§ 3.16 pm.
§ Lord Williams of MostynMy Lords, I beg to move that this Bill be now read a second time.
I recognise that data protection does not sound like a subject to attract obsessive interest; witness the general exodus from your Lordships' House as I start to introduce this Second Reading. Data protection is redolent in many ways of computers and electronic processing: necessary but essentially technical providers of services. In fact it affects our well-being in a much more general way. It shares common ground to that extent with the Human Rights Bill. That Bill will improve the position of citizens of this country by enabling them to rely on the wide range of civil and political rights contained in the European Convention on Human Rights. Those rights include the right to respect for private and family life. The Data Protection Bill also concerns privacy, albeit a specific form of privacy: personal information privacy. The subject matter of the Bill is, therefore, inherently important to our general social welfare.
The scope of the Bill is also a measure of its importance. We inhabit the information age. Information can be gathered, manipulated and disseminated more quickly now than ever in our history. Much of that information is information about individuals. I doubt whether there is a single individual in our country about whom some organisation or another does not have some personal details on record. This Bill is about those individuals and their secrets. It is also about those organisations. It affects virtually every organisation which holds personal information—organisations providing public services, meeting the needs of business customers, and carrying out charitable and other voluntary activities. The Bill seeks to regulate appropriately the way in which organisations collect and use information about individual people who in the jargon of our day are called "data subjects".
We have had data protection law in this country since 1984. The 1984 Act was based on the 1981 Council of Europe Convention on Data Protection. The 1984 Act enabled us to ratify that convention, which we did in 1987. The purpose of the convention was twofold: to protect individuals' privacy in relation to the processing of their data; and, in doing so, to allow personal data to flow freely among the ratifying states in the interests of trade promotion.
The promotion of trade with our European colleagues is, of course, an objective of the single market within the European Union. By 1990, some, but not all, of our 437 EU partners had introduced data protection laws. With the impending introduction of the single market the European Commission decided that a Union-wide approach was essential and introduced a draft data protection directive. Its purpose was to establish common standards of data protection, first, to enhance individuals' personal information privacy and, secondly, to provide a sound basis to permit the free flow of personal data within the single market.
The directive was adopted on 24th October 1995. Member states were given three years from that date to bring it into national law. The pressing purpose of this Bill is to fulfil our obligations by October of this year.
Some organisations using personal data have expressed concerns about the consequences of the directive. They believe that there will be increased costs and therefore adverse effects on viability. Equally, those organisations which cherish and represent individuals' interests welcome the directive since its aim is to establish appropriate levels of protection for individuals' information. In drawing up the Bill we have to give effect and balanced consideration to those two aspects. We want to give proper effect to the directive while recognising the necessity for organisations to hold information about individuals and, equally, individuals' entitlement to have information about them—their information—handled properly. The Bill therefore includes additional protection for individuals. But we wish to ensure as far as humanly possible that the methods of regulation are truly proportionate to the appropriate circumstances and attend to real protection rather than procedure for its own sake.
It is probably asking too much to expect a Bill of this size to be wholly uncontroversial. To a large extent this is a technical measure, but that is our work. The subject matter is particularly intricate. We may not always have got things absolutely right. Within the constraints imposed by the directive and the general approach that we suggest, we wish to be as open-minded as we can to any suggestions to improve the Bill. The brief discussions that I have had with the noble Viscount, Lord Astor, indicate that he also intends to follow that course. There are difficult technical intricacies and a co-operative effort is likely to produce a better-finished Bill in your Lordships' House.
Like the Data Protection Act 1984, the principles of data protection comprise a central element of the regime that we suggest. They provide a kind of statutory code of practice relating to good data protection handling with which all personal information users—known in the Bill as data controllers—will have to comply. They are to be found in Schedule 1. The Bill contains eight principles relating to matters such as the need to process personal data fairly and lawfully; for data to be processed for specified purposes; for them to be accurate; and for there to be proper security arrangements. All of the 1984 Act principles are broadly reproduced, although not in precisely the same phraseology, and we have added a further one to deal with the transfer of data to third countries.
438 There are two other key concepts. The Bill is built around the concept of processing personal data. Essentially, "personal data" means information from which a living person can be identified and "processing" means doing anything at all with such data, from collecting them, right through to destroying them. including merely the holding of the data whether or not anything active is done with them. I single out these expressions from the list of definitions in Clause 1 because they are fundamental to the working of the Bill. One further relevant definition is "relevant filing system". Unlike the 1984 Act, the directive requires the application of data protection law to certain categories of manual record, not simply computer, and this is the definition of the records covered.
