There needs to be a proper procedure for data subjects to check suspicions effectively.

My thorough Bill will provide for that, will rectify many of the deficiencies in the Act and will make substantial improvements. I have had wide-ranging consultations with many groups to find the best compromise to improve the current Act. Last summer I distributed the first draft to many representative groups which are in contact with the registrar. The constructive comments I have received have been most helpful in drafting the revised Bill. I should like to thank all those who offered advice and support.

For example, the Freedom of Information Campaign called the first draft of my Bill a very valuable reform. The Churches Main Committee told me that my reform of registration "would be welcomed" and the Institute of Data Processing Management said that the concept of using data codes of practice instead of registration was delightful. Even the National Computer Centre, although not agreeing with every point in the previous Bill, thought that some of my ideas were useful improvements.

The main improvements put forward in my Bill are, first, that registrations will be necessary in relatively few cases. That aspect of the Bill should be attractive to small 164 businesses, as it will remove at a stroke all the red tape, or should I say blue tape because the Act is a Tory creation, which businesses so frequently complain about.

My Bill contains a list of categories of personal data and purposes that require to be registered, but for the first time they will embrace many public sector data records. These will relate only to the most sensitive personal datum, which is specified. Most businesses will not have to register, and so they will be relieved of bureaucratic arrangements.

My Bill would allow statutory codes of practice to be introduced. The arguments about statutory or voluntary codes were dealt with by the Lindop committee. I agree with its conclusion—that bad apples, so to speak, might take advantage of non-regulatory regimes.

Last year, the consumer protection legislation incorporated statutory codes of practice, and I have taken the opportunity to use the same wording. My Bill allows for a gradual change-over from registration to operation under codes of practice, which is favoured by industrial, commercial and public sector data users. These codes of practice will be supervised by and agreed with the data users to comply with the law; they will clarify the responsibilities of users.

Properly adhered to, such codes of practice provide security for data users against prosecution and claims for compensation. Thus, the changes will bring benefits to data users, who will also have responsibilities.

In particular, there will be a need to provide data subject access. In that respect, my Bill provides for stronger policing powers for the registrar, who is given power to undertake random spot checks, and to inspect personal data that are the subject of a complaint or a dispute. In addition, a data subject will be able to appeal to an independent data protection tribunal against the refusal of the registrar to serve an enforcement notice on a data user. I propose that the registrar will be able to use the new powers to scrutinise developments such as the Government's data network, the proposed poll tax registers, share and electoral registers, and even records of the security services and the police national computers, subject to proper safeguards.

I frankly admit that these proposals are not likely to find favour with the Government, who have shown scant regard for civil liberties. They have Sarah Tisdall, Clive Ponting, Peter Wright and raids on the BBC on their record, so they almost certainly do not want to see legislation that might get in the way. However, we need a data protection watchdog with the ability to bite as well as bark, not one of the authoritarian fiefdoms that form part of this Government, who abuse the collection of personal data on computer.

For the first time, my Bill will bring within the ambit of the Act personal data held on individuals for national security purposes. This will be done by allowing one of the data registrar's staff who has sufficiently high security clearance, or a member of the Security Commission, to investigate a complaint and make reports. My Bill, unlike the current Act, will ensure that data subjects will have an uncomplicated right of access to their personal data. Where an exemption applies, my Bill establishes a consistent test with which it must comply. The registrar, in the circumstances surrounding an access exemption, can inspect the data in question before deciding whether to allow access to it. A data user and a data subject can appeal to an independent data protection tribunal.

165 The registrar, subject to issuing a warrant signed by a circuit judge, is given powers of inspection of any data user or computer installation, if he suspects a breach of the law and data protection principles.

Instead of the subject access fee, which I have already said is exorbitant, my Bill provides for a maximum fee to be prescribed for all personal data held by a user. I get rid of the crazy non-disclosure provisions, which are complex and confusing, and fundamentally designed to deter people from realising that they can obtain computer information that is held on them. [Interruption.] I also provide an order-making power to extend those principles to manual records. The National Consumer Council has already said that some people are putting information on manual files to avoid the Data Protection Act and that should be stopped.

My Bill is based on the Data Protection Act as far as possible, as many data users, as well as the registrar, have already established procedures to deal with the current legislation. [interruption.] But it improves it substantially and builds on that existing legal framework, experience and knowledge. It is a forerunner of future change in this area, and that may even be necessary in this parliamentary Session as the deficiencies in the Data Protection Act gather pace. I commend the Bill to the House.