§ Monday, 23rd February 1998.
§ The Committee met at half-past three of the clock.
§ [The Deputy Chairman of Committees (Lord Ampthill) in the Chair.]
§ The Deputy Chairman of Committees (Lord Ampthill): Before I put the Question that the Title be postponed, it may be helpful to remind your Lordships of the procedure for today's Committee stage. Except in one important respect, our proceedings will be exactly as in a normal Committee of the Whole House. We shall go through the Bill clause by clause; noble Lords will speak standing; all Lords are free to attend and participate; and the proceedings will be recorded in Hansard. The one difference is that the House has agreed that there shall be no Divisions in a Grand Committee. Any issue on which agreement cannot be reached should be considered again at the Report stage when, if necessary, a Division may be called. Unless, therefore, an amendment is likely to be agreed to, it should be withdrawn.
I should explain what will happen if there is a Division in the Chamber while we are sitting. This Committee will adjourn as soon as the Division bells are rung and then resume after 10 minutes.
§ Title postponed.
§ Clause 1 [Basic interpretative provisions]:
Lord Craig of Radley moved Amendment No. 1:
Page 1, leave out lines 9 and 10 and insert—
("(a) is stored or being processed as text or image by equipment responding to instructions given to achieve those purposes,").
§ The noble and gallant Lord said: This is a probing amendment to see whether the basic interpretative provisions of the Bill will encompass closed circuit television and similar surveillance systems. The report of the House of Lords Select Committee on Science and Technology on Digital Images as Evidence was published at the weekend. In Chapter 4 of our report we addressed the benefits and concerns we had about the use of closed circuit television and similar surveillance systems in public spaces, which may be defined as sites to which the public have free access.
§ As the report is only just released, it may be for the convenience of the Committee if I indicate briefly our conclusions and quote the recommendation that is particularly relevant to the amendment. We felt that these surveillance schemes are a very valuable tool for prevention of crime and civil disorder. They will in future be based on digital technology and, unless they are seen to be under adequate control, the broad public acceptance that these schemes now enjoy is likely to be diminished. The Select Committee concluded, on the evidence that it heard, particularly from the Association of Chief Police Officers, that improved controls were needed.
If these were not put in place, there was a danger that the actions of a few, by, for example, the release of video images for entertainment purposes, could undermine the public consent under which these schemes operate in public places. The controls that the Select Committee thought necessary relate in particular to the release of data and the use of data-matching techniques. In paragraph 5.15 of House of Lords Paper 64 we say:
"We have not made a specific legislative proposal for improved control over public space CCTV systems, but the similarity of our objectives with the current Data Protection Act suggest that this, or its successor [i.e. the Bill before us] might be an appropriate vehicle".
§ It cannot be often that a Select Committee report and the passage of a piece of legislation relevant to a part of its recommendations coincide. What we are seeking by means of the amendment is to ensure that public space surveillance systems, in particular closed circuit television, are unambiguously within the scope of the proposed legislation before us. Later we shall have an amendment to address the issue of enforceable codes of practice. On that I was interested to hear the Home Office Minister from another place, Mr. Alun Michael, say on Radio 4 that the Government were prepared to approve enforceable codes.
§ But first, does this Bill cover closed circuit television and similar surveillance systems? We are aware, from evidence given to us by the Data Protection Registrar in the course of our inquiry, that a number of CCTV systems are outside the scope of the 1984 Act. Clause 1(1) of the Bill significantly expands the definition of personal data and the requirement of the earlier 1984 Act that processing should be undertaken solely by reference to the individual. We welcome that, but have three specific reasons for tabling the amendment, apart from seeking confirmation that it is intended to encompass closed circuit television and similar systems.
§ It is not clear whether "instructions given for that purpose" refer to the processing of information or the automatic features of the equipment involved. The apparent ambiguity needs to be considered.
§ Secondly, data can, of course, be stored or processed. The definition of processing, at the top of page 2, relates to personal data and includes a reference to the word "holding". Data, whether personal or otherwise can, of course, be stored. Is there a reason for not including in the definition of data the concept of storage? It would be helpful for the Committee to be clear about this aspect of the holding of information. I note that the Minister has down Amendments Nos. 5 to 11 which have a bearing on the definition of data.
§ I wonder also about the use of the word "automatically" in this clause. Again, it would be helpful to have a clear understanding of the meaning here of "automatically". In our proposed amendment we have not thought it necessary to include it.
§ In conclusion, we are proposing Amendment No. 1, with its reference to "text or image", to make explicit that closed circuit televisions and similar systems are within the scope of the Bill. It also allows the Government to consider whether there is any ambiguity in their present wording, to seek clarification of the concepts of storage and holding and to ensure that the intention of using the word "automatically" in this clause is explained. I beg to move.
§ Lord Flowers: Perhaps I may support the noble and gallant Lord, Lord Craig, as a fellow signatory of the proposed amendment. I support everything he said but have three brief points to make.
In the past, the word "data"—in the context of data processing—has usually been taken to apply only to textual information or perhaps in scientific terms also numerical information. It is an extension of that meaning if it is to apply to images as well. Yet this is not specified in the Bill. Perhaps it would be better if it did so. The proposed amendment remedies the situation explicitly.
The second point I wanted to make was that the noble and gallant Lord referred to information being stored as well as processed. One can argue that the act of storage is itself a process. Whereas that is undoubtedly true, the state of being stored is not. It would, therefore, again be better to be explicit about computers storing as well as processing information.
Thirdly, the word "automatically" suggests to most people that no human intervention is involved. In practice, however, there may be a great deal of human intervention in the processing of data, in the setting of options, the correction of errors, and so on. If the word "automatically" can be omitted, it will remove that confusion. If it cannot be omitted, then it should be explained precisely what it refers to.
§ Lord Brain: I support the two previous speakers, having participated with them on the committee we have been discussing. I should like to make two slightly different comments. Personal data are often considered to be personnel files held in various different situations. Going back many years, when I was a management consultant, we used to hold on the personal file a photograph of the candidate, or someone like that. That was an image in addition to the text. If the data are to be held electronically, that image will be held electronically. It may have been scanned in incorrectly. On a photograph, if you worked efficiently, you noted the candidate's name and other details. Because scanning an image in does not necessarily have this data scanned off the back, it needs to be available to be checked.
The noble Lord, Lord Flowers made another point briefly, and we heard evidence about this in our committee. Data have to be stored from some source—a camera, a scanning device, or from where they have been typed in indeed—before they can be processed. I therefore support also the addition of the word "storage". I shall not cause further confusion by discussing the word "automatic".
Viscount Astor: My two amendments, Amendments Nos. 2 and 3, are grouped with the noble Lord's amendments. Amendment No. 2 is a probing amendment. There has been some difference of opinion in the past between the Home Office and the Data Protection Registrar as to what constitutes manual data. I notice that the registrar earlier last month said she wished there would be a clearer definition of "manual data" that would be covered by the new Act. I wonder whether the noble Lord, the Minister, will be able to tell us whether the registrar and he now agree what the definition of "manual data" will be under the Act. Perhaps he could elucidate that point.
My second amendment covers the same subject as that put down by the noble Lord: CCTV. I read the EC directive, and paragraph 14 clearly states that,
"in the framework of the information society, of the techniques used to capture, transmit, record, store or communicate sound and image data relating to natural persons, this Directive should be applicable to processing involving such data."
The directive clearly says that image data refers to that. It seems to me that there is an intention by the directive to cover CCTV. This is an expanding world and there are CCTV cameras all over the place, whether they are used by government agencies, the police, the highways agencies or shops, for example. We know that they can now be used to match records. It is done by government agencies, but it could equally be done by the supermarket wishing to check whether it was the same person who came in once a week. Using a computer, you could look at the pictures of all the people who came in and match them. It seems that this should be included under the Bill, and the noble Lords have made a powerful case.
§ 3.45 p.m.
§ The Parliamentary Under-Secretary of State, Home Office (Lord Williams of Mostyn): If I may, I shall speak to Amendments Nos. 1, 2 and 3. Would Members of the Committee allow me a general observation before I begin? I said at Second Reading, and we have affirmed it subsequently in correspondence with a number of noble Lords and indeed a number of organisations who have written to the Home Office and to officials, that we want to make the best fist we can of this Bill. In order to achieve that, I would gently ask that amendments are put down in a reasonable time. We had 60 on Friday, and although the Bill team is very expert, it is not enormous and to ask officials to work all night and all weekend does not produce the best outcome in terms of responses that we can provide. We have met with co-operation from everyone to whom we have spoken. I recognise that sometimes interest groups tend to bombard one late on Thursday or early on Friday morning, because they have not done the work that they are in this world to do; not in any event with promptness.
Dealing with these particular matters, it is a felicitous coincidence, as the noble and gallant Lord said, that the report of the committee came out just at the time that we were about to discuss these matters. One or two questions relate more to Amendment No. 13, which concerns personal records, and perhaps it is convenient if I deal with those when we come to that amendment.
I understand well the importance, and indeed the topicality, of CCTV systems. There is a great and proper concern about CCTV and the invasion of privacy which it offers, and the possible abuse of information privacy which it threatens.
A number of noble Lords spoke of CCTV. The noble and gallant Lord correctly pointed out that the committee concluded that further controls over such systems were required, and wondered whether the Bill might be the appropriate occasion. Quite plainly, therefore, and I am grateful for the explanation, the purpose of this first amendment is to ensure that digital images are caught by the Bill. I hope I can reassure the Committee that the amendment is unnecessary, because such images are already caught by the Bill and, indeed, Amendment No. 1 might in fact reduce the coverage of the Bill.
In Clause 1(1)(a), data are defined as information which:
"(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose".
The reason that the word "automatically" is inserted there is to differentiate between manual processing, which is covered by different rules. There is no doubt in our mind that,
"operating automatically in response to instructions given for that purpose",
covers text or image, and storage and other processing. Indeed, the description of data is set out in Clause 1(1)(a) on page 1 and at the top of page 2 the Bill states that,
"'processing', in relation to personal data, means obtaining, recording or holding the data".
We have no doubt that that includes storage.
I agree with the proposition that the present Data Protection Act 1984, because of the limitations of definition within it relating to personal data and the requirement, as one noble Lord indicated, for processing to be undertaken by reference to an individual, is not as wide as our present scheme. We have deliberately wished to expand the definitions. "Processing", as I said a moment or two ago, covers storage. We believe that the new definitions are broad enough to catch not only sophisticated types of CCTV but much simpler equipment also, for example the sort of equipment which merely projects images of individuals passing a shop into the shop window, without recording those images.
The reason I suggest that the amendment would reduce the coverage of the Bill is that, if one limits the definition of data to information which is being processed as text or image, it is arguable whether that would cover the processing of binary codes by computer. We believe that it certainly would not cover some other forms of information processing such as radio waves.
I hope that explanation is of assistance, and I shall turn briefly to Amendments Nos. 2 and 3 in the name of the noble Viscount, Lord Astor. His Amendment No. 2 would provide that only information which was recorded as part of a relevant filing system, or with the intention that it should form part of such a system, for the purpose of the processing would be regarded as data. That assumes, we believe, that the recording and subsequent holding of information does not itself constitute processing. As I sought to indicate a moment or two ago, that is not the case because of the definition in Clause 1, which encompasses obtaining, recording, holding, retrieving or even the destruction of data. I hope that is of assistance and is consistent with the spirit of the noble Viscount's probing amendment.
Amendment No. 3 would make it explicit that information,
"recorded by camera or video surveillance",
falls within the definition of data. We believe that to be unnecessary. I have indicated the reason earlier. The definition of data incorporates all information processed by means of equipment operating automatically or recorded with the intention that it should be processed by means of such equipment. We believe that recording of information by camera or video surveillance already falls within the definition of data, and I hope those explanations prove helpful.
Viscount Astor: I should like to thank the Minister for his reply. But I wonder whether perhaps he could answer one question. I quite accept the answer he gave to my Amendment No. 2. Does that mean that he and the Data Protection Registrar are now in agreement, as it were, as to what constitutes manual records?
§ Lord Williams of Mostyn: That was my rather delphic coded reference to Amendment No. 13. The present position, as I believe I indicated at Second Reading, is that discussions are still continuing between officials in the Home Office and the Data Protection Registrar, and indeed others. The specific answer is, first, that it relates to Amendment No. 13, and, secondly, that no definitive conclusion has been arrived at.
§ Lord Craig of Radley: I am grateful to the Minister for his explanations and views, which I should like to study with care. The concept that "automatic" is the obverse of "manual" seems to be one point, with "holding" being absolutely identical to "storage". I take it at this stage that more thought is necessary, and on that basis I seek leave to withdraw my amendment.
§ Amendment, by leave, withdrawn.
§ [Amendments Nos. 2 and 3 not moved.]
Lord Williams of Mostyn moved Amendment No. 4:
Page 1, line 29, at end insert ("and any indication of the intentions of the data controller or any other person in respect of the individual").
§ The noble Lord said: Amendment No. 4 is now grouped with Amendments Nos. 5 to 11, 12, 14 and 16, and I will speak to the amendments in that group if I may. Our purpose in Amendment No. 4 is to seek to put it beyond doubt that the definition of personal data includes indications of intentions towards data subjects. The definition in Section 1(3) of the Act of 1984 says in terms that indications of the intentions of data users towards data subjects are excluded from the definition of personal data. The data protection directive does not allow such exclusion to be maintained.
§ We have tried to make that clear in our July 1997 White Paper. We originally thought that no express reference to indications of intention was needed, but having thought about it further we believe it would be better to put the matter beyond doubt on the face of the Bill, and that is the purpose of the amendment. This is not a change of policy, but we thought we had better make compliance with the requirements of the directive clear beyond any doubt. There is no change of substance; it is a cautious approach.
§ Amendments Nos. 5, 6, 7, 8, 9, 10 and 11 are technical amendments to ensure that we have the basic building blocks of the Bill correct. Essentially the Bill is about processing information about people. "Processing" means doing anything with that information, from collection right through to destruction. The definition of "processing" is presently expressed by reference to personal data, and that means that the definition of "data" earlier in Clause 1 does not work properly. Therefore the first amendment corrects the reference by substituting "information or data" for "personal data". The following amendments change later references to "data" to "information or data".
§ If one looks at the definition of "data" on page 1 of the Bill, your Lordships will see that "data" means information which is dealt with in one of a number of different ways, so at various points in the cycle of the process the raw product, if I may call it that, may be either information or data, and we simply introduce these amendments in order to cater for both possibilities.
§ Amendment No. 12 is in the name of the noble Earl, Lord Northesk. I am not entirely sure at this stage—I am sure it is my deficiency—what the purpose of the amendment is. We think that it is to provide an exception from the definition of processing given in the Bill for the processing of personal data which forms back-up data. We considered at some length whether we could provide an exemption for back-up data such as is to be found in the 1984 Act. However, we cannot see that the directive allows us to make such an exemption. In practice, we anticipate that it may be quite rare that a data subject will want access to back-up data, and there is nothing to stop a controller confirming that a data subject wishes only the most recent records. But if, rarely, a data subject desires access to a set of records, we cannot see any immediately persuasive basis on which that may be properly denied. The question of subject access fees of course falls to be settled in subordinate legislation.
§ I hope that is a helpful pre-rejoinder, since the noble Earl, Lord Northesk, has not said anything about his amendment, but it may have been convenient that I set out our position there.
§ The last two amendments in this grouping are Nos. 14 and 16. Amendment No. 14 is in the name of the noble Viscount, Lord Astor. We are bound to implement the directive, which means in turn that we are bound to provide a very wide definition of what makes data personal data. We have done our best to put that definition as tightly and tautly as possible.
§ The directive also has a very wide definition of what is "to process data", which includes disclosing it, and that is why we have disclosure in the Bill's definition of processing. If a data controller discloses personal data as we have defined it, then we are obliged by the directive to treat that as a disclosure to which the regime applies; we do not see that we have an option to do otherwise.
§ If information identifying the data subject is unlikely to come into the hands of the recipient, those data will not qualify as personal data in the hands of the recipient for that reason, and will therefore not be subject to the data protection regime to that extent. We do not see any basis in the directive which would allow us to deem disclosures not to be disclosures in the way suggested by the amendment. Again, I hope that has been helpful.
§ We believe that there is a logic to the conclusion to which the directive points us. A data controller may find it quite hard to know what information is likely to come into a recipient's hands. He may have little control over what a recipient does with the data, but the directive suggests he should minimise the risks by complying with the data protection principles.
§ The last amendment in this group is Amendment No. 16, again in the name of the noble Viscount, Lord Astor. We do not believe that the amendment is strictly necessary, though we are not out of sympathy with its underlying purpose, which we take to be the clarification of who the controller is in the case of messages sent by telephone or on systems like the Internet. I think I am right in saying that the approach in the amendment follows that in Recital 47 in the directive. The effect crudely would be that if I used the Internet to send a message, I, not the Internet service provider, would be the controller for any personal data contained in my message, but the Internet service provider would be the controller for any personal data used in the system underpinning the message. The distinction is there, and it is understandable when one sits down with a wet towel for some hours and a bucket of black coffee—so I am told!
