§ 8.7 p.m.
§ Viscount Ullswater rose to move, That the draft order laid before the House on 30th January be approved [8th Report from the Joint Committees].
224§ The noble Viscount said: My Lords, the purpose of this order is to qualify slightly the subject access provisions of the Data Protection Act 1984. Although subject access—that is, the right of people to see personal information held about themselves in computerised form—is a central pillar of the Data Protection Act, that Act allows certain exemptions. For example, data held for the purposes of the assessment and collection of taxation are exempt if disclosure to the subject would be likely to prejudice those purposes. Parliament also foresaw that it might be necessary to make further exemptions in the fields of heath, social work and financial services, and data protected from disclosure by other enactments; and it accordingly provided the Secretary of State with order-making powers.
§ Under this power the Data Protection (Regulation of Financial Services etc.) (Subject Access Exemption) Order 1987 was made on 9th November 1987. As your Lordships may remember, it was one of those debated on 5th November 1987 at cols. 1124 to 1132 of the Official Report. The Order designated certain functions conferred by or under statute relating to, among other things, the regulation of financial services. The order prevented data subjects from using subject access to discover what information regulators held about them as it could have prejudiced investigation and prosecution of malpractice.
§ The order now before the House amends the 1987 order in ways which we consider are necessary following the enactment of the Companies Act 1989. First, this Act extends investigatory powers from departmental officials by allowing the Secretary of State to bring in the expertise of other competent persons and this will help him to cope more flexibly with changes in the departmental workload. Secondly, it enables him to assist overseas regulators in the company law, financial services and insurance spheres by investigating in the United Kingdom on their behalf. Regulators need to be able to trace transactions, which may be in breach of a law, to all the countries involved. Markets are increasingly international and complex and the new power will protect United Kingdom investors who may be damaged by those who, undetected, would otherwise be able to continue investment into or in the United Kingdom. At the same time, the new power should help our own investigators secure reciprocal assistance from overseas regulators, especially those who already have compulsory investigation powers which can be used on behalf of foreign regulators; for example, the United States Securities and Exchange Commission.
§ The third set of changes which I wish to mention are the amendments made by the Companies Act 1989 to the Financial Services Act 1986. Most of these relate to the powers of the Securities and Investments Board, and various self-regulating organisations recognised under the Financial Services Act, to regulate the conduct of investment business. All that will provide the primary regulator with more flexibility in regulating the carrying on of investment business. In particular the amendments confer new powers to issue statements of principle and codes of practice, to designate rules as applying 225 directly to members of a self-regulating organisation recognised by the Securities and Investments Board and to use the enforcement powers in the Financial Services Act to assist an overseas regulator.
§ In the case of all these powers brought in by the Companies Act 1989, we consider that the right of subject access to personal data might prejudice the discharge of the functions of the regulatory authority. I therefore recommend to your Lordships that subject access should be denied. This is but a small qualification to the general principle of subject access which derives from the European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, and is given statutory form in the Data Protection Act. It is, I believe, necessary in the wider public interest.
§ As the Act requires, the Data Protection Registrar has been consulted about the exemptions for which the order provides, and he is content. The order has been approved by affirmative resolution in another place and I commend it to your Lordships. I beg to move.
§ Moved, That the draft order laid before the House on 30th January be approved. [8th Report from the Joint Committee.] —(Viscount Ullswater.)
§ Lord Williams of ElvelMy Lords, the House will be grateful to the noble Viscount for introducing the order which is a matter of substance and importance. I am pleased to be able to address many noble Lords on the opposite Benches and make my points with my customary trenchancy!
The Data Protection Act guarantees certain fundamental freedoms; that is, subject to the exemptions mentioned by the noble Viscount, the ability for individuals to know what information is stored in computer records about their characteristics, qualities and so forth. As the Data Protection Registrar has said on a number of occasions—and most recently in his report—we must try to strike a balance. We accept the fact that there will be exemptions. Nevertheless, we shall grant those exemptions grudgingly. I believe that that is the right balance to strike.
In the order introduced by the noble Viscount there appeared to be two major problems. The first concerns overseas regulatory authorities. We recall that Section 30 of the Data Protection Act limits exemptions to cases in which the proper discharge of certain functions is likely to be prejudiced if no exemption is granted. The question we must ask about overseas regulatory authorities is: in their case is the exemption necessary? After all, the Companies Act 1989 granted extensive facilities to overseas authorities and made available to them privileges which we hoped would be helpful in pursuing international fraud, particularly in securities dealing. However, it goes a little against the grain to say that, in addition, we should prevent private individuals within the United Kingdom jurisdiction from having access to information about them which may be stored in a computer and which may be passed to overseas authorities. I should like the noble Viscount to comment on that problem.
