HL Deb 25 February 1998 vol 586 cc126-34GC

(".—(1) In this section— "data matching" means the matching of personal data held in different relevant filing systems, whether by different or the same data controller, for the purpose of obtaining information that cannot be obtained other than by such matching; "government department" includes any executive agency for which the department is responsible.

(2) Every government department shall prepare, within six months of the date on which this Act is passed, a code of practice relating to data matching.

(3) A code of practice prepared under subsection (2) above— (a) shall contain a commitment not to undertake data matching, whether involving data held within the department or in cooperation with other departments, except in circumstances where it is necessary—

  (i) to fulfil any statutory obligation, or
  (ii) to prevent fraud or other unlawful activity; and
(b) shall be laid before Parliament.").

The noble Baroness said: I seek the noble and learned Lord's permission to concentrate on inserting this new clause on data matching. Data matching is the automatic exchange of data held by different official bodies. I refer particularly to official bodies in this new clause, and therefore to Government.

I am already aware that the detailed drafting is not all that it might have been. It does not cover all relevant data, as has already been pointed out to me by the Data Protection Registrar, and it needs to be tidied up. However, that is not the point. This evening I wish to put the problem before the Committee. It is a large and important problem, and I have offered a solution in the form of codes of conduct for each department, which could be dealt with on the basis of a negative or positive resolution laid before Parliament.

Geoff Hoon, MP, was a Member of the European Parliament and introduced the legislation in February 1992 to the European Parliament, when he was the rapporteur to the Committee on Legal Affairs and Citizens Rights. He pointed out, correctly, that it is no exaggeration to say that today, in the European Community, it should be possible to write a detailed personal history of every man, woman and child by taking information contained in a variety of files. That is exactly what the Data Protection Bill is all about.

Data matching, however, is a particular aspect of that, which, even at this stage of the Committee's work, I must talk about, because once again this relates to the right to privacy. I quote again from the European Parliament debate on the legislation. At the convention in June 1995, Medina Ortega commented that the citizen's right to privacy is so large that it prevails over the right to communication, except in special circumstances when people in the public eye are involved. Sierra Gonzalez stated that, bearing in mind the trend for administrations to transfer many kinds of information to other public bodies—which is the key issue we are looking at in data matching—controlling the transfer of data becomes one of the fundamental issues of legislation aiming to regulate data protection. He talked particularly about data liable to manipulation, such as that pertaining to race and ethnic origin and so on.

Non-statutory codes of conduct covering data matching have already been put into practice in member states such as France and Germany, where data protection authorities have a role. Australia has an Act devoted entirely to data matching, and in New Zealand also, as in Australia, the privacy commissioners have powers to regulate and audit data matching exercises by public bodies.

Here in the United Kingdom, however, data matching has developed in a rather ad hoc manner. The Audit Commission, for example, has developed powers to require information from local authorities for efficiency studies and so on. Despite the exceptionally wide criticism of the 1997 Social Security Administration (Fraud) Bill—which, as the Ministers know, allows data matching between a very wide range of government departments and local authorities—as lacking any specific measures of data protection against abuse or error, only a non-statutory code of practice was promised. This has still not emerged as far as I know. I remind the Committee that the third data protection principle in the Data Protection Act 1984 is that, "personal data held for any purpose should not be used or disclosed in any manner incompatible with that purpose". The Social Security Administration (Fraud) Bill changed those rules and has not yet given us any safety valve which would enable us to feel more comfortable with it.

The data matching by the Audit Commission with the National Fraud Initiative is undertaken by participant authorities, but it does not give the citizen the right to object, or the knowledge that this might happen, despite the right in the convention to be informed of data processing operations involving oneself, of the right to object and of the application of the other principle, that personal data should be used as little as possible. There is also the purpose principle in European Union directives which covers who wishes to use what data, and why. Those principles on data matching are not being significantly enough addressed by the British Government.

Local authorities are far advanced in information technology mechanisms. They are so far advanced that, although they do not necessarily have data matching processes in practice, they have the capability to do that very easily indeed. I have considerable detail on that following my concern on the poll tax, which brought together for the first time significant amounts of tax and benefit material on individual citizens locally. It was pooled together and put on to computerised records.

