Personal Data Protection: ECC Report

The noble and learned Lord said

My Lords, the subject of the report referred to in the Motion standing in my name on the Order Paper is one in which I must confess to finding some complexity, but it is of great and 10 growing importance. The importance of the subject can be seen from the number and standing of the bodies which gave evidence to the sub-committee and which are potentially affected by the proposals now being made: the professions, the media, the Stock Exchange, the BBC, the Association of Chief Police Officers, the National Council for Civil Liberties arid others.

The inquiry imposed a special burden on the members of sub-committee E and I am grateful for their assistance, tolerance and help during my baptism of fire as the new Chairman of the sub-committee. All members of the sub-committee are greatly indebted to the witnesses who attended and provided written evidence, but especially to Mrs. Eileen Denza, our legal adviser.

The subject is not a new one. The need to balance the right to privacy and the right to freedom of expression has been recognised for many years and has been the subject of very wide debate, particularly as the use of computerised information has spread. Before the 1970s national legislation existed in a number of states, but in the 1970s it was recognised that international action had to be taken if national laws were not to impose unacceptable barriers to trans-border data flow. That international recognition produced two documents: first, the guidelines of the Organisation for Economic Co-operation and Development which set out principles relating to the collection, use, security and disclosure of personal data. Secondly, it produced the Council of Europe convention on the automatic processing of personal data, which was much supported at the time by British industry. The contracting parties reaffirmed, their commitment to freedom of information regardless of frontiers", and recognised that it was, necessary to reconcile the fundamental values of respect for privacy and the free flow of information between peoples". It was that convention which led to our own Data Protection Act of 1984, which is closely based on it. It created the office of the Data Protection Registrar to maintain a public accessible register and gave data subjects (that is, people about whom the data is recorded) the right of access, rights of compensation and rights to rectification of the data. During the inquiry several of our witnesses paid tribute to the work of the registrar and his staff, as we do for the way in which he assisted us by his evidence.

The 1984 Act was limited to computerised data, but other statutes in the United Kingdom which give rise to rights of individual access to personal data such as the Consumer Credit Act and the Access to Health Records Act are not limited to files held on computer. They, together with a number of other United Kingdom statutes, include manually recorded data.

If the Council of Europe convention had been given full effect, perhaps the present question might not. have arisen at this time. I stress "might not" because the recent report of the Comptroller and Auditor General shows that few data users—a relatively small proportion of data users—in this country have registered so it is difficult to check abuse. The report also shows that the number of complaints of abuse has increased rapidly in the past few years despite the fact. that it appears that many people are unaware of their rights in this matter. 11 I stress "might not at this time" because I think that this question would have arisen for the Community at some time. It has arisen "at this time" because only seven of the member states of the Community have ratified the Council of Europe convention. They have implemented it in different ways. Indeed, four member states of the European Community have no data protection legislation at all.

Accordingly, the Commission produced a draft directive as part of a package of six related measures, including one draft resolution dealing with public sector files outside the strict ambits of Community law. Virtually all our witnesses agreed that there was a need for some form of Community measure on data protection. The Commission produced a first draft and appears to have received a considerable response with many suggestions for change. As a result, in a second draft substantial changes were introduced, many of which your Lordships' committee has approved, but discussion of the second draft still continues in the working group and it is unlikely that a common position will be reached before next year.

The committee hopes that its report will provide a contribution to focusing attention on some of the issues, even though we recognise from the evidence that we have received that many of the items still to be decided are controversial. Your Lordships will not wish me to go into the many detailed provisions of the directive or the many detailed comments which we have made in our report. I limit myself to drawing attention to a number of important points.

The committee accepts the need for a directive. We stress that the task is to strike a balance between the right to privacy and the right to freedom of expression. To that end, we have suggested that there should be prepared a directive that is simpler and less restrictive. We recommend that before the directive is finally adopted more reliable figures should be obtained as to the likely costs to data users of the adoption of the directive. The committee is glad to see in the Government's response to the report that its general approach and its recommendation in that regard are accepted.

We concluded, secondly, after much thought, that the Commission was right to include manually recorded data, as the Council of Europe Convention made optional, and, as I have already said, as a number of United Kingdom statutes already include, but it was on the basis that the directive should not be unduly onerous and should not be made retroactive in its effect. It seemed to the committee, after hearing the evidence and after much discussion, that the alternative of excluding manually recorded data altogether, although favoured by some of our witnesses, was unsatisfactory. We did not feel that it was right or practicable to distinguish between different sectors by including some and excluding other manually recorded data. I stress that our recommendation about manually recorded data was made on the basis that there should be a simplified and less onerous directive, and that the likely costs should be investigated before the directive was finally adopted. That was a much canvassed question, and we observe 12 that in their response the Government do not accept that manually recorded data should be included in the directive.

Thirdly, we believe that the Commission was right, in its revised draft, to remove the distinction which existed initially between public sector and private sector activity. We understand the Government, in their response, to accept that that distinction should go. It seems to the committee that to have maintained that distinction was likely to lead to confusion. We believe it better that there should be one simplified and general scheme with few exceptions and few distinctions.

It was for that reason that the committee also welcomed the inclusion in the revised draft of charities and other non-profit-making bodies. We considered that the directive should apply to Community institutions. We did not consider that there should be a separate regime or provision for the media, but, again, on the basis that there should be adopted a substantially less onerous directive with no excessive demands placed on data users. The committee does not consider that, if those changes are made, the media will be in any way unduly hindered by the provisions of the type of directive we envisage.

Fourthly, your Lordships' committee considered that the requirements in the draft directive for information to be given to the data subject should be reduced substantially. We believe that the provisions of the directive are too complicated and too technical and we agreed with many witnesses who thought them onerous and unworkable, although we believe that it should be a part of the directive that a data subject should be consulted or informed as a rule before data relating to him or her are disclosed to a third party. We believe, on the other hand, that a distinction should be drawn between the categories or principles stated in the directive and that only those such as the fair and lawful processing requirements and the duty to keep data accurate and up-to-date should be enforced, with sanctions for non-compliance. It seems to the committee that the other principles which were stated in the directive are in the nature of principles and do not call for enforcement by sanctions.

Our report came shortly after the publication of Sir David Calcutt's report. We recommend that the directive should provide specifically that the fair obtaining of data should be so defined as to exclude the use of concealed devices such as telephone tapping and bugging. We understand that the Government will reply to that report in due course when our own recommendations will become relevant.

We heard much evidence about the importance of sensitive data (medical records, and information about racial, religious or ethnic origin). We concluded that sensitive data of that kind should not be permitted to be processed without the consent of the data subject, although we do not believe—I understand that the Government accept this—that it is practicable to require a written consent to the disclosure of such sensitive data, as the directive proposes.

Finally, we were impressed by the evidence which we received, in particular from the National Council for Civil Liberties, as to the harm which can result to 13 individuals in some areas outside Community competence; in particular, those that arise from co-operation between police forces and other bodies responsible for countering terrorism. We believe it is important that the Council, when considering the directive, should consider at the same time the resolution to which I referred earlier for the extension of the general directive to public sector files outside Community competence.

When one reads of the incidents which have concerned individuals who have moved from one member state to another, and about whom inaccurate information has been given by one police force to another, and who have been subjected to detention or inconvenience, it seemed to us to be an important matter for the Council to consider. It seemed to us that was an area where the principles of the general directive, as simplified in the way we indicate, and, in particular, the obligation to obtain and to keep accurate information, and to update it, should be considered and adopted.

We note, however, from the government response that the Government consider that that is a matter for individual member states, and not something to be dealt with on a Community basis. Whether it is sufficient for it to be left to member states in that way is obviously a matter for debate. It seemed to the committee that all those matters needed to be aired since the aims and ramifications of the draft directive are of considerable importance to the citizen, to industry, the professions and government. I beg to move.

§ Baroness Elles

My Lords, the report before your Lordships' House contains a valuable and clear analysis of the subject which has been adumbrated by the noble and learned Lord, Lord Slynn. I too wish to congratulate the legal adviser, Mrs. Denza, on her magnificent work in preparing the report. The committee also had assistance from a wide range of witnesses. I also congratulate the noble and learned Lord, Lord Slynn, chairman of sub-committee E, on the presentation of his first report to your Lordships' House.

All noble Lords will probably agree that certain principles exist with regard to the protection of individuals who may face risk as a result of the abuse and misuse of data bases. We have the Data Protection Act 1984, which has served us in good stead. With regard to the witnesses who came before the committee, I wish to add my congratulations and warm thanks to Eric Howe, the registrar appointed under that Act. He was most helpful in assisting us to understand some of the many difficult problems that can arise.

With regard to the principle of balancing the need for the protection of the individual with the right to information and freedom of expression, the European Parliament in its amendments to the original text has got that just about right. I wish to read Amendment No. 11, 14 which is an amendment to Article 1. It was published in the Official Journal of the European Communities on 13th April 1992 and states: The Member States shall therefore reconcile a high level of protection in relation to the processing, collection and communication of personal data with the principle of the free: flow of personal data throughout the Community". We must remember that balance as we deal with the different aspects of the draft directive.

I welcome the fact that, thanks to amendments which were carried in the European Parliament, both manual and computer-based data are included in this new form: of protection. After all, many forms of technology are being introduced which will also cover manual data bases with great facility; not only can computer-based. data spread quickly through the Community or, indeed, anywhere else. The draft directive provides a typical example of the law falling well behind scientific and technological development. It is difficult to produce simple and clear principles which will exist for a decade, without the need for amendment, in order to deal with new developments which are riot covered by such a draft directive. Therefore, I support the noble and learned Lord in pressing for flexible and broadly-based legislation which will not go too much into specifics.