This is a difficult area. Some take the strong view. which I recognise and respect, that the Bill should spell out clearly which categories of record are caught. We are presently unable to find a satisfactory way of doing that. It would have been possible had we been able to limit it to manual records in highly structured systems such as card indexes, but that would not have properly met the requirements of the directive. At the other end of the scale, we could have extended the scope to cover all paper records. I do not believe that that would have been generally welcomed or that it would necessarily have achieved a proper balance between the protection of the individual and the imposition of burdens on information users. In the event, we have followed the approach adopted by the directive. The criteria are: that the records must be in a structured set; that the structure must be by reference to individuals; and that particular data relating to particular individuals must be easy of access. We believe that this brings in highly structured sets such as card index systems and excludes collections of papers which only incidentally contain information about individuals. Whether or not other collections are caught will depend upon whether they meet the criteria, and in the first instance it will be for data controllers themselves to decide.
I have seen the Data Protection Registrar's briefing note on manual records. As I understand it, she believes that the Bill catches a very wide range of manual records. This is not the place to enter into a detailed debate about the construction of words in the Bill, but it is not our intention that the Bill should have the wide effect that she suggests. We do not intend that it should catch files about named individuals where a variety of different kinds of documents is stored by date order. We want to focus on much more highly structured files.
I welcome the registrar's note however. The Government are not wedded to the approach that I have outlined. We are perfectly open to all reasonable proposals to improve the Bill. If the view of the House is that the Bill does not go far enough that is a matter that the Government will consider. But such an extension of the coverage of the Bill would not be without cost and that cost could be quite considerable.
Clause 2 defines "sensitive personal data". These relate to such matters as race, ethnic origin, political or religious views, health and so forth. Schedule 3 contains restrictions on the circumstances in which such data may be processed. I mention this because special restrictions 439 on such data are new to our law. Clause 3 defines "special purposes," which are journalistic, artistic and literary purposes. The Bill provides a special regime for those purposes because they are special activities, to which I shall return in a moment when I deal with Clause 31.
Clause 4 introduces the data protection principles in Schedule 1 and the associated provisions in Schedules 2 and 3. It places on data controllers the duty to comply with them. The purpose of the directive is to provide a common level of data protection within the Union and other member states of the European Economic Area which will also be bound by it. The directive contains rules which determine which members state's law applies to particular processing. The purpose of Clause 5 is to do precisely that. Its principal effect is that United Kingdom law applies to any processing done in the context of the establishment of an organisation in the United Kingdom. That applies whether or not the processing is actually done in the United Kingdom. another EU member state or elsewhere. Other member states' laws should be making similar provision.
Finally in Part I. Clause 6 introduces two data protection institutions: the data protection commissioner, which is the new name for the Data Protection Registrar, and the Data Protection Tribunal, which is also preserved from the 1984 Act. I should like to pay tribute to the previous Data Protection Registrar, Mr. Eric Howe, the present registrar, Mrs. Elizabeth France, and her staff, and the chairman and members of the Data Protection Tribunal for the invaluable public work that they have done under the 1984 Act.
I have spent a moment or two longer than I would have wished on the early stages of the Bill because they are critical to its structure. I shall try to traverse the remaining ground a little more quickly. Part II deals with individuals' rights, which are strengthened by the Bill. Clauses 7 and 8 replicate with some amendments the existing right of subject access. They deal with our obligation following the judgment of the ECHR in Gaskin to provide an independent review mechanism for refusal of subject access in certain cases. There is nothing in the Bill yet to meet our undertaking to outlaw the practice of enforced subject access, but we certainly intend to deal with it in the context of the Bill.
Clause 9 provides a new right for individuals to prevent processing which is likely to cause them substantial damage or substantial distress.
Clause 10 provides an express new power for individuals to object to their personal data being used for direct marketing. That is something which will find general approval not just in your Lordships' House but with an increasingly irritated section of the general public. The expression of the right in the body of the statute is new and broadly similar to that already achieved by the application of the data protection principles.
Clause 11 broadens the existing right for individuals to seek compensation. Under the 1984 Act, the right is available only where individuals have suffered damage because of the inaccuracy, loss or unauthorised 440 disclosure of their data. The Bill allows them to seek compensation for damage caused by contravention of any of the provisions of the Bill.
Clause 12 replicates a broadly familiar right for individuals to seek the rectification, blocking, erasure or destruction of inaccurate data.
Clause 13 is new. It relates to decision-making which is carried out solely by automatic means, as, for example, the practice of credit-scoring. Where such decision-taking significantly affects an individual, if the decision goes against the individual, the clause requires there to be safeguards for his or her interests. This might be provision for review of the decision by an individual person. That is again something that causes great public concern to individuals who feel that their cases in respect of credit provision have been inappropriately or thoughtlessly considered. Clause 14 is a procedural provision relating to courts' jurisdiction.
Part III of the Bill deals with the requirement for data controllers to notify the commissioner of the processing which they do. Registration is linked closely to the enforcement of the data protection principles. Notification under the Bill has been wholly decoupled from enforcement. It is solely about transparency and 1 believe that it represents a significant step forward.