§ We believe, therefore, that the definition of data controller in Clause 1 already has the desired effect. When I send my message on the Internet, I determine the purpose of the processing—that is, the reason for my sending the message—and the manner of the processing—that is, the Internet. The Internet service provider has no part in the determination of the purpose of the process, so he cannot be controller for the message content. However, he does determine the process and manner of processing of any personal data used in the support of the message—for instance, if I am to be billed for use of the service. In the billing context, the service provider is the controller, not I who simply use the service that the service provider provides.
§ We think, therefore, that our definition achieves the effect which we believe to be the purpose behind the amendments. Those are the words that I wish to offer to the Committee in respect of that group.
§ 4 p.m.
§ The Earl of Northesk: I am grateful to the invitation from the Minister to clarify Amendment No. 12, which is in this group. In essence, I am trying to tease out an issue that I raised at Second Reading. As I attempted to explain at that time, a great deal of computer software has been designed to conduct a series of routine operations in the background without any specific input being required of the user of the programme or—this is the key point—without his necessarily being aware that they are being carried out. For example, mail merge functions could be interpreted as falling into this category. Over coming years, if not months, programmers will be designing more and more macros to facilitate repetitive and laborious computer operations and building them into commercial software.
One example I cited at Second Reading was that of e-mail programs. As a matter of course these are frequently designed to generate a number of personalised fields in the headers which fall within the definition contained in Clause 1 of the Bill. That being so, it is possible that anyone using an e-mail programme, except in so far as the exemptions in Part IV of the Bill apply, will qualify as a data controller and/or a data processor within the terms of the Bill.
Of course, for large organisations, either public or private, this may not be a particular problem. The data processing operations of such bodies will almost certainly be subject to the provisions of the Bill for other legitimate reasons in any event. I am much more concerned about the burden that this could impose upon individual users of such programs. For example, it is entirely possible that a sole trader or a self-employed person, without otherwise processing data within the terms of the Bill, may be using e-mail as a preferred means of business communication with contacts elsewhere in the European Union. As currently drafted, and if I understand it correctly, the Bill could require such persons to be subject to its notification provisions. In effect they would require a form of permission before being allowed to conduct their business and/or communicate with colleagues. Indeed, much the same could be said of Members of Parliament who use e-mail in pursuit of their duties.
Equally, this raises awkward questions with respect to e-mail communication with third-party countries. More generally, it is conceivable that the Bill could be applied to all Internet traffic, not just to e-mail, because of the way in which relevant software programmes process data in the background—again, essentially without the knowledge of the user. Inevitably this particular aspect will become increasingly significant as digital television and set-top-box technology comes on screen. It may or may not be a good thing to have inadvertently stumbled upon a mechanism that has potential in terms of regulating the Internet but, to my interpretation, this is outwith the purposes of the Bill as defined in the Long Title.
Thus the attempted purpose of the amendment is to exclude these forms of background processing from the provisions of the Bill. Of course, I acknowledge that my drafting leaves a great deal to be desired. Nor am I wedded to using this particular route to resolve the problem—if indeed there is a problem here. I hope that the Minister will clarify that and other points I have raised in due course.
In passing, I do not wish to embarrass the Minister, particularly bearing in mind his gracious opening remarks, but I should perhaps mention that I wrote to him about this point on 5th February, seeking clarification on a number of other matters. It is perhaps regrettable that I have not yet had a reply to that letter.
Viscount Astor: It may be convenient if I speak to Amendments Nos. 14 and 16. I can only half thank the Minister for replying in advance to my amendment. I had rather hoped to ask him a series of difficult questions about Amendments Nos. 14 and 16, but he has asked me a whole series of difficult questions about my amendment. Unfortunately, I do not have the hot towel, the coffee, or any of the support that is needed.
Perhaps I could start in reverse order, because that is the question I remember better. My concern, as the noble Lord rightly surmised, was that telecommunications operators should not be considered the data controller for personal data which are carried as part of a message. As the noble Lord said, this is provided for in paragraph 47 of the directive, to ensure that anybody who is just providing a service would be exempted, if I understood him. It is only those who were providing a service who were not only sending the data but in some way processing them who would therefore be caught. That is what I understood from the noble Lord. Therefore, for example, if British Telecom or any other Internet provider provides the lines, it is not a controller: it is just using the lines and therefore it is not caught. I am grateful for the noble Lord's clarification on that.
On Amendment No. 14, about anonymous information, I am rather concerned by the noble Lord's reply. In the directive, paragraph 26 is clear. It says that:
"The principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable".
I accept what the Minister said, but I feel that the Bill is weak in making that clear. I wonder whether there is some way in which we can ensure clarity. Information will be used for statistical and research purposes and it would be a pity if that information could not be used because there were worries on this issue. I wonder whether between now and the next stage the Government could address the issue and come forward with a solution to clarify it on the face of the Bill. I entirely accept what the noble Lord says are the intentions. However, I am not 100 per cent. convinced that this is clarified in the Bill as it stands.
§ Baroness Nicholson of Winterbourne: I have a comment on Amendment No. 16. We have not heard the last of the need to address the problems of personal privacy on the Internet. The Commissioner, Mr. Mario Monti, of the Internal Market and Financial Services, announced last week that he will be seeking from the Council of Ministers a possible brief to negotiate on the drafting of guidelines for the protection of individuals with regard to the collection and processing of personal data on the information highways. He has stated that, while working on this in the Council of Europe, he believes he should ensure that the work is of a comparable level of protection with Directive 95/46EC, and does not interfere with its implementation. He goes on to say that he believes the Commission should pay particular attention to a number of quite stringent points. My own view, for what it is worth, therefore, is that while we may believe that we make up our minds on this, it will end up in a holding position while we await yet another directive.
§ Lord Williams of Mostyn: The noble Baroness may well be right, and I make my response to her comment on Amendment No. 16. We sought to get the balance as safely as we can. It may well be that circumstances will make us take a different view.
Let me say how sorry I am that there has been any apparent personal discourtesy in respect of the noble Earl, Lord Northesk. I gave particular instructions that the letter was to be delivered to him before we began this Committee in the Moses Room. I know that I have signed it and it may well be on its way. But it is extremely unsatisfactory and I can assure not only the noble Earl but the Committee that I intended no discourtesy. His letter was very informed and detailed, and required quite a good deal of research, which I know officials began as soon as the letter came to the Home Office because I made the particular request that they should do that, and I know they have. I will take that further and find out where the letter is. It may well simply not have arrived; it may have been lost in the building.
§ The Earl of Northesk: I thank the Minister very much for that, and I know perfectly well that no discourtesy was intended.
§ Lord Williams of Mostyn: I am grateful to the noble Earl.
The noble Viscount, Lord Astor, returned to this question on Amendment No. 14. All of these matters are certainly worth considering because there is no absolutely right answer to any of these problems. I can undertake that we will give them careful thought, by which I mean truthfully and literally rather than any implied inducement, because I am not in a position to give any sort of inducement at all, nor to indicate by a nudge and a wink that we are likely to change our minds. We are genuinely wanting assistance, I cannot repeat that too often, and I am most grateful for the further questions that have been put, which we shall of course consider.
§ On Question, amendment agreed to.
§
Lord Williams of Mostyn moved Amendments Nos. 5 to 11:
Page 2, line 1, leave out ("personal") and insert ("information or").
Page 2, line 2, after ("the") insert ("information or").
Page 2, line 3, after ("the") insert ("information or").
Page 2, line 4, after ("the") insert ("information or").
Page 2, line 5, after ("the") insert ("information or").
Page 2, line 6, after ("the") insert ("information or").
Page 2, line 9, after ("the") insert ("information or").
§ On Question, amendments agreed to.
§ [Amendment No. 12 not moved.]
§
Viscount Astor moved Amendment No. 13:
Page 2, line 15, leave out ("particular").
§ The noble Viscount said: I can be very brief with this amendment. It concerns the definition of "relevant filing system". By eliminating what one might call the second hurdle, more files will come within the ambit of a "relevant filing system". Otherwise files which are structured by reference to individuals but not also by reference to the particular information which they hold would not come within the definition. That does not seem to be what the Bill intended. In trying to improve some of the drafting of the Bill, I suspect I might not have it necessarily right, but I look forward to the noble Lord's response. I beg to move.
§ Lord Williams of Mostyn: It was this amendment to which I made oblique reference earlier. Let me say at the outset what I am directed to say at the end, which is that we will certainly look at the wording of this clause to see if we can get more precision. At present, the Act of 1984 only applies to computerised records. Because of the directive, we have the obligation to extend the regime of protection to some manual records. This is extremely important and it is also extremely difficult to get the right phrasing.
The definition as it stands is our best effort so far, and we have tried to identify three key elements: one, the set of information must be structured; two, the structuring must be done by reference to individuals; and, three, particular information about particular individuals must be readily accessible. There is no doubt that that can be criticised as lacking certainty. It does not make it absolutely clear as to whether all personnel files will be caught, but the answer is that it depends on the way in which the files are structured and upon the ease of access to particular information. To give an example: a personnel file about a named individual which contains a miscellaneous set of papers filed in date order may not be caught. A personnel file about a named individual with nothing in it but annual staff reports might well be.
I mentioned at Second Reading—and have reiterated to this Committee in answer to the noble Viscount's question—that the Data Protection Registrar does not share our view on the effect of the definition as drafted. Her view, if I have it correctly, is that it already covers the general personnel file. She believes that it is sufficient for the file to be about a single named individual for it to be caught by our present definition. That would apply to files of any kind.
I did say at Second Reading that we were willing to have another look at the definition to see whether it could be made more precise. We need to reach a conclusion, after the full debate, as to which categories of records are to be included. One possibility would be to make clear that the definition did, indeed, apply to the broader category of records which the registrar believes are already included. As the noble Viscount said, that would virtually be the effect of his amendment.
If that is the way we are to proceed, there would be for all users of manual records important consequences and substantial extra burdens. From representations we have received, it would not seem to be welcomed by those who hold large collections of this type of file, going back decades.
Our present preferred approach would be to maintain the present definition and limit it to a narrower category of files. However, as I stressed at the outset speaking to Amendment No. 13, I do not pretend that we have necessarily arrived at a perfect drafting answer. We are content to look further as the debate itself develops.
§ 4.15 p.m.
§ Lord Flowers: I understand why the Minister wishes to make such a sharp distinction between automatic and manual, because it has been a problem in the past and he is concerned about it. However, the future of computing is an interactive one, in which automatic processing pauses from time to time and waits for the operator to feed in manual information or instructions. Increasingly, computing is developing in that interactive manner. It will become more and more difficult to make a sharp distinction between automatic and manual. In the amendment put forward by the noble and gallant Lord, Lord Craig, which I support, we raised an objection to the use of the word "automatic" for that reason. I emphasise again, in the context of the particular paragraph now under discussion, that the same objection applies. I hope that the Minister will reconsider the use of the word "automatic" throughout.
§ Lord Williams of Mostyn: I certainly listened carefully to the points which have been made, because they may well be points of general application, not specifically directed to Amendment No. 13. I am bound to say that the noble Lord's comments echo quite a number of observations which have come from industry and from business in general. I shall certainly bear in mind his cautionary note. It is perhaps of wider application than simply Amendment No. 13.
§ Viscount Astor: I am grateful for the Minister's reply to my amendment in particular, if I may call it that, and also his statement concerning the current situation with the registrar, which, of course, is a wider issue.
There is an important point here and one which I am sure we will want to consider further. It is likely that we will have to move somewhere towards the position outlined by the noble Lord, Lord Flowers, on one part of the Bill before the next stage, so that we are all—if nothing else—in a position of clarity. Unless this Bill is made clear, it will, in effect, be interpreted by the new commissioner. She will be looking over her shoulder, as it were, at what the Bill says and also at what is said as the Bill progresses through Parliament. It would be better for all involved, as I am sure the Minister will agree, if we could have a Bill which clarifies the issue entirely. I beg leave to withdraw the amendment.
§ Amendment, by leave, withdrawn.
§ [Amendment No. 14 not moved.]
§
Viscount Chelmsford moved Amendment No. 15:
Page 2, line 22, at end insert ("and
(c) "consent" includes the consent of data subjects obtained through standard contractual provisions, where such conditions have been approved by the Commissioner.").
§
The noble Viscount said: This amendment follows up some of the issues which were discussed at Second Reading. Schedule 2 begins with the comment that where,
"the data subject has given his consent to the processing",
the first principle applies. It is a question of establishing what is consent.
§ We all know perfectly well in our minds what is personal data that may move from place to place and be totally appropriate, legal and correct, in particular in the business sense. We all know perfectly well what is data which, if passed without consent, are probably not legal or appropriate. There is a dividing line somewhere; and that dividing line probably differs slightly for each one of us. It is almost something that cannot be put on paper and defined. But I am not discussing the dividing line; I am simply suggesting that when business needs to move personal data, and it is obvious to anyone with a modicum of common sense that that personal data will be accepted by the data subjects because it is in the data subjects' interests, then there should be some means of taking a short cut.
§ The obvious way to take a short cut is contractual. There are a number of contracts in different parts of the industries which are standard. We mentioned two of the many standard business contracts at Second Reading—the employment contract and the proposal forms for insurance. I suggest that where the business wishes to take that short cut in order to move things along speedily it can apply to the data commissioner to inquire whether a standard clause in the standard contract about personal data would be acceptable. I beg to move.
§ Baroness Nicholson of Winterbourne: The other part of the amendment has already been mentioned by the noble Viscount, Lord Chelmsford, but my point is the more personal one. My amendment talks about free and informed consent, and from that it may be seen immediately that I am thinking particularly, to give the ultimate example, of the asylum seekers whom we imprison at the moment without trial and with no knowledge of any crime they may have committed. It was a move put in by the previous government and prisons or places of detention such as Campsfield where there are many nationalities altogether in prison without free movement, unable to leave an institution which appears to have more physical barriers than Dartmoor.
Because of that situation, I put forward strongly the view that free and informed consent surely is a civilised country's obligation in legislation such as this where we have an opportunity to discuss this matter. We have a chance to put a provision on the face of the Bill. It is frightening for people to give medical data, family data, and such information in such circumstances to a doctor they have never seen before, to a person in authority over them—perhaps from Customs and Excise—who can be quite fierce with them for reasons of their job. These people probably do not speak English properly and are in fear of deportation. Not all of them are deported, but records are created on all of them.
I believe strongly that as a civilised society, we should insert "free and informed" before "consent".
§ The Solicitor-General (Lord Falconer of Thoroton): The two amendments that have been put so well by the noble Viscount, Lord Chelmsford, and the noble Baroness, Lady Nicholson of Winterbourne, both deal with the same topic; namely, there is no definition in the Bill of the word "consent". We do not believe that it is necessary either for the purposes advanced by the noble Viscount, Lord Chelmsford, or for the reasons advanced by the noble Baroness, Lady Nicholson, to include a definition of consent. We believe that it is for the courts to determine on a case-by-case basis if consent has been given.
The first proposal, that made by the noble Viscount, Lord Chelmsford, seeks to give a partial definition of consent in a particular set of circumstances, which in effect means accepting a standard form approved by the commissioner. In our view, that is not a desirable approach to be taken. We believe that whether consent has been given is a matter which must be capable of being assessed in all the circumstances of an individual case. We do not feel it either necessary or desirable to be any more prescriptive. To try to be more prescriptive is in our view liable to cause more difficulties than it can solve. People will be raising questions about the particular consent that they gave, perhaps in a long form. We believe the courts can deal with that sort of problem, and that it is better for it not to be dealt with in an amendment of the sort proposed by the noble Viscount.
The same approach follows in relation to the amendment proposed by the noble Baroness, Lady Nicholson. The courts are very practised in determining in many contexts whether consent has been appropriately given. They are well used to considering whether any purported consent which is neither free nor informed, which is the wording of the amendment of the noble Baroness, can properly be considered a true consent at all. These things all need to be judged in the circumstances. We believe that the best course is for the courts to deal with it on a case-by-case basis, which I am sure will give the best protection. In those circumstances, I respectfully ask whether both the noble Baroness and the noble Viscount would consider withdrawing their amendments.
§ Viscount Chelmsford: Perhaps I may question the Minister a little further. On Second Reading, I thought I understood the noble and learned Lord to say that his initial feeling—and I will not hold him to this—was that a clause or a box in a proposal form would probably be acceptable, but that perhaps a clause in an employment contract was not. I hope I do not put words into his mouth, but it was something of that nature. It means that he is clearly making a judgment, even though he prefers not to do so officially.
It would be helpful for business if some ground rules were laid down. It seemed to me that the Minister was quite keen on giving the commissioner latitude to make decisions, and that this was a sensible route to take. Is he now saying that the commissioner has no power to advise data controllers on the matter?
§ Lord Falconer of Thoroton: The noble Viscount exactly records what I said on Second Reading. The effect of what I said then seems to indicate that it has to be dealt with on a case-by-case basis, and the best people to deal with it in that way would be the courts and not the data controller. I say that because the courts are focusing on whether it is a real consent, which is what one is looking for.
§ Viscount Chelmsford: I thank the noble and learned Lord for that answer. I need to go away and reflect on the matter. I beg leave to withdraw the amendment.
§ Amendment, by leave, withdrawn.
§ [Amendment No. 16 not moved.]
§ On Question, Whether Clause 1, as amended, shall be agreed to?