The Council of Europe convention has provided such protection for some years. That was incorporated into United Kingdom law by the Data Protection Act 1984. We did not take up all the options available under that convention. I believe that that convention could have been extended rather than having the necessity for a new draft directive. Of course it is true that some member states have not signed the convention. But let us face it, there is no guarantee that those member states will observe the draft directive when it is adopted. Therefore, I do not believe that one should be too concerned that some member states have not ratified or signed the convention. In order to extend the Council of Europe convention, it would be helpful to the countries which are members of the Council of Europe and have applied for membership of the Community, which will be granted in the near future, and those countries which may take longer to join the Community. All are countries with which we trade and deal, with whom we have continuing relations and where data bases are in continual use.

We must realise the extent to which data bases enter our lives. I cannot believe that there is an adult in this country who is not concerned in one way or another with a data base. We are concerned with data bases relating to driving licences, medical records, inland revenue accounts and so forth. Considering the opportunities which could arise, there has been little abuse. As regards social work, a vast raft of information is continually processed, both manually and computer based, and individuals need protection. If we are to have the new draft directive, we must be careful about the way in which it is worded because it will cover almost every adult in the United Kingdom. Indeed, that applies to minors as regards entry to primary school and after, welfare benefits and so forth.

I wish to express some anxiety about the draft directive. I followed closely the recommendations adopted by the European Communities Committee and 15 noted that at page 224 of the report appears the Memorandum by UNICEF, which is an experienced organisation representing employers throughout the Community. It is anxious that the draft directive might do more harm than good. It is not satisfied with the financial estimates which have been produced by the Commission. According to the Commission's report, the additional staff are to be only two C-level officials. That is incredible. If the directive is to come into force, it will encourage small businesses to be protected throughout the Community and to benefit from the single market. I find it hard to believe that the monitoring of that activity can be carried out by two such low-level officials and can be so restricted. The CBI has commented on the almost inestimable costs to business as a whole in introducing the measures which are envisaged in the draft directive.

However, as we are probably to have the draft directive, one must ask why the European Commission is so keen to accede to the Council of Europe convention. If the convention is any good, why do we need a draft directive? If it is not good, let the Community accede and let us not have a draft directive. The position is perhaps somewhat incompatible and illogical in that the Commission should wish, first, to accede to the convention and, secondly, to introduce a directive.

I wish to express a second anxiety. I understand that there is a reason for the directive. Indeed, the noble and learned Lord, Lord Slynn, has set out clear reasons why it would be helpful to give better protection to individuals. However, it is curious that the considerable costs have not been estimated. I wish to ask my noble friend a question but have been unable to give him notice because I arrived here only in time for the debate. What opportunities will there be for both Houses to debate the subject and to express their opinions about the effects of the measures in the draft directive? The measures will affect almost every person in the country.

The report before your Lordships' House is excellent and sets out many of the problems. However, I believe that another place should also have the opportunity to debate the subject before the directive is adopted. As we all know, once it is adopted it will become part of United Kingdom law and no one will be able to do anything about it except complain. Perhaps the Government will give serious consideration to how people will be consulted, how there will be an open debate and how people throughout the country who will be affected by the new legislation will be able fully to give their views before it is adopted in Brussels.

§ Lord Reay

My Lords, I must start by declaring an interest as I hold a consultancy brief for the CBI. In that context, I should like to relay to your Lordships some of what I believe are the valid anxieties of industry with regard to the directive.

I feel tempted to question whether the directive is needed at all. Indeed, I am not quite sure that the Government really believe it to be necessary. Very few instances could be cited by witnesses who appeared 16 before the committee of the flow of information between Community member states being impeded as a result of divergencies among member states' data protection legislation or because of the absence of such legislation in some member states. Moreover, as I understand it, one of the arguments for a directive mentioned by the noble and learned Lord, Lord Slynn of Hadley—the absence of legislation in a few member states—has been largely superseded because legislation has followed in Belgium and is on the way in some, if not all, of the other member states which have not had it.

I question whether the directive, even in its revised form, would ever have seen the light of day had the Maastricht Treaty, with its Article 3b on subsidiarity, already been on or near the statute book. At least I cannot believe that it would have incorporated such a high degree of detailed regulation and permitted such a low level of derogation for member states. In any event, I believe that the Government, in the Council of Ministers, should require the directive to be subjected to a test of subsidiarity. Both the need for a directive at all and the need for its more onerous provisions should, I suggest, be looked at again.

Some, if not all, of the difficulties of the directive doubtless derive from the Commission's decision to aim for a high degree of data protection. Like the Government, I believe that the Commission would have done better to aim for the standard of protection achieved by the Council of Europe convention with which we have all learned to live quite satisfactorily.

A case in point is the inclusion of manual files of personal data. The Council of Europe's convention leaves the decision open to the discretion of member states; and in the United Kingdom, the Data Protection Act 1984 excludes manual files. To bring in manual files now would produce a preposterous burden for some industries which have files scattered through thousands of offices which are doing no harm to anyone, which may do future historians some good but which fail to meet, in all the information they contain, the various criteria, relevance, accuracy and so on, set out in modern legislation. Banking and insurance are two such industries.

The committee wisely, ingeniously even, proposes that existing files should be excluded. The committee says—and I agree—that there should be no retroactive application of the legislation to manual files. That would help considerably. I am assured that without such an exemption, some large firms would have no option but to order a bonfire of files, risking the loss of important information in order to comply with the law. Such actions should not be lightly provoked.

But even with retroactivity excluded, the burdens for some industries will be great. In the insurance industry where a great deal of paper passes between firms and their customers, the creation of manual files is unavoidable. At present some 18 million new files are created per year, as the industry informed the committee. The costs of bringing such files within the scope of the legislation would be out of all proportion to any benefit likely to accrue to the user.

17 Therefore, I do not follow the committee in concluding that the protection of privacy should as a matter of principle also be extended to manual files. I should prefer a conclusion based on practicality. The extension to manual files is an onerous requirement. We have lived very well without it. We should not be seeking to amend our legislation in that direction were there no directive. submit that we should resist it now.

One respect in which the directive is plainly defective is as regards the issue of prior consent. The prior consent of the data subject to the collection of data is desirable in principle, as the data collection registrar emphasised in his evidence. However, a way must be found to exclude obvious uses. The prospect of individuals having to be given information perhaps on the telephone and at their own expense, as required by the directive, under six headings before their theatre bookings can be accepted or airline tickets issued is evidently ridiculous.

A definition which needs clarification is that of a third party. What exactly constitutes a third party is not entirely clear in the directive. That is a matter of great importance for firms belonging to large groups which may not know with certainty to whom else in the group they are free to pass on data.

As regards the holding of sensitive data, the directive makes no provision for employers to hold data on criminal convictions of employees—actual, prospective or past—or on policyholders in the case of insurers, although such exemptions, as I understand it, could be provided at national level. As the committee found, such provision should be made in one way or another.

As the committee said at paragraph 139, those matters are of legitimate anxiety to actual and prospective employers as well as to insurers and prospective grantors of credit. Firms also need to be able to hold other forms of sensitive data.

I agree also with the committee that there should be an express statement in any directive that there are to be no limitations on the use or disclosure of material already in the public domain. It is of particular importance to some that access to the electoral roll and the register of county court judgments, which is now available, should not be lost.

One of the most lamentable features of the directive is that it comes without any estimates of the cost of complying with it. There is no fiche d'impact. I believe that the Government should call in the Council of Ministers for a fiche d'impact. As the committee says in paragraph 149, we should know the likely cost to data users of specific operations required by the directive before negotiations proceed further. Meanwhile, I should be interested to hear from my noble friend, when he winds up, what he considers would be the compliance costs for the public purse of this directive. So far as I am aware, that matter is not taken up by the committee.

I am grateful to the committee for paragraph 125. I believe that it is unreasonable to insist that data collected may be used only for the purposes originally intended and not for any other purpose.

I agree also with the recommendation in paragraph 153 that the Commission should not have rule-making 18 powers conferred on it. I agree with the recommendation in paragraph 155 that the transfer of personal data to third countries should always be permissible with the informed consent of the data subject, and in certain other specified instances, where it must be in the subject's interest, even though his consent cannot be obtained.

I was interested that the committee should have contemplated the elimination of registration of data users as required in this country under the Data Protection Act. Like the registrar, the committee would at least like it simplified. It also sees no justification for making even a simplified version compulsory throughout the Community. For once, we are not going to insist that the way that we do things here is necessarily the best for everyone else. I believe that the whole question of registration, whether we have gone too far in this country and, if so, by how much we have gone too far, should be looked into on another occasion, perhaps in a forthcoming deregulation Bill, if we have one.

To sum up, I think that the need for a directive at all is not proven. I am not convinced that it should or would pass a subsidiarity test. The approximation between member states' legislation which has been achieved under the umbrella of the Council of Europe's convention seems, in practice, sufficient to guarantee the single market in information. However, if a qualified majority in the Council cannot be found against the directive, then we need one which is less detailed in its application, and which leaves more latitude to member states, along the lines which the committee has, for the most part, adroitly and comprehensively identified.

The committee has produced in concept a much improved piece of legislation—but to turn even that into reality, if it could be achieved at all, would no doubt require months of negotiation. I should like to thank the committee, under the chairmanship of the noble and learned Lord, Lord Slynn of Hadley, for its work. I should also like to place on record the appreciation which the CBI has expressed to some of us for the responsiveness shown by the Home Office in its consultations with industry. I feel confident that the Government will continue to press for solutions much more acceptable to industry than those envisaged by the Commission, as I hope my noble friend in his winding-up speech will once again prove.

§ Lord Renwick

My Lords, I, too, should like to thank the noble and learned Lord, Lord Slynn, for opening the debate and for bringing the attention of the House to this important subject. It is the culmination of the excellent work undertaken by Sub-Committee E of the European Communities Committee under the noble and learned Lord's chairmanship. Evidence was taken from a wide range of witnesses. The noble and learned Lord, Lord Slynn, and his team should be congratulated on the thoroughness of their work and the excellence of their report which was issued in March of this year.