Under the 1984 Act, the obligation to comply with the data protection principles applies only when a data user has registered. Those who do not register may only be prosecuted for non-registration; the registrar has no power to compel compliance with the principles. Under the Bill compliance with the principles will be an obligation on all data controllers, whether or not they have complied with the notification requirements.
Subject to some exemptions, we provide for all data controllers to notify the commissioner before processing personal data. An exemption on the face of the Bill is for manual records. Others can be provided by notification regulations. Such regulations may also make other provision relating to notification, including the form in which notifications must be made. Having consulted considerably with the Data Protection Registrar we hope to make the notification arrangements as simple and little burdensome as possible.
A novelty in the Bill is Clause 21 which provides that processing prescribed by order shall be checked by the commissioner before it shall begin. The normal rule is that processing may begin as soon as it is notified. But certain particularly sensitive processing must be checked in advance. The Government believe that the amount of processing needing "prior checking" is likely to be very small. I should also make clear that this is not a requirement for each individual processing operation to be checked on a case-by-case basis. The prior check is carried out at the time of notification and applies to all processing covered by the notification.
Another new provision is the power in Clause 22 for the Secretary of State to set arrangements for organisations to appoint their own data protection supervisors, following the German model. Such appointees monitor the controller's compliance with the law, thereby removing some of the burden from the supervisory authority. Setting up arrangements under 441 this provision will not be a priority since the Government's immediate priority must be to ensure that the core regime is properly in place and working well.
Finally in this part, Clause 23 provides a requirement on data controllers who do not notify to provide, to anybody who requests it, information about the processing which they do.
Part IV and Schedule 7 deal with exemptions. Many of these are familiar from the 1984 Act, but there are some changes. Clause 27 provides an exemption from, in effect, the whole of the Bill where the exemption is required for the purpose of safeguarding national security. This is broadly familiar from the 1984 provision, but it contains two important changes. First, it allows a certificate confirming the need for the exemption to be expressed in general terms and to be prospective; and, secondly, it allows a limited right of appeal to the Data Protection Tribunal for individuals who are directly affected by such a certificate.
Clause 28(4) has been the subject of some media speculation and critical comment. It allows the making of orders exempting from the subject access and non-disclosure provisions in the Bill information which would assist in the fight against crime and the prevention of tax evasion and fraud. On tax, there are serious Inland Revenue concerns to be addressed: first, protecting the disclosure to the Inland Revenue of bulk, potentially tax relevant, information provided by third parties, which may be used to help identify people cheating on their taxes, and therefore robbing the general body of citizens whose taxes go to pay for essential services; and, secondly, maintaining the confidentiality of systems designed to identify incorrect tax declarations. I know that the Data Protection Registrar has concerns about this clause. I have discussed this with her. We have made no firm decisions about its use. But I believe that there will be general public support for the principle that we need to safeguard existing initiatives to act against the small minority who, alas, cause significant loss to the public purse through tax evasion and tax fraud. We are interested to see what your Lordships may have to say about the principle and detail as the Bill travels through this House.
I pause on one exemption which is of great importance. It is to be found in Clause 31, to which I promised to return. It relates to processing for the special purposes; namely, journalistic, literary and artistic purposes. The media have been concerned about the implications for their work of the EC Data Protection Directive. I am happy to repeat again publicly that the Government recognise the central importance of the work of a free press in a free society. With its broad definition of "processing", not to mention the inclusion of manual records and the range of rights for individuals, the directive, and therefore the Bill, goes considerably further in protecting individuals' personal information than does the present Act of 1984. It therefore inevitably has greater potential to put at risk the media's legitimate use of such personal information.
442 I am happy to see the noble Lord, Lord Wakeham, in his place. He and I and others from the BBC. Channel 4 and the independent television companies, as well as newspapers and newspaper lawyers generally, had discussions throughout the summer and autumn of last year. We have provided for exemptions for the media. We have done that as deliberate policy, not by way of Christmas accident, where they are necessary to reconcile privacy with freedom of expression.
Following the meetings to which I referred, we have included in the Bill an exemption which I believe meets the legitimate expectations and requirements of those engaged in journalism, artistic and literary activity. The key provision is Clause 31. This ensures that provided that certain criteria are met, before publication—I stress "before"—there can be no challenge on data protection grounds to the processing of personal data for the special purposes. The criteria are broadly that the processing is done solely for the special purposes; and that it is done with a view to the publication of unpublished material. Thereafter, there is provision for exemption from the key provisions where the media can show that publication was intended; and that they reasonably believe both that publication would be in the public interest and that compliance with the Bill would have been incompatible with the special purposes.
We have specifically written into the Bill reference to compliance with a code of conduct which is capable of being approved by the Secretary of State. We have deliberately placed upon the face of the Bill. I believe for the first time in an Act of Parliament in this country, that the public interest is not the narrow question of whether this is a public interest story in itself but that it relates to the wider public interest, which is an infinitely subtle and more complicated concept. That is expressed elegantly in Article 10 of the European Convention on Human Rights as regards the transmission of views and opinions by the press and the necessary co-related right on behalf of the public to receive those expressions of views and opinions.