§ Lord Skelmersdale: I should declare an interest as a director of a mail order company. I spent a moderately happy three hours this morning amending a mailing list. This involved removing names, adding names and recording order numbers and occasionally telephone numbers, by hand, on index cards which are arranged by name and postcode—steam technology perhaps, but nonetheless it is, as I understand it, a relevant filing system under the Bill.
In my case, or rather that of my business, all these cards are as a result of personal intervention by a customer or potential customer answering an advertisement, or telephoning in as a result, say, of a newspaper article; in other words, they are applied for. We have never bought mailing lists, although it is perfectly legitimate to do so.
The point I should like to make is that my actions were, and under this Bill still will be, perfectly—I intended to use the word "kosher" but my noble friend Lord Chelmsford supplied my answer—correct. However, were I a maker of cigarettes this would shortly become illegal under the tobacco advertising directive, which is currently undergoing the process of being signed up to by the Government.
For many years now if you have filled in a questionnaire or applied for an offer for a packet of cigarettes, you have had to sign and declare that you are a smoker over 18 years of age. It follows that if you are sent a letter as a result of being on such a mailing list, you are in exactly the same position as one of my firm's customers—except, of course, that it would be on computer. Why, then, is one to be banned and not the other? It cannot be because of cigarette advertising as the individual has already been in contact with the company and is, by definition, already hooked.
I do not expect an answer today because I have rather sprung this on the noble Lords, but if they will cogitate I shall be very interested in receiving an answer by letter at an appropriate moment.
§ Lord Williams of Mostyn: I guarantee it.
§ Clause 1, as amended, agreed to.
§ Clause 2 [Sensitive personal data]:
§ 4.30 p.m.
§
Viscount Astor moved Amendment No. 17:
Page 2, line 46, after ("racial") insert (", national").
§ The noble Viscount said: In moving Amendment No. 17 I shall also speak to Amendments Nos. 18 and 19. I have tabled Amendments Nos. 17 and 18 purely because in the Crime and Disorder Bill I happened to notice that Clause 26 defines "racial group" with reference to nationality and national origins. I wonder therefore whether, for consistency of legislation, that should be included in this Bill.
§ I turn to Amendment No. 19. I looked, first, at the directive and then at the Bill and thought what a very unattractive way it was of dealing with legislation. Someone has thought of the word "orientation", which is almost as bad as the words in the Bill. It seems to me that we are getting into a strange kind of legislation. Is there no all-encompassing term that could be used? I am not sure how one defines sex life in law: what does that include; or what does it not include? It might include lots of different things in Scotland that it might not include in England, as we know!
§ Is there not an all-encompassing legal term that the Minister could suggest which would say that people's private lives remain their private lives—a more general thing—rather than this laborious way of saying what it might include? Looking at this rather extraordinary list, it seems to me that it is a recipe for wrangles in the future. I look forward with interest to the Minister's reply. I beg to move.
§ Lord Williams of Mostyn: I shall speak to Amendments Nos. 17, 18 and 19 together. The noble Viscount asks what is sex life and what does it include. I do not think I should venture too keenly into that territory; otherwise we shall both be sharing an unfortunate headline. What I say is that we have amply covered those areas that need to be covered—or, indeed, uncovered—in this context because we have put in Clause 2(f) the general description of "his"—which includes her—"sexual life". Therefore, sensitive personal data relate to data which are information as to sexual life. We believe that that is the best definition we can get.
Certainly one is dealing here with sensitive personal data. We have tried to get the definitions right. In other contexts—certainly the Crime and Disorder Bill or in race relations legislation—nationality is included. What we have to look at here is sensitive personal data. We believe that the fact, as a matter of information, that an individual is of a particular nationality (though it will give no indication of his racial or ethnic origin) is not sufficiently sensitive to require the application to that information of the more restrictive regime (which is the personal data), which is the sensitive regime, rather than the general personal data regime. We have reached that conclusion, which we believe to be right. Data about nationality are not of the same sensitivity as data relating to racial or ethnic origin.
The third matter relates to colour or nationality, so colour is included here. We think that the issue of colour ought to be regarded as in itself information as to racial or ethnic origin. It is not the same thing, but it does seem to be information as to racial or ethnic origin, which is already within the Bill's definition. I do not believe there is a real ambiguity there, and I hope I have been able to satisfy the noble Viscount as to his queries and questions.
§ Viscount Astor: I am grateful to the Minister for his reply. I note that the Bill virtually copies out word for word what Article 8 of the directive says, except for one interesting gap. Article 8 says "religious or philosophical beliefs", whereas the Bill says "religious or other beliefs". Presumably the Home Office believes you can have philosophical beliefs and you can also have other beliefs, and that is therefore the only word which is not the same. However, I am grateful for the noble Lord's explanation and I beg leave to withdraw the amendment.
§ Amendment, by leave, withdrawn.
§ [Amendments Nos. 18 and 19 not moved.]
§ Clause 2 agreed to.
§ Clauses 3 and 4 agreed to.
§ Schedule 1 [The data protection principles]:
§
Viscount Astor moved Amendment No. 20:
Page 38, line 16, leave out ("necessary,") and insert ("appropriate,").
§ The noble Viscount said: Amendment No. 20 is a probing amendment. I wonder why the word "necessary" is there because it seems not to be necessary. I wonder whether the Minister could explain for whom and what purpose "necessary" is included.
§
I see that Amendment No. 22 is grouped with this amendment. This amendment attempts to strengthen the provision. Subparagraph (1)(b) states:
"the data controller ensures that … the data subject has, is provided with, or has made readily available to him, the information specified".
But qualifying this requirement by stating,
"so far as practicable before the relevant time",
and,
"as soon as practicable after that time",
seems to weaken the provision. I wondered why that was the case. I have put this amendment down so that we can elucidate an answer from the Minister. I beg to move.
§ Baroness Turner of Camden: I shall speak to Amendment No. 23, as it is grouped with Amendment No. 20. This follows up what a number of noble Lords said at Second Reading in relation to insurance fraud and fraudulent claims. It will be recalled that at Second Reading I and several other noble Lords referred to the difficulties that could arise if it was not possible to retain statistics against future fraudulent activity. It is believed essential, as a safeguard against fraudulent activities of habitual claim-makers, for files and other records relating to earlier investigations of suspect or potentially fraudulent claims to be retained for future reference. This appears at present to be in conflict with the fifth data protection principle which requires that,
"Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes".
I am advised that the ability of insurers to avoid payment of fraudulent claims is very much dependent upon their being able, often with the assistance of loss adjustors, to assess details of earlier claims made by policy-holders who would otherwise falsely be able to maintain that no such earlier incidents had occurred.
The amendment that has been drafted is fairly self-explanatory. It says that it,
"shall be permitted for whatever period is deemed appropriate by the Commissioner".
In other words, the responsibility in relation to authorising the retention rests clearly with the commissioner, and it is felt that that in itself would give sufficient protection in terms of data protection.
Incidentally, while speaking on the issue of fraudulent claims, I take this opportunity to thank the Minister for his kindness in writing to me and to my colleagues on the whole issue of fraudulent claims. I beg to move.
§ Lord Skelmersdale: I have a related point to make. In the cards to which I referred a few moments ago, I might very well come across one which said "give no credit" on the basis that in previous years the customer had not paid. How long would I be expected, or be allowed, to keep that on the card? I might want to keep it until I discovered that the person had moved and therefore the information was irrelevant. I might want to keep it for two years, until they had settled their bill. In all this, there must be a length of time, I suspect, which the Government have in mind.
§ The Earl of Northesk: I note that Amendment No. 26 is in this grouping, so I shall speak to it now. Part II of Schedule 1 sets out the interpretation of the data protection principles appearing in Part I of the schedule, against which the legitimacy of data processing is tested. In respect of the seventh principle—that requiring the proper integrity of processing systems—the Bill seeks to transpose the provisions of Articles 17.3 and 17.4 of the directive. However, it seems that in this transposition the specific provisions have been changed. My amendment seeks to return the interpretation of the directive's provision on to the face of the Bill.
Article 17.3 of the directive states:
"The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller".
Article 17.4 states:
"For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form".
However, as currently drafted in the Bill, paragraph 13(a) of Schedule 1 requires contracts with the processors of personal data to be in writing and on strict construction; that is to say signed. To my interpretation, the provisions in the directive were directed towards securing evidence of the terms of the contract under which the data controller authorises and legitimises processing on his behalf by the data processor. In effect, the Bill as drafted goes beyond the requirements of the directive and seeks a more prescriptive approach. I believe that this will have unforeseen and unwelcome consequences which, if enacted, will cause the Bill to operate to the great disadvantage of many traders.
In particular, the British Retail Consortium has raised concerns about the effect that these provisions will have on the agency mail order trade in the United Kingdom and the millions of women who act as informal agents for the industry. According to the analysis of the industry conducted by the Monopolies and Mergers Commission and set out in its report on the proposed merger between the Littlewoods Organisation plc and Freemans plc in 1996, the agency mail order sector had sales of £3.25 billion, primarily conducted through non-commercial agents. On the commission's analysis, these agents were described as being predominantly women aged between 25 and 55, overwhelmingly not in employment or even part-time employment, with 62 per cent of their number drawn from socio-economic group C2, D and E.
The commission also estimated that agency mail order was used by 20.75 million people in the UK, 7.4 million of whom were acting in the capacity of agents. Of these, it was further estimated that some 2.5 million were described as "traditional agents", buying for more than one customer—that is to say, likely to be buying for persons outside their own households.
One of the strengths that has characterised the way in which mail order has been conducted throughout this century is its informality. The requirement for agency mail order companies suddenly to suspend operations with their agents while some 7.4 million processing contracts are issued and returned duly signed by the agent is a burden being imposed by the Bill as drafted, and yet the directive itself does not seek this. My amendment would ensure that it would be sufficient that processing was conducted on the terms of a written memorandum of agreement tendered in the regular and periodic communications with agents rather than requiring the company to refuse to do business with them in the absence of a signed copy of a written agreement. This would seem entirely equitable and completely within the original intention and spirit of the directive.
§ 4.45 p.m.
§ Lord Falconer of Thoroton: There are four amendments in the group. They are all slightly different from one another and I shall deal with them one at a time.
The noble Viscount, Lord Astor, moved Amendment No. 20. At present Principle 4 in Schedule 1 says:
"Personal data shall be accurate and, where necessary, kept up to date".
The noble Viscount wants to replace "where necessary" with "where appropriate". Why, he asks me, is it "where necessary" rather than "where appropriate". As the noble Viscount knows, the reason we are bringing in this legislation is in large measure that we have to give effect to the directive. We are required to make provision at the level set by the directive. This provision of the Bill, the fourth data protection principle, follows the corresponding provision of the directive (Article 6.1(d)) word for word. It would not therefore be appropriate for us to delete the word "necessary" and put in the word "appropriate". I hope that that answers the noble Viscount's first amendment.
His second amendment, Amendment No. 22, seeks to reduce the flexibility that a data controller has in giving information to the data subject about the information that the data controller holds on the data subject. The extensive interpretive provisions in paragraphs 2 and 3 of Part II of Schedule 1, which the noble Viscount seeks to amend, are intended to give effect to certain transparency requirements in the directive. It may help if I briefly explain how they work.
Articles 10 and 11 of the directive require certain information to be provided to individuals about whom data are collected. Essentially, the information is the name of the controller, the purposes of the processing and any other information needed to make the processing fair. Article 10 deals with data which are collected from the data subjects themselves. Article 11 deals with data collected from persons other than the data subjects. That is the situation covered in paragraph 2(1)(b) to which the amendment relates. Paragraph 2(1)(b) requires the information to be provided to the data subjects before the relevant time,
"or as soon as practicable after that time".
The noble Viscount wishes to delete those last words.
The "relevant time" is defined in paragraph 2(2). It means the time when the data controller first processes the data or, in essence, the time when the data are first disclosed by the controller, if he has the intention to disclose them.
I return to the noble Viscount's amendment. I do not think it is desirable to make this change. It would make it very difficult, if not impossible, for controllers to comply with the requirements of the paragraph. The Committee will remember that the Bill is concerned here with data which are collected otherwise than from the data subject: they may be collected, for example, from some sort of public register. If the controller collects them by entering them directly from the register on to his portable computer, he is already processing them. Without the words which the noble Viscount's amendment would remove, the controller would be required already to have given the relevant information to the data subjects.
It is difficult to see how that would work in practice. We should be putting controllers in the position of having to choose between not collecting the data from third-party sources and doing so but not complying with the law. We believe, therefore, that the wording that is already in the Bill is essential to the practical operation of this provision. Having explained that, I respectfully invite the noble Viscount to withdraw the amendment.
I turn to the amendment moved by the noble Baroness, Lady Turner of Camden. As I understand her point, the insurance industry is concerned that it should be able to keep information about claims so that when a person makes a further claim one would be able to refer back to that particular information that one already has. The basic principle is that you are entitled to keep the information for as long as necessary. If the position is that it is necessary to keep that information against another claim being made, there would be no infringement of the relevant data protection principle. I cannot tell the Committee how long is necessary because that will depend on a particular case; nor I imagine would the Data Protection Registrar be able to say how long is necessary because it will depend upon the individual case concerned. However, I would like to emphasise that the data protection principles permit the retention of information for as long as necessary, which we believe meets the point made by both the noble Baroness, Lady Turner, and the noble Lord, Lord Norton. We believe that the position is covered.
There is a separate provision in the Act, Section 32(5), which permits material to be held purely for statistical purposes and then there is no limit in time. But although I may have misunderstood it, I do not believe that is what the noble Baroness has in mind. If it is purely statistical and does not relate to an individual person, then the data protection business would not apply and one would not be worried about it. But I believe it is the first situation. I hope that puts the minds of the noble Baroness and the noble Lord at rest and in those circumstances they will withdraw their amendment.
Finally the noble Earl, Lord Northesk, seems, with the greatest respect, to be operating under a significant misapprehension, although I may have misunderstood the position. He says that in paragraph 13 of Part II of Schedule 1 to the Bill, where it says,
"the processing is carried out under a contract in writing under which the data processor is to act only on instructions from the data controller", that means the contract must not only be in writing but must also be signed. That is not my understanding of the Bill, nor is it the understanding of the Bill of those who were responsible for giving instructions for its drafting. The concern which underlay much of the very good speech made by the noble Earl in support of his amendment is probably misplaced. Speaking as a lawyer, I can tell the Committee it is absolutely right that where it says "contract in writing" you do not need to have it signed, so that is a genuine misapprehension.
Having said that, there may be a point which we should consider, where one has a contract which was evidenced in writing but was originally made orally. We may not have to deal with that, but there are a number of points on paragraph 13 which we could usefully consider without giving any guarantee of coming back with anything. The point which underlay the noble Earl's concern was probably, with respect, misplaced and I hope in those circumstances he will withdraw his amendment.
§ Baroness Turner of Camden: I would like to thank the Minister for clarification. He is quite right in his interpretation of my concerns. I was thinking in terms of material which was not necessarily statistics. I am grateful for the explanation he has given. I would like to think about it and perhaps the people who have been sending me briefing material would be appropriately satisfied.
Viscount Astor: My Amendment No. 20 was the original amendment in this group. I am grateful for the answer of the Minister, which I will study carefully, and I beg leave to withdraw the amendment.
§ Amendment, by leave, withdrawn.
§
Baroness Nicholson of Winterbourne moved Amendment No. 21:
Page 38, line 25, leave out ("adequate") and insert ("equivalent").
§ The noble Baroness said: The purpose of the amendment is to ensure that data will only be transferred to third countries outside the European Union which have an equivalent level of protection in relation to the processing of personal data. I am sure that the Minister will see the irony in this, in that the United Kingdom, until now at least, has been one of the less well protected of the developed nations, particularly in the European Union, prior to this Bill due to the deliberately weak interpretation of the Council of Europe directive of 1981; but we have moved on and we are taking on this directive now, for which the Committee is most grateful. Therefore, it warrants a careful look before we authorise the transfer of personal data outside the European Union.
§ I look at the USA, where the privacy law was drafted in 1970 and therefore predates the computer explosion; at the Far East, where protection is not a top priority; and at the Gulf and Africa. This should remind the Ministers that there are international customers whose details are held on databases of multinational companies in the United Kingdom.
§ I also remind the Ministers that while paragraph 14 of Schedule 1 lists the factors which are to be taken into account when considering at an adequate level of protection, it does not set minimum standards. I suggest that by adopting the requirement of an equivalent level of protection we would achieve a standard which could be modified, with regard to subject access and non-disclosure provisions, as time moves on. Effective safeguards for the transfer of data to developed and underdeveloped economies outside the European Union is, surely, very important. I beg to move.
Viscount Astor: Amendment No. 27 is grouped with the amendment of the noble Baroness, Lady Nicholson of Winterbourne. This is an extremely important area, because the free flow of data, including personal data which will be covered by the Bill, is of enormous commercial importance to companies both in this country and, for example, in the United States. British pharmaceutical manufacturers transfer large quantities of patient data to their US affiliates to secure approval of new medicines. Airlines and financial institutions maintain transatlantic databases for customers, and companies that do business on the Internet routinely transfer personal data to and from the United States.
Under the directive, personal data may be transferred to countries outside the EU, such as the United States, only if those countries ensure an "adequate level of protection".
