NATIONAL SECURITY

§ Mr. Harry Cohen (Leyton and Wanstead)

I beg to move amendment No. 13, in page 17, line 43, at end insert— '(13) The relevant Commissioner may—

1. (a) investigate any procedure which relates to—
1. (i) the processing of personal data for the purpose of safeguarding national security,
583
2. (ii) the application of an exemption which is required for the purpose of safeguarding national security, or
3. (iii) the signing of a certificate under this section,
2. (b) make any recommendation which relates to—
1. (i) an investigation under paragraph (a) of this subsection, or
2. (ii) safeguarding the interests of data subjects, and
3. (c) if appropriate—
1. (i) raise any matter which relates to an investigation in an annual report, or in any other report to the Prime Minister, or
2. (ii) liaise with the Data Protection Commissioner or another relevant Commissioner on matters which relate to an investigation.

(14) The Data Protection Commissioner may raise with a relevant Commissioner any matter which relates to the processing of personal data for the purpose of safeguarding national security. (15) In this section, the "relevant Commissioner" means the Commissioner appointed by virtue of—

1. (a) section 4 of the Security Service Act 1989,
2. (b) section 8 of the Intelligence Services Act 1994,
3. (c) section 91 of the Police Act 1997, or
4. (d) section 8 of the Interception of Communications Act 1985.'.

The idea of the amendment is to introduce some element of accountability to the processing of personal data for the purposes of national security. I find it strange, to say the least, that, in certain respects, the Government are offering more privacy protection to members of the mafia and terrorists under investigation by the security services than they are to ordinary law-abiding members of the public—for instance, a data subject who is being positively vetted.

What is more, I am concerned that the Data Protection Act 1984 is being watered down. That Act placed a duty on the security services, by virtue of section 2(2), to comply with the data protection principles. That duty has been removed by this Bill; an exemption under clause 28(1)(a) removes the obligation to comply with the principles.

Under section 27 of the Data Protection Act 1984, personal data held for safeguarding national security are exempt only from the enforcement regime, registration and rights of data subjects. That means that GCHQ and MI5 and MI6 had a legal duty to apply the data protection principles, even though there was no way for the data protection registrar to test whether the duty was complied with. The 1984 Act therefore places those organisations under a moral duty to comply with the principles, but, under the provisions of clause 28, they are permitted to process personal data insecurely, disclose personal data to unauthorised persons, and even sell it to newspapers by virtue of the exemption from clause 55(4).

It may seem a flippant question, but I ask the Minister whether the fees raised by the sale of such unlawfully procured personal data will go into the Consolidated Fund, and how much revenue he expects to be raised in the next financial year.

The Minister might say that MI5, MI6 and GCHQ will not sell unlawfully procured personal data. If that is his argument, why is the exemption in clause 28(1)(c) so wide as to include exemption from clause 55(4), which makes the selling of such personal data an offence? That shows how unnecessarily wide the exemption is with respect to safeguarding national security. Selling misinformation to 584 the newspapers about politicians and perhaps even about the Government will be perfectly lawful for the security services.

In support of my amendment, I draw the attention of the House to some of the differences between warrants and certificates under the Bill. In respect of warrants signed by the Secretary of State—for example, for the interception of communications, or burglary—there is a safeguard, in that such a warrant is signed and validated for six months at a time. By contrast, under the provisions of the Bill, a certificate lasts for ever and is never reviewed.

I note that for warrants under the Interception of Communications Act 1985, there is an obligation under section 6(3) of that Act to discard irrelevant personal information that has been intercepted. Under the Bill, however, the negation of the third and fifth data protection principles means that irrelevant personal data obtained by means of a certificate can be kept indefinitely.

The previous Government gave the security services a new role—to assist the police in dealing with serious crime. The obligations of the police in respect of data protection compliance are apparently not to be required of the security services. The Minister should explain why he has come to that conclusion.

The Government seem to be ignoring the advice of the Data Protection Registrar, who asserts in her document "Our Answers": The extension of the role of the Security Service into areas of traditional policing should not carry with it an extension of the exemptions provided by section 27"— the section of the 1984 Act that deals with national security.

There is a significant risk that improper processing of personal data—for example, data obtained by what may be regarded in other circumstances as unlawful means—relating to a serious crime suspect, would not be subject to any data protection rules at all. Such processing can be undertaken by the security services. That could jeopardise the quality of evidence before a court and the subsequent trust placed in it by a jury. If data protection is so thoroughly disregarded, there is a possibility that some serious criminals will not be convicted.

My amendment would go some way towards introducing a smidgen of accountability into the way that the security services process data. It would use the expertise of the commissioners established by section 4 of the Security Services Act 1989, section 8 of the Intelligence Services Act 1994, section 91 of the Police Act 1997 and section 8 of the Interception of Communications Act 1985.

It would be the duty of those commissioners to examine procedures with respect to data protection. They would have powers to investigate any procedure relating to the processing of personal data for the purpose of safeguarding national security; the application of an exemption that is required for the purpose of safeguarding national security; and the signing of a certificate by a Cabinet Minister. The relevant commissioner could make any recommendation relating to that investigation, and make recommendations that were needed to safeguard the interests of data subjects. The proposals in my amendment are no different from the current duties associated with warrants.

585 The amendment would permit the commissioner, if appropriate, to raise any matter that relates to an investigation in an annual report, or in any other report, to the Prime Minister, and to communicate with the Data Protection Commissioner or any other relevant commissioner. That is a pretty moderate amendment.