The Select Committee identified several areas of questionable logic in the Commission's proposed directive. But, overall, it seems that the proposal is welcomed. There is a definite risk that certain of the 19 clauses could prove onerous and costly to business and industry, without providing adequate compensatory benefits to the individual. I quote from paragraph 159 of the report: A balance must be struck between the right to privacy and the countervailing right to freedom of information and expression, and the burdens to be imposed on data users must not be disproportionate to the benefits to be enjoyed by individuals. Overall, the committee favours a simpler and less restrictive directive. As chairman of EURIM (a Parliamentary organisation which was formed earlier this year to investigate and report on information and technology matters emanating from the European Commission) I strongly support that view.

To consider the directive, it is necessary, first, to go back to the Council of Europe's Convention of 1981 which laid down a set of guidelines for the protection of personal data. That was welcomed as a step forward and has been ratified by all member states.

The UK was at the forefront of introducing legislation to meet our ratification, and the Data Protection Act 1984 was enacted. The UK approach was to concentrate on computer-related data, meeting the requirements from the convention, but avoiding any excessive restrictions on the use of data.

Not all of the EC member states were as diligent as the UK in meeting their obligations following ratification. Others have introduced legislation which is rather more far reaching than ours, but certain members have failed to follow up with any legislation at all. That has resulted in an imbalance in data protection across the Community. That imbalance has given some anxiety to the European Commission, and is generally agreed as being inconsistent with the need for pan-European movement of information. Faced with the need to bring all members into line, the Commission had two main options: it could either ensure that all members achieved the levels to meet the convention requirements, with some exceeding them; or, it could introduce a set of redefined requirements for all member states to meet. The latter was to be the more debatable, difficult, expensive and time-consuming option. It was of course the path chosen.

The first draft directive was issued over three years ago, and since then there has been intense debate, with considerable lobbying to persuade the Commission and MEPs to modify some of the more onerous clauses. A second draft has now been issued, and is considered to be much more palatable and acceptable to business. It is worth mentioning at this stage that the detailed benefits of the directive are primarily for individuals, with the necessary work and costs falling on businesses. There is undoubtedly a need to protect individuals; but there is also a need to avoid the stifling of legitimate business activities. Unfortunately, there are occasions where what is legitimate is a matter of opinion. A balance needs to be struck between placing a straitjacket on enterprise and allowing too much flexibility leading to varying standards of behaviour.

Much of the debate, particularly regarding the first draft, has circulated around the inclusion of manual data. The first draft aroused considerable objection. The second is rather more open, but could cause additional 20 costs to many businesses. The directive is capable of some interpretation as to what is to be included as manual data; and, if taken literally, it could result in a significant additional burden to many businesses. If it is interpreted in a pragmatic manner—and I am sure that our fellow Europeans in other member states will take that approach—the major excesses can be avoided. The CBI has taken the view that manual data should not be included, if possible, or at least that it should be limited in its content, whereas the report of the Select Committee concluded that they could not justify limiting the protection of the individual and the right of individual access to information by excluding such data.

There is obviously much divergence of opinion on that point. I should like to ask my noble friend the Minister whether it is his opinion that manual files should be included within the scope of the directive, perhaps taking into consideration the fact that it seems it is only automated processing that is seen as a threat to individuals?

Another topic which has aroused considerable comment has been the inclusion of the need for expressed consent from the data subject to the processing of personal data relating to him. That is despite a proposal from the European Parliament that implied consent should be sufficient. Interpretation of the draft has been varied, and some organisations have accepted the draft as reasonable, whereas others consider the requirement to be onerous. The CBI view seems to be that it is wholly impractical and unnecessarily bureaucratic, and will result in significant inconvenience and eventually additional costs for the data subject. In my opinion, the Select Committee rightly concluded that a common-sense approach should be taken regarding the fair obtaining of information. In addition, members of the committee took the view, regarding the disclosure of information to third parties, that they are in general agreement with the EC proposal which set out the conditions under which disclosure may be made. There is some flexibility for national legislation, and we must be careful to ensure that we strike the right balance.

There is one area where the Select Committee concluded that the draft directive has not been sufficiently rigid. This is regarding exemptions, where the proposal is that member states shall prescribe exemptions from the directive in respect of the processing of personal data solely for journalistic purposes by the press, the audio-visual media and journalists. The Select Committee rightly believes that there should be no special exemptions for the media.

There have been changes introduced into the second draft which are welcomed. In particular, the change in the structure of the proposal intended to provide equivalent treatment for the private and public sectors, and the conditions covering transborder data flow, permitting the movement of data to countries without adequate data protection provided that the data subject has consented, that it is necessary for the performance of the contract and the data subject has been made aware of the lack of protection. There are also increased 21 opportunities for member states to adopt procedures appropriate to their needs within the framework of common principles set out in the directive.

The original draft contained a restriction on the holding of information regarding criminal convictions. That would have caused considerable problems to those in the financial sector, leading to increased fraud, including money laundering. That restriction has now been modified by an additional clause permitting member states to lay down exemptions from the restriction by means of a legislative provision, including suitable safeguards.

The proposal places some restriction on the use of automated decision-making techniques. There has been considerable objection to that within the UK, but perhaps we should learn a little from the French. They have had restrictions in this area for some time now and have been able to manipulate their way round the regulations with typical Gallic pragmatism and with little restrictive effect on the use of the automated techniques.

There are further items which are cause for concern to business. It is essential that the major problem areas continue to be addressed as further improvements may be squeezed out of the Commission before the final directive emerges. Considerable activity is going on in this direction and must continue. It is also vital that we ensure the UK legislation which is developed for enactment subsequent to the final version of the directive being issued is in such a form as to maximise the benefits to the individual while at the same time minimising any onerous effects on our business and industry.

The formation of EURIM should help to ensure that UK parliamentarians have the opportunity to be made aware of issues related to information technology, including data protection, coming out of Brussels. EURIM was formed not only to investigate and report on IT matters emanating from the European Commission, but also to enable Members of your Lordships' House and honourable Members from another place better to understand the issues and influence the final outcome on such matters. The data protection directive clearly illustrates the need for such an initiative, and the continued support of Members from both Houses is needed to ensure that EURIM is successful in what it does.

§ Lord Chalfont

My Lords, I follow other noble Lords in congratulating the European Communities Committee and especially the noble and learned Lord, Lord Slynn of Hadley, the chairman of sub-committee E, on this report. It is a comprehensive report. It is generally balanced and meticulously researched, as we have come to expect from the committee now chaired by the noble Lord, Lord Boston of Faversham.

I also wish to congratulate the committee on emphasising the need for a less prescriptive Community directive, if indeed there is to be one at all. However, like the noble Lord, Lord Reay, I question the need for any Community initiative at all in this sphere. The present position, as I understand the situation from the 22 CBI and others who gave evidence to the committee, presents no great difficulties for business and industry. Nor is there any evidence of damage to individuals caused by the processing of personal data. I wonder therefore whether there is any need at all to go beyond the Data Protection Act 1984.

In its evidence to the committee the BBC stated that there is, no public appetite for enhancing the Act"— that is the Data Protection Act— which has shown itself to be adequate to the task". There is no evidence that I can adduce to show that the differences in the level of protection between member states of the Community have inhibited in any way the movement of data across borders. The committee, however, has come to the conclusion that, Virtually all witnesses agreed that there was a need for some form of Community measure on data protection". I wonder whether this need is quite so evident. In the course of the evidence that was given to the committee a number of bodies—including not only the BBC, which I have just mentioned, but also the Home Office, the direct marketing association, the British Medical Association and the Institute of Chartered Accountants—all expressed substantial reservations about this directive and the need for it at all.

Perhaps the most telling quotation is that made by an organisation entitled CHANGE which is concerned with charities and non-profit-making organisations. CHANGE stated in its evidence: We fail to see why it is necessary to have a highly intrusive European Directive in an area where the very nature of the subject calls for national approaches which respect varied cultural circumstances". I have considerable doubts about a directive which is bound to impose costly and unnecessary compliance procedures which will have serious consequences for business operations in Europe. Therefore. I have some difficulty in supporting the committee's welcome for the Commission's initiative. On the other hand, of course, it provides an opportunity to debate this matter. As was stated in the report, and by a number of previous speakers in this debate, this matter concerns the delicate balance between the right to privacy and the countervailing right to freedom of information and expression. In this context I believe that the committee has been quite right to demand that this draft directive should be looked at again in some detail.

I wish to mention one aspect of the directive which I believe was referred to earlier by the noble Lord, Lord Reay; that is, the question of the definition of the term "third party". I believe that this definition is extremely obscure in the draft directive as it stands at the moment. If this directive is to see the light of day, it should make the term "third party" absolutely clear in such a way that all businesses are completely free to communicate within their own organisational structures. That matter is not clear at the moment. There is a real fear in some large multinational groups as well as national groups that the third party definition, as at present formulated, does not leave a business free to communicate within its own structure and does not allow companies to communicate with their branches. their separate locations, and their subsidiary companies. I believe that 23 this definition should certainly make it clear that businesses are free to communicate internally without any inhibitions.

