THE DATA PROTECTION PRINCIPLES

§ Mr. David Atkinson (Bournemouth, East)

I beg to move amendment No. 14, in page 48, line 40, at end insert— '9A. The data controller must take reasonable steps to ensure that any computer system used in processing the personal data is capable of dealing accurately with dates later than 31st December 1999.'. The amendment is a response to the situation facing many computer systems in Britain, and even more so world wide, on the failure to recognise the year 2000, which the Prime Minister has dubbed the millennium bug. It seeks to introduce a statutory obligation on data controllers to ensure that computer systems are millennium compliant, thus ensuring that the personal data that they contain are fully protected from any problems arising from the century date change and the year 2000 being a leap year. [Laughter.] I do not know why that is funny, but no doubt the Minister will enlighten me when he replies.

I hope that the House knows what I am talking about. This is an issue to which I have drawn attention and about which I have warned on several occasions since my initial question to the then Prime Minister in December 1995, following which I introduced an Adjournment debate and have since introduced two private Member's Bills on the issue.

§ Mr. White

The hon. Gentleman will know that a number of dates in 1999, including 31 December 1999, 610 may cause problems to certain computers. Why does not the amendment cover all the problem rather than just part of it?

§ Mr. Atkinson

The hon. Gentleman is obviously an expert on the issue, so he will know that for computer systems to be millennium compliant they will also take account of the problems anticipated before the turn of the century.

The office of the Data Protection Registrar has produced a two-page paper entitled "The Millennium Bomb" which states that there are two problems whenever a two-digit year, represented as 99, changes to 00. It says that personal data may be interpreted as relating to 1900 rather than 2000—that is, the date is out by 100 years—and that the year 2000 is a leap years which is not usually the case for a centenary year.

If computer systems are not millennium compliant, a number of basic data protection issues emerge. Inaccurate personal data may be processed. Obviously, therefore, the provisions of the Bill that relate to accuracy—the fourth principle—and those relating to compensation for damage caused through the use of inaccurate personal data, come into play. There may be unfair processing. If the processing is date dependent—for example, age-dependent calculations—it may give inaccurate results and lead to the deletion of personal data before the planned retention time has expired.

Such eventualities would appear to breach the first principle in the Bill—providing for personal data to be processed fairly. It can result in the irretrievable loss of data, destroyed prematurely, as well as circumstances in which personal data are lost temporarily—for example, personal data that are unavailable for processing while the problem is being fixed. That appears to breach the seventh principle, relating to the loss, destruction of or damage to personal data.

Many more concerns were drawn to the attention of the Science and Technology Select Committee during its investigation of this issue, on which it reported to the House on 7 April. The report was called, "The Year 2000—Computer Compliance".

The Minister may argue that my amendment is unnecessary.

§ Mr. Hoon

Very good.

§ Mr. Atkinson

It appears that I have anticipated the Minister. He may argue that because the seventh principle requires: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. I hope that he does not use that defence, which would be an inadequate response to a unique issue relating to computer systems and the data that they process and the protection of that data for which the Bill provides. Nor would it reflect the Government's clear warnings that the problem is serious and must be addressed if we are to avoid serious difficulties.

611 As the need for computer systems to be millennium compliant is so obvious and serious, it should be mentioned in as many words in the legislation. That is why I propose a new paragraph in schedule 1 which states: The data controller must take reasonable steps to ensure that any computer system used in processing the personal data is capable of dealing accurately with dates later than 31st December 1999. I hope that the Government will have the foresight to accept my amendment.

§ Mr. Hoon

The amendment raises an issue of great topicality. The House is grateful to the hon. Member for Bournemouth, East (Mr. Atkinson) for allowing us to have this brief debate on the data protection implications of the year 2000 problem. He is worried that there may be a risk to personal data processed in computer systems that have not been not programmed to cope properly with the change of date at the end of the millennium. If the problem is as serious as he warns, there could be a risk of corruption of data held on computer systems.

The hon. Gentleman invites the House to amend the Bill expressly to deal with that risk. As he anticipated, however, the Government do not believe that such an amendment is appropriate. We believe that the seventh data protection principle and paragraph 9 of part II of schedule 1, already make adequate provision. They ensure that the data controller must take appropriate technical and organisational measures to ensure the required level of security. The requisite level has to be appropriate to the harm that might result from, among other things, accidental loss or destruction of, or damage to, personal data. That appears to cover the entire range of eventualities that might occur to personal data as a consequence of some failure of a computer system because of the year 2000 problem.

Problems of this sort could presumably occur for reasons other than the ending of the millennium. The formulation in paragraph 9 is intended to cover the unfortunate consequences that might occur from any failure of a computer system, whether or not it occurs as a consequence of the year 2000 problem. In the light of what I have said, I hope that the hon. Gentleman will agree that his amendment is unnecessary and will feel able to withdraw it.

§ Mr. David Atkinson

I am disappointed that the Government have not recognised the value of my amendment and surprised at the flippant way in which the Minister responded. I am surprised because of the prominence that the Government are trying to give the issue, especially since the Prime Minister's speech on 30 March warning of the consequences to the nation if we do not get it right. I am especially surprised because the Minister has been aware of the issue for longer than any other Minister because he was Labour's spokesman on it before Labour became the Government on 1 May last year.

If computer systems are not millennium compliant, there will be problems. The privacy of information contained in computer systems will be at risk if they crash because they are not millennium compliant. That is something which few people realise. It appears from what the Minister has said that he and the Government have not yet grasped the issue with the seriousness that it deserves.

612 By ignoring the opportunity that my amendment provides, the Government have missed a valuable opportunity. They are showing amazing complacency on the issue. I appreciate that my amendment was tabled only early this week, so perhaps Ministers have not given serious thought to this aspect of the Bill. I hope that the Government will give my proposal further thought in the other place.

I clearly have not persuaded the Government, but I hope that they will give it further thought. I beg to ask leave to withdraw the amendment.