As a safeguard for individuals, the commission has a special power in Clause 42 to seek information from the data controller, pre-publication, to check whether the key criteria are satisfied. There is provision in Clause 43 for her to make a determination where she believes they are not; and Clause 44 provides a limited power for her to take enforcement action against the media where she has made a determination—before or after publication.
The Bill puts the onus for taking enforcement action on the individuals concerned rather than the commissioner; but in Clause 50, it gives the commissioner a power to assist individuals in going to court, but only in cases involving matters of substantial public importance. I hope that your Lordships will feel that we have achieved the right balance in that regard.
We do not wish, and would not want, to inhibit the freedom of expression which is a fundamental and continuing part of the British way of life and which British broadcasters have enjoyed up to now in making programmes in a generally responsible way. It is clearly part of that tradition of information, the dissemination 443 of views and discussion of ideas; for example, historical programmes dealing with analysis of the past. It is not the intention of the Government in implementing the directive that the making of these programmes should be inhibited or prevented by individuals attempting to use its provisions to re-write history or prevent the responsible discussion of historical subjects and documentaries which are an important part of the media's role in informing, educating and stimulating public discussion.
Equally, it is part of the British tradition of freedom of expression that entertainment programmes, such as arts programmes, comedy, satire or dramas, can refer to real events and people. It is not the intention of the Government for the directive to be used to inhibit programme-makers from making programmes as they have up to now. The Government believe that both privacy and freedom of expression are important rights and that the directive is not intended to alter the balance, which is a fine one and always should be, that currently exists between these rights and responsibilities. I believe that the Bill does strike the right note in that respect. It was not until after a good deal of consultation and discussion, and perhaps cross-fertilisation of ideas, that we came to our conclusion. However, I repeat that if there is reasonable room for improvement, our minds are not closed.
Part V of the Bill deals with enforcement. First, the Bill creates a twin-track approach for individuals seeking a remedy for alleged breaches of the law. In the same way as they may now go to the registrar, under Clause 40 they will be able to seek the help of the commissioner. They will also be able to go direct to court where they believe that any of their rights under the Bill have been contravened. This is an important strengthening of individuals' rights. The 1984 Act provides only a very limited right to go direct to court: where subject access has been refused or to seek the correction of inaccurate data.
The enforcement notice, which is the main instrument for enforcing the data protection principles under the 1984 Act, is retained in Clause 38. But because of the restructuring of the data protection principles, it has wider scope under this Bill.
Clause 41 entitles the commissioner to issue information notices seeking the information she may need to carry out her functions. The commissioner takes the view that, in its present draft form, the power is not as useful as it might be. I have discussed it with her, and I will consider whether there is any way in which it could be improved fairly to meet her concerns.
Part VI deals with miscellaneous matters. Clause 49 gives the commissioner a broader duty than now to promote good practice. It includes a strengthened role in relation to the issuing and consideration of codes of practice; and a new power to make assessments of individual data controllers' personal data handling practices, with their consent.
In the context of Clause 49 I might also explain briefly the arrangements for dealing with transfers of data to third countries. The eighth data protection principle in the schedule prohibits the transfer of 444 personal data to countries outside the EEA which do not have an adequate level of data protection. Schedule 4 provides some exemptions. Data controllers will make the initial decisions about adequacy. The commissioner will be able to issue an enforcement notice where she disagrees. Decisions about inadequacy have to be shared with the European Commission and other member states; and there is a mechanism for reaching a common view.
There is concern on the part of some of the EU's major trading partners, particularly the USA, about the implications for trade of these arrangements. I believe that the arrangements made in the Bill provide the maximum flexibility for data controllers, consistent with ensuring proper data protection and meeting the requirements of the directive. I know that this is a matter which is being treated very seriously by colleagues in Brussels and I am confident that a satisfactory way forward can be found.
Clause 51 establishes certain further functions for the commissioner in relation to overseas transfers and other international matters.
Clause 52 creates an offence of unlawful obtaining, disclosure and subsequent sale of personal data without the consent of the data controller. The intention is to re-create and replicate the similar offence in the 1984 Act.
Clause 54 puts a duty of confidentiality, subject to a criminal sanction, on the data protection commissioner and her staff. I know that the registrar is uneasy about attaching a criminal sanction to the duty of confidentiality. Again, this is a matter which I have discussed with her and I have told her that it is a matter on which I am prepared to consider suggestions for alternative approaches.
Finally, I must mention one omission from the Bill. The Bill does not yet make any provision for the transition from the existing data protection regime under the 1984 Act to the new one under the Bill. I recognise, and I am happy to say it now, that those affected by the Bill will need to know as soon as possible what are the Government's intentions. We shall certainly bring forward necessary amendments as soon as we can.