However, my real concern is with an aspect which does not figure in the draft directive at all, although it was clearly much in the minds of the members of sub-committee E when they took their evidence and arrived at their conclusions. My anxiety concerns the application of data protection principles to areas outside Community competence, such as police, intelligence and counter-terrorism activities. As these matters, by definition, cannot be dealt with by an EEC directive, the European Commission has proposed, as the noble and learned Lord, Lord Slynn of Hadley, said, a resolution by which member states would bind themselves as a matter of international law to apply the principles of the directive to their national activities, including the activities of the police, counter-terrorism, intelligence and defence. As I understand it, the committee welcomes this, subject to certain modifications in the draft directive. This seems to me to be a dangerous proposition. I do not know how many noble Lords will recall what a former Foreign Secretary, Ernest Bevin, once said in the context of other matters concerning the European Community. He said that if one opened that Pandora's Box, one never knew what Trojan horse would jump out. I believe that that comment has a special relevance to this proposition. That there should be some kind of resolution which would bind this Government and other national governments to apply the principles set out in this directive to matters concerning intelligence, defence, the police and other criminal activities seems to me to be setting our feet upon a dangerous path.

The National Council for Civil Liberties gave evidence to the committee upon which the committee evidently placed a great deal of weight. The National Council for Civil Liberties believes that the present Data Protection Act—the 1984 Act—is inadequate to control the exchange of information between government departments. In its evidence to the committee, the National Council for Civil Liberties suggested that the files of intelligence services should be open to inspection by the nation's supervisory authority, overriding the need to safeguard national security. I need hardly emphasise the dangers that this would pose to those responsible for operations against organised crime, terrorism and other threats to public safety.

In its evidence to the committee the Home Office, perhaps predictably, took a very different view from that of the National Council for Civil Liberties. The Home Office representative told the committee that, rather than merely exemption from access by the subject of the data, the Home Office favoured the complete exclusion from the directive of national security, defence, criminal proceedings and public safety. The Government evidently regard those matters as entirely for national competence, and I entirely agree with them.

In conclusion, I have to dissent in some respects from the conclusions of the committee. I am not convinced that there is any need for a Community initiative in this field or that any such need has yet been sufficiently 24 demonstrated. However, even if the directive gains favour and comes into force in some form, I certainly do not believe that Her Majesty's Government should subscribe to any suggestion of a resolution which would require its principles to be applied to matters outside the competence of the Community.

Nonetheless, as, I said at the beginning of my remarks, I congratulate the Committee on bringing these matters to the attention of Parliament. Like the noble Baroness, Lady Flies, I hope that they will become the subject of wide public debate.

§ Baroness Park of Monmouth

My Lords, I have read the report of the Select Committee on the European Communities with great interest and respect. Other noble Lords who are familiar with this important issue of the protection of personal data have commented on its recommendations with knowledge and expertise which I do not possess. Nevertheless, I am well able to recognise and pay tribute to the sterling work of the committee. However, the Government will need to balance the interests of data users with those of data subjects, and that is not easy. I fear that my inclination is to wish to see greater weight given to the needs of users.

First, with due respect to the committee, I must strongly support the view that extending data protection to areas outside Community competence—for example, co-operation on police and counter-terrorist work—must remain an individual government decision. I strongly support the noble Lord, Lord Chalfont, in saying that. Such co-operation should not be inhibited. There are very real threats to order and security on which we need to work closely with other countries. It is wrong to have to work in the dark for lack of such co-operation where it is considered appropriate.

I would also favour sector by sector decisions in the public domain under the present Act. I would also support the provision in Article 8(3) of the existing convention allowing member states to make some exemptions on the grounds of important public interest. Valuable though harmonisation of action throughout the Community in this area of information may be, I agree with the witnesses for the Charities and Non Profit Groups in Europe (CHANGE) who believe that the very nature of the subject calls for national approaches which respect varied cultural circumstances.

I am also concerned about the needs and the problems of data users, and also by the point made by the witness who identified the right to privacy of the collector of information. As the committee was told, to extend the provision for computer data protection to manual records such as files would not only generate very large costs as well as requiring the creation of a vast bureaucracy to handle inquiries, it would also seriously inhibit the creation of records and archives which will one day be needed for research. Some of the most interesting subjects for biographies have led lively and chequered lives. Do we really want to create laws which may encourage institutions such as schools, colleges and universities to destroy files and to reduce their records on past graduates to the public fact that 25 they took a degree in such a year? I do not believe that the memorandum quoted in paragraph 40 is enough to reassure us on that question.

On a different but equally vital point, I agree that it is essential that those writing references should continue to be able to count on the absolute confidentiality of what they write. The committee picks up that point in paragraph 125 in its reference to information obtained in confidence. It evidently shares my concern that the Community directive apparently does not have regard to that point.

My strongest concern is, however, to reiterate my view that it would be seriously against the public interest were the resolutions proposing to widen the scope of the data protection directive so as to include defence, intelligence, justice and home affairs—all matters which, incidentally, are fully protected by the two pillars of the treaty—to be approved by the Council. For the sake of transparency and the perceived needs of the individual we should be putting national interests, which concern us all, at risk.

As the registrar has pointed out, a distinction must also be made between data protection legislation and freedom of information legislation. As the committee itself so wisely says, a balance must be struck between the right to privacy and the countervailing right to freedom of information and expression. The burdens imposed on data users must not be disproportionate to the benefits to be enjoyed by individuals. The need for transparency must surely not override the need for honest assessment and record and the protection of the national interest.

§ Lord Hacking

My Lords, as the noble and learned Lord, Lord Slynn, told us, this was the first inquiry conducted by sub-committee E under the good chairmanship of the noble and learned Lord. It was also the penultimate inquiry in which I was involved during my tenure on the committee. Of all the inquiries during the happy and interesting three years that I have been a member of that committee I would describe this as the most comprehensive and complex. Indeed, I have not held such a heavy report by sub-committee E as this one. Compliments are thus due not only to the noble and learned Lord—and I join in those which have already been paid to him—but also to our legal adviser, Mrs. Eileen Denza, who assisted us greatly in our inquiry and in the writing of our report.

As noble Lords have said, this report is concerned with a directive which in turn was directed to balancing the rights of privacy and freedom of expression. The directive set out one view of that balance. The committee chaired by the noble and learned Lord, Lord Slynn, came to another view. It is clear from the contributions that have been made in this debate that some of your Lordships see the right balance differently.

While this is a very interesting subject, I should like to direct my remarks to some practical points which were taken up by the sub-committee in its report. The first is the need for a simpler directive with fewer restrictions. I believe that the noble Lord, Lord Chalfont, (who unfortunately has now left his place) 26 would be much happier with the directive if it were both simpler in form and contained fewer restrictions. I believe that that would meet some of the specific anxieties which the noble Lord raised in the debate this afternoon.

I turn in particular to Article 6. Any noble Lord who is conscientious enough to have the report to hand may like to turn to Article 6, which deals with the quality of data. Five principles are enshrined in Article 6. However, as we.found in our report, not all are of equal importance. It was the committee's view that Article 6 would be greatly enhanced if it concentrated on only two of the five principles enshrined in the article namely, the principle set out in Article 6(1) (a) that personal data should be processed fairly and lawfully, and in Article 6(1) (d) that data should he accurate and if necessary kept up to date, and that every step must be taken to ensure that data which are inaccurate or incomplete (having regard to the purposes for which they were collected) are erased or rectified. I should like my noble friend on the Front Bench to comment specifically on the committee's view in that regard.

However, under Article 6(1) (c) it is stated that: data must be adequate, relevant and not excessive in relation to the purposes for which they are processed". In the view of the committee and in my submission to your Lordships, that is not language which is helpful in construing the directive.

As mentioned to your Lordships, Article 6(1) (a) provides that personal data must be "processed fairly and lawfully". Under "Definitions" in Article 2, "processing" includes the collection of the data. In a communication from the Commission but not elsewhere there is a statement that the provision for obtaining data fairly would exclude the use of data collected by concealed devices. One of the points that sub-committee E of your Lordships' Select Committee made was that it would be helpful to have a specific definition for this.

Article 7 contains a lengthy list of requirements. It is directed to the principles relating to the processing of data. As sub-committee E stated, such a lengthy list leaves too much room for argument. We refer to that in paragraph 127 of the report.

I advance further the comment that the directive, would be improved if it were simpler in language Article 11 deals with the rules for information to be passed to the data provider at the time of collecting the data. Paragraph 128 of the report states that Article I I contains "a daunting list of six elements". The collection of personal data can arise under many circumstances and in ordinary daily life. For example., when one books a ferry one has to give details of one's passengers and, with younger passengers., their ages, details of one's vehicle, and so forth. For that information to be given lawfully under the directive, the ferry company taking one's booking has to go through that list of elements under Article 11: (a) The purposes of the processing for which the data are intended; (b) the obligatory or voluntary nature of arty reply to the questions to which answers are sought; (c) the consequences for him if he fails to reply; (d) the recipients or categories of recipients of the data; (e) the existence of a right of access to and rectification of the data relating to him; 27 (f) the name and address of the controller and of his representative if any". If the booking for the ferry were being made on the telephone, which is quite likely when one is in a hurry to make one's booking, I fear that time would have run out with British Telecom before all that information could be provided to the ferry company. One can think of a number of examples. We had evidence from British Airways and others on that.

I turn now to a subject that has been raised by several noble Lords, in particular by the noble Lord, Lord Chalfont. I am sorry that he is not in his place now because I wish directly to answer the points that he raised. We commented in our report about instances falling outside Community competence where information of personal data is passed to police authorities; and about the deprivation of personal liberty. The noble Lord, Lord Chalfont, referred to our conclusion in paragraph 116. He also referred to the proposed resolution of the Council under which member states would bind themselves as a matter of international law to apply the principles of the directive to their activities—for example, police, counter-terrorism, intelligence and defence, which are not within Community competence.

We believe that that resolution should form an essential element of any data protection package to be adopted by the Council. The noble Lord, Lord Chalfont, stated that that is a dangerous proposition. He spoke of a Pandora's Box; and of a Trojan horse coming out of Pandora's Box. Quite how a Trojan horse comes out of a Pandora's Box I do not know. The noble Lord spoke of dangers to public security and stated that he was not convinced that the case for such a resolution, had been sufficiently made out.