Many British and American companies believe that data transferred to the United States from an EU country can be protected adequately through a combination of industry codes and contractual guarantees. Many companies have developed codes of conduct and plan to require their US partners to give contractual undertakings to comply with those codes.
As I understand it, however, European Commission officials have questioned whether data transfers to the USA can continue after the directive takes effect in October, unless the United States enacts a national data protection law similar to Directive 95/46 or takes other similar measures. I also understand that there is no prospect that the United States Congress will enact a comprehensive data protection law before this October. In fact, no law is even under discussion in the United States. There is a possibility that the US Federal Trade Commission will enforce privacy codes under provisions of US law that prohibit "unfair" or "deceptive" practices, but that issue has not yet been resolved.
Schedule 1, Part II, of the Bill contains provisions for interpreting the data protection principles. It states that the determination whether there is an adequate level of protection is made case by case, taking account of relevant factors. The existence of a data protection law is one factor, but others include codes of conduct and any security measures taken in the country to which data are transferred.
My amendment would make it absolutely clear that contracts are among the security measures to be considered under Part II of Schedule 1. It is consistent with the policy of the directive. The amendment would eliminate uncertainty about the appropriateness of contractual arrangements as one part of a programme to ensure an adequate level of protection of personal data transferred, for example, to the USA.
Having spoken to this amendment, which is simple but requires a somewhat convoluted explanation, perhaps I may briefly comment on the amendment proposed by the noble Baroness, Lady Nicholson of Winterbourne, to replace the word "adequate" with "equivalent". This amendment would, I feel, be quite wrong. It is almost impossible to say "absolutely equivalent". "Adequate" is sufficiently challenging. The danger of using "equivalent", of course, is that it amounts in effect to exporting EU law to other countries, and other countries, particularly the United States, would be quite paranoid about such behaviour.
§ 5 p.m.
§ Lord Falconer of Thoroton: These two amendments raise the important issue about the exportation of information beyond the EU. The noble Baroness, Lady Nicholson, seeks to remove the word "adequate" and replace it with the word "equivalent" in Schedule 1, which is in the data protection principles, and the noble Viscount, Lord Astor, seeks to include contractual issues as being one of the protections one has to consider when dealing with the question of adequacy. The Government take very seriously the position of other countries and their laws in relation to data protection. Indeed, when the Home Secretary went to the United States of America with the Prime Minister recently he discussed data protection with his counterparts there.
Having said that, I have to say that in relation to the amendment of the noble Baroness, Lady Nicholson, we could not contemplate matters of the sort she proposes for a number of reasons. First, as she knows, the Bill is to implement the directive. The directive sets the standards for transfers to third countries at the level of adequacy: the question of adequacy is itself to be monitored by the European Commission. To move away from that definition, as the amendment proposes, is to take the Bill out of line with the directive by imposing restrictions on British business which will not apply to our European competitors. We are not prepared to put our businesses at that sort of unnecessary trading disadvantage. Adequacy was the level agreed on by our EU partners as appropriate, and we do not intend to depart from it at this stage.
We believe that the adequacy of protection test provides a balanced approach. On the one hand, it ensures sufficient protection for the particular personal data concerned, consideration having been given to all the circumstances of the case, while on the other hand it has sufficient latitude to allow for variation in the requirements as they relate to particular cases. Equivalence of protection, which is what the amendment contends for, establishes a much stricter test, requiring exactly the same level of protection in the receiving country as is provided here, although the circumstances of a particular transfer may not require them.
I understand the noble Baroness's desire to ensure proper protection of individuals' personal data, but we believe that proper protection is already provided by the Bill as it stands in a practical way in accordance with that which all our EU partners regard as appropriate. In the light of those comments, I would urge the noble Baroness, with respect, to withdraw her amendment.
As far as the amendment of the noble Viscount, Lord Astor, is concerned, he wishes to include in the list of matters that are to be considered for the purposes of applying the adequacy test a reference to contractual arrangements, particularly by reference to security of the data. Paragraph 14, as I have indicated, lists those circumstances to which regard should be had, and most of those are linked to the country or territory itself. They are the country-wide or territory-wide circumstances which prevail.
The noble Viscount's amendment seeks to qualify one of those general country-wide or territory-wide sets of circumstances, namely the security arrangements, by requiring consideration to be given to the arrangements made between contracting parties. A requirement to consider specific arrangements of this kind—even if it were possible, given the multiplicity of contractual arrangements that might be found within any country—would not be consistent with the more general approach set out in the paragraph.
This is not to discount the relevance of contractual arrangements to transfers of personal data to countries outside the European Economic Area. Your Lordships will be aware that contractual arrangements feature in Schedule 4, which sets out the circumstances where transfers may take place to countries without adequate levels of protection. Paragraph 2 of that schedule allows transfers where these are necessary for the performance of a contract between the data subject and the data controller; and paragraph 3 of that schedule allows transfers where these are necessary for the conclusion or performance of a contract between a data controller and a person other than the data subject.
Finally, in paragraph 8 of that schedule there is the model contract approach where transfers are made on terms of a kind approved by the commissioner, but that is in the other schedule. We believe that it is not appropriate to include the amendment that the noble Viscount seeks, because it does not seem to us appropriate to have regard to the form of that particular schedule. In light of what I have said, I hope that the noble Viscount will agree to withdraw his amendment.
§ Baroness Nicholson of Winterbourne: I thank the noble and learned Lord the Solicitor-General for his clear explanation. If he believes that proper protection is more suitably addressed with "adequate", then I am very happy to accept his reasoning and I will not raise the amendment again. I believe that all EU partners should march together on this sort of matter, if not on one or two others.
I would argue, however, with the noble Viscount, Lord Astor, that "equivalent" would have been impossible to achieve. It would have been perfectly possible to achieve. We merely have to look at the other data protection laws in the countries to which we are exporters. Enforcing EU law in other countries is surely a noble aim for all of us. I beg leave to withdraw the amendment.
Viscount Astor: Before the noble Baroness withdraws the amendment, perhaps I may reply to the Minister. I shall, of course, briefly reply to the noble Baroness. She is right that we could have an "equivalent" level of protection if other countries have a data protection law, but the problem is that some of them do not. If they do not have a data protection law, we cannot have the word, "equivalent", because it would not work.
Perhaps I could address the points made by the Minister on my amendment. I quite understand what he says but I believe there is concern from industry about transfer particularly to the USA, and these concerns are ones that have come from the European Commission when it has been talking particularly to companies that do business both in this country and in America. This is an important issue. I am not sure exactly what the answer is, but I am sure that we will have to clarify the situation before we reach the end of the Bill's proceedings. However, I thank the Minister for his helpful reply.
§ Amendment, by leave, withdrawn.
§ [Amendment Nos. 22 and 23 not moved.]
§
Lord Falconer of Thoroton moved Amendment No. 24:
Page 40, leave out lines 25 and 26 and insert—
("() he contravenes section 9 by failing to comply with a notice given under subsection (1) of that section to the extent that the notice is justified,
() he contravenes section 10 by failing to comply with a notice given under subsection (1) of that section, or").
§ The noble and learned Lord said: This is a technical provision which relates to the powers of the commissioner to take enforcement action for breach of the sixth data protection principle. That principle requires data to be processed in accordance with the data subject's rights. One of those rights is the right conferred by Clause 9 to prevent certain processing which is causing, or is likely to cause, harm of the type specified there. So if data are processed in contravention of that right, that is something in respect of which the commissioner can act in furtherance of her duties to enforce the data protection principles.
§ Paragraph 9 of Part II of Schedule 1 explains in more detail when a data controller is to be taken as failing to process in accordance with the data subject's rights. As regards the rights in Clause 9, it currently provides that a breach will occur where a data controller fails to comply with a notice duly given under Clause 9, requiring him not to process. However, Clause 9 makes clear that the giving of a notice cannot by itself be conclusive as to the right. For example, under Clause 9(3) a court can only order compliance with a notice if it appears to be justified to that extent. A notice will only, of course, be justified if it shows reasons to believe that the processing in question is the cause of substantial damage or substantial distress which would be unwarranted. Only to that extent should the notice be enforceable. This amendment achieves that result and, therefore, brings the powers of the commissioner into line with those of the court. I beg to move.
Viscount Astor: My Amendment No. 25 is grouped with the Minister's amendment. Mine is a drafting amendment. I am struggling to understand why I regarded it as necessary, but I know that there was a very good reason. I believe the reason was that under Clause 7 failing to supply information includes Clause 8 but, as I read it, makes Clause 7 supplementary to Clause 8, and that seemed to me not what the Bill intended.
Perhaps between now and the next stage those drafting the Bill would look at the matter and see whether I am talking absolute nonsense, and whether this Clause needs to be improved.
§ Lord Falconer of Thoroton: We understood why the noble Viscount, Lord Astor, had tabled the provision, but we think it is unnecessary. He included Clause 8 in those clauses which would be the subject of enforcement. We do not think it is necessary because Clause 8 is supplementary to Clause 7, and therefore you would never seek to enforce a right under Clause 8 because Clause 8 creates no rights at all; it simply adds to rights which are specifically derived from other clauses. We understand why the amendment was tabled, but we do not think it is necessary.
Viscount Astor: I am grateful to the noble and learned Lord, Lord Falconer of Thoroton, for confirming that I did indeed have some logic in tabling my amendment and I am grateful for his explanation.
§ On Question, amendment agreed to.
§ [Amendments Nos. 25 to 27 not moved.]
§ Schedule 1, as amended, agreed to.
§ Schedule 2 [Conditions relevant for purposes of the first principle: processing of any personal data]:
§ [Amendment No. 28 not moved.]
§
Viscount Astor moved Amendment No. 29:
Page 42, line 5, after ("other") insert ("similar").
§
The noble Viscount said: This is a simple drafting amendment. The reason I tabled it was that the "other functions of a public nature" referred to in paragraph (5)(1)(d) should be similar to those outlined in sub-paragraphs (a) to (c). I wonder whether the noble Lord might comment. I beg to move.
§ Lord Williams of Mostyn: Schedule 2 follows Article 7 of the directive very closely. That article sets out conditions which must be met if processing is to meet the fair and lawful requirement in the first data protection principle. Paragraph 5 deals with processing which is necessary in the public interest. The first three paragraphs are intended to cover processing such as that carried out by the courts, by central government and by those exercising statutory functions. There may be other circumstances where the public interest requires data to be processed. That is the purpose of paragraph 5(d).
The amendment in the name of the noble Viscount, Lord Astor, would add a restriction to paragraph 5(d). We do not believe it is necessary because paragraph 5(d) already contains safeguards. First, the processing must be necessary; secondly, the functions must be public functions; and, thirdly, they must be exercised in the public interest.
We do not see any benefit in the addition of the word "similar". The amendment would require those other functions to be similar to those of the Crown and central government. I cannot presently think of any such functions. We feel it adds a restriction which is too restrictive and unnecessary. I hope that I have demonstrated that the safeguards are fully contained within sub-paragraph (d).
§ Amendment, by leave, withdrawn.
§ Schedule 2 agreed to.
§ Schedule 3 [Conditions relevant for purposes of the first principle: processing of sensitive personal data]:
§
Viscount Astor moved Amendment No. 30:
Page 42, leave out lines 23 and 24.
§
The noble Viscount said: This is a probing amendment and it considers the power in Schedule 3 under paragraph (2)(a). I am concerned as to why this power is necessary. Sub-paragraph 1 states that:
"The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment".
However, the power in sub-paragraph (2)(a) allows the Secretary of State to,
"exclude the application of sub-paragraph (1)".
I do not understand that: and the amendment gives the Government an opportunity to explain the need for those powers. I beg to move.
§ 5.15 p.m.
§ Lord Williams of Mostyn: In drawing up the third schedule, we paid close attention to the requirements of Article 8 of the directive. Paragraph 2 follows closely the corresponding provision in Article 8. It provides for the processing of sensitive data, which is necessary to meet legal rights and obligations in the employment field. It makes provision for the Secretary of State to make an order attaching conditions to such processing, but it also allows the Secretary of State, by order, to prohibit such processing again in particular cases. If the noble Viscount's amendment were to succeed, it would remove the second of those powers from the Secretary of State.
We believe that paragraph 2 of Schedule 3 gives proper effect to the requirements of the directive. Sometimes, as the directive recognises, there will be the need for processing sensitive data in the employment field. But sometimes the Secretary of State in this country will need to be able to regulate such processing, in particular by the obligation of the provision of adequate safeguards.
We also need the power for prohibition of processing in particular cases. That is why we have included in the Bill the order-making power in paragraph 2(2) to which the noble Viscount's amendment is directed. It is possible—and reasonably to be anticipated—that there may be cases where processing simply should not take place at all. We want that power, even if it is only rarely to be exercised.
I hope that explains to the noble Viscount the thinking behind the construction of this section of the Bill.
Viscount Astor: I am grateful to the Minister for his explanation. I beg leave to withdraw the amendment.
§ Amendment, by leave, withdrawn.
§
Viscount Astor moved Amendment No. 31:
Page 43, line 2, at end insert ("to that end,").
§ The noble Viscount said: This is a simple drafting amendment. I wonder whether my words might improve the Bill. I beg to move.
§ Lord Williams of Mostyn: I believe that the noble Viscount and I are at one in what we wish: in other words, to which end we are intent upon deliberately moving. We believe that when one has the word "deliberately" in this context in this part of the Bill, that is a necessary implication of what the noble Viscount wants. He says that his amendment may improve, may give clarity, may give desirable certainty. If it does have that effect, our minds are certainly not closed to it.
Viscount Astor: I am grateful that the noble Lord sees that there could possibly be some merit in the amendment, and I am sure that those drafting the Bill will consider this important issue very carefully. I beg leave to withdraw the amendment.
§ Amendment, by leave, withdrawn.
§
The Earl of Northesk moved Amendment No. 32:
Page 43, line 14, at end insert—
(" . The processing is
§ The noble Earl said: As I understand it, under the 1984 Act sensitive personal data held for specified purposes of law enforcement and tax collection remained subject to the first data principle. However, Clause 28 has the effect of wholly exempting these purposes whenever their application to a particular case would be likely to prejudice any of the matters mentioned.
§ In this context, the first data protection principle, as now defined in Schedule 1, embraces the application of Schedule 3, which imposes new conditions on the holding of sensitive data. Those data, defined in Clause 2, include such matters as political opinions and sexual life. As drafted, the exemption under Clause 28 will in principle leave the police, and other bodies, free to hold such data concerning any individual. The intent of the amendment to Schedule 3 is to make it clear that, notwithstanding what may happen to amendments to Clause 28 later in Committee, the restrictions on processing sensitive data will nonetheless remain, thereby doing a certain amount to restore the position with respect to sensitive data to that which prevailed under the 1984 Act.
§ That deals with Amendment No. 32. I note that Amendment No. 36 is grouped with it and I wish to speak to that also. I suspect that I may be retreading some ground already covered by the noble Baroness, Lady Turner, in Amendment No. 23. Amendment No. 36 draws on the authority in Article 8.2(b) and 8.5 of the directive, which permits processing, where necessary, for carrying out obligations and specific rights under employment law as well as the processing of data relating to offences, and so on, subject to, among other things, specific safeguards. The amendment, therefore, seeks to allow the collection of data in respect of criminal records being kept for the purpose of use in considering employment matters.
§ As a member of the All-Party Retail Group, I am acutely aware of the difficulties experienced by that industry in respect of staff theft. Only last week, the British Retail Consortium published its 5th annual retail crime survey. This indicated that, while theft by staff has fallen, it still remains a significant problem, with some 17,000 staff being apprehended for theft or fraud in 1996–97. The cost of staff theft is estimated at £374 million, but this is likely to be an underestimate because of undetected theft. It is, therefore, very important to be able to build comprehensive records of dishonest staff, as the industry is only too well aware that they frequently move from company to company, taking advantage of their position of trust, before being discovered and dismissed or prosecuted. Such records would, undoubtedly, act as a disincentive to employees whose main purpose is to feather their nest through dishonest means.
§ I am aware of the provisions of the Rehabilitation of Offenders Act in relation to its purpose in allowing rehabilitation of those who have taken the opportunity to lead an honest life. However, there is nonetheless a need to safeguard business—and, hence, consumers. Amendment No. 36 will provide this vital safeguard, as well as closing off a potential loophole that criminals could use to their advantage were the Bill to be enacted as drafted.
§ The whole matter is also an issue of concern to other interested groups like the CBI, the ABI and the British Bankers Association. Indeed, it may well be that the Government have in mind the issuance of an order under paragraph 9 of Schedule 3, to address the problem. For the avoidance of doubt, there is merit in putting the purpose on the face of the Bill. I beg to move.
§ Baroness Young of Old Scone: Perhaps I may speak on Amendments Nos. 33 and 34, which have been grouped with Amendment No. 32. Again, I should perhaps point out that the purpose of my amendments is to seek information and assurances.
Amendment No. 33 seeks to clarify the circumstances under which a not-for-profit organisation might process sensitive data relating to possible risks to children and young persons. The Bill, quite rightly, includes provisions in Schedule 3 to control the processing of sensitive personal data. It does not, however, appear to allow for the processing of that kind of data by those not-for-profit organisations which have close contact with children and young persons in circumstances where no crime has been committed.