Finally, let me remind the Committee that we are in a seismic explosion of information technology. The capacity for information storage, for example, which I have researched, continues to increase at the rate of 20 to 40 per cent. annually. Many new innovations are coming and there are significant developments of systems which are not influenced by human behaviour outside those systems. In other words, one starts the data-matching exercises and those systems are not human-dependent, they just continue.

There is also a new concept which should be considered with this which is called "data-mining". It is specifically aimed at probing files and discovering like characteristics of individuals. That has become an industry already in some parts of the world, with, "automated techniques used to extract buried or previously unknown pieces of related information from large databases".

Of course, it is extremely difficult in the modern world to stop these things happening. One place where there is an opportunity is in government, both local and central, because government have ownership of the information that they have collected on citizens and can control how it is used. My proposal suggests that for government purposes codes of practice should be developed by every single department and they should be placed in front of Parliament. I beg to move.

8 p.m.

The Earl of Northesk

If I may, I shall speak to Amendment No. 147 which is in this grouping. I do not have a great deal to add to the arguments of the noble Baroness, Lady Nicholson of Winterbourne, on data matching, except possibly to say that I suspect that the practice is very much more prevalent than we are prepared either to imagine or admit.

Certainly there is a strong argument in favour of some form of statutory control of data matching, bearing in mind its power as an analytical tool and how open it is to potential misinterpretation. My thinking on this matter has been guided in very great part by the observation in the report from the Delegated Powers and Deregulation Committee—I have already cited it—that, "developments in computer technology continue to push areas of the law into hitherto uncharted territory". Data matching is but one such example, as is video surveillance by CCTV with its associated operations of digital enhancement and manipulation of images, referred to by the noble and gallant Lord, Lord Craig, in his Amendment No. 138.

To my mind, the difficulty here is how to draft the Bill in such a way that it can take account of technological developments which have data protection ramifications, at the same time as ensuring that appropriate checks and balances are in place to afford proper parliamentary scrutiny of the hitherto uncharted territory, as and when it occurs. Perhaps there is a reference back to Clause 28(4) here. The new clause I am proposing in this amendment seeks to address this problem.

In effect, it would supplement the duties relating to codes of practice given to the commissioner by virtue of Clause 49(3). In normal circumstances, these would be non-statutory as with trade associations cited in sub-paragraph (b). With respect to codes drawn up under the proposed new clause, that is to say those that entered uncharted territory, these would have statutory authority and as such would be open to wide consultation and parliamentary debate.

Obviously techniques such as data matching and CCTV, where under Clause 21 the processing would be particularly likely, "(a) to cause significant damage or distress to data subjects, or (b) otherwise significantly prejudice the rights and freedoms of data subjects", would fall within the remit of my proposed amendment.

Lord Williams of Mostyn

I have considerable sympathy with the underlying concerns which have been expressed so fully by the noble Baroness, not only on this occasion but on earlier occasions. I recognise the rightness of what she says in that government departments, not only central but local, have a vast amount of information on people's private activities.

If one has the possibility of data matching, one looks at that with a degree of anxiety which was reflected, rightly I believe, by the noble Earl. Equally, the other side of that particular penny, everyone recognises that data matching may well have a proper part to play, not least in fighting crime, in particular fraud.

The amendment of the noble Baroness would require, as she indicated, every government department and agency to prepare a data matching code of practice within six months of the passage of the Bill. That would apply whether or not the department or agency had any plans or any prospects of undertaking data matching. She specified the nature of the code and I do not trouble the Committee with it. There are one or two technical deficiencies. I mention them not to chide but to be of assistance, in case the noble Baroness wants to return to this matter in due time. I am simply seeking to be helpful.

She refers to "relevant filing systems" and that would refer to manual records, and therefore that would miss the particular bull's eye at which she was looking. I stress that I simply seek to be helpful and am therefore likely to be the subject of instant dismissal! If the noble Baroness is going to return to this, I do not want to be in the position of saying, "By the way, there is a technical deficiency", which I regard as the last refuge of the inadequate!

The next technical deficiency is the definition of "government department", and, again, perhaps we may discuss that privately. There is a deficiency there but it is not of such pulsating interest that I need to develop it further.