We received evidence from Liberty of some very serious instances. Paragraph 60 of the report refers to the case of a German woman mistakenly identified as a member of the Baader-Meinhof gang. The evidence was: Over a period of eight years, whenever she went to Italy she got arrested, usually at gunpoint, by the Italian police, usually late at night in her hotel room and dragged to the police station at gunpoint for hours of interrogation. Each time this happened it was admitted a mistake had been made … Although she was able to get this data corrected in Germany, where it originated, she was not able to correct it in Italy, where it had gone to". We were given a number of other instances. I cite two. One relates to a long-serving and loyal employee at Stansted Airport who, five or six years ago, on holiday with his wife, when crossing the border from France into Spain gave a lift to a hitchhiker. It transpired that that hitchhiker may have been a member of the IRA. The consequence upon that employee was quite shattering. Just before Her Majesty the Queen was to visit Stansted Airport, his house was raided early in the morning. He was taken for interrogation by the police for the remainder of that day. Goods in his house were seized and examined by the police.

Another example relates to an English family on holiday in Portugal. The man was mistaken for a terrorist. There were were two young boys and his wife with him. The family were all bundled into a police car at gunpoint. I believe that it is right to say that it was 28 three days before his liberty was returned to him and his holiday resumed. It was not perhaps a holiday that he and his family were able to enjoy any longer.

I suggest to noble Lords that those are examples, as the committee believed, to which attention should be paid. Perhaps I may say to the noble Lord, Lord Chalfont, in his absence from his place, that perhaps he was rather overstating the case when he referred to fears of damage to public security. There was one simple remedy available in all these cases the right to correct inaccurate information. It seems to me that that is in the public interest as well as in the interest of the individual. It can hardly be in the public interest for innocent citizens to be arrested at gunpoint and for the time of the public authorities to be taken up in interrogating them when there would be no grounds for this if the information had been correctly recorded in the personal data held by the state authorities.

In conclusion, perhaps I may refer to personal data which is particularly personal to me. I refer to my name. For the past three or four years I have read newspaper articles which state that "Hacking must be banned". My noble friends on the sub-committee were very sensitive about the matter. At no time in the report did they ever refer either to a "hacker" or "hacking", except to allow me to sign my name at the end of the report. Perhaps I may ask my noble friend on the Front Bench to assume that same sensitivity.

Viscount Chelmsford

My Lords, in 1984 I was an employer. As the director of my company, I was charged with implementing the 1984 Data Protection Act. What I state today is clearly influenced by that experience.

We had then some 3,000 terminals across the UK and a culture of significant employee discretion. If one is to implement that Act, how does one achieve an effective system which controls what employees put into the terminals? One can write all the standard instructions one wishes but there is no way of stopping them from using the terminal for their own ends. Yet the Act holds the controller responsible for all personal data, processed by equipment automatically and which relates to a living individual". Elsewhere, the Act states: Personal data held for any purpose … shall not be kept for longer than is necessary for that purpose". To the extent that such data are held by a department charged with the responsibility, that is fairly easily handled. But to the extent that the odd item exists within the rest of the 3,000 terminals, how does one find it to extract it? And what is the cost of searching for what will certainly be less than 1 per cent. of any one individual annual computer file?

At that time, colleagues told me to stop worrying about what was impossible. From one point of view they were correct there has been no problem to my company since. But from another point of view surely they were wrong, because we should not have legislation which we cannot implement properly.

The EC amended draft directive is even more onerous to employers in this area than the 1984 Act, and 29 thus I must be strongly supportive of the extra tolerance arid common sense in the Select Committee report. I agree with it that registration does not seem to be necessary. I support the statement that the requirements to provide information to the data subject when data are collected should be substantially reduced. In fact, I go much further. Why do we need to include the word "collection" within the definition of "processing"? Surely, it is the dissemination of collected data that causes the anxiety to individuals. Anyway, from what source can the data first be collected except from the individual himself or herself? Incidentally, the UK Act does not include the word "collection" in the definition of processing.

I now turn to Article 6, but not those articles already quoted. I refer to Article 6(e), which follows the UK and requires personal data, to be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes in view There are two points here. Of course, companies can do this formally through their personnel departments. However, for example, take negotiations for hire and fire the more important the person being hired or fired, the more the senior company leaders will wish to be involved. They will have notes, letters and files which are informal, untidy and unstructured. Frequently those leaders will resent and try to prevent giving up those papers to some department which is charged with the responsibility for formal filing. They will say that the papers are too confidential to be released.

Up to now, that has not mattered because the files have been manual. But as computer-literate people become our leaders—which is increasingly happening now—that will change. There is a strong probability that such informal files will still be undestroyed long after Article 6(e) says that they are unnecessary.

The second point here has already been touched on by one of the Select Committee witnesses. An exception in Article 6(e) is "stored for historical use". How does one know what will become historical? Personally I am rather fortunate, I find that, having retired, I hold papers on two senior hires in 1979. I am fortunate because, since I hired them, both have risen to even greater things with the company. So the existence of those papers today can be said clearly to form part of company history.

However, by 1980, a year after I had hired the individuals in question, those papers were no longer needed for the purpose for which they were originally created. Had the Data Protection Act been enforced, had it applied to manual files and had I obeyed it, I should have destroyed those papers. Today, we would see that as a great shame.

I cannot understand why either the UK or the EC needs to focus so much on "collection". I repeat my belief that legislation should focus on the area of most concern the dissemination of the data after they are collected. Nor do I think that I can agree with the Select Committee's suggestion that legislation should be extended to manual data. The CBI view has been well put already, but I point out that there is one extra point which the CBI made in its most recent briefing paper. It is that, despite the "no retroactive files" proposal, there 30 is still a great cost to checking the accuracy of past manual data. The CBI points out also that the need for legislation was born from the ability of computers to manipulate data in a manner not possible manually.

I now turn to the EC proposals for dissemination. I suggest that the following comments appear to be less important than those that I have already made, but surely, there must be something about us that we would be happy to see passed on to others without the need for our formal permission.

Good hotels note that we like wide beds and cornflakes for breakfast. Do they really need our consent before they tell other hotels? Can an EC country demand the particulars of my passport without my consent? Perhaps it can claim a special exemption, as proclaimed by a political body. Is my date of birth really that emotive? Are we to understand that, under Article 8, without my special consent no one may be told that my religion is Church of England? Should I really be required to give my consent before information concerning my medical condition can pass between my specialist and my GP?

I note, incidentally, that the UK 1984 Act is far more tolerant in this area. Part IV exemptions extend broadly to data for payrolls and accounts, for recreational purposes, for clubs and associations, for back-up purposes and for educational and/or examination purposes. All those are included, always provided that the data are used only for their authorised purpose.

Article 17 of the amended EC directive states that: controllers must take appropriate measures to protect personal data against unauthorised disclosure or any other unauthorised form of processing". I think that this may be another extension beyond UK common law. I have always understood that it is a legitimate defence for an employer to claim unauthorised actions by an employee where—and only where—it can be shown that the latter acted in contradiction of written standing instructions. A colleague of mine had oversight responsibility for staff in another location which he visited unexpectedly. Not only was the manager absent, but my colleague found to his concern that the staff now had a 12-month computerised record of the manager's absences, and had extended it to include the time taken in his lunch break when he was not absent. The manager was dismissed. The date was prior to 1984, but, if it had been after the Act, I wonder what remedy this grossly negligent manager would have had against his employer for incorrect use of personal data. I repeat that there seems to me to be no way in which employers can control what their employees choose to hold on their terminals.

Article 19 at least refers to simplification measures and the Select Committee calls for simplification in several places. I hope that my comments will add fresh impetus to such statements. I also hope that the Government will look hard at their existing legislation and temper it to be more workable for employers.

Finally, perhaps I may say that, while I quite understand the motives behind the data protection legislation, I remain convinced that the final collapse of civilisation will not be due to any series of nuclear explosions but rather to man's increasing efforts to 31 obtain total fairness for all people at all times. This leads to so much effort being spent on protection of the individual that there will soon be insufficient people and insufficient money to promote the wealth creation needed to pay for it. The problem, of course, is one small extra needle in the whole haystack of costs. But I think that that needle could be much smaller still if the EC and the UK cut out some of the frills surrounding the existing and potential legislation.

§ Lord Holme of Cheltenham

My Lords, I join other noble Lords in thanking the noble and learned Lord, Lord Slynn, for his report and his introduction of the short debate this afternoon. I now have the honour to be a member of sub-committee E, but I was not so at the relevant time and was in no way involved in the production of the report. That means that, unlike the noble Baroness, Lady Elles, and the noble Lord, Lord Hacking, I cannot bask in the reflected glory of the admirable report. However, equally, I suppose that it allows me to sound one or two critical notes which would be more difficult had I been a member of the committee at the relevant time.

One theme throughout the debate this afternoon—the noble Baroness, Lady Elles, first introduced it, but other noble Lords also referred to it—has been the need for a balance between personal privacy on the one hand and freedom of information and a free press on the other. That balance is more difficult constitutionally for this country because we have no specific constitutional guarantees, for instance, of a free press, of incorporation of the European Convention on Human Rights into domestic law, or of a freedom of information Act. On the other side of the equation, when it comes to privacy it is worth reflecting upon how much one can do, as it were, by the back door through data protection and how much needs to be done by the front door. It may be interesting when the noble Earl replies to the debate to know what are the Government's latest intentions on privacy legislation.

I have admitted to having concerns. Perhaps I may take a moment or two of your Lordships' time to talk about them. My first relates to journalism in the press, in television and in the media generally. I am sure that the Select Committee was right to seek a looser directive; but, wrongly in my view, it came down against any special exemptions for the media. Paragraphs 142 to 144 on page 39 deal with that.

