HL Deb 20 January 1983 vol 437 cc1534-42

3.32 p.m.

The Lord Chancellor

My Lords, aficionados of "Yes Minister" will recollect that in the chapter described as "Big Brother" Sir Humphrey Appleby advised his Minister (who had been severely shaken by an encounter with my former adversary, the late Robert McKenzie) that legislation would be necessary to deal with the potential dangers of the data bank. This Bill, of which I now rise to propose the Second Reading, is yet another example of the soundness of Sir Humphrey's advice, and the lame way in which truth follows painfully in the wake of fiction.

As long ago as 1973 another place debated the Younger Report on Privacy, and even so long ago as 1978 Sir Norman Lindop's committee published its own well-informed report. But since then information technology has taken off. It is well and truly airborne. Great benefits have followed its advance into, and above, the stratosphere—increased efficiency and the ability to perform tasks previously incapable of fulfilment; vast new prospects for the optimistic forecaster of the future. The Government, as Sir Humphrey Appleby would doubtless wish his Minister to say, are fully committed to the importance of information technology, sometimes known as IT. This Bill is not, therefore, Luddite in its intentions. It is not designed to shackle it. Nevertheless, it is designed to insure against the public disquiet at some of the possibilities of abuse in the hands of potential owners of data banks, including, of course, the Government themselves.

What are the grounds of this disquiet? First, there is the fear that other people whose identity we may not know may possess computer-fed information about us, the accuracy of which we cannot correct. "How did they get my name?", we sometimes ask ourselves when some unknown advertiser blandly informs us by post that we are the lucky winners of a free gift if only we hurry, hurry, hurry to purchase his wares. This may be harmless enough, or at the worst only a temporary nuisance. But suppose the information is potentially harmful? Suppose it is held by a computer owner with power? Suppose—and this may be the rub—there is no control over the use to which it is put? Worst of all, suppose the information as well as being embarrassing may also be wrong, or at least misleading? How can we hope to put it right if we do not know who owns it or to what purpose he means to put it? These are the fears we must do our best to dispel.

Our first objective has been to take account of the work of the Lindop Committee. I do not use the word "implement", as Sir Humphrey might have done. After five years it is obvious that refinements and adjustments will have been necessary. But I hope the members of that committee will feel that we have built upon their work, and, where we have diverged, will also feel that we have at least taken account of it and diverged for intelligible, perhaps even sufficient reasons.

My Lords, I must now say that there is also an European dimension to all this, and this dimension is as much economic as political. By reason of their recent history, perhaps, European nations are, if anything, even more apprehensive than are we about what I might call the Big Brother aspects underlying this Bill. Even under their democracies, in some of those countries there exists a horrible thing called a PIN. PIN is an acronym for "personal identification number". In each of those countries a PIN is assigned to each citizen, which, combined with the ability to link individual citizens' files with one another, could give rise to serious abuse.

Serious or not, European concern has emerged as a consensus, and this European consensus is contained in a Convention of the Council of Europe and a series of guidelines on the part of the OECD. It is the purpose of this Bill, apart from its intrinsic merits, which I shall be endeavouring to describe, to enable us to ratify that convention. Indeed, if our infant industry in IT is not to be strangled at birth, or at least subjected to severe malnutrition, it is vital that we should do so, since countries with the protection of personal data will inevitably restrict their exports to countries of lesser breeds without the law, among which, without the Bill, we should have to number ourselves.

My Lords, the Bill itself is the product of extensive consultation with countries who already have data protection and experience of using it. My right honourable friend Mr. Timothy Raison visited no less than four European countries last September, and in October the Fourth International Conference of Data Protection Commissioners, which was actually held in London, gave opportunity for further discussion. In practice, each country has followed its own line of legislation, and so, in the event, does ours; and this is why this Bill is somewhat longer than an ordinary Bill enabling the ratification of a convention.

In the nature of things, however, the Bill is designed to deal with the problems of data stored in computers and the like. I do not mean thereby to imply that there are no dangers or no problems connected with manually-stored data. Of course there are. We all know about them, and they have been with us for a long time; but these are obviously different in scale, and would obviously require to be dealt with by the solution of different and perhaps more difficult problems of enforceability—and, I should have said, they are of nothing like the same urgency in legislative priority.