The real question is how do we deal with these matters? The noble Earl had an important point, if I may say so, in that drafting is difficult because one is going to set in stone, if one is not extremely careful, drafting requirements which will not then be competent or have the ability to deal with changed circumstances. We believe that that is an indicator towards a certain degree of flexibility rather than the degree of rigidity which might be consequent on the amendments of the noble Baroness.

At the moment, the Bill is in general terms. It requires that personal data shall be processed fairly and lawfully on the first data protection principle. That means it could only be done lawfully by government departments and their agencies if it were under the authority of statute, common law or by virtue of royal prerogative. We think that that is a degree of stringency in itself.

What we are looking to, essentially, is Clause 49(3) of the Bill. That enables the commissioner to prepare and disseminate codes of practice, to encourage the preparation and dissemination of such codes by trade associations (which includes bodies representing data controllers) and to advise on the adequacy of any such codes submitted for her consideration. They would not, I readily concede, need to be laid before Parliament, but they would be expected to have a detailed statement of the application of the enforceable data protection principles.

That, I hope, would meet the purpose upon which we are all generally agreed, together with the warning, which I have accepted, about the desirability to have a degree of flexibility to meet quite rapidly-changing technological conditions. We believe that that process, which will be under the remit and informed control of the commissioner, gives us a preferable solution because it offers flexibility and informed input rather than something which is a statutory code.

We ought perhaps to pause for a moment on Clause 21 because that allows preliminary assessment or prior checking. It relates in particular to processing that is likely to cause significant damage or distress, or significantly otherwise to prejudice the rights and freedoms of data subjects.

The commissioner can prohibit processing. If during the prohibited period processing occurs it will be an offence. If the commissioner concludes that the processing is unlikely to comply with the Bill's requirements, the processing may still go ahead, but at the data controller's risk of enforcement action.

The particular processing to which the clause applies is to be specified in an order that will be subject to the affirmative resolution procedure. No decisions have been made as to which categories of processing operation should be subject to preliminary assessment—prior checking—but Members of the Committee will be aware from the proposals that we published last July that data-matching operations are primary candidates. I undertake to pay particular regard to the concerns that were so admirably deployed and explained by the noble Baroness.

On the second amendment, the general points I have made apply and I do not repeat them. The noble Lord's amendment would bring about a situation whereby, where processing was subject to preliminary assessment, it could only be done in accordance with a code of practice issued by the Secretary of State, subject to affirmative resolution. We do not ourselves see the necessity for that because processing is already able to be the subject of scrutiny of preliminary assessment. What we are looking for at the moment is the development of codes of practice under the remit—I cannot stress this too highly—of an admirable commissioner and a first-rate department. We believe that that is likely to be a productive way ahead.

I hope that I have gone at least some significant way—if not to the final winning post—in meeting the concerns, which I fully recognise are legitimate and widely held by a large number of people.

Baroness Nicholson of Winterbourne

I thank the Minister very much for his clear explanation and for the knowledge that he has given us. I believe it is very important in the Data Protection Bill for this subject to be properly addressed. As has already been seen from the social security fraud legislation, it will flow in to other legislation now more and more. I want both Houses of Parliament to have the opportunity on a constant basis to examine the infringement of citizens' privacy, which is so large when data matching happens without their knowledge and consent.

I welcome the Minister's acceptance of my concern and his sharing of it. I will look carefully, as I know the noble Earl will, at what he has said, and then see whether maybe he could be persuaded to go a little bit further later on; but it is a most welcome statement that he has made.

Amendment, by leave, withdrawn.

[Amendment No. 147 not moved.]

Clauses 58 and 59 agreed to.

Clause 60 [Orders, regulations and rules]:

Lord Williams of Mostyn moved Amendment No. 148: Page 34, line 6, leave out (" 64(2)") and insert (" 64(3)").

The noble Lord said: The drafting is incorrect. There is a reference to "Section 64(2)" and it should be "Section 64(3)". I beg to move.

On Question, amendment agreed to.

Lord Williams of Mostyn moved Amendment No. 149: Page 34, line 12, at end insert— ("section 13(5)").

The noble Lord said: I shall speak to Amendments No. 149 and 152, if I may. These amendments provide that an order to prescribe circumstances other than those specified in Clause 13 in which automated decision-making may be permitted shall be subject to the affirmative, not the negative, resolution procedure. Because an order under this clause could affect the rights of data subjects, we have thought about it and we accept that it should be subject to the fuller parliamentary scrutiny of the affirmative process. This change was recommended by the Select Committee on Delegated Powers and Deregulation. We thought about its recommendation and believed that the proper thing to do was to accept it. That is the purpose of these amendments. I beg to move.