On 1 June the Under-Secretary of State for the Home Department, my hon. Friend the Member for Knowsley, North and Sefton, East (Mr. Howarth) replied to me that the Government have decided not to depart from the existing policy that the Security Service should not register any of the personal data they hold under the Data Protection Act 1984. He went on to say: I understand similar considerations also apply to the Secret Intelligence Service and GCHQ."—[Official Report, 1 June 1998; Vol. 313, c. 52] However, it is a departure from data protection policy when the security services take on a traditional policing role, and that is against the advice of the Data Protection Registrar. I believe that it is an unwise decision. At the very least, the Minister should explain it to the House.

§ Mr. Richard Allan (Sheffield, Hallam)

We have some sympathy with the spirit of the amendment. My noble Friends in another place also tabled amendments on the issue of the security services exemption, because we are concerned about any blanket exemption, where there is no specific justification for exempting data from the data protection principles. The thrust of the Bill derives from European conferences and conversations in which the Parliamentary Secretary, Lord Chancellor's Department was deeply involved, and which reflected, to ome extent, the experiences of the residents of the former East Germany, who had good reason to be suspicious of the way in which their security services held data.

We have been extremely fortunate in this country, in that—apart from the odd rumour that is kicking around—our security services have not generally been held responsible for holding damaging personal data. However, one could argue that the security services hold the most damaging data about individuals. They could leak information about someone, perhaps accusing him of heinous crimes such as being a member of CND or—dare I say it—a socialist. Rumours have circulated only recently that the security services hold information and files on people as prestigious as members of the current Government, and that such information was potentially leakable and potentially damaging.

We applaud the spirit of the amendment, which seeks to ensure that there is some oversight of security services data and that the buck stops with someone who is accountable under the legislation. We look forward to hearing from the Minister how the Bill would cope if damaging, sensitive personal data were revealed and were traced back to a security services source. If a person sought redress for that, we would be interested to hear what channels would be available to him, and how the issue would be resolved.

§ Mr. Greenway

I have been looking forward to the contribution of the hon. Member for Leyton and Wanstead 586 (Mr. Cohen). He tabled a great number of amendments for the Standing Committee, but sadly, for reasons that I cannot explain, he was not selected to serve on the Committee, so we were denied the opportunity of hearing from him. However, having listened to the hon. Gentleman, and having considered his amendment No. 13, Conservative Members would oppose its inclusion in the Bill.

We considered this important matter in Committee, and we were at pains to support the Government in requiring that the provision be in the Bill. It is provided for by the directive in article 13 and we believe that, on balance, clause 28 provides an adequate appeal mechanism to the tribunal. While we understand that there are always concerns about such matters, we are not convinced that the House needs to go further in this legislation than the appeal mechanism that is already provided in clause 28.

§ Mr. George Howarth

My hon. Friend the Member for Leyton and Wanstead (Mr. Cohen) and the hon. Member for Sheffield, Hallam (Mr. Allan) tempt me along highways and byways in this debate that it would probably be sensible not to pursue. However, it is important to say at the outset that the Data Protection Act 1984, to which my hon. Friend referred, does not exempt agencies from the data protection principles. Only data users who are required to register are bound by the principles. Section 27 of the 1984 Act provides an exemption from registration where the exemption is needed for national security purposes. That is the exact position.

Consistent with that, clause 28 provides for personal data to be exempted from the main elements of the Bill when that is necessary in order to safeguard national security. The question of necessity is subject to ministerial certification. There is a right of appeal for any person who is directly affected by that certification. The exemptions provided in clause 28 apply only to the extent needed, and a Minister must satisfy himself that the exemptions claimed are in fact required for the purpose of safeguarding national security before issuing a certificate.

The right of appeal against a national security certificate is an important new safeguard. It represents an advance on the 1984 Act, which offered no appeal rights. Appeals will be considered by a specially constituted panel of the data protection tribunal, whose membership will be drawn from the chairman and deputy chairman appointed by the Lord Chancellor and designated by him as being capable of hearing such appeals.

My hon. Friend's amendment would, perversely, have the effect of extending the roles of certain commissioners well beyond those that Parliament intended for them. Commissioners were appointed to carry out certain well-defined and limited functions specifically in relation to the security and intelligence services, the use of intrusive surveillance by the police and the interception of communications. Furthermore, the commissioners' remits by no means cover the whole field encompassed by the national security exemption.

The arrangements set out in clause 28, as drafted, give continued effect to the well-established policy that personal data should be exempt from the main elements of the data protection regime, including supervision by the Data Protection Commissioner, where that is necessary in order to safeguard national security. My hon. Friend 587 chooses not to recognise that the exemption is balanced by the provision for appeals to be made to the tribunal against the issue of ministerial exemption certificates. My hon. Friend's amendment would undermine that policy.

§ Mr. Cohen

I hear what my hon. Friend has said, particularly in his initial comments. The thrust of my argument is that, under the 1984 Act, the security services have a legal duty to comply with the data protection principles, although they do not have to register. The Bill takes away that duty in the law for security services to comply. Is the Minister saying that I have misread the situation—that the security services still have a duty to comply with the data protection principles and that the 1984 Act has not been weakened in any way?

§ Mr. Howarth

I apologise if my hon. Friend misunderstood me earlier. The 1984 Act exempts the security services from the principles, and it is important to recognise that fact. In light of my arguments and the necessity for such arrangements, I hope that my hon. Friend will feel able to withdraw his amendment.

§ Mr. Cohen

I will seek to withdraw my amendment, as I hear what the Minister has said. However, I ask him to re-examine his last comment that the 1984 Act did not require the security services to comply with the data protection principles. As I understand it, section 2(2) of part I of the Act requires them to comply with those principles. I ask my hon. Friend to re-examine that point and perhaps clarify the situation in writing. On the basis of my hon. Friend's comments, I beg to ask leave to withdraw the amendment.