Voluntary organisations with youth programmes receive many applications for positions as voluntary youth leaders, working closely with vulnerable young children in positions of trust. I am sure everyone is aware of the cunningness and persistence, now emerging as a pattern, practised by paedophiles in inserting themselves into organisations. This often happens over a long period of years. It is essential for voluntary organisations with youth programmes to maintain and process personal data on applications from those seeking to become voluntary youth leaders. Information about personal references, police checks and various other inquiries undertaken by voluntary organisations is vital to establish the suitability of these applicants to work with young persons.
It is important, too, for these data to be kept and processed over a substantial period of time in view of the persistence of paedophile rings in not only applying on one occasion but also on successive occasions over many years. It is also important that this data can be held on a national as well as a local basis since many of these rings are well organised.
The second amendment, Amendment No. 34, covers a similar subject to Amendment No. 86. I should like to thank the Minister for responding promptly to a letter I sent some time ago on appropriate safeguards under this amendment. It may well be that he will simply wish to restate his reassurance to me then about it being an issue which was possible, provided appropriate safeguards were undertaken, and that it might well be the subject of subsequent subordinate legislation.
The issue in question is whether voluntary organisations can be exempt from subject information and non-disclosure provisions where information is held to assist in the prevention and detection of crime. I wish to declare an interest and give two specific examples of some voluntary organisations. One is the Royal Society for the Protection of Birds of which I am Chief Executive, and the Royal Society for the Prevention of Cruelty to Animals. Those gather substantial information on possible or actual breaches of the law which are not held or collated otherwise by the police authorities.
I am merely probing whether there is in the Bill the possibility of such voluntary organisations maintaining and processing such information. That has substantial benefits in logging possible infringements in the law. Individually, they may not lead to court action but together they may build up a picture of law breaking which would be extremely useful to the statutory and police authorities and assist them in the detection and prevention of crime in the future.
The provision also has the benefit of being able to draw together national information rather than simply local information held currently by police authorities. Much of the crime in which an organisation such as my own would be concerned—in terms of infringement of wildlife law and in particular trade in protected species—is a national and international trade rather than just a local one. At the moment the police authorities do not collate this information nationally. It is important that it is drawn together nationally, because that can reveal patterns which can subsequently aid the statutory authorities in the protection and apprehension of crime. It would be a major step backwards in the upholding of the law if voluntary organisations were prevented by the Bill from holding that information under the sensitive personal data provisions.
I simply seek assurances that the Bill will not prevent either of the two circumstances outlined in Amendments Nos. 33 and 34 happening. I beg to move.
§ Lord Williams of Mostyn: I am speaking to Amendments Nos. 32, 33, 34 and 36. The noble Earl, Lord Northesk, dealt with a particular point about Clause 28(1). As I understand it, that is to be the subject of a government amendment which will be Amendment No. 83, which we are likely to deal with on Wednesday.
If it is to the convenience both of the noble Earl and of the Committee, perhaps I can deal with matters more fully then. I am grateful.
Amendments Nos 33 and 34 relate to particular problems of the processing of sensitive data. These two amendments together would add new conditions under which sensitive data could be processed. Nobody could sensibly object to the issues. Indeed, in part, if one looks at paragraph 4 of Schedule 3, one sees particular reference to those organisations. We believe, however, that these amendments are much too widely drafted. Amendment No. 34, for example, would allow processing of sensitive data in any situation where the data controller could argue that it was necessary to assist with the prevention and detection of crime. It makes no reference to suitable safeguards. That is a very dangerous step indeed. It is not consistent or consonant with the spirit or the underlying philosophy of the Bill.
Paragraph 9 of Schedule 3 to the Bill allows the Secretary of State by order, subject to the affirmative resolution procedure, to specify additional circumstances in which sensitive data may be processed. Any processing of data authorised under an order would need to be carefully defined and, in particular, would need the application of suitable safeguards. We believe that that is the right context for considering in more detail the matters raised by the noble Baroness, which I recognise as being areas of legitimate concern, and, if I may say so, of genuine widespread public anxiety. However, we believe that is the place to deal with such a situation.
Amendment No. 36 is the last amendment in this group to which I speak. As we have already seen on a number of occasions, Schedule 3 sets out threshold conditions. We have taken the general approach in Clause 2 of the Bill in that we include data relating to offences in our general definition of "sensitive personal data". So data of that sort can be processed in any of the conditions specified in Schedule 3.
Paragraph 2 of that schedule specifically speaks about processing in the employment context, and it makes general provision to allow it. However, we must be mindful of the requirements of the directive and, therefore, it also allows such processing to be made, subject to conditions, by order, so that in any case where our existing laws do not appear to furnish safeguards to the necessary extent, those safeguards may be added. That is an extremely important proviso.
There is the general power of paragraph 9 of the schedule to provide further new conditions in which sensitive data may be processed. If it became necessary to deal with changing circumstances, which none of us can presently anticipate in detail, any exercise of that power would have to bear in mind the limitations set down in the directive. I know that these are important matters. That is why I have taken a moment or two longer than usual to deal with the concerns that have been expressed.
§ 5.30 p.m.
§ Baroness Young of Old Scone: Perhaps I may just ask the Minister for clarification. I entirely accept the assurances that he has given about further safeguards being available under the legislation to deal with some of these specific circumstances.
However, he mentioned paragraph 4 of the schedule and said that provisions were there for the sort of voluntary organisation that I described. I take the point that there are provisions within Schedule 4 of the Bill for voluntary organisations of certain sorts, but they would not cover the provisions that I described in either of my two amendments. I just wanted to make that point for clarification.
§ Lord Williams of Mostyn: The noble Baroness makes a correct point. I said that this general area of concern is dealt with in paragraph 4 of Schedule 3. I understand that the specific organisations to which she referred might well not fall within the enabling provisions of paragraph 4 of the schedule.
§ The Earl of Northesk: I am grateful for the response of the Minister. I shall read carefully what he said, specifically with respect to my Amendment No. 36. As regards Amendment No. 32, I look forward to our further discussions on the matter. In the meantime, I beg leave to withdraw the amendment.
§ Amendment, by leave, withdrawn.
§ [Amendment Nos. 33 and 34 not moved.]
§
Lord Teviot moved Amendment No. 35:
Page 43, line 22, at end insert—
(". The personal data are processed for research purposes by a recognised record office regularly open to the public which complies with a code of practice approved by the Secretary of State.").
§ The noble Lord said: This is the first of my three amendments which deal with archival matters. For many years, I have been a genealogist and record agent, researching in archives. Therefore, I must declare an interest. The amendment attempts to regularise the position of record offices which have been swept up into the Bill. Perhaps it is behoven to me to describe the term "record office". I take it to mean a place or repository of archives or records to which the public have access. The term "holding" is one of the activities defined under "processing" in Clause 1, and that is why record offices are affected by the Bill.
§ Unless those record offices are authorised to continue keeping and accepting on deposit "sensitive" personal data, albeit under strict conditions, there is a real fear that future generations of genealogists, family historians and other researchers will be denied information—much of it quite innocuous—about their ancestors which has hitherto been freely available. The proposed code of practice in the amendment would specify the classes of records that they would be allowed to process, the period before which the material would not be made available for research, and the conditions which would apply during a transitional period, as envisaged in the EU Directive 95/46. This would simply give official recognition to what is current normal practice in record offices. I beg to move.
§ Lord Williams of Mostyn: I am grateful for the clarity of the exposition which the noble Lord has given to the Committee. I indicated earlier that when we brought forward Schedule 3 we tried to follow the provisions of Article 8 of the directive very closely. That sets out specific circumstances in which member states may allow sensitive data to be processed.
In Article 8.4 is found a provision allowing member states to specify additional circumstances in which sensitive data may be processed on the ground of substantial public importance. That provision is reflected in paragraph 9 of Schedule 3, which allows the Secretary of State by order to specify further circumstances in which sensitive data may be processed.
I am happy to say that we undoubtedly recognise that there will be circumstances beyond those set out in Schedule 3 in which substantial public interest requires personal data to be processed. We have a strong preference to follow the approach for which we have made provision and to deal with those further circumstances as and when they arise, as and when the case is made for them, by means of the Secretary of State's order made by virtue of the power given to him under paragraph 9.
We have not decided on specific activities which will need to be covered by such an order, or orders. As far as my personal interest is concerned—this is not governmental policy—I very much sympathise with the cause for which the noble Lord contended and I am more than happy to consider any activities which the noble Lord, or others, wish to put forward in due time when the Bill becomes law, for possible inclusion. I hope that is of assistance.
§ Lord Teviot: I am grateful to the noble Lord. We in the archive profession are extremely grateful to the Government for the differences in the Bill from the White Paper. Many of our fears have been allayed by the Bill and I am grateful for what the Minister has said. I beg leave to withdraw the amendment.
§ Amendment, by leave, withdrawn.
§ [Amendment No. 36 not moved.]
§ Schedule 3 agreed to.
§ Schedule 4 agreed to.
§ Clause 5 agreed to.
§ Clause 6 [The Commissioner and the Tribunal]:
§
Viscount Astor moved Amendment No. 37:
Page 4, line 17, after ("Chancellor") insert (", after consultation with the Lord Advocate.").
§
The noble Viscount said: This may be described as a Scottish amendment. If noble Lords look at Clause 6(4), they will see that the tribunal shall consist of—
(a) a chairman appointed by the Lord Chancellor after consultation with the Lord Advocate".
§
It then goes on under paragraph (b):
such number of deputy chairmen so appointed as the Lord Chancellor may determine".
However, when it comes to deputy chairmen, the poor Lord Advocate is missed out. It seems to me that if he was being consulted on who should be chairman, it should be certainly reasonable in the light of devolution and all these things that he should be consulted with regard to deputy chairmen, and it should be on the face of the Bill.
§ Lord Falconer of Thoroton: With respect, I agree with the point made by the noble Viscount, Lord Astor, but we feel that the Bill achieves it in a legalistic way:
such number of deputy chairmen so appointed",
that is, appointed by the Lord Chancellor after consultation with the Lord Advocate. That is how it works. That is the intention; that is the effect as a matter of wording. So I believe we have met the point.
§ Viscount Astor: I am interested by the Minister's reply, and indeed both Ministers seem to be in agreement. I am always nervous when two such distinguished lawyers are in agreement over such a small clause. I bow to superior legal knowledge. I will be consulting before Report stage with others who will not have the legal knowledge of both noble Lords. I am grateful for the explanation. I beg leave to withdraw the amendment.
§ Amendment, by leave, withdrawn.
§ Clause 6 agreed to.
§ Schedule 5 agreed to.
§ Clause 7 [Right of access to personal data]:
§
Lord Teviot moved Amendment No. 38:
Page 5, line 5, after ("communicated") insert ("or made available").
§ The noble Lord said: Many classes of records containing personal data are defined as "sensitive" in the Bill because they touch on political or religious affiliations. For example, political party subscription lists or church registers are already held by local record offices in manual files. Record offices fear that Clause 7, as it stands, will oblige them to search through many such sources before replying to a person's written request and that this would stretch their resources unnecessarily. They would, however, be happy to make the material available to the searcher or his commissioned agent, as is the usual practice now. I beg to move.
§ Baroness Turner of Camden: I shall speak to Amendment No. 41, which is grouped with Amendments Nos. 38 and 42. I will probably be told that this is not necessary, but this again is another attempt by me to deal with the issue of fraud.
Subsection (6) refers to situations where it is reasonable in all the circumstances to comply with the request under subsection (4)(c) without the consent of the other individual concerned. My amendment seeks to write in an additional clause where the data relevant to the request are being or are likely to be processed under subsection 28(1). Subsection 28(1) of course is the provision that relates to crime which includes fraud. It may well be that this is by way of a probing amendment and I will perhaps be told that it is quite unnecessary, but I would be grateful if the noble and learned Lord could let me have his views on this amendment.
§ 5.45 p.m.
§ Lord Falconer of Thoroton: I shall speak to Amendments Nos. 38 and 41, the latter having just been moved by the noble Baroness, Lady Turner of Camden, and Government Amendment No. 42. I will first consider the amendment of the noble Lord, Lord Teviot.
It is the Government's view that "communicated" does not constrain the means by which the information is to be provided. Clause 8(2) provides for data subjects to be given access to their data otherwise than by being given a hard copy of their consent. The wording in Clause 8(2) is consistent with that. Moreover, there is a very good reason for using "communicated". It is the word used by the directive. We might be running the risk of contravening the directive if, by using a different term, we were to make provision for an approach which the directive did not contemplate. We are compelled to stay with that word, and moreover the amendment would not make any difference. I would respectfully invite the noble Lord to withdraw his amendment.
If I may move to the amendment of the noble Baroness, Lady Turner of Camden, I understand entirely what she is trying to achieve by this and other amendments, but I am not sure that the amendment would necessarily have the desired effect. Clause 7(6) sets out the conditions to which regard must be had by a data controller in deciding whether it would be reasonable to give subject access in circumstances in which a third party, who would not be consented, would be identified. My noble friend's amendment would add to the list of express considerations the fact that Clause 28(1) was applicable to the relevant data, and, as she has explained, this clause provides an exemption from the subject information provisions of the Bill. It applies very broadly where personal data are processed for law enforcement purposes, and giving subject access would prejudice those purposes in a particular case.
The difficulty I have with my noble friend's amendment is that I cannot see what additional benefit it would bring. My noble friend's intention is to ensure that where third party data are being used for law enforcement purposes, that is relevant to the question whether those data should be disclosed without the third party's consent. I tend to agree, but I believe it to be the case that those data would not be disclosed in any event since they benefited from the exemption under Clause 28(1).
If one looks at Clause 28(1) it specifically says,
Personal data processed for any of the following purposes—(a) the prevention or detection of crime … are exempt from the first data protection principle and section 7 in any case in which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection".
So the way in which Clause 28(1) would work is to give a complete exemption in any event. Even if I am wrong about that I would point out that the test in Clause 7(6) is non-exhaustive—there can be other matters apart from those specified in Clause 7(6) which can be taken into account. It would be open to controllers to have regard to other considerations that are not specifically mentioned, and even if there are other relevant circumstances they must have regard to them.
I hope that I have understood the purpose of the amendment. It does not achieve what I believe is a perfectly legitimate purpose. That is either covered under the exemption under Clause 28(1) or, if it is not, by the fact that it is a non-exhaustive list that could be taken into account. I hope that the noble Baroness will consider my reply, and I invite her to withdraw her amendment.
The last amendment in this group is a government amendment. It is a technical amendment. It improves the drafting of "relevant day" in Clause 7(9). That is the day from which, as provided in Clause 7(7), the timetable within which a data controller must comply with a subject access request begins to run. The amendment makes it clearer that the relevant day is either the day on which the data controller receives the request itself or the day on which any condition is allowed by the Bill to attach to the request is subsequently fulfilled. These conditions may be the payment of a fee, the provision of information about the identity of the person making the request and the data in question or the consent of a third party, where relevant. At the appropriate moment I will move that amendment.
§ Lord Teviot: I thank the noble and learned Lord very much for his comments on my Amendment No. 38. Obviously the word "communicated" is not appropriate. However, I shall read in Hansard every word he says, and, if necessary and if it is not covered, try to improve the wording at the next stage of the Bill. I beg leave to withdraw the amendment.
§ Amendment, by leave, withdrawn.
§
Baroness Nicholson of Winterbourne moved Amendment No. 39:
Page 5, line 15, at beginning insert ("Subject to subsection (2,6) below,").
§ The noble Baroness said: These are two probing amendments. I ask the Minister and my noble and learned friend the Solicitor-General to look at the principle underlying them. I accept that the wording may not be adequate. Nonetheless, there is a point here that the Government should consider in the light of their manifesto and their correct statements of empowerment of the individual citizen.
§ I speak on this amendment only about government records. The Minister will see at once that I have excluded, because I have not included them, the records held by such government agencies as the police, the Inland Revenue and so on. I speak of the commonality of government records which reflect a government service to the individual citizen such as records of the National Health Service, social security and much of the work carried out by local authorities.
§ If I comment a little critically on the accuracy and security of those records, it does not mean that I do not fully recognise that accuracy and security, in particular in digitally compiled and held records, are entirely concomitant with the amount of funds available to put into them. In other words, with public pressure on hip transplants, it is unlikely that data entry clerks will be paid the high salaries required for the small margin of error that would be tolerated in a commercial environment in inputting that data.
§ The purpose of the amendments is to look at who owns those records and who controls their dissemination; and to put a marker down for citizens' ownership, or possibly citizen control, in terms of the organisation of the movement of that material. In other words, my amendments seek to shift the burden of authorisation from the Government to the individual. When one answers a beguiling advertisement to buy something by post through the newspapers, one ticks a box if one does not want one's name to go forward. It would be perfectly possible to achieve such a situation, for example, with National Health Service records.
§
Let me give support to what I am offering in these probing amendments from the Audit Commission. In its report last week, A Ghost in the Machine, published on 19 February 1998, the commission found that:
Soaring levels of computer fraud within the NHS, schools and London town halls are costing the taxpayer at least £4 million a year.
§
I am not commenting on the cost, but only on the accuracy and in particular on the security of the Government's records. The Audit Commission goes on to claim that:
More than half of the capital's councils and hospitals suffer from hacking and other forms of computer abuse and the problems will get worse with the growth of the Internet.