Two dangers arise. First, a number of provisions may remain which, even in the context of a looser directive, would make the journalist's job more difficult. Second, comments upon media exemption could be taken and used out of the context of a revised directive.

I take the two issues of informed consent, and specially sensitive data. On the question of informed consent, dealt with in paragraphs 127–130, it is stated that the data subject should be informed before his data is disclosed to a third party. It means, for instance, that before including information on anyone in a television programme, that person would have to be informed of the intention to include him. For a news programme that 32 would be clearly impractical. In documentaries the normal practice is to ask people to respond to criticism made of them or of their activities, and that is covered in the ITC code. But there may be many people covered in passing in programmes. I wonder if it really is our wish that anyone referred to in a programme, however fleetingly, would have to be informed before the programme was transmitted. I wonder what useful purpose that would serve. It would certainly increase the costs of the bureaucracy of programme-making; and it would certainly add to the risk of injunctions attempting to delay broadcast. Documentaries are already an endangered species on British television. We do not want to take any risks that might lead to their being killed off.

I turn to the question of specially sensitive data. As noble Lords know, this refers to information on racial origin, political opinions, religious beliefs, health or sexual life, and says that processing such information cannot be carried out without the express consent of the data subject. Mercifully, the committee says that information already in the public domain is excluded from the clause. In other words, a television company would not have to get Mr. Major's express consent to be able to report that he is a member of the Conservative Party. However, there are frequent occasions when someone's political opinions or support for a particular religious group, for example, are not in the public domain but are, rightly, of significant public interest. Let us take, for example, a possible investigative programme into the rise of the BNP in east London. A free press should surely be allowed to report that. I understand from the Government's response that they believe that there should be exemptions or derogations for the media. I should again be interested to hear from the noble Earl, when he replies, on this specific concern.

As well as the balance between privacy and freedom of expression, there is another balance to be struck, referred to by the noble Lord, Lord Renwick. It is the balance between costs and benefits. That is an extremely important point. As the noble Lord rightly said, the benefits are those for the individual and, I believe one could also argue, for the public as a whole—for the general public interest. But in practice the costs will fall on government and particularly on companies, industries and associations of one sort or another. I am sure that, as the CBI very reasonably pointed out, and as the report says in paragraphs 148 and 149, we need more reliable figures of likely costs to data users before a decision is taken on the directive as a whole.

Finally, I come to a question which I do not believe noble Lords have so far addressed; namely, codes of conduct. There may be a case for subsidiarity and minimalism, as the noble Lords, Lord Reay and Lord Chalfont, so eloquently pointed out; or there may be the rather more comprehensive case for the protection of privacy which we would favour on these Benches, in line generally with the recommendations of the committee. Either way, there is a need for codes of conduct. Those codes should be devised sectorally. I do not agree with the noble Lord, Lord Chalfont, when he speculates that there is not much of a pan-European element in data use. Increasingly, in industries such as 33 insurance, financial services, advertising and direct mail marketing, and in charities and NGOs for that matter, there is pan-European manipulation and use of data—perhaps only 10 per cent., but a growing proportion. Account has to be taken of that. But whatever the letter of the directive and the letter of the law locally, I am certain that we should be looking to sectoral codes of conduct to make sure that we have wholehearted action rather than reluctant compliance with the law.

§ Lord McIntosh of Haringey

My Lords, I join with other noble Lords in thanking the noble and learned Lord, Lord Slynn of Hadley, and his colleagues for this excellent report. Indeed I congratulate them. I do not often find myself in quite the position that I am in today. Very often the debates on the European Communities Committee reports are full of adulation of the committee and I find myself, perhaps for psychological reasons which do me no credit, expressing disagreement at the end. On this occasion I have listened to a whole series of speakers, some of whom have made quite severe criticisms of the committee's report. At the end of this exercise, I find myself even more strongly in support of the committee's recommendations than I did when I read the report, the evidence and the appendices over the weekend.

Data protection sounds like a dry subject, but that is a misnomer. We ought to look at this issue in the light of the fact that data protection is a special case of freedom of information. That point was helpfully and wisely made by the noble Lord, Lord Holme of Cheltenham. Unless we look at data protection as being the means by which we provide the proper balance between freedom of information and privacy in our society, first, we shall not understand the importance of data protection and, secondly, we are likely to be tempted to make the wrong judgments.

As I listened to the debate speaker after speaker in effect spoke on behalf of the users—namely, those who produce the data. It is our role, and the role of the party to which I belong, to speak on behalf of the data subjects, the punters. I believe that it is their interests above all that data protection legislation and freedom of information legislation is there to protect. Noble Lords who have spoken with great eloquence and great sincerity, not on behalf of the CBI, but who have expressed views which are shared by the CBI, and those who have spoken, for example, of the interests of the intelligence community, will forgive me if I do not pursue in detail the arguments that they have made. The report raises greater issues than the issues of the cost of collection of individual items of commercial data.

In trying to draw attention to those issues I should like to take as my theme the way in which the noble and learned Lord himself introduced his report. There is only one point where I find myself in disagreement with it. He argued, and the Government supported the argument, in favour of a simpler and less restrictive directive. We should remember that a less restrictive directive is almost by definition less protective in regard to the data subject. Unless it is shown far more clearly that there is no need for the detail into which the 34 directive goes for the purposes of protecting the individual, then the arguments for a less restrictive directive need to be examined more carefully. However, the report goes into a great deal of helpful detail in that regard.

Secondly, the noble and learned Lord next raised the issue of manual data. I agree strongly with the committee that the inclusion of manual data is the right step to take. I was involved in the debates on the Data Protection Act 1984. One of the points that we made as powerfully as we could was that the elimination of manual data was illogical in terms of the purposes of data protection. Manual data are data. The way in which they are collected is neither here nor there. Data protection legislation is not required because of an increase in power relating to information technology; it is required because people have records about us which they can use to our disadvantage. We should be entitled to stop them and correct them.

The noble Lord, Lord Hacking, put his finger on the point when he spoke of the need and ability of the data subject to be able to correct errors in the data collected. The committee made a proper recommendation that the inclusion of manual data should not be retroactive. We would indeed be into collecting tens of millions of records if we were to make it retroactive. The committee also proposed some safeguards for data users which seem to me to be entirely sensible.

Thirdly, I agree strongly with the committee that the distinction between public and private data should not be sustained. In that regard the committee agrees with the directive. The most powerful argument for that is that in 1993 there is no longer a hard and fast distinction between private and public. What are we to make of those bodies like the Next Steps agencies which are not subject to parliamentary scrutiny in the sense that Ministers answer for them, yet they are funded by public money? There is now a whole spectrum running from private to public and it is no longer possible to make a clear distinction. Such a distinction should not be attempted in data protection legislation.

The committee recommends, and I believe rightly, that the demand for disclosure should continue to be based on express consent. It makes the wise proviso that the express consent need not be in writing. It would be found that most of the objections raised on behalf of industry and commerce would be dealt with if the express but not necessarily written formula were used.

The committee's support of the "fair obtaining" provisions in the directive is extremely valuable. In particular it is valuable because its implication is that bugging, telephone tapping and so forth would be covered and outlawed by data protection legislation. I know that the Government have other proposals on that which we may or may not see in the coming Session. If the noble Earl in his response were able to be sufficiently indiscreet to indicate what may happen in the next Session, that would of course be helpful. However, I do not expect it. Clearly the inclusion in data protection legislation of the fair obtaining provisions is a start for the safeguards we need against unfair obtaining of information.

35 The sixth point made by the committee and by the noble and learned Lord in his introduction is perhaps the most important of all and one that drew a great deal of attention in the debate. I refer to the question of whether the directive and data protection legislation generally should cover matters outside the Community competence. What is meant by that—they are matters to which the noble Baroness, Lady Park, referred—are matters of defence, intelligence, justice and so forth. The noble Lord, Lord Chalfont, regarded as dangerous any suggestion that they should be included in data protection legislation. In other words, he regarded that as a dangerous path to take in freedom of information legislation.

There are dangers. There are dangers which we have seen most recently in the Matrix Churchill case which has given rise to the Scott Inquiry. Under British law at present, where Ministers consider that there is an issue of national security, without any argument to the contrary or knowledge of the reasons, it is possible for them to declare it to be a matter of national security and thus exclude it from the purview of the law. Ministers attempted to do that by a certificate of immunity in the Matrix Churchill case which, if it had not been overturned by a judge, would have resulted in a gross injustice to three executives. I must be careful in what I say while the Scott Inquiry is still sitting. But those executives believed themselves to be acting in accordance with government policy as it had been communicated to them.

I suggest to the House that unless data protection and freedom of information legislation covers those matters, and unless those who are responsible for them are capable of being brought to account by the legislation, we will not be doing our job. In all sincerity I suggest to the noble Viscount, Lord Chelmsford, who doubted that it was a threat to him if personal information on him was held by other people, that it is all very well for him; it is all very well for me. It is all very well for white middle class and middle-aged males who are Members of the House of Lords. But ask my children and their friends what it is like to be a young black person on the streets of London today; being hauled into police stations for any or no reason whatever or finding themselves subjected to scrutiny on a profile held on the police national computer to which they have no access, which they have no way of correcting and from which they have no protection. If it is to mean anything, data protection must mean the protection of the individual from the unjustified, uncontrolled and undemocratic power of the state.

§ Lord Chalfont

My Lords, perhaps the noble Lord will give way. I do not want to interrupt him in the middle of his argument. Would he suggest that the files of intelligence agencies, the police and so forth should be opened to inspection by data subjects?

§ Lord McIntosh of Haringey

My Lords, I was about to declare my support for the view taken by the committee and which was proposed to it by Liberty that the files should be open to inspection by the data 36 registrar. I believe that that would be a first and important step in providing accountability for those secret files.