Perhaps with that introduction I could turn to the Bill itself. Those who are interested in seeing purposive principles embodied in legislation, like my noble friend Lord Renton, for example, will turn at once to Schedule 1. In the immediate past the eight principles enumerated in Schedule 1 may look for a European parentage. But in truth and in fact, their real ancestor is the work of the Younger Committee. These principles, scheduled to Clause 2, are really what this Bill is about. Perhaps I may, therefore, summarise them, though in doing so I know that I am oversimplifying.

The first principle is that data should be fairly and lawfully obtained. The second is that data should be held only for specified and lawful purposes. The third is that the use and disclosure of the data should be restricted to those purposes. The fourth is that the data held should be related to the purposes I have mentioned, and should be adequate but not excessive for them. The fifth is that data should be accurate and up to date.

The sixth principle is that they should not be kept longer than is necessary for the specified purpose. The seventh is that the individual (somewhat inelegantly referred to, I am sorry to say, as the "data subject") should have the right of access to the data and, where appropriate, have the right to secure correction or erasure. The eighth requires security measures to be taken to protect data against unauthorised access, disclosure, alteration, destruction or accidental loss.

So much for the principles on which the Bill is founded. These entitle me, I think, to describe the Bill as one for the protection of the individual against potential abuse, either by the Government or by others.

Now I want to come to the practice. Part II of the Bill provides the administrative machinery. The basis of this machinery is the compulsory registration of data users (that is, holders of data) and computer bureaux (that is, those who process or distribute data on behalf of others). This registration is protected by the criminal law—by sanctions provided in, for example, Clause 5 of the Bill—and is policed by a registrar. He is independent of government, is to be appointed by letters patent and will hold office on terms with security analogous to that of a High Court judge; that is, removal on resolution by both Houses (Clause 3 and Schedule 2). His decisions will be subject to appeal to a quasi-judicial tribunal. The chairmen and deputy chairmen of that tribunal are to be experienced lawyers, to be appointed by the Lord Chancellor. The lay members, however, are to be appointed by the Secretary of State. I am summarising Clauses 3, 13 and 14, and Schedules 2 and 3.

I come now to the essential sanction, which is the registrar's power to deregister, or issue what is called an enforcement notice. Clauses 10 and 11 refer. This power will be equally subject to appeal, but will be armed with a power of entry on a magistrates' warrant. These are the teeth of the Bill, the object of which will be to enforce compliance by the data user and the data bureaux, although only where the processes of persuasion and negotiation have failed.

I come now to Part III of the Bill. This supplies the rights of the so-called data subject, that is, the individual citizen. Clause 21 gives him right of access to the data. Clause 22 provides for compensation for inaccuracy. Clause 23 provides compensation for loss or unauthorised disclosure of the data. Clause 24 gives him a civil remedy to enforce rectification or erasure of data. I must emphasise that these rights are additional to, and not in substitution for, existing legal rights; for instance, in defamation, contract, copyright or any other legal rights which the Government may wish to confer on him as a result of the Law Commission's report and the forthcoming report of the Scottish Law Commission on Breach of Confidence.

There are of course certain exemptions in the Bill. The House will agree that these have to exist, but will wish to scrutinise them in detail with a view to drawing a balance between the rights of the public, on the one hand, and the rights of the individual, on the other. The Government's standpoint is that these exemptions should be kept to a minimum. Only national security data and data used for domestic purposes are wholly exempt from registration. In other cases, the exemption is only from limited provisions—principally the requirement to give subject access—and in such cases applies to crime, taxation and national immigration control (Clause 28), health and social work (Clause 29), judicial appointments (Clause 30) and certain miscellaneous, statistical and research data (Clause 32). I am advised that each of these is compatible with the convention.

In each case, except national security data, the operation of the exemption will be policed by the registrar and open to review in the courts. The Government recognise that, in the police field and other similar areas, the registrar will need professional but independent advice if he is to act on an informed basis. My right honourable friends the Home Secretary and the Secretary of State for Scotland have agreed to make available to the registrar, whenever he should require it, the assistance of Her Majesty's Inspectorates of Constabulary.