This has been a rather brief overview of what is a long and complex piece of legislation. I have deliberately omitted what I might have covered. I know that noble Lords have particular interests in some of the areas which I have omitted. My noble and learned friend the Solicitor-General will deal with the points which noble Lords raise in the debate.
I am pleased that we have agreement through the usual channels for the Bill to be considered by a Grand Committee in the Moses Room. This seems to be, almost quintessentially, the sort of legislation which needs that calm, informed scrutiny. I repeat that we want the best possible assistance by way of scrutiny by your Lordships who are informed about those matters. I commend the Bill to the House.
Moved, That the Bill be now read a second time.— (Lord Williams of Mostvn.)
§ 3.49 pm.
Viscount AstorMy Lords, I thank the Minister for introducing the Bill. I am afraid that at this stage we can only give it a rather guarded welcome. The main reason for that is because we are concerned about the effects of the Bill; that it might become too great a burden for some of those who may be affected—businesses, data providers, parts of the media and perhaps journalists. It may be more of a burden than is necessary to implement the EU directive designed to protect the rights of individuals. We shall concentrate on that during the Bill's passage through this House.
I realise that the Minister does not speak for other European governments. However, the Bill which implements the directive is designed to improve the free movement of personal data throughout the Community. Therefore, I hope that the Government will ensure that work has started in other EU countries. It would be disappointing if we, like good Europeans, implemented the directive only to find ourselves one of the few to do so. That has happened in the past.
We are anxious about the costs of the Bill. The Government admit that the start-up costs for industry will he £836 million, with annual costs of £630 million. The start-up costs for the voluntary sector is £120 million, with annual costs of £37 million. That will be a great burden, particularly on the voluntary sector.
We support the necessary protection for the rights of the individual. After all, it was the Conservative government which introduced the Data Protection Act 1984. That Act gave individuals rights to access data stored about them; to demand disclosure of that data; and in some circumstances, to demand cessation, rectification and compensation. Therefore, the rights in the Bill are not new, but they have been strengthened. One must ask whether there is any evidence that the current Act is not working. Which parts of the current Act do not comply with the directive? How much further have the Government gone? Have they gone further than necessary to comply with the directive? It is a question of balance and we shall be examining that to see whether the Government have it right.
We need to protect the rights of individuals to privacy, but we do not want a back door privacy law. We are also concerned with the practical needs of business to process information in a cost effective manner for the benefit of consumers. There are two areas in which important changes appear to have been made. Manual records are now included by Clause 1 if those records at some time in the future might be transferred to a processing system. When the Data Protection Registrar examined that issue, she stated:
These include whether it is possible to provide a clearer definition of those manual records that will be covered by the new Act".That is a valid point and I hope that we shall re-examine it during our debates on the Bill.
The Data Protection Registrar was also concerned about Clause 28(4), providing an order-making power which allows the Secretary of State to exempt personal data of a specified description not only from subject access but also from the requirement to process personal 446 data fairly and lawfully. The registrar stated that she saw no justification for making that blanket exception. Perhaps the noble and learned Lord will comment further on that subject.
Another important change is the switch from registration to notification. I acknowledge that there is a gap in the system. At present, someone who is not registered can be prosecuted only for non-registration, but the principles of registration cannot be enforced. Under the Bill, the new system of notification will allow data protection rules to be enforced even if the subject is not registered. That must be an improvement.
The Bill defines the principal terms used in relation to processing information. It is a concern of the CBI that the definition of "processing" will catch any automated processing of personal data even if it is not directly concerned with an individual. An example may be an order or an invoice between two companies which may have a contact name and may be included as part of personal data. We wish to know why the phrase used in the 1984 Act—that is, "by reference to the data subject"—is not used in Clause 1 of the Bill.
Clause 7 is widely drawn. In its attempt to give the right of access to personal data, it allows access to intellectual property rights and confidential business records which may not relate directly to the individual. There is a danger that such rights of access could be abused by the unscrupulous and perhaps for fraudulent purposes. We do not want to give criminals the right to collect information which they can then use to commit further crimes. I am sure that the Minister has considered that and perhaps he will comment further.
I welcome the introduction of the rights of the individual in Clause 10 with regard to direct marketing and I concur with what the Minister said. How much that will stem the flow of useless junk mail which pours through our letterboxes is not clear, but at least it is a valid attempt to try.
Schedule 3 sets out conditions for the processing of sensitive data. Employers are worried that the Bill does not make adequate provision for them to keep certain employment records which is required of them by certain codes of practice. In our view, and in the view of the CBI, the circumstances in which criminal records can be held are not sufficiently extensive. Businesses which have a duty to protect the public and property, or to protect the public from fraud or theft, should be allowed to hold the data that is necessary for that protection.
The role of the data protection commissioner and his or her powers are crucial for the proposed system to work. We will examine those powers closely, including the right to appeal and the right to issue information notices. I note that under the 1984 Act we have a data protection registrar. Now that the Government have gone "Euro", we are to have a commissioner.