I have heard the directive criticised for being complicated and imprecise. It takes up the right hand columns—half a page—of 30 pages. It seems to me to be expressed in clear, normally uncontroversial terms. It is short, simple and effective. I believe that the case for a directive of this kind, covering more than one country of the European, Community, has been well made. The agreement of your Lordships' committee with the thrust of that directive is a valuable move in the direction of greater freedom of information and protection of the privacy of the individual.

Earl Ferrers

My Lords, as one would have imagined, this has been an interesting debate. One of the things that has come out of it quite clearly is that the holiday has done the noble Lord, Lord McIntosh of Haringey, a great deal of good. He asked whether I would be indiscreet enough to tell him what would appear in the legislation next year. I can assure the noble Lord that I shall not be indiscreet enough as to say that but there will be plenty in it on which he can have cause to congratulate the Government.

The subject of data and data protection has a somewhat ethereal ring about it, and the size of the report of the committee of the noble and learned Lord, Lord Slynn, is in direct proportion to the complexity of the subject. I must say I admire—and I respect—the assiduity with which the committee has tackled its task. The House will be grateful to it for the work which it did in preparing the report and indeed to the noble and learned Lord, Lord Slynn, for giving us the opportunity to discuss it today.

Data protection is a subject which we debate only infrequently in your Lordships' House, but it is one which affects all of us as individuals. Not many, however, are affected as is my noble friend Lord Hacking. He was fussed about the way in which the word "hacking" is used. He said he hoped that the Government would be a little more sensitive. I would only tell him that "hacking" is bad when it is a verb; "hacking" is bad when it is an adjective, as in hacking cough; but Hacking is good when it is a noun, usually when it refers to my noble friend Lord Hacking.

We are all the subjects of the collection of information, information which is held by some organisation or another. Our banks; our insurance companies; the charities which we support; and, dare one say it, the tax man—they all have a legitimate need to hold information about us. This need, of course, extends right across the public, private and voluntary sectors. It covers every area of human activity. Throughout history, societies have always needed to hold some information about the people who live and work in them. No society would function efficiently without information about its members.

Even the ancient Romans held personal information for the purpose of tax collection—and I dare say that Matthew did too before sainthood overtook him. Maybe it is because of the records which were collected in 37 Domesday Book that the Normans were such efficient rulers. So the collection of personal data is as old as society itself. It may not be the oldest profession, but it is one of the oldest habits.

However, the concept of data protection is of course relatively new. The last 20 or 30 years or so have seen huge development; in computer technology. In the public perception—and indeed it is a perception which I am bound to say that I share—computers appear to have almost limitless powers to manipulate data in any way in which they wish and to do so at great speed, and of course the public have to be protected.

Computers are undoubtedly a wonderful innovation. But every advantage carries with it a disadvantage, and computers retain the capacity for misuse and for abuse of the information which they hold. And of course it is in order to guard against the misuse of computerised information about individuals that data protection laws have been introduced.

As my noble friend Lady Elles reminded us, our own law—the Data Protection Act 1984—was introduced in response to the Council of Europe's Convention on Data Protection, which was produced in 1981. The convention lays down a set of standards for the protection of computerised personal data. Those standards balance the need—a need to which a number of noble Lords have referred—on the one hand, to protect individuals against the misuse of information which is held about them, with the need, on the other hand, to use information for legitimate purposes. The convention gives the individual the confidence to know that his personal information is being properly protected. At the same time, it endeavours not to hamper unnecessarily the proper conduct of business life or of public administration. In other words, the convention tries to get the protection of data about right.

The 1984 Act is closely modelled on the convention and, because of that, the United Kingdom was able to ratify the convention in 1987. By 1990, several of our partners in the European Community had also ratified the convention—but a number of them had not. It is obviously desirable that there should be a consistent level of data protection throughout the Community if free trade is to be properly and fairly carried out between the 12 member states—otherwise those countries which do have data protection laws would be reluctant to pass data to those countries which do not. And countries which do not have adequate data protection might attract business at the expense of those countries where data are properly protected. Therefore there has to be a community of effort.

The European Commission therefore decided to bring forward its own proposals for harmonising data protection laws throughout the Community. In 1990 it published its draft directive on data protection along with a number of other associated instruments. I do not propose to go into the history of the development of the directive since its publication. But the important point is that the first draft of the directive was very heavily criticised. The Commission then brought forward a revised version—a Mark 2—which is still under negotiation in Brussels. Meanwhile, all but two member states have now ratified the convention.

38 The directive, as of course has been mentioned by a number of noble Lords, is a much more intrusive instrument than is the convention. Not only is its scope much wider, since it would apply to manual as well as to computerised data, but it is also much more detailed. It concerns itself with many points of detail which the convention leaves to member states to determine for themselves. For example, it sets very tight criteria on the processing of health and other sensitive data. It requires large amounts of information to be provided to people from whom personal data are collected. And it give countries no option other than to have a system for the registration of data users.

All this means that the directive, as drafted, does not satisfy the principles of subsidiarity—that wonderful word which your Lordships may remember occurred on a number of occasions during the summer and about which we all became so excited.

The requirements of the directive would make member states go far beyond the requirements which are necessary to achieve the stated purpose of enabling personal data to flow freely within the Community in the interest of the single market. And, in the view of the Government, those requirements which are justifiable are far too complex and leave inadequate discretion to member states.

It is for this reason, among others, that the Government have very serious reservations about the directive. The noble and learned Lord, Lord Slynn, said that the Government took the view that this is a matter which is more suitable for individual states than for the European Community to decide about. That is not strictly correct. We believe that there must be Community harmony, but in our view the Council of Europe's convention affords an adequate level of data protection. The noble Lord, Lord Chalfont, saw no reason for us to go beyond the Data Protection Act. My noble friend Lord Reay said that in order to achieve the necessary level of harmonisation within the Community no more was needed than to encourage those countries which do not yet have adequate data protection laws to bring them forward and to ratify the convention. That is the view of the Government too. If that were done, in the Government's view—I agree with my noble friend Lord Reay—we would need no directive at all. And the United Kingdom is not alone in having difficulty in finding the directive welcome.

The European Community has been discussing the directive for nearly three years. And it is still a long way from reaching a common position on it. The directive touches every area of human activity. It tries to apply a single set of detailed rules, and to apply them to infinitely varied areas of human endeavour. It thereby inevitably creates a large number of difficulties both of principle and of practice for almost every member state.

Almost without exception, all member states think that significant changes are needed to the directive in order to make it acceptable. The difficulty, though—and in this of course, it does bear a perverse similarity to the arguments about the reform of your Lordships' House—is that everyone agrees that it should be changed but nobody agrees as to how it should be changed. The Select Committee has made a valiant study of the whole 39 of this complex area. I should like to thank the noble and learned Lord, Lord Slynn, and his colleagues for their quite outstanding work. The directive is far from being an easy document to digest and their efforts were not helped by the fact that the Commission decided to change gear in the middle of their deliberations and put forward a revised text of the document when the committee was part of the way through its inquiry.

In the circumstances, and indeed even in normal circumstances, the committee did magnificently and produced a well-reasoned and readable report. My noble friend Lord Hacking referred to Article 6. He said that it was not in very helpful language. I cannot abide indigestible language. One does not have to go to the European Communities directives to find some fairly indigestible language. Sometimes one finds it also in this country in all sorts of curious places. The words in the draft directive broadly affect the principles of good data protection practice which are contained in the convention and which are reflected in United Kingdom law. We are broadly content therefore with those words although we have argued that they should follow the wording of the convention more precisely.

We feel that the committee did a magnificent job and produced a very good report. But after what I may describe as that charming bouquet to the noble and learned Lord, Lord Slynn, I must tell your Lordships that the Government do not agree with the Select Committee in all of its findings. In general—and it is always dangerous to generalise over anything—when the committee disagrees with the directive, we agree with the committee. When it supports the directive we disagree with it but, like Haydn, there are variations on that particular theme.

We share the Select Committee's view—it is one which the noble and learned Lord, Lord Slynn, emphasised today—that in some respects the directive should be made more simple and less prescriptive. But the Government's own proposals for the modification of the directive, if there is one, go far beyond those which are recommended by the Select Committee. The noble and learned Lord said that the committee accepts the need for a directive, and the noble Lord, Lord McIntosh, said the same. The Government do not share that enthusiasm. My noble friend Lady Elles asked what opportunities would there be to debate the new directive before it is adopted by Parliament. The original version of the directive was debated in another place when it first appeared. This debate is an opportunity for the House to consider the present version. I understand that the Select Committee of another place decided that there was no legal or political reason for further debate in that House. That is a matter for them.

No doubt your Lordships have already seen the Government's response to each of the detailed points in the Select Committee's report, and I shall not attempt to reiterate them all. I would, though, touch on just two important points. First, and most importantly, there is the question of manual data. The Select Committee recommends that manual data should come within the scope of the directive. My noble friend Lord Reay does not want it to do so. The noble Lord, Lord McIntosh, 40 says that he does want it to do so. My noble friend Lord Renwick asked what the Government thought about it. I shall tell him. The Government do not share the committee's enthusiasm about this matter at all. I agree with my noble friend Lord Reay. We believe that the directive should not apply to manual data.

As I mentioned, earlier, manual records have been held since time immemorial. It is only because of the introduction of computers which have the power to manipulate data. at great speed that anxiety about the protection of personal data has been brought about at all. We should ask ourselves—

§ Lord McIntosh of Haringey

My Lords, the Minister has referred again to the fact that manual records have been held since time immemorial. Would he agree that the great virtue of the Domesday Book, to which he did refer, was that it was available to the public and therefore it does not come under any of the censure to which he referred?

Earl Ferrers

My Lords, of course the Domesday Book was of enormous benefit to the public mostly because it was a constant record of what happened years ago. I believe the noble Lord, Lord McIntosh, would also agree that had it not been for the advent of computers, the fuss about data processing would not have come about. Indeed, applying the directive to manual data would actually mean applying a very complicated set of bureaucratic procedures at very great cost and to no significant purpose. Our view is "Don't let us do that".