§
The commission also found that:
senior employees are responsible for up to a quarter of such crimes.
Losses per incident have gone up by 25 per cent in the past four years … as hacking has trebled.
§ That caught my eye because I was the person who framed the computer hacking legislation and obtained the mechanism for getting that into law. Perhaps I may consider again unlawful access of government-held material on behalf of citizens' personal data. I quote here from someone senior in a higher level security organisation. There is reference to a number of accounts and records being accessed and then this unlawfully gathered information offered for sale. I am sure that is also true.
§ We address the problems of merging information later on in the Bill. I do not intend to move into that particular group of amendments and materials at this inapposite moment, save to say that I came across in the other place the way local authority material could be unlawfully accessed. In other words, it has become so attractive that it is now a magnet for unlawful access. I found with the poll tax that data from different sources on pensioners that had not been drawn together before under the data function were being put on records and held in local treasurers offices. Some resultant records were almost instantly accessed by hackers. If one looks at the way in which local authorities organise their material, naturally however much effort they put in, they do not have the money to make that material "unhackable"—inaccessible unlawfully.
§ When we turn to national government records, I believe that the best example is the National Health Service. I came across the problems myself with CJD when I sought a health Minister's approval and his agreement to release the knowledge to CJD victims of child growth hormone, as to which young people have been treated with child growth hormone which might trigger CJD which was derived from human cadavers and with which young people had been treated by the scientifically created material a little later on in the 1970s who were therefore not at risk. The Minister refused to release those health records to the families. I then asked a range of Parliamentary Questions on who in the UK owned the National Health Service records; and in 1992 I was given the knowledge that in fact it was the state. At that time it was deemed on a Treasury QC's advice to be the Secretary of State. Now that ownership has been passed down to the chairmen of National Health Service trusts.
§
When I look at how medical records are being used internationally, I see on 16th February an excellent article in the Washington Post which tells us that there has been an intrusion into medical records with,
the great computer in the sky having a list of every drug you take from which can be deduced your likely diseases".
§ In other words, USA citizens are now receiving letters from drug companies asking them to refill their prescription or to vary it or to try a new drug that has been found—a probable breach of medical ethics.
§
In Europe, we take these things just as seriously. Commissioner Mario Monti, who is seeking his brief from the Council of Ministers on guidelines for the protection of individuals with regard to the Internet, describes a most important premise. As he states, the Commission will pay particular attention to:
The practical enforcement of the right to be informed of data processing operations involving oneself and of the right to object to any processing".
§ That is the basis of my probing amendments.
§ As I mentioned at Second Reading, I am well aware, from the work I did on the access to medical records Bill, the computer hacking Bill, the Copyright Act, the access to employee and access to schools records legislation, that in Britain we have not had a right to privacy. Certainly personal privacy rights at the moment, at least for the print media, appear to revolve around curtains. I am not attempting to find rats in the arras when I say that it is very important to take the decision that a measure of personal privacy is inherent in this Bill and that we do not have a right as a member of the European Union to push that aside. We have to accept and honour it. Certainly, if I have identified correctly the coming Internet Commission investigation, it also rests on the right personal privacy and data rights.
§ I believe, therefore, that the authorisation of the use of personal information, when held by government on citizens for services for which citizens pay through their tax bill, should rest with the citizens themselves.
§ Medical records offer the best example. I do not criticise hard-pressed medical professionals or suggest that they are in any way acting outside their duty of confidentiality: I am sure that they are not. My point, however, is that medical professionals no longer have effective ownership or control or authorisation of use of patient records as the patients' data are now so widespread on a number of different computer systems. Although the National Health Service, particularly through the excellent Caldicott Report, which came out in November 1997, offers the new National Health Service number as a protective measure, this is too simplistic. With IT, the patient record has passed on from general practitioners to be held and processed by a very wide variety of staff. I doubt very much whether the patient's doctor would feel that he or she had the capacity to control use of the record any more.
§ It is difficult to contain information in the modern world, but the person who cares most about accuracy and use is the citizen himself. I suggest therefore that whether it is a question of record ownership, control, authorisation of use, or accuracy and security of the records, the citizen's rights should predominate. The European convention states that our citizens have rights of privacy. To exercise that right with government records such as health, we should move choice from the state to the individual.
§ I say again that this is a probing amendment. I would ask the Government to give the serious philosophy of my point active consideration. I beg to move.
§ 6 p.m.
§ Lord Falconer of Thoroton: The right of a data subject to obtain details on the information on him or her being processed by a data controller is fundamental to data protection. At present the Bill treats all data controllers, whether they are private or public, in exactly the same way as regards subject access requests. The amendment would introduce special rules for subject access requests made to government departments. It seeks to do it on the basis that government departments, when confronted with a request, set out to develop their procedures on the basis of treating all data subjects making such requests as having a prima facie claim to ownership of any personal data relevant to those requests.
I have listened genuinely carefully to what the noble Baroness has said in moving the amendment, but I do not fully understand the purpose lying behind the first limb of the amendment. It will be the case, I believe, that, subject to any subject access exemptions that apply, individuals will be entitled to gain access to all personal data held about them by government departments, and indeed any other bodies. I am not sure or clear how the question of ownership affects that position. They do not need a reference to ownership to get all of the rights that are referred to in the Bill.
My belief is that the question of ownership does not arise in relation to information. Ownership of information per se is not a concept that is known to English law. The whole data protection regime proceeds on the basis of that premise. We should therefore be entering deep and uncharted waters were we to follow the approach advocated in the first limb of the amendment. Surely the important point in data protection terms is that individuals should be able to get the access they need. We believe that the Bill provides properly for this, subject to appropriate exemptions, and I see no justification—indeed, simply a recipe for confusion—for going further. That is the first limb of the proposed amendment.
As to the second limb, which relates to the price to be paid for information, in the White Paper on our proposals for data protection published in July last year we made it clear that we would be maintaining the £10 maximum subject access fee, which we believe to be by no means onerous. That is still our intention. It will, of course, be open to data controllers to charge a lower amount or nothing at all. We shall be setting fees in an order to be made by the Secretary of State once the Bill has been passed. I do not believe that we are proposing anything other than very modest fees in this respect.
In the light of what I have said, I hope that the noble Baroness will not press her amendment.
§ Baroness Nicholson of Winterbourne: I thank the Minister for those helpful illuminations. I know about that as a co-sponsor of the right of access to medical records Bill, a co-sponsor of the right of access to schools' records Bill and as the initiator of the rights of employee records access.
I turn to the NHS—my core example—for the substance of my argument. I have here an excellent document which is a best practice statement about confidentiality in the NHS. It is a statement to be given to the patients as a best practice statement from the department:
We only ever use or pass on information about you if people have a genuine need for it in your and everyone's interests. Wherever we can we shall remove details which identify you".
There are two big gaps in that. The judgment of whether it is in "your and everyone's interest" rests entirely with the Government. There is no guarantee—in fact there is the reverse of a guarantee—that personal data detail will be removed.
Here is further proof in a World Health Organisation document—this is again a European Union Rights of Patients consultation under the auspices of the WHO, another EU piece of material. The European Union believes strongly that:
Confidential information can only be disclosed if the patient gives explicit consent".
I fully accept that that ownership of information is not in English law. But what about control of its use?
As I said at the beginning, perhaps my phraseology is not adequate for this. I of course perforce must withdraw the amendment. However, I would wish to have a meeting, perhaps with the Minister or with the noble and learned Solicitor-General, to discuss whether or not some form of citizen control of use could be built into records of services from the Government to the individual. These are services for which the individual pays—such as health and social security—and which would not in any way unsettle Government need to perform national actions for the citizens. If commercial companies can do it, why cannot the Government? I beg leave to withdraw the amendment.
§ Amendment, by leave, withdrawn.
§ [Amendment No. 40 not moved.]
§
Baroness Turner of Camden had given notice of her intention to move Amendment No. 41:
Page 5, line 47, at end insert ("and
() whether data relevant to the request is being, or is likely to be, processed under section 28(1)").
§ The noble Baroness said: I had already spoken to this because it was grouped with Amendment No. 38. I should like to thank the noble and learned Lord for his explanation. I shall not move the amendment.
§ [Amendment No. 41 not moved.]
§
Lord Williams of Mostyn moved Amendment No. 42:
Page 6, leave out lines 19 to 24 and insert—
("the day on which the data controller receives the request or, if later, the first day on which the data controller has all of the following—
- the required fee,
- (a) the information referred to in subsection (3), and
- (b) in a case falling within subsection (3), and
- (c) in a case falling within subsection (4) but not within paragraph (b) or (c) of that subsection, the consent of the other individual concerned.").
§ On Question, amendment agreed to.
§ Clause 7, as amended, agreed to.
§ Clause 8 [Provisions supplementary to section 7]:
§
Viscount Astor moved Amendment No. 43:
Page 7, line 5, leave out ("a trade secret") and insert ("an intellectual property right the disclosure of which would give rise to an action for breach of confidence").
§ The noble Viscount said: This amendment involves the words "trade secret" and their definition. It seems to me that an intellectual property right which would give rise to an action for breach of confidence is capable of interpretation by the courts, whereas the words "trade secret" are not a clearly defined term of intellectual property law. My amendment, therefore, seeks to clarify those issues.
§ I am concerned by the meaning of those words. They can mean almost anything, from a complicated chemical formula to the number of hours spent working on some deal. They could indeed be what time a factory starts. They seem to be words for which I have been unable to find any definitions that have been used adequately in English case law. My amendment is an attempt to clarify the situation. It is difficult. It is one of those issues where, if one looks at it, one realises more and more that it is something which may be further elucidated if we had the freedom of information Bill coming on at the same time, but that of course is no part of this process. It will not come in this Session. I do not believe that there is an adequate definition in law of "trade secret" and the Government need to give some thought to the matter.
§ My second amendment, Amendment No. 44, is an extension of that theme. I believe that there should be a specific provision allowing information involving intellectual property, as it were, in addition to trade secrets—because what might be intellectual property might indeed not be a trade secret or it might be—to be exempt from the data subject's right to be informed of the logic involved in certain automated decision-making.
§ That is consistent with the directive, under Recital 41, which states that this right is not intended to allow either trade secrets or intellectual property to be adversely affected. As I understand it, "trade secret" at the moment can include intellectual property, but it is not clear in legislation. Page 18 of the Government's White Paper on freedom of information (in relation to commercial confidentiality specifically) refers not only to trade secrets but also to intellectual property. Therefore, there is an inconsistency in that respect.
§ I am concerned that knowing the logic involved in certain circumstances would increase the incidence of fraud, which is also the third leg to the amendment. Businesses have a duty to prevent the commission of crime and the amendment seeks to ensure that they are able to do so. This is a difficult area, and the Bill does not adequately define these two areas. I hope that the Government will consider the issue. I beg to move.
§ Lord Falconer of Thoroton: I am grateful to the noble Viscount, Lord Astor, for moving the amendment and also for his Amendment No. 44 which puts forward an alternative formulation of trade secret; namely,
"or intellectual property or would, or is likely to, facilitate the commission of a criminal offence".
One proposal that he puts forward is to delete the reference to "trade secret" and replace it in effect by reference to an intellectual property right; the other proposal is to keep in "trade secret" and put in the words "or intellectual". If I may say so, that is a very legalistic way of dealing with the issue.
Perhaps I may deal with both the noble Viscount's amendments. The noble Viscount is concerned that this safeguard for "trade secrets", which is contained in Clause 8(5), is not sufficiently wide to protect intellectual property. His second amendment is to prevent the commission of offences. In bringing forward this particular provision in Clause 8(5), we have paid particular attention to the question of intellectual property. The provisions of Clause 8(5) protect commercial or other information from disclosure. Intellectual property rights are not just—or perhaps even mainly—about disclosure. The Bill is not intended to affect any protected restrictions on the use by the data subject of information acquired by this route. Where it is necessary to protect information from disclosure, whether or not that information is the subject of intellectual property rights, we consider that that information will have the necessary quality of a trade secret. As a lawyer, I know from my own experience that "trade secrets" is a phrase used in a large number of decided cases in order to define certain sorts of information which people are not allowed to disclose.
As to the facilitating of criminal offences, I am not convinced that there is a problem here. Clause 8(5) is concerned with a very narrow set of circumstances. It is about the situation in which an individual seeks access to the logic underlying a fully automated decision. It is pertinent to ask what criminal offences may be facilitated by the provision of limited information of this kind. The answer is, I suggest, that the offences would be those relating in some way to the way in which the organisation in question carries out its business. It is difficult to see what more general opportunities for criminal activity might be facilitated. That being so, I would suggest that the expression "trade secret" is again sufficiently wide to mean that the organisation would not have to reveal information of a kind likely to assist criminal activity.
I note the concern that the noble Viscount has expressed about the phrase "trade secret", but it does the trick and it is the best way to deal with the matter. In the light of what I have said, I would hope that the noble Viscount will feel able to withdraw his amendment.
Viscount Astor: I thank the noble and learned Lord the Solicitor-General and I will certainly withdraw the amendment. I quite understand what he said about intellectual property rights. I am still somewhat concerned, however, about the openness of trade secrets. As he said, this can be interpreted in a fairly wide way, and I am concerned about what will and will not be interpreted as a trade secret. However, I will study carefully what the noble and learned Lord said, and I beg leave to withdraw the amendment.
§ Amendment, by leave, withdrawn.
§ [Amendment No. 44 not moved.]
§ Clause 8 agreed to.
§ 6.15 p.m.
§ Clause 9 [Right to prevent processing likely to cause damage or distress]:
§
Lord Williams of Mostyn moved Amendment No. 45:
Page 7, line 34, leave out from ("manner") to ("likely") and insert—
("(a) is causing or is").
§ The noble Lord said: Amendments Nos. 45 and 49, which are government amendments, are grouped with Amendments Nos. 46, 47, 48, 51 and 55. It may be for the Committee's convenience, if I speak to Amendments Nos. 45 and 49. To save the noble Viscount, I can dispose of Amendments Nos. 51 and 55 immediately. The noble Viscount indicates that there may be deficiencies in the Scottish context. There may well be, but I have not been able to consider the matter. If it is helpful and saves the noble Viscount indicating his area of concern—and I do not know whether it is right—I will undertake to consider the suggested changes. If change is necessary, we shall bring forward appropriate amendments in due time.
§ I shall therefore speak to Amendments Nos. 45 and 49, which are government amendments. These are partly technical adjustments to the test which has to be satisfied by a data subject so that he has the right to prevent certain processing of data about him taking place. The test, basically, is that he has to show, with reasons, that the processing of the data, generally or for a particular purpose or in a particular manner, is not warranted as causing, or likely to cause, substantial harm. The amendments make it clear that it is the harm itself—the substantial damage or substantial distress—which must be unwarranted. We have therefore tried to make the test more clearly dependent on the likely effects of the processing, and thus easier to apply.
§ In bringing forward these amendments, we took carefully into account representations from the media, to whom, as always, I am most grateful for their constructive approach as to the desirability of clarifying this aspect. I beg to move.
Viscount Astor: I am grateful to the noble Lord for saying that he will consider my Amendments Nos. 51 and 55. I was looking forward to the Solicitor-General explaining to me why I would be wrong in saying why distress is not a term of art in Scots law, but that can no doubt wait for another occasion.
Perhaps the Minister could comment briefly on Amendment No. 47 which leaves out "substantial" and inserts "significant". I was concerned that the threshold was really too high and that the harm should only be significant, rather than substantial. Could the noble Lord comment briefly on that?
§ Lord Williams of Mostyn: There ought to be a reasonably high threshold for the use of the remedy, because we are stopping potentially perfectly lawful processing at what is otherwise too low a level. The directive itself looks to a high threshold, "compelling legitimate grounds" I believe is the phrase. The noble Viscount wants to substitute "significant" for "substantial", but we think substantial is what we are looking to. That is the term used elsewhere in the Bill, so it has the virtue of consistency and of putting into effect domestically what the directive requires.
§ Lord Norton: I wish to speak on Amendment No. 46. This is a probing amendment. Clause 9 puts into effect Article 14 of the directive, of which the Minister has pointed out the most important words are "compelling legitimate grounds". It does not seem to me that these words easily translate into substantial damage or substantial distress. Substantial damage is a concept which is easy enough to understand. It is not just material measurable damage; it is serious damage. Is it right to process data that will materially damage an individual but not substantially damage? I suspect an individual may well consider that he has compelling legitimate grounds when no damage is caused—a personal detail of a person's health records for instance. Compelling legitimate grounds, it seems to me, in essence is an emotional measure that could result in damage. How can substantial distress be measured? It is subjective.
In the days of the reforms of the noble and learned Lord, Lord Woolf, it must be better to bring more certainty to the law rather than to include subjective grounds which have to be left to the courts to decide. In this probing amendment I am asking whether the Minister would consider a more certain objective test, to the benefit of the data subjects and the data controllers.
§ Lord Williams of Mostyn: I am grateful for that careful review, which the noble Lord has put forward. If the amendment were accepted it would substitute what is a less rigorous test of material damage. I have travelled part of this ground in my response to the invitation of the noble Viscount when he wished our policy answered, as it were.