The storage and use of data is a technology which is constantly changing. Those who provide on-line services will be affected by the Bill. I believe that there is a problem for them. How can they control what their users do with the data, or what data their users transmit when it is contained within their service? Fundamentally, we are 447 talking about how to control the Internet. Is it possible? It is difficult to see whether the provisions apply to the Internet and to on-line service providers. Will an on-line service provider be responsible, for example, if he offers simple services such as magazine archives which may contain personal data? There is a danger in saying where the line will be drawn. I hope that there will be flexibility within the system so that the new data protection commissioner will be allowed to make sensible judgments.
I note, too, that there is a provision for the data protection commissioner to grant a special form of legal aid to those seeking compensation from the media. How will that be funded? Will there be any cap on the costs? It is a new phenomenon; it was not covered in the 1984 Act. I also understand that every freelance journalist might have to register with the data protection commissioner and that it will be an offence not to do so. At first glance, the consequence of a government body holding a list of all freelance journalists in this country is somewhat Orwellian. Is my interpretation correct? If so—and many journalists have said that they believe they will have to register—how are we to define a journalist? Will one become a journalist if one writes a book review for a magazine? If one of your Lordships writes for the House Magazine will registration be required'? Will he have to register what is in his personal computer, even if it does not contain information about the noble Lord, Lord Williams of Mostyn, or any of the other Ministers on the Front Bench?
Clause 31 is crucial as regards the press. I am pleased to see that my noble friend Lord Wakeham will speak today. The whole House will he interested in his views, particularly in his role with the Press Complaints Commission. Although Clause 31(3) refers to "any code of practice". I believe it to refer to that of the commission. Will the Government confirm that? Paragraph (b) of Clause 31(3) also refers to,
[anything]… designated by the Secretary of State by order for the purposes of this subsection",which I believe must mean that perhaps other codes could be used. If he is not able to do so today, perhaps the Minister will be able to respond to that point by correspondence.As the Minister said, the Bill also provides new rules for the transfer of personal data to countries outside the EU. I am concerned to know how British companies, which currently send raw data to be processed in other countries, will be affected. Will that process be illegal if it contains personal data?
As I am sure your Lordships are aware, there is a large and growing worldwide business where data is often processed in third world countries. India, for example, has software skills that are cheaper, and sometimes better, than our own. Will that trade cease? If a bank or insurance company sends its files to be processed in some way to a third world country so that they can then be returned and put, in a different way, on to a system using the latest software, how will that situation be covered? It would be a great pity if that trade were to cease as it provides business for those countries and, indeed, is very cost-effective for the companies which use it.
448 I wonder whether the Government have studied data protection laws in other countries? For example, America is, I suppose, the country whose technology in this respect has led the world. Do the Government have any plans to introduce similar rights and protections? Will the EU be in step or out of step with the rest of the world?
We have before us a complex Bill. It is a simple subject, but a complex one because the devil is in the detail. We will all have to brace ourselves as we attempt to get to grips with technology, and learn how the rights of the individual can be protected in a reasonable way at a reasonable cost. I worry that the Bill is perhaps more prescriptive than it has to be. In some ways, I should like a shorter Bill which is strong on principle but one which allowed flexibility so as to enable the new commissioner to act in a way that is sensible for both individuals and business.
Of course, I recognise that governments like to dot every "i" and cross every "t" and, therefore, that makes Bills much longer than we would all wish. However, because it is such a long and detailed Bill, I fear that, despite careful scrutiny, we may miss something in it which will manifest itself to the detriment of those affected by the Bill.
As the Minister reminded us, the Government announced that they will include measures relating to the "transitional arrangements" in the Bill by way of amendment as the Bill passes through Parliament. The noble Lord kindly informed the House that those amendments will be offered, "as soon as we can". Perhaps the noble Lord could be a little more specific in that respect. Does that mean during the Committee or Report stages or. indeed, while the Bill is actually passing through this House? That is of particular importance because, in a statement made by the Chancellor of the Duchy of Lancaster in December, I noted that the Government announced that they would introduce a freedom of information and data protection Bill and that both would be processed hand in hand. Perhaps I may quote the Chancellor of the Duchy of Lancaster, who said:
Any freedom of information Act must provide adequate protection for an individual from any unwarranted invasion of personal privacy caused by an application from a third party. In practice, for the Freedom of Information Act in the United Kingdom, the new Data Protection Act will provide the basis for this protection".Therefore, transitional arrangements will be most important. I have one question upon which I should really like to hear the Minister's view. Can we actually have a data protection Act in place without a freedom of information Act? In other words, do they go hand in hand? For example, will the transitional arrangements not allow it to come into force until the Government have come forward with a freedom of information Act? Perhaps the Minister could address that point in his response.