The Government will be subject to the same rules as other users or bureaux (Clause 35). Clause 38 provides for an appointed day, followed by two-tier provisions for the transition of the Bill into operation.

I am conscious that I have taken up a good deal of the time of the House, but this is an important Bill. I am also conscious that, for the sake of clarity, I have omitted a great deal which we shall wish to discuss in Committee or in later speeches in this debate. My noble friend Lord Elton will be speaking in reply, and I know the House will expect him to do it well; but I hope I have given the House what I might call a Second Reading guide to the Bill.

It is an intricate Bill. It is a Bill designed to give the individual protection against the dangers inherent in a new, but intrinsically valuable, technology. It is a Bill inaugurating what in this country is, I think, a new but in some ways proven—and I hope where unproven it will prove effective—method of enforcement. I therefore beg to move that this Bill be now read a second time.

Moved, That the Bill be now read a second time.—(The Lord Chancellor.)

3.50 p.m.

Lord Elwyn-Jones

My Lords, the House will be grateful to the noble and learned Lord the Lord Chancellor for so disarmingly guiding us through this Bill. It contains a large number of thickets and, I am afraid, a large number of traps. I must make the position of my noble friends and myself clear: we have grave misgivings about many aspects of the Bill.

There has been public concern for a very long time—and, as the noble and learned Lord has said, that has not diminished—about the fact that in this country the individual has been exposed to serious risks from computerised information systems, against which the laws of our country did very little to protect him. In Britain we have no legal right to privacy. The danger was first authoritatively exposed as long ago as 1970 in a Justice report called Privacy and the Law, with which some noble Lords will be very familiar. The outcome of that initiative after a private Member had endeavoured in another place to introduce a Bill to deal with it, was that the Labour Government then in office appointed the Younger Committee, whose report two years later endorsed the threat to the individual citizen and his privacy and said that something should be done about it.

During the succeeding years of the Conservative Administration—and I shall endeavour not to be too party political about this—nothing was done about it. But when the last Labour Government took office in 1974 they took up the issues and in 1975 the Home Secretary published the White Paper entitled Computers and Privacy, together with a supplement, Computers: Safeguards for Privacy. The White Paper said: "The time has come when those who use computers to handle personal information, however responsible they are, can no longer remain the sole judges of whether their own systems adequately safeguard privacy".

In fulfilment of the undertakings given in the White Papers that were then published, there was set up a Data Protection Committee under the chairmanship of Sir Norman Lindop. After two years of intensive work, they reported in July 1978, and their massive report was published in December of that year. The Lindop Committee made the most wide-ranging study of the subject which has ever been undertaken in this country. They faced all the complex issues which it presents, and consulted every interest that seemed to be concerned. They received no fewer than 307 submissions and met no fewer than 50 times and their sub-committee met no fewer than 32 times.

The committee proposed the setting up of a statutory data protection authority with powers to inspect computer systems and to conduct spot checks to ensure that all personal data were handled with due regard for security and for accuracy. They asked for detailed codes of practice to be drafted by the data protection authority for various categories of computer users, and wanted them to take the form of subsidiary legislation and to acquire the force of law. Alas! those major recommendations have been ignored and, indeed, rejected in the Government's Bill, and I greatly doubt—although naturally I have not been able to consult them at all—whether the members of the Lindop Committee will be content with this Bill, which I think they will regard as a pale shadow of their own proposals.

The report having come out at the end of 1978, the recommendations unfortunately fell on stony ground. The new Administration thought it right to consult all the people who had previously been consulted and who were concerned, all over again. Nothing more happened until yet another three years had passed since Lindop reported, when in March 1981 the present Home Secretary announced that the Government intended to introduce legislation.

What at last induced the taking of action? I have no doubt that there was some concern for the privacy of the individual, but the stimulus was a rather different one. While we had been waiting in this country for national protection, the countries of the Council of Europe had not been so inactive. Many of them had legislated and, as the noble and learned Lord, the Lord Chancellor has indicated, in order to harmonise their domestic provisions they entered into an international convention. It is that convention which has now presented a pistol to the Government's head.