The Government have conducted a very wide consultation exercise, covering all sectors of activity, about the directive. The great majority of those who replied have had some problem or another with the directive. But the greatest area of difficulty is over manual data. The one change which almost all should like to see made is that manual data should be taken outside the scope of the directive.

Another important issue relates to the way in which the directive requires health and other sensitive data to be dealt with. The directive introduces a particularly tough set of restrictions on the use of these sensitive data. The Select Committee recommends that these restrictions should be eased in some respects. The Government welcome that suggestion, but we do not believe that the Select Committee's recommendations go far enough.

By far the largest single set of replies to the consultation exercise has been about this. Those who responded—namely, doctors, other health service professionals and medical researchers—are all very concerned about the implications that this would have for their work. We in this country have a proud and excellent record of medical research. For instance, important medical advances in what is called epidemiology, have occurred where researchers have been able to link information which has been gathered and stored years before about particular individuals, with the subsequent health records of these people. This helps to identify the contributory factors to health problems.

41 Under the directive, though, it would be necessary to determine the uses to which data can be used at the time when the data are initially stored. It would prevent researchers from using material which had been stored for one purpose, for research which had not been identified at the time when the data were stored unless the researchers were to contact each individual. That would clearly be an absurdity.

For example, if researchers wanted to survey the population to see whether cancer was prevalent in particular areas, they would have to write to everyone whose record they planned to look at and they would have to get their consent in writing. I believe that most of your Lordships would think that that was wildly impractical and simply was not on. In addition, much of the information which could be available to researchers would, under the directive, be not now available as there would be a requirement to destroy the data once the purposes for which the data had been collected had been accomplished. But some of the possible side-effects of some drugs—and one thinks, for example, of the early contraceptive pills and drugs which are taken during pregnancy—are often not apparent for many years.

If access to these data were to be prevented, or if the data were not to be preserved at all, the consequences for individual and public health would be very serious indeed. The directive would also make it very much more difficult to manage the health service effectively—and Heaven help us from adding to these problems.

The restrictions on the use of medical data would impose severe additional bureaucratic burdens on doctors and health service managers. The cost of running the health service would increase enormously. Resources which should be devoted to patient care would need to go into bureaucracy—and Heaven help us from that too.

The directive would actually prohibit the use of administrative procedures which have been used in connection with the treatment of millions of patients in the health service over many years. Substantial changes will be needed to the directive if these important and legitimate anxieties are to be met. In our view, provided that the general level of data protection is satisfactory (and we believe that it is in this country) it is questionable whether any special provisions are needed for sensitive data at all. The noble and learned Lord, Lord Slynn, referred to the fact that the directive would be retroactive. I believe that the noble Lord, Lord McIntosh, did not want that.

§ Lord McIntosh of Haringey

No!

Earl Ferrers

My Lords, I am wrong. The noble Lord did. I am sorry. I must remember to write the word "not" in the appropriate place in my notes.

We have been concerned about this matter. In our view the Commission wrongly believe that it is not possible to run an effective data protection regime under the directive unless that directive applies to all existing data. Here I believe that I can agree with the noble Lord, Lord McIntosh, although I hesitate to do so in case he says that I have got it wrong again. I believe that the provision would impose very heavy burdens on very many organisations. For example, the Law Society 42 holds data going back for over 100 years and the directive would apply to that data. The noble and learned Lord, Lord Slynn, will know the Law Society well. It would have to register data, state the purposes for which they were held, and so on. It is clearly ridiculous for all these bureaucratic provisions to be applied to this data.

My noble friend Lord Reay was concerned that the directive does not allow employers to hold records of employees' criminal convictions. He thought that it should. The position is that the directive restricts those organisations which may hold criminal convictions data. It excludes the holding of such data by employers but allows member states to provide exceptions to that general restriction. One exception could be for employers.

My noble friend Lord Reay was also anxious about costs. The United Kingdom has consistently argued that the directive would add major costs to many areas in both the private and public sectors. We have argued that the Community must address those factors before negotiations on the directive are concluded. So far, there has been no comprehensive fiche d'impact, and we believe that there should be one. It is difficult and costly to produce accurate figures for the costs of the directive. The Commission has not even attempted any costing, but some information is available on the basis of which some estimates can be made. It is estimated that in the banking sector alone, for example, the directive would mean initial costs of £80 million to £100 million, with annual running costs of between £60 million and £100 million. We estimate that the cost for the public sector would be similarly high. Economists in the Department of Health are working out how much the directive would cost the National Health Service.

The noble Lord, Lord Chalfont, was concerned about third parties. The directive defines "third party" very broadly. In effect, it is anybody other than the data subject, the data controller and anybody authorised to process data directly for him. Some respondents to our consultation think that that is too broad. It would mean, for example, that companies within the same group could be third parties. That would mean that they would have to meet the bureaucratic requirements of the directive before they could pass data to each other. We are pressing for a much narrower definition.

My noble friend Lord Renwick was anxious about transborder data flows. The convention provides for the free flow of data between convention countries unless the level of protection is not equivalent in any other country. United Kingdom law reflects the provision by giving the Data Protection Registrar the power to prohibit the transfer of data in those circumstances. The Select Committee broadly endorses that approach, making the point that the transfer should always be permissible with the informed consent of the data subject. We agree.

I recognise the anxiety of my noble friend Lord Chelmsford on the occasional need to keep data for extended periods. I think that we have got the balance right on this in United Kingdom law; but we are not satisfied that the directive would have the same effect. 43 I have already referred to the problems in the area of medical research, and we are seeking to modify the directive to reflect those anxieties.

The noble Lord, Lord Holme of Cheltenham, was concerned about privacy. He will be aware of the consultative document on privacy law that was recently published by my noble and learned friend the Lord Chancellor. The Government have asked for comments by 15th October on the possibility of a new privacy tort. In the light of the responses to that exercise, we shall indicate our intentions on this matter and on the related question of the behaviour of the press which was raised by the reports by Sir David Calcutt and the Select Committee on National Heritage.

As the noble Lord, Lord Chalfont, would expect, I am glad that he agrees with the view of the Home Office that data affecting national security should be exempt from the obligations in the directive, especially those requiring disclosure for the data subject. That is entirely right. I like to think that our representations were correct, and I am glad that the noble Lord agrees with them.

This is a complicated and technical area. It is one to which the noble and learned Lord, Lord Slynn of Hadley, and his committee have directed their minds to the great benefit of the rest of us. We appreciate all that they have done. The Government agree with much of what the committee suggests, but not with it all. With that happy compromise, if I might say so, I thank the noble and learned Lord and his committee for the substantial and public work which they have undertaken and for the masterly report which they have provided. Ideally, the Government would like to see the directive abandoned. I know that that would please my noble friend Lord Reay, and in this I know that we would part company with the Select Committee. We do, though, agree with the committee that if there is to be a directive, then some changes—and very substantial changes—are essential. We shall continue to argue within the European Community for the improvement of the directive—and we shall not be alone in that. I can assure your Lordships that the Government will study carefully all the points that have been made in today's debate as we proceed with the negotiations on this draft directive.

§ Lord Slynn of Hadley

My Lords, I opened the debate by saying that this is a subject that is both important and complex and that some of the issues raised by the directive are controversial. The debate which has followed has established each of those three adjectives. I am most grateful to all noble Lords who have participated and attended the debate and I thank the noble Earl for his reply. I am grateful, on behalf of my committee, for the nice things that have been said about the report, but that does not mean that I do not appreciate the criticisms that have been made of it. The object of the exercise was to allow those various important issues to be raised. In the light of the Minister's robust if not total rejection of the recommendations of the report, I take some comfort from the fact that I read this morning that the 44 Confederation of British Industry welcomed our detailed and balanced conclusions, subject to one or two points on which it obviously disagreed.

It would be inappropriate for me now to reply to all of the various criticisms that have been made. The answer to those criticisms is to be found in the report itself, to which I direct your Lordships' attention. I should, however, like to make three short points. First, our object was to seek a balance between the data user and the data subject, between freedom of information and the right to privacy. It was inevitable in reaching a conclusion that some of your Lordships would fall on one side of the balance and some on the other.

On the question of whether there should be a directive at all, I should like to mention two matters. The Data Registrar, who might be thought to have some experience in these matters, told us in his evidence: 1 think you would need at least a Directive which set in place this mechanism"— that is the mechanism of the convention— of ensuring there was commonality between approaches and, having gone that far, perhaps it is worth getting a commonality through the directive". We have also received evidence from the CBI stating that although the convention was perhaps the better document, We believe that a directive is the only means of achieving such implemention". My second point relates to manually recorded data. That has been a difficult question. With respect to the noble Earl the Minister, the committee did not express enthusiasm for the inclusion of manually recorded data. We looked at existing British legislation; we looked at the convention and we considered what, on balance, was the proper course. We had to fall off on one side of the line and we fell off in favour of including manually recorded data. With great respect to the noble Earl, I do not think that I can detect a great deal of enthusiasm in that paragraph of the report—rather, there is informed resignation.

Finally, the noble Lord, Lord Hacking, referred to the importance of protecting people who move around the Community from the use of inaccurate and wrongful information suggesting a past criminal record. With great respect to the noble Lord, Lord Chalfont, I do not think that that aspect can be brushed aside quite so firmly or so easily—I use the word "easily" in a non-pejorative sense—as he would do. As the noble Lord, Lord Hacking, pointed out, there have been some serious cases requiring serious attention.

Having said that, I shall not do what I said I would not do and reply to all the other criticisms. I merely refer your Lordships to the report. I hope that what we have done has at least provoked and will continue to provoke a certain amount of discussion.