I am grateful to the Minister for saying that he will be open-minded about the Bill. Indeed, we shall be critical where necessary but I hope that we shall also be constructive. I am delighted to know that the Minister will listen carefully. I trust that he will be prepared to accept amendments which will improve the Bill.
§ 4.5 pm.
§ Baroness Nicholson of WinterbourneMy Lords, I am grateful to be speaking on behalf of the Liberal Democrats who welcome the Bill. We thank the Minister for his overview and for telling us a little about the genesis of the directive, because it is within the context of the manifesto statement to "bring rights home". There are two other parts of this tripartite mission—the Human Rights Bill and the proposed freedom of information legislation. It is rather nice to think that we will be discussing the detail of the Bill in the Moses Room, as we are not talking about matters on tablets of stone.
There is much work ahead of us. As the Minister said, there are general themes which arise from the directive which are reflected in the Bill. They are social, practical themes such as privacy and personal information; the impact on society of this novel legislation; the legislative changes that will flow; and the detailed points of overlap and possible conflict and possible inexactitudes with the other two parts of this tripartite effort.
There are some people who should be thanked in the context of the Bill. I refer first to Geoffrey Hoon, the Minister, who was rapporteur in Brussels in the European Parliament. When the government here were hostile—indeed, fully and totally hostile—to this legislation, we had a British voice who spoke up most clearly and who was also the rapporteur. Secondly, I refer to my noble friend Lord Lester of Herne Hill with his human rights legislation and, indeed, the noble and learned Lord the Lord Chancellor.
There were also people who blocked the Bill, both in the House of Commons and in your Lordships' House, on the government side. That was perhaps partly due to ignorance of the development of information technology, partly due to an inborn desire in terms of historical British governmental attitudes to control information on British citizens and partly due to a desire not to share that knowledge for mistaken reasons of freedom of trading. I should also mention the very early support for this frame of thinking by Lord Kilmuir, who, in the philosophy of the noble Lord, Lord Alport, took a "one nation" view; in other words, a respect for each other's views, which inevitably leads to respect for personal privacy data.
The kernel of the legislation—that is, the meat of the Bill—seems to me a fresh attempt to create an oasis of individual privacy for each European Union citizen or resident in face of the octopus of largely electronic knowledge which so many others from so many walks of life now have on each and every one of us, while not lessening the flow of knowledge, one of our essential European Union freedoms.
The Minister mentioned the fact that many people have knowledge about us; indeed, all of us are on at least 137 different computer systems. There is also the difficulty and expense of accessing that information. But the knowledge that someone has such information about you is possibly the most difficult thing to accept. So this is an important piece of legislation.
450 On the down side, there is our obligation as a European Union member state within the Treaty of Rome and the single market Act not to inhibit the free flow of knowledge. That is just as important—or is it?—as privacy of the individual. I shall return to the fact that it is a difficult balance to strike, but perhaps I may just congratulate the Government on their efforts as regards human rights, freedom of information and data protection.
The latter is, of course, an inherited piece of legislation. It emerged in October 1990 when it was clearly stated why it was being created. The European Parliament was consulted by the Council on whether or not there should be a directive on the protection of individuals in relation to the processing of personal data. The mission statement was endorsed by the European Parliament in 1992 when it said that it would adopt a directive on the protection of individuals with regard to the processing of personal data and the free movement of such data. How does the much modified directive look today, eight years on from 1990? That is not eight years old in computer terms but octogenarian because the free flow of information technology has outstripped all of the initial proposals.
Indeed the 1984 convention, stemming as it rightly did from the Council of Europe convention of 1981, has stood the test of time remarkably well. However, we look at it differently now in the light of the Government's new efforts to take Europe seriously and to bring rights home. I suggest that privacy is a novelty for United Kingdom citizens. The noble and learned Lord the Lord Chancellor in his speech on Bringing Rights Home stated:
The Government is not introducing a privacy statute".He went on to say, with regard to the media, that,
strong and effective self-regulation is the best way forward in the interests of the press and the public. Lord Wakeham has begun the task of strengthening self-regulation".On the Second Reading of the Human Rights Bill on 3rd November the noble and learned Lord, Lord Simon, commented that that Bill,
nevertheless introduces into English law for the first time a right to privacy-.—[Official Report, 3/I 1/97: col. 1259.]With his great knowledge the noble and learned Lord added—I do not suppose that he could resist it—that in 1351 it was an offence to eavesdrop and that,
listening under the eaves of your neighbour's house was considered an infringement of his privacy".The noble Lord, Lord Lester, perhaps summed up the matter when he commented in the same Second Reading debate on the Human Rights Bill, in the context of privacy versus public interest, that,
the right to free speech, like the right to respect for one's private life, is not absolute".He went on to say that the,
European Court has also emphasised the importance of ensuring respect for the personal privacy of oneself and one's home".—[Official Report, 3/11/97: col. 1241.]As a result of incorporation, the noble Lord said, the UK has a positive obligation under the convention to secure the right to privacy in domestic law. Our courts are likely to create it if we do not in Parliament. In other 451 words, a common law of privacy will be developed if we do not do so in Parliament ourselves. I wish to set a marker here that we must consider which concept we put first in the United Kingdom. As I understand it, under our European Union obligation we must put personal privacy first. That point was clearly stated in one of the debates in the European Parliament which I can quote if necessary.