As a result of the convention, there has arisen in this country an unprecedented alliance calling for legislation: industry, commerce, the trade union movement, the entire computing community, the consumers and not least those who are concerned for the liberties of the subject and the interests of the individual man or woman. For the convention contains what, in contemporary parlance, one can only call a "guided missile": it creates a "common market" of data protection within which information about individuals can circulate freely, but whose boundaries are drawn around those who have taken the trouble to legislate responsibly for the protection of the privacy of those individuals. Beyond those boundaries personal data can be inhibited. That could spell economic death almost to any nation that wilfully remains outside those boundaries, for the "common information market" may now legitimately inhibit the flow of personal information to countries that deliberately remain outside it.

In our modern, post-industrial economy, information is the crucial key to survival. Without information, Lloyds, for instance, would go bankrupt tomorrow, for it is no more than an information centre that happens to be situated in the City of London and of course it has its own reputation for integrity as one would suspect. Without information none of our British-based multinationals could survive for even a week. The other nations of the Council of Europe could apply a stranglehold to our economy if they were minded to do so. It was in those circumstances that a reluctant Administration saw the necessity to legislate—and in the nick of time. The question that will have to be considered is whether or not the Bill complies with the terms of the convention or is outwith it, as I fear it will be my task to suggest in a moment or two, at least as regards some of it.

Now we have a Bill which one newspaper has described as "a mouse amid the white tape"—rather an attractive picture, but not a very reassuring one in any circumstances. As the noble and learned Lord has said, first, the Bill creates an independent registrar. As the noble and learned Lord also said, his function will be to adjudicate between the needs of what I agree are unattractively called "data subjects"—namely, the millions of those whose records appear in information systems—and "data users", those who keep the records and use that information for their own particular purposes.

Obviously, the registrar must be independent, both of data subjects and, even more, of data users, who are the stronger parties. But above all, I submit, he must be independent of the Government. The Government are far and away the principal users of computerised information systems holding data about individuals. We, therefore, welcome the fact that the registrar is to be appointed by the Crown.

But how independent will he be? I fear that it is very often in the small print of schedules to Bills that the biggest tigers can be found to lurk. It is, I submit, the case here. In Schedule 2 to the Bill we find at paragraph 4 that the Secretary of State controls the appointment of the registrar's staff, controls the budget of the registrar's staff and controls his pensions. The appointments that are there referred to are all subject to the approval of the Secretary of State, given with the consent of the Treasury.

When we come to examine the registrar's powers and duties we see a remarkable imbalance. He has a wide variety of powers, but he has virtually no duties; no statutory duty is imposed upon him, except to keep accounts and each year to lay before each House of Parliament a general report on the performance of his functions. In the field of data protection, which ought to be the primary cause for concern, no statutory duty is imposed on him, except to instruct his staff and to prepare and maintain the register. For instance, subsection (1) of Clause 10 of the Bill, which deals with enforcement notices, reads: "If the Registrar is satisfied that a registered person has contravened or is contravening any of the data protection principles he may serve him with a notice ("an enforcement notice")". It is left to his discretion whether he does anything about it. If the contraventions are substantial, surely the registrar should be placed under a duty to intervene?

He is given neither a power nor a duty to investigate complaints, whereas we submit that surely he should have both. If anyone complains to the registrar that the provisions of the Bill have not been complied with, the latter need do nothing if he so chooses. For instance, if a member of his staff happens to discover a serious breach of the excellent data protection principles to which the noble and learned Lord has paid tribute—they, of course, come from the Council of Europe's convention—and reports a scandal, the registrar is again free to do nothing if he so chooses. Even if that staff report shows that many people have suffered grievous damage as a result of the breach, there is no duty on the registrar to tell the victims that that has happened. Indeed, if he were to tell them, gratuitously, it might well be that it could be contended that he was exceeding his powers.