We do not feel it is right to make the change the noble Lord, Lord Norton, suggests. After all, the new regime introduces a completely new concept into data protection law. It bears repetition, I hope, that it gives individuals the right to object to processing which is in all respects lawful, and if there is to be a block on that the test should be set high, and that is why we have set it high. It is not to be overlooked perhaps that in the same section of the Bill one finds the word "unwarranted". We believe that our phrase, "substantial damage or substantial distress", is capable of being adjudicated on by the appropriate body. Material damage sets the hurdle quite low, and when one is dealing with interference with an activity which is otherwise lawful one needs to have a higher threshold simply than material damage.
§ On Question, amendment agreed to.
§ The Deputy Chairman of Committees (Lord Strabolgi): I must inform the Committee that if Amendment No. 46 is agreed to I cannot call Amendments Nos. 47 or 48.
§ [Amendments Nos. 46 to 48 not moved.]
§
Lord Williams of Mostyn moved Amendment No. 49:
Page 7, line 35, at end insert ("and
(b) that damage or distress is or would be unwarranted").
§ The noble Lord said: I have already spoken to this. I beg to move.
§ On Question, amendment agreed to.
§
Lord Norton moved Amendment No. 50:
Page 7, line 40, at end insert—
("() The data controller must within the prescribed period respond in writing to any person who has given a notice under subsection (1), indicating—
() In this section "the prescribed period" has the same meaning as in section 7.").
§ The noble Lord said: I also speak in respect of Amendment No. 52. In Clause 9 there is no requirement for the data processor to respond to the notice in writing from the data subject. An unscrupulous data processor could just ignore matters and the data subject would have the problem of not knowing whether the request for the non-processing of data had been successful, or worse, the data subject would not know the grounds upon which his request had been rejected when the processing took place. This amendment would force the data controller to respond to the data processor's letter within the prescribed period as defined in the Bill, setting out whether the data controller agrees to the request, and, if not, on what reasons the processing is taking place. It provides the link between the data processor and the controller from a dialogue before the matter has to be taken to the courts. The Data Protection Registrar has welcomed this amendment. I beg to move.
§ Lord Williams of Mostyn: I also speak to Amendments Nos. 50 and 52 in the name of the noble Lord. I agree that the consequence of his amendments would be to put upon data controllers the responsibility of making a particular reply.
I sympathise with the thinking behind these amendments. Notices under Clauses 9 and 10 are not on all fours of course with subject access requests under Clause 7, because the only satisfactory way to comply with the subject access request is to reply to it in writing, either enclosing the information requested specifying what further details are needed or explaining why the information requested cannot be supplied.
I agree with what the noble Lord has said. A notice objecting to processing can be complied with simply by the data controller stopping the processing. It is not on this scheme essential to inform the individual in writing that this has been done. Because it is not essential that the data controller should write to the individual to explain the extent to which he does not intend to comply and why he has taken that decision, there is a query about the virtue of the scheme. Therefore, I believe there is some force in what the noble Lord has said and I undertake to consider it further.
§ Lord Norton: I am grateful to the Minister for his very positive response and I beg leave to withdraw the amendment.
§ Amendment, by leave, withdrawn.
§ [Amendment No. 51 not moved.]
§ Clause 9, as amended, agreed to.
§ Clause 10 [Right to prevent processing for purposes of direct marketing]:
§ [Amendment No. 52 not moved.]
§
Baroness Young of Scone moved Amendment No. 53:
Page 8, line 13, leave out ("or marketing material") and insert (", marketing or promotional material, excluding information-based material not of a direct selling nature,").
§ The noble Baroness said: This is a rather sensitive area in that we all have very strong views about the issue of direct marketing. However, I seek clarification on the definition of direct marketing material for the benefit of the not-for-profit sector which relies very much on material that could be so defined for the communication with supporters and members.
§ The Bill rightly includes clauses to protect individuals from unwelcome and unsolicited direct marketing material. I must confess I am rather a fan of junk mail in that it opens one's eyes to the range of goods and services that one might otherwise never have dreamt existed. The definition of direct marketing material used in the Bill could be subject to misinterpretation in the case of not-for-profit and voluntary sector organisations. Voluntary sector organisations recognise the legitimate wishes of individuals not to be showered with large quantities of direct mail seeking funds.
§ However, in many cases when the not-for-profit sector is communicating with supporters or members, it is doing so in a way which is dual purpose. It is primarily providing factual information on its work or on issues in which it and the data subjects have a mutual interest. It may at the same time also be soliciting support in that issue. This support may be of a financial nature but it could equally be of a non-financial nature. I am talking about circumstances when voluntary organisations and charities, for example, send out briefing material to supporters on issues and perhaps ask them to return cards saying that they are concerned about that issue, so that the degree of that concern can be communicated to Government or other opinion formers or decision makers. It is really to seek assurance from the Minister that he will consider whether a more detailed definition of marketing material may be inserted into the Bill to ensure that legitimate material coming from the voluntary sector, which I believe is in the public interest, will not be disbarred by this provision in the Bill.
§ 6.30 p.m.
§ Lord Elton: As one not so keen as the noble Baroness on receiving junk mail, perhaps I may use this opportunity to put an idea in the Minister's mind, if it is not already there. Many of us in receipt of torrents of the stuff are quite unaware from where our name and address have been obtained, in particular if they are supposed to be in some sense secure. Perhaps the noble Lord may have in mind the possibility of requiring agencies who precipitate this material to put a code on the address label which indicates the source. Instead of writing to 33 sellers of shoes, motor cars, aeroplanes, boats, and so on, we can write to one agency which has a central address list that they sell to others. It would make life much easier.
§ Lord Skelmersdale: I am glad I gave way to my noble friend Lord Elton. I should like to begin by declaring an interest as chairman of a medium-sized medical charity, which of course uses mailing lists all the time. I can see no earthly reason why a charity should be absolved from the responsibility of removing a name from a mailing list when it is asked to do so. After all, under the Bill commercial firms are asked to do exactly the same thing.
As regards the point made by my noble friend Lord Elton, what happens if it is impractical to code the address labels, for example, where a manual system is being used? That is what I referred to earlier. That manual system may not only be the construction's mailing list; it might be direct typing of envelopes. It would take forever to put a different code on the individual envelopes. I do not think that that is a good idea.
§ Lord Williams of Mostyn: I am sorry to bring harmony where there is apparent disharmony between the noble Lords. I am deeply saddened by the mental picture of the noble Lord laboriously going through typing envelopes. I am sure there should be a law against it.
In respect of the observation made by the noble Lord, Lord Elton, a similar parallel right can be seen at page 5 of the Bill in Clause 7(1)(c)(ii). That is a scheme which exists, but only in respect of a data access request. I cannot do more than say that his proposition is a novel one, plainly not without instant controversy. But I shall certainly put my mind to it.
On the earlier question that the noble Baroness raised, it is giving the citizen of this country an entirely new right. She rightly observed that direct marketing is defined in the Bill as encompassing all advertising and marketing material directed to particular individuals. It is not simply the bargain offers for 300 tulip bulbs—"Hurry while stocks last"—that irritates people. Individuals find other forms of advertising—some from non-profit-making organisations, some from religious organisations, some from what many of us would call fringe or cult organisations—of irritation sometimes; some people evidently find them of fascination.
All that this does is to give citizens the right to prevent all kinds of intrusive direct marketing material being sent to them by any means. It does not stop any data controller entering into the process and sending out the material; indeed, he is perfectly entitled to do so. On the other hand, citizens who do not wish to receive this material to which they are entitled, are now, quite rightly, able to say, "Do not send me this material"; in other words, they have the right to prevent such processing for direct marketing purposes. We do not see any reason to draw a distinction between those who are doing the processing. We are protecting here someone who does not wish his data to be used in this way, with the consequence of having material which may or may not be junk.
Viscount Astor: I have not spoken so far on this amendment, but perhaps I would like to speak in favour of the Government. The Minister has made a good point. I suppose I ought to declare an interest as my wife is a jeweller and sends out a Christmas catalogue. A few years ago she went through the rather disastrous process of buying a mailing list, which she then utilised. However, all she received for the next month were furious telephone calls from wives saying, "Has my husband been into your shop, and, if so, what did he buy and who for?". That explains the dangers of buying mailing lists. The citizen does have certain rights to be able to say, "I do not want any more".
§ Lord Skelmersdale: Before the noble Baroness decides what to do with this amendment, perhaps I may respond very briefly to the Minister, whose answer in a sense I pre-empted. I would not like him to go away this evening with the idea that I spent a lot of time typing envelopes myself. What I do is something of which the Government would approve; namely, employ people on a part-time basis to type the envelopes for me. The Minister should approve of that.
§ Baroness Nicholson of Winterbourne: Could I just remind noble Lords that many people enjoy receiving such material. If they did not enjoy receiving it, those companies which send direct mail letters would not do it because it is an extremely expensive exercise. It is a pity to destroy harmless pleasure for a lot of people and clamp down on this too hard. I myself have just sent out a couple of thousand appeal letters for Iraqi refugees, with an 18 per cent. response rate, which is well above the norm of 2 per cent. I should remind noble Lords that there are such things as window envelopes.
Quite apart from that, we are talking about an important right because some people are thoroughly irritated by it. Nevertheless, it is trivialising to clamp down on direct mail when it is a commercial operation that only works if it is cost effective; and, therefore, it is self-limiting.
§ Lord Williams of Mostyn: I am inclined to take that point. Some people like it and they can have it; some people do not like it, and they do not have to.
§ Baroness Young of Old Scone: I thank the Minister for his answer. I am not sure that I accept that it deals totally with my concern, which is the circumstance where a voluntary organisation or a charity is giving information to the public through this method, but could be prevented from doing so because such information happens to contain a request for support of some sort associated with it. However, I beg leave to withdraw the amendment.
§ Amendment, by leave, withdrawn.
§ Clause 10 agreed to.
§ Clause 11 [Compensation for failure to comply with certain requirements]:
§
Lord Falconer of Thoroton moved Amendment No. 54:
Page 8, line 15, leave out ("An individual") and insert ("A person").
§
The noble and learned Lord said: This is a technical amendment. Clause 11 of the Bill presently says:
"An individual who suffers damage by reason of any contravention by a data controller",
has a right to compensation. We do not intend to exclude companies who suffer damage as a result of any contravention of any requirements of the Bill in the appropriate case. We therefore wish to amend Clause 11 by changing the word "individual" to the word "person", so that it is not restricted simply to individuals. In those circumstances, I beg to move.
§ On Question, amendment agreed to.
§ [Amendment No. 55 not moved.]
§ Clause 11, as amended, agreed to.
§ Clause 12 [Rectification, blocking, erasure and destruction]:
§
Lord Falconer of Thoroton moved Amendment No. 56:
Page 9, line 1, leave out ("it may also") and insert ("or
(b) is satisfied on the application of a data subject that personal data of which he was the data subject and which have been rectified, blocked, erased or destroyed were inaccurate,
it may").
§ The noble and learned Lord said: This is another amendment designed to fill a gap in the Bill. Clause 12(1) provides for individuals to go to court to seek an order requiring controllers to rectify, block, erase or destroy data about them which are inaccurate. Clause 12(3) complements this provision. It deals with the situation in which, before the rectification and so on, the data were disclosed to third parties. It allows courts which make an order under subsection (1) for rectification to make a further order requiring the controller to tell such third parties of the rectification and so on.
§ However, as the provision stands at present it is not comprehensive. It does not deal with the situation in which the controller rectifies inaccurate data otherwise than in pursuance of a court order but then refuses to tell third parties to whom the accurate data have already been disclosed of the rectification. The directive requires such third parties to be told of the rectification, whether or not the rectification was done in response to a court order. The purpose of the amendment is to correct this small deficiency. It means that courts will be able to make an order requiring controllers to tell third parties of rectification of personal data whether or not the rectification was made following an order under Clause 12(1).
§ A feature of this Bill is that individuals will be able to seek redress either by going to court or by seeking the assistance of the Data Protection Commissioner. Clause 38 of the Bill provides a power for the Data Protection Commissioner to issue an enforcement notice requiring the data controller to tell third parties to whom previously inaccurate data have been disclosed of rectifications which have been made. That clause mirrors the provision in Clause 12. Unfortunately, however, it also mirrors the deficiency. The purpose of the amendments to Clause 38 is to make a similar change to the enforcement notice power of the commissioner to that which I have already described in relation to the courts' order-making power. I beg to move.
Viscount Astor: My amendment is grouped with the noble Lord's and it was put down purely to ask a question of the noble Lord. The clause, as it stands, would result in a situation where the wider the dissemination of the data, the lesser the duty to notify third parties of the rectification. Have the Government considered in what circumstances and how that would operate, in particular where it says in line 6, in relation to the number of persons who would have to be notified, what really is meant by that?
§ Lord Skelmersdale: Before the Minister responds to my noble friend, I am not quite sure whether this is a data processing gremlin or whether I am getting tired a little early this evening. The amendment says:
insert ("or (b)".
I have looked very carefully at page 9, line 1, and I cannot find (a). Is this in fact felicitously drafted, or is it, as I suggested, a gremlin? If it is infelicitously drafted, perhaps these words should appear a little later in subsection (3), rather than in line 1. It might read rather more happily, but I am sure that the Minister would like to take this away and think about it.
§ Lord Falconer of Thoroton: I am obliged. Let me deal first with the point of the noble Viscount, Lord Astor. First of all, the more you disseminate the error, the more people you may have to contact. As far as the court is concerned, it must consider whether it is reasonably practicable to make an order for correction. One thing it must bear in mind is the number of people who have been told. It is a provision that is put in specifically to assist data controllers, and it is a factor to be borne in mind in considering whether to make such an order. We think it is sensible, but in certain cases it would be an almost impossible task to get in touch with everybody, and then the court has to consider in those circumstances whether it is practicable to impose such a burden on a data controller. We think that is sensible and that is why it is there.
As far as the point made by the noble Lord, Lord Skelmersdale, is concerned, it is a good point, but I am told the point is taken care of in the new printing of the Bill. But I am grateful to the noble Lord for raising it.
§ 6.45 p.m.
§ Lord Skelmersdale: I am grateful to the noble and learned Lord. I shall study the reprint of the Bill avidly before Report stage.
§ Lord Falconer of Thoroton: If the noble Lord has time after putting the addresses on all the envelopes he was dealing with!
§ On Question, amendment agreed to.
§ [Amendment No. 57 not moved.]
§ Clause 12, as amended, agreed to.
§ Clause 13 [Automated decision-taking]:
§ [Amendments Nos. 58 and 59 not moved.]
§ On Question, Whether Clause 13 shall be agreed to?
Viscount Astor: I wonder whether I could ask the Minister at this stage what the Government's view is about the report of the Select Committee on Delegated Powers and Deregulation. It recommended that the Bill should be amended to make the power in Clause 13(5) subject to the affirmative resolution procedure. I wonder whether the Minister has considered this.
§ Lord Williams of Mostyn: Yes, it is intended that it should be dealt with when we discuss Clause 16 this coming Wednesday.
§ Clause 13 agreed to.
§ Clause 14 [Jurisdiction and procedure]:
§
Lord Falconer of Thoroton moved Amendment No. 60:
Page 10, line 5, leave out ("held by") and insert ("processed by or on behalf of").
§
The noble and learned Lord said: These are two technical improvements to the description of the powers of the courts in proceedings for the enforcement of the rights of subject access. The first identifies the data in question as being,
"those processed by or on behalf of",
rather than "held by" a data controller. The amendment reflects the wording of the subject access right in Clause 7 itself, as it properly should. According to the definition of "processing" in Clause 1, the holding of data is only one aspect of processing, and it is not our intention so to limit the data to which Clause 14(2) refers.
§ The second amendment deals with a slight gap in the power conferred on courts by Clause 14(2). Where a subject access right is disputed, it may be important for the court itself to have sight of the data in question so that it can form its own view as to whether access should be given to a plaintiff. But it is clear that, pending the court's decision, the plaintiff himself should not have access to that data, whether under the rules of discovery or otherwise; that would be to give de facto subject access before the existence of the right itself had been properly determined.
§ The Bill as drafted gives that essential protection to "information constituting data". "Data" is a term which is defined in Clause 1 of the Bill, but the subject access right in Clause 7 is not just in terms of data. It also, in Clause 7(1)(d), extends to information as to the logic of certain decision taking. That information may or may not constitute data for the purposes of the definition in Clause 1. For example, the information may not be recorded in any form, it may simply lie in the knowledge of the data controller. It may be important, if subject access to such information is contested, for a court to be able to ask for and consider that information before deciding whether a plaintiff should be given access to it. The second amendment provides that missing power. I beg to move.
§ On Question, amendment agreed to.
§
Lord Falconer of Thoroton moved Amendment No. 61:
Page 10, line 5, after ("controller") insert ("and any information as to the logic involved in any decision-taking as mentioned in section 7(1)(d)").
§ The noble and learned Lord said: I have already spoken to this amendment. I beg to move.
§ On Question, amendment agreed to.
§ Clause 14, as amended, agreed to.
§ Clause 15 agreed to.
§ Clause 16 [Prohibition on processing without registration]:
§
Viscount Astor moved Amendment No. 62:
Page 11, line 13, leave out subsection (3).