Be that as it may, the Data Protection Registrar sees the Bill as a partial privacy law. I suggest that as such it is a new initiative. I repeat that it was strongly opposed and with great hostility by the previous government. Why is a partial privacy law, or something stronger, needed? I refer again to the Second Reading of the Human Rights Bill. I believe it was the noble Lord, Lord Waddington, who stated that he thought that as a free born citizen, if his home were invaded by a public authority without just cause, he had a remedy but that his rights would be weakened under the new convention where he might be told it was allowed to happen for the economic well-being of the country or for the protection of his own or someone else's health. However, it is curious to note that those considerations already apply and have nothing to do with a new European convention.
In a few moments I shall mention health records. This country, with its National Health Service, has a unique stance on health. In my view it is all too unique in the sense that the Secretary of State for Health owns the health records of all those who use the National Health Service, presumably 99 per cent. of the whole population. That is a distinctive position indeed in the context of European Union citizenry legislation.
The noble and learned Lord, Lord Bingham, in talking about the balance of the right to privacy versus freedom of expression, asked, at col. 1247, why,
this country—alone among European nations—should fail to reconcile these competing principles in an acceptable manner?".I suggest that it is because our situation in law is historically different. We have no written constitution and our citizens have not had the right to privacy that perhaps they assumed they had. Common law gave no right to protect one's reputation. Even the Swiss constitution of the 1720s gave the citizen a right to protect his or her reputation. Virtually all the developed economies including the US—I emphasise that to the noble Viscount, Lord Astor—have a right to privacy. The United Kingdom has stood alone in that we have not developed that right to privacy, possibly because of the lack of a written constitution.
I seek to prove my point further. Let us consider what happened during the early days of the directive. It was considered by Standing Committee B in the House of Commons. I was a Member at the time and I believe that the government were either ignorant or misleading on the material they put before the committee. The directive was considered again by Standing Committee B in the House of Commons in 1994 when again the government deliberately misled the committee, or had a lack of understanding of what the directive sought to achieve. As I understand the position, the Minister at that time talked about the free movement of all data. We are discussing only the free movement of personal data 452 in this case. It is not a matter of hampering the free market by preventing the movement of all data; this is purely a question of the privacy of individuals and their personal data. The directive was considered twice in the European Parliament in 1992 and 1995. 1 am sorry to say that the United Kingdom abstained in 1995. The Times said that we opposed the directive. That was not the case; we abstained. I refer to related legislation, the Human Rights Bill and the Data Protection Act 1984.
During that period, some of us in the United Kingdom worked to construct a mosaic of personal privacy legislation without the relevant legislative underpinning. A little of that was included in the copyright Act. I created the computer hacking legislation and co-sponsored the access to medical records Bill. I submitted an access to employee records Bill. Others submitted similar material in both Houses of Parliament. However, those attempts were not successful because there was no underpinning of a right to privacy on the part of the British Parliament. Why is privacy now needed? I shall take a moment to consider that. If we have left it aside since 1351. why do we need to return to it in 1998? We are now all members of the global village. As I see it, homo habilis turned rapidly into homo mobilis. With the development of speech it is tempting to suggest that he turned into "homo chatterbox" and even "homo eavesdropper" and "homo gossiper". It is almost as if the need to know about each other's lives and actions in the finest detail forms an essential part of human understanding. Perhaps it reinforces our identities. Or, in the pre-paper, pre-radio and pre-electronics era, perhaps it was virtually the only realistic way of gathering immediate topical knowledge rapidly.
For whatever reason, today the global village mimics the pre-industrial era way of life so closely that we now know all, or nearly all, there is to know about each other. Remorseless electronic scrutiny by government, the media, security, or insecurity, forces, expose our every facet of behaviour. The difference lies not in what is known about us but by whom. Today it is not the neighbours, the schoolmistress, the doctor, the vicar, the postman, the milklady or the village shopkeeper who collect and store knowledge on us and share it with others. It is strangers, even potential enemies such as blackmailers, thieves, murderers, paedophiles or rapists. Potential threats also come from government and government servants.
I return to health and social services records. The data collection in which government and government agents now indulge is dramatic and far-reaching, and is unknown to most citizens. A free society owes its citizens a duty to try to stem that invasion of the privacy that we in the United Kingdom have effectively never had.
When one talks about data collection, one is immediately challenged that one is trying to protect politicians. I am not interested in privacy for public figures. My interest lies in privacy for ordinary citizens. A public figure