Further, one wonders how it is supposed that a single registrar can competently do all the things that will be expected of him. The present Government's White Paper on Data Protection envisaged an advisory committee, and that seems to us to be very sensible. No single person, even with the most competent staff, can, we think, begin to understand all the ins and outs of modern computerised information systems and have expert knowledge on the subjects which are critically important in the most sensitive areas of data protection—prevention and detection of crime, public administration, law and the use, design or manufacture of data equipment.

The advisory committee which was recommended was, it is true, to advise the Government rather than the registrar, which we found a curious order of precedence. I should have thought that it should be for the registrar primarily to receive the advice and to have to listen to the advisory committee. But when we look at the Bill we find that none of these things is provided for. The advisory committee has vanished from the scene, like Banquo's ghost. It is no longer there; not even to advise the Government, let alone the registrar.

The Lindop Committee understood very well that no single individual could perform all the functions that ought to be performed in data protection and, as I have indicated, therefore advised an independent multi-member data protection authority with wide supervisory powers—an entity somewhat like the Parliamentary Commissioner for Administration.

Those omissions are grave, but I now come to what I believe to be the most defective provision in the Bill; namely, Clause 28. Not only are the provisions of that clause strongly opposed by a large number of interests, not least by the medical profession—and we shall be interested to hear the noble Lord, Lord Smith, on this—but, in my view, if it stays in the Bill, it may be thought to be wholly outside the provisions of the convention, particularly the exemption of the assessment or collection of any tax or duty, and even more clearly the control of immigration. If this contention that I make is right, non-compliance—which would be involved in acceptance, as it stands, of Clause 28—would defeat one of the main purposes of the Bill; namely, to secure compliance.

If enacted in its present form, it would mean that highly confidential and sensitive information could be secretly disclosed to the police, the Inland Revenue, the Customs and Excise and the immigration authorities, without any indication on the data protection register that anything of this kind was even possible. The Lindop Committee, in a memorandum which was submitted to the Home Office in June 1982, described this as: "palpable fraud on the public"—very strong words indeed.

It may, of course, be contended that these provisions to which I have referred have the authority of Article 9 of the European Convention, and that may conveniently be found at page 9 of the White Paper of April 1982. But, in fact, that article only allows derogations which constitute: "a necessary measure in a democratic society in the interests of protecting State security, public safety, the monetary interests of the State, or the suppression of criminal offences". In my submission, immigration control does not come within those exemptions, and it is certainly doubtful, in my submission, whether taxes and customs duties do either. The European Court of Human Rights has always construed the word "necessary" in a very narrow sense. I submit that it would be difficult to argue that in a democratic society it is necessary for the police, let alone the Inland Revenue, the Customs and Excise or the immigration authorities, to have secret access to all computerised personal information systems in this country.

It is, your Lordships may think, striking that just five weeks before this Bill was presented in this House the Home Office presented in another place the Police and Criminal Evidence Bill, which adopts a totally different policy for the same problem. Under Clause 10 of that Bill, the police are also given power to obtain access to confidential records, but only on the order of a circuit judge, to be made only if he is satisfied that a serious arrestable offence has been committed and that evidence about it cannot be obtained in any other way. I submit that that solution is surely just as apt for computerised records as for any others. In due course, if the Bill proceeds, we shall be putting down amendments to provide for such arrangements in this Bill also.

Clearly a great deal will have to be done to this Bill in its subsequent stages if the House gives it a Second Reading. There are many grave omissions in the Bill, like the lack of any opportunity for the registrar to endorse codes of practice, and, indeed, the lack of provision for codes of practice. There is the lack of opportunity for a data subject to have his record corrected otherwise than by a court order—an expensive and lengthy process. There is the lack of any definition of "research".

Other sins of omission and commission in the Bill will, I apprehend, be raised in all parts of the House. I fear that perhaps the Chief Whip—who, fortunately for his happiness, is not here at the moment—may have to face a long, long, long series of anxious debates upon those matters which are omitted or indeed wrongly included in the Bill. It is regrettable that, in a matter affecting our country's standing in Europe, the Government's approach to this Bill appears to have been to try to get away with as little compliance with the convention as it can. We on this side of the House regard the Bill with serious misgivings.