On Question, amendment agreed to.

[Amendments Nos. 150 and 151 not moved.]

Lord Williams of Mostyn moved Amendment No. 152: Page 34, leave out line 23.

The noble Lord said: I have already spoken to this. I beg to move.

On Question, amendment agreed to.

[Amendments Nos. 153 and 154 not moved.]

Clause 60, as amended, agreed to.

Clauses 61 to 63 agreed to.

Schedule 10 agreed to.

Schedule 11 [Repeals and revocations]:

Lord Williams of Mostyn moved Amendment No. 155: Page 57, line 36, column 3, leave out ("paragraph 15") and insert ("paragraphs 15 and 40").

The noble Lord said: I wonder whether I might speak to Amendments Nos. 155 and 156, and for a purpose which will appear later, inquire of the noble Viscount as to whether he intends to move his objection to Clause 64 stand part.

Viscount Astor

Before the noble Lord arrived I did say that this was purely a way to say something about the Government's proposals on transition.

Lord Williams of Mostyn

These are both technical amendments which delete references to the 1984 Act in subordinate legislation which are no longer needed. I beg to move.

Viscount Astor

The Motion on Clause 64 is grouped with this amendment. As I said earlier, I did notify the Ministers earlier that it was to ask the Government what are their proposals with regard to transition periods. I understand that the Government will come forward with amendments at some stage.

There will be very little time between Royal Assent and the implementation of the directive on 24th October this year for businesses to ensure that their systems will be able to comply. Industry faces quite a few hurdles at the moment. Not only are there major issues relating to data protection, but there is the year 2000 and the millennium. For some, there are changes required for dealing with the forthcoming euro currency. For some of us who are involved in the financial services industry, there are major changes in the regulatory structure under the Financial Services Authority. All this amounts to a great deal of work.

In the White Paper, the Government state that they will use the full extent of the three years within which existing processing must be brought into full compliance. What have the Government considered? I hope the Government will stand by their assurance to take full advantage of the transition period which is allowed under the directive in Article 32.

Lord Williams of Mostyn

I am grateful for that. As is well known now, the directive comes into force by 24th October, which I readily concede is much closer than one is prepared to anticipate. There is the three-year window which allows processing already under way on that date to be brought fully into compliance in respect of automated processing. Then there are six years beyond that to bring structured manual filing systems into conformity.

Dealing specifically with the noble Viscount's question, we are preparing transitional provisions which will take advantage of those discretions. They will be tabled as soon as possible. I cannot give the noble Viscount or the Committee a precise date, but I will say that we shall try, if at all possible, to have them ready by Report stage.

The reason I asked whether the noble Viscount was going to say anything on clause stand part in respect of Clause 64 was, first of all, to say that the Solicitor-General and I have had every assistance in this Committee in the Moses Room. That demonstrates that this procedure for a Bill of this sort is apt and productive.

I also ought to say that the Bill team has been absolutely first-rate. There were late amendments on Friday, for which I chide and criticise no one, but that meant the whole weekend was occupied. There were late amendments last night, which meant a great deal of work. To be able to turn to the Bill team and ask when they will have the transitional provisions of the noble Viscount, Lord Astor, ready, and have the willing and cheerful answer that, "We will do our best by Report", is a strong tribute to public servants, who are too often overlooked.

Viscount Astor

I am grateful for the Minister's remarks. I certainly echo his comments about all the officials in the department.

On Question, amendment agreed to.

Lord Williams of Mostyn moved Amendment No. 156: Page 58, line 3, at end insert—

(" S.I. 1996/2827. The Open-Ended Investment Companies (Investment Companies with Variable Capital) Regulations 1996. In Schedule 8, paragraph 3 and 26.")

The noble Lord said: I have already spoken to this amendment. I beg to move.

On Question, amendment agreed to.

Remaining schedule and clause agreed to.

Title agreed to.

Bill reported with amendments.

The Deputy Chairman of Committees (Lord Elton)

This concludes the Committee's proceedings on the Bill.

The Committee adjourned at twenty minutes past eight o'clock.