226 The second problem relates to Part II of the schedule in the order. It concerns the amendments to the Financial Services Act 1986, which were passed in the Companies Act 1989, relating to statements of principle and codes of practice. I fail to see, and to be persuaded about, the argument which states that the discharge of the function of determining a statement of principle—and it was defined quite clearly in the Companies Act 1989—and of the function of determining a code of practice would be prejudiced if there were no exemption under Section 30 of the Data Protection Act.
I find that odd not only because I argued at length against the idea of statements of principle and codes of practice in the form in which they now appear in the Act, but also because I was given many assurances during our debates on the Bill that statements of principle and codes of practice would be for guidance and general information, and would not have the same force as rules and regulations made under the Financial Services Act 1986. I find it odd that such an exemption should be given for the purposes of discharging functions under the 1986 Act, as amended by the Companies; Act 1989 in respect of statements of principle and codes of practice.
If I have spoken for longer than I should have it is because I wish to insist that the Data Protection Act 1984 is a fundamental assertion of individual rights. It is for your Lordships' House to consider most carefully any exemption which may be granted to government to derogate from that fundamental right. I hope that the noble Viscount will be able to help with those two problems.
§ 8.15 p.m.
§ Viscount UllswaterMy Lords, I am grateful to the noble Lord, Lord Williams of Elvel, for taking part in the debate at this hour. I shall take up the points that he raised. As regards the foreign regulators, it should be emphasised that discretion to use the power under Section 1 remains unequivocally with the Secretary of State. Before doing so he may take into account whether or not the inquiries involve an unacceptable assertion of jurisdiction. Even when the investigation is complete the Act imposes no obligation to pass any or all of the information to the overseas regulator if it is likely to be used for improper purposes—
§ Lord Williams of ElvelMy Lords, I hope that I shall not continue to interrupt the noble Viscount but I wish to point out that that is not relevant to the present order. The order denies access by an individual to the computer records with which we are dealing. It is not a question of whether the Secretary of State may or may not pass information to an overseas regulatory authority. That is a different question.
§ Viscount UllswaterMy Lords, I should say that the information obtained under the new power to 227 investigate on behalf of overseas regulators will be stored in the first place on behalf of the Secretary of State. I understand what the noble Lord is driving at. However, I believe that it is important to stress that it is the mutual reciprocation which we require with those who are co-signatories of the original convention that this function will assist.
To go on to the noble Lord's second point, he asked me about paragraph 1 of Part II. The power to issue statements of principle will enable the Securities and Investments Board, which will in practice exercise it, to press at a high level of generality the most fundamental terms of good investment practice. They should be more easily understood and detailed rules and therefore be accessible to practitioners and not just their lawyers. The power to issue codes of practice means that the Securities and Investments Board could amplify what is contained in its principles or rules without the amplification having itself to take the form of rules.
I should like to add that the Government and the registrar will continue to keep the Data Protection Act under review. Indeed, an interdepartmental committee on the working of the Act is due to report to my right honourable friend the Home Secretary in a few months. If it is necessary we shall take steps to change procedures to improve the working of the Act although always in a way which is consistent with the European convention.
§ Lord Williams of ElvelMy Lords, I apologise for intervening again. I understand about statements of principle and codes of practice under the amendments to the Financial Services Act 1986 which were passed in the Companies Act 1989. I spent a lot of time studying and debating them. I simply do not see—and the noble Viscount has not answered my question—why there should be exemption under Section 30 of the Data Protection Act in order to allow the SIB to discharge the function of making statements of principle in codes of practice. I very much hope that the noble Viscount will be able to answer my question.
§ Viscount UllswaterMy Lords, I am not certain that I can answer that question. Therefore, I shall need to write to the noble Lord with a detailed answer. He asked me a fairly detailed question and I shall need to write to him.
§ Lord Williams of ElvelMy Lords, again I am sorry to interrupt. I do not regard my question as detailed. It is a question about the principle of Part II of the schedule. Why are the Government coming forward with this order at this point in time when they cannot answer the simplest questions from the Opposition Front Bench? If the noble Viscount says that he would like further time to consider this matter then I suggest that he withdraws the order and we start all over again.
§ Viscount UllswaterMy Lords, the justification for denying access is that disclosure of that data to the individual may prejudice the discharge of the Secretary of State's functions under those two sections because the need for the statement of principle and the code of practice might arise out of a particular case which may be very sensitive.
The Government believe that the order before your Lordships is necessary in order to bring the subject access exemptions into line with the changes made by the Companies Act 1989 and generally to maintain the correct balance between the rights of data subjects and of the public in general. I commend the order to your Lordships and invite the House to approve it.
§ On Question, Motion agreed to.
Viscount LongMy Lords, I beg to move that the House do now adjourn during pleasure until 8.30 p.m.
Moved accordingly, and, on Question, Motion agreed to.
§ [The Sitting was suspended from 8.25 to 8.30 p. m.]
§ 8.30 p.m.
§ [House adjourned during pleasure until 8.40 p.m.]