§ The noble Viscount said: Clause 16(3) seems to give the Secretary of State quite wide powers to disapply Clause 1 where it appears to him that the processing is likely to prejudice the rights and freedoms of data subjects. Concerns had been expressed about the width of the power, so I simply put down the amendment to give the Minister the opportunity to explain slightly more concerning the circumstances under which they would be used. I beg to move.
§ Lord Falconer of ThorotonAs the noble Viscount, Lord Astor, has indicated, subsection (3), which his amendment would delete, allows the Secretary of State to make notification regulations specifying exemptions from the prohibition on processing without a register entry. Such processing, therefore, would not need to be notified to the commissioner. It is the Government's wish that the notification arrangements should be as simple as possible for the data controllers.
One of the perceived problems for the present registration arrangements is that they are unnecessarily burdensome. I know that the Data Protection Registrar has already taken steps within the constraints of the present law to make the arrangements more user friendly. I very much welcome that, but I hope that we shall be able to devise arrangements for notification under the Bill that take that process further.
One of the ways in which notification can be simplified is to remove some processing from the requirement to be notified. The Bill already provides that the processing of manual records does not need to be notified (except that to which the preliminary assessment procedure under Clause 21 applies). There is also an exemption for processing whose sole purpose is the keeping of a public register. But the key provision for exemptions is Clause 16(3), to which the noble Viscount's amendment relates.
The Committee might well ask what categories of processing the Government intend to exempt under this provision—the very question the noble Viscount asked. No firm decisions have yet been taken. The Bill provides for the notification regulations to be drawn up in consultation with the data protection commissioner. Of course, the commissioner does not yet exist, but the Government are already in discussion with the Data Protection Registrar about the content of the notification regulations. The scope of the exemptions from notification is one of the important matters that are being considered. I am sorry not to help further, but I hope I have indicated the general purpose of the exemption power.
§ Lord NortonI wish to speak to Amendment No. 66, which is grouped with Amendment No. 62. This is a probing amendment. Under this clause, the commissioner has to review the working of notification regulations from time to time so as to maintain an up-to-date registration system. Purpose is critical to the notification process. At present there are some 78 purposes, and since three of the eight data protection principles relate to the purpose, it is obviously important to define purpose clearly.
It is important that purpose is not defined too broadly and the right balance is struck. It is for this reason that I have tabled this probing amendment seeking to establish the extent to which the commissioner shall be allowed to emphasise the relationship between the processing of data and its purpose.
§ Lord Falconer of ThorotonThe duty laid on the commissioner in Clause 24(2) to keep the working of notification regulations under review is expressed in a general form, leaving the commissioner to determine how to fulfil this duty. The notification regulations themselves cover a variety of issues. My noble friend's amendment draws out for particular attention from that range of issues one section, Section 15(1)(d), which specifies just one of the "registrable particulars" which have to be notified to the commissioner by data controllers. The "registrable particular" is a description of the purpose or purposes for which the data are being, or are to be, processed. The amendment would require the commissioner to review the way data are processed in order to establish whether the processing is being undertaken in accordance with the processes specified in the notification. That is how I understand the amendment.
The role of the commissioner in reviewing the operation of the notification regulations is to consider how the regulations work in relation to the matters to which they relate. The regulations themselves govern the system whereby data controllers are required, in the interests of transparency, to inform the commissioner of certain details about who they are and what they do.
The detail of how purposes are to be described in the context of Clause 15(1)(d) is certainly relevant in this context. So is the manner in which data controllers are to inform the commissioner of those purposes. However, the "appropriateness" or otherwise of their processing is, so far as I can see, not relevant.
It is important to be quite clear that notification differs significantly from the current system of registration. Registration is about direct controls on processing activities themselves. Notification is not: it is, as I have said, about transparency only.
The extent to which data are processed in a manner appropriate to any purpose seems to me essentially a matter concerned with regulating processing, not transparency. The data protection principles set out rules for appropriate processing. The Commissioner has powers to enforce those. That, it seems to me, is the right context in which to look at the appropriateness of processing.
In any event, the absence of a specific requirement to undertake a review of the kind proposed in the amendment would not prohibit such a review taking place, were the commissioner to consider one necessary and relevant to the purposes with which he is charged in this provision of the Bill.
In the light of those comments, I invite the noble Viscount to withdraw the amendment.
Viscount AstorI am grateful to the noble and learned Lord the Solicitor-General for his explanation of Clause 16. I am still somewhat concerned that the Secretary of State has an overriding power on this issue, which does not seem to be subject to the limitations that the Bill generally provides everywhere else. I will read carefully what the Minister has said, but this is an issue to which we may wish to return on Report. In the meantime, I beg leave to withdraw the amendment.
§ Amendment, by leave, withdrawn.
§ Clause 16 agreed to.
§ Clauses 17 to 20 agreed to.
§ Clause 21 [Preliminary assessment by Commissioner]:
§
Lord Falconer of Thoroton moved Amendment No. 63:
Page 13, line 15, leave out ("significant damage or") and insert ("substantial damage or substantial").
§ The noble and learned Lord said: This is another technical amendment. It will provide consistency in the way that damage or distress is qualified in the different clauses of the Bill. Clause 9(1) already refers to "substantial damage or substantial distress". The amendment will bring the wording of Clause 21 into line with that of those other clauses and ensure that this threshold is applied consistently. I beg to move.
§ The Earl of NortheskI note that my Amendment No. 64 is grouped with this amendment and I wish to speak to it. The purpose of Amendment No. 64 is to restrict the circumstances in which the commissioner will be allowed to extend the amount of time that will be given to the consideration of processing which has been notified.
Specifically, the timing of business ventures is important. Indeed, in some cases it is vital if companies are to be the first to launch a new commercial project. The planning of the launch is precise and businesses require a high degree of certainty in respect of their business and legal obligations to meet their projections.
As the Bill is currently drafted, the commissioner may extend the notice period by a further 14 days if "special circumstances" exist. It is conceivable that such circumstances could be extraneous—for example, by virtue of the commission being subject to too great a weight of notifications for its staff adequately to deal with them—and yet they could impact considerably and detrimentally upon the commercial viability of the company concerned. With this in mind I suggest that any additional time required for further consideration as to whether processing is permitted to progress should only be granted in circumstances that are truly "exceptional".
§ 7 p.m.
§ Lord Falconer of ThorotonClause 21 provides the commissioner with 28 days (or 28 days plus one extension of a further 14 days) within which to determine whether a preliminary assessment of a particular notification is required and then to undertake that assessment. The amendment raises the issue of whether the conditions permitting the commissioner the extra 14 days are the right ones. The amendment proposes a much stricter condition; namely, that the circumstances should be "exceptional" rather than special. As at present advised, we do not see the need for the conditions to be made more restrictive.
The 28 days provided in the Bill already strike a fine balance between the time needed to give proper consideration to the assessment and the interests of the data controller, who is unable to process the data during this period (unless the commissioner has given his opinion on the processing's likely compliance with the legislation). The processing which will be subject to preliminary assessment is processing which is particularly likely to cause significant damage or distress to data subjects or otherwise significantly to prejudice their rights and freedoms. Although only a small quantity of processing is expected to fall within this category, it justifies the special attention it will receive in the preliminary assessment. The further 14 days should be available to the commissioner, if needed, on the basis of "special circumstances" as the Bill provides. This is a relatively modest provision for extension in already restricted circumstances. In the light of those comments, I hope that the noble Earl will feel able to withdraw his amendment.
§ On Question, amendment agreed to.
§ [Amendments Nos. 64 and 65 not moved.]
§ Clause 21, as amended, agreed to.
§ Clauses 22 and 23 agreed to.
§ Clause 24 [Functions of Commissioner in relation to making of notification regulations]:
§ [Amendment No. 66 not moved.]
§ Clause 24 agreed to.
§ Clauses 25 to 26 agreed to.
§ Clause 27 [National security]:
§
Lord Williams of Mostyn moved Amendment No. 67:
Page 15, line 43, at end insert ("any of the provisions of").
§ The noble Lord said: Grouped with this amendment are Amendments Nos. 69, 70, 72, 73, 84, 91, 94, 95, 98, 99, 110, 111, 114 and 120. It is an extended set of technical amendments, which perform identical functions on a number of exemption provisions. They rectify an unintended effect which derives from the way that the exemptions are expressed at present. They seem to operate on an overly rigid all-or-nothing basis, so that if an exemption is justified in respect of one part of a clause, for example, the whole clause inevitably ceases to apply. That is not what we set out to achieve.
§ Particularly in exemptions relating to Clauses 27 and 31, which potentially disapply a wide range of clauses in the Bill, the exemption should not extend just to those clauses which are appropriate in any given circumstances, but only to the appropriate parts of those clauses. Sometimes it will be right for the whole clause to be disapplied, but not always. We wish to build in a flexibility which is presently missing.
§ It may also be an important factor in Clauses 28 and 37 to make further exemptions from the Bill; we need to be able to express exemptions precisely, so that everyone knows how we wish them to apply. We do not wish them to apply more broadly than is properly justifiable. That is the basis for these numerous technical amendments. I beg to move.
§ On Question, amendment agreed to.
§
Baroness Nicholson of Winterbourne moved Amendment No. 68:
Page 15, leave out line 44.
§ The noble Baroness said: I wish to say that these amendments are drawn to my attention by the excellent organisation Liberty, although I do not in fact belong to it. However, the concerns are mine as well, or I would not be putting them forward. I want to encapsulate them all by suggesting that the clause contains a very large exemption, about which a number of people are extremely concerned. The objective behind the amendment is to ensure that the security services comply with the data protection principles; that they are required to register under the Bill; and that they comply with the notification requirements of Part III.
§ Perhaps I may remind noble Lords that the security services—the Secret Intelligence Service, GCHQ and the Security Service—have been exempt from the protections provided to individuals by the 1984 Act. It is proposed in this particular clause that processing of data for the purpose of safeguarding national security will be exempt from all of the data subjects' rights in Part II of the Bill, from the enforcement provisions in Part V and even from the need to register under Part III of the Bill.
§
Is this really necessary? These are blanket exemptions. Do all the data protection principles set out in Schedule 1 have to be set aside? For example, the requirement that data be,
"adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed"—
§
that is the third principle; that data be,
"accurate and, where necessary, kept up to date"—
§
the fourth principle; that it should be,
"processed fairly and lawfully"—
the first principle. Why should these principles not apply to the security services? Personally, I should have thought that it was exceptionally important that they did. On top of that, is it necessary or acceptable in a democratic society that these simple, essential principles should be set aside?
§ There is also a point of applying the principles specified by the court on an application for judicial review to remove the requirement if a tribunal should reach a decision by applying the test which would be applied in judicial review proceedings. Perhaps the justification of this suggestion is that the judicial review test is too strict, as the tribunal would only allow an appeal where a Minister's decision was considered so unreasonable as to be perverse.
§ To delete Clause 27 entirely is one way forward, and I have attached my name to the amendments which would do just that. The purpose, as I have already stated, is simply to stop this proposal that the security services should be totally exempt. I beg to move.
§ Lord Williams of MostynIn this grouping, if I have it correctly, are Amendments Nos. 68 and 71, the amendments to which the noble Baroness, Lady Nicholson of Winterbourne, has just spoken, Amendment No. 74 also in her name, Amendment No. 75, which is a government amendment and Amendment No. 79, which is the further national security amendment in the name of the noble Baroness.
I understand the underlying concerns expressed by the noble Baroness and, as she says, by a number of organisations of repute in this country. Clause 27: the point of it is to safeguard national security. It is self-evident. There are going to be circumstances in which personal data will need to be processed by the appropriate agencies to safeguard national security. Clause 27 makes it possible for that processing to be carried out without the otherwise subsisting controls putting national security at risk. There will be nothing between any of us in this Committee on the need for a national security exemption. The real question is what should the scope of the exemption be.
The noble Baroness believes that national security can be adequately protected by an exemption from fair processing, subject information and non-disclosure exemptions and that exemption can never be necessary from the other principles or notification requirements, if I have her argument right. This is where we part company. The exemptions as currently drafted can apply only if they are required. I refer to Clause 27(1)(c) on page 16 of the Bill. So a requirement is needed. If the exemptions are not required, the Bill will not allow them to be applied. However, if they were to be required, I believe that they should be available.
It is plain that applying any of the data protection principles could have the potential to damage national security. The noble Baroness's amendments would have the effect of placing compliance with all the requirements that she would exclude from the scope of the exemptions above. That would have the consequence of putting that interest, which I recognise, above the national interest in national security, and there, again, we part company.
The noble Baroness's amendments would require the security agencies to notify their processing to the Data Protection Commissioner. Notification is about transparency, and it must be reasonably anticipated as being possible that such transparency will not always be compatible with safeguarding national security. If an exemption is needed in those cases we believe, quite adamantly, that it should be available.
The noble Baroness rightly said that the new Bill will provide a fuller application of data protection regime principles to national security activities than is now the case. I repeat this because I recognise its importance. We say that the Bill allows exemptions to be claimed only if and to the extent that they are required for the purpose of safeguarding national security. If they are required, then they must be available.
§ Baroness Nicholson of WinterbourneCould I question the Minister on requirements, if they are required, before the Bill comes before their Lordships' House? I have knowledge of the mechanisms of requirements in terms of authorisations for telephone tapping by the Home Secretary. I know that, had the Home Secretary been required to sign all the authorisations for all the tapping that was going on, he would not have had time to do anything else. Therefore, if I recall correctly, the police were evading the issue, very intelligently, and perfectly within the law—although outside the spirit of what I understood to be the law—because they were tapping the echoes and not the data-flow. Every data-flow creates an echo and they were tapping the echoes. The number of activities, therefore, were many. When the Minister talks about exemptions and requests for exemptions, I simply wonder how that will be achieved and monitored.
§ Lord Williams of MostynI recognise that one is putting that duty on a Minister of the Crown. If, in the past, Secretaries of State did not discharge their duties properly, that is a matter of regret to me. There are, of course, different controls for the interception of communications which are subject, in any event, to review and to reporting by the reviewing commissioner. One sees the answer to the noble Baroness's question: it is a certificate signed by a Minister of the Crown, asserting the requirement that is needed.
There has to come a time, when, however alert one is to individual liberties, the executive needs to take decisions on national security matters. Those are particularly sophisticated and subtle questions. I regret to say this. But the world in which we live makes them not suitable for general public debate. I suppose some people would say that that is totalitarian, but in fact it is not. It recognises that there are difficult decisions to be made. They will have to be made by a Secretary of State, who, after all, is a member of an elected Government, a subject of controls of different sorts—sometimes rightly from the media, sometimes from another place should it wish to be alert to the powers that it has—and subject to Members of your Lordships' Chamber.
The Secretary of State will have to certify the requirement. That is a solemn obligation which I do not myself believe a responsible politician would lightly set on one side.
§ Baroness Nicholson of WinterbourneI thank the Minister for that further explanation. There are many things that cannot be discussed in public but accuracy and fairness are both vital imperatives in a democratic society, and that citizens' privacy should not be invaded by the security services without due course is a bulwark of freedom. There is little that I can add to the points that I have made and I am confident that the Minister has taken them into account. I beg leave to withdraw the amendment.
§ Amendment, by leave, withdrawn.
§
Lord Williams of Mostyn moved Amendments Nos. 69 and 70:
Page 15, line 44, leave out ("any of").
Page 16, line 1, leave out ("any of the provisions of").
§ The noble Lord said: I have already spoken to Amendments Nos. 69 and 70. I beg to move.
§ On Question, amendments agreed to.
§ [Amendment No. 71 not moved.]
§
Lord Williams of Mostyn moved Amendments Nos. 72 and 73:
Page 16, line after ("exemption") insert ("from that provision").
Page 16, line 5, leave out ("the exemption") and insert ("exemption from all or any of the provisions").
§ The noble Lord said: I have already spoken to this amendment and to Amendment No. 73. I beg to move.
§ On Question, amendments agreed to.
§ [Amendment No. 74 not moved.]
§
Lord Williams of Mostyn moved Amendment No. 75:
Page 16, line 35, at end insert—
("() No power conferred by any provision of Part V may be exercised in relation to personal data which by virtue of this section are exempt from that provision.").
§ The noble Lord said: This is a purely technical amendment to ensure that exemption from Part V of the Bill, which relates to enforcement powers, operates effectively. Clause 26 of the Bill gives technical effect to exemptions from the data protection principles. Parts II and III of the Bill provide that references to personal data or processing in those provisions must be read subject to the exemptions. No equivalent technical provision had been made for exemptions from Part V. That is an omission, and this amendment seeks to put it right. I beg to move.
§ On Question, amendment agreed to.
§ Clause 27, as amended, agreed to.
§ Lord Williams of MostynPerhaps I may say one thing before I move the adjournment. It is possible that for a short period of time, because I have another duty elsewhere, I shall not be able to be in the Committee on Wednesday. The Solicitor-General will be here.
No discourtesy is intended. It is simply that there is another matter to which I have to attend for a brief period which overlaps with the considerations of the Committee. Therefore I beg to be excused, not reproved, for my absence.
I move to more joyful news. This may be a convenient moment for the Committee to adjourn.
§ The Committee adjourned at nineteen minutes past seven o'clock until Wednesday next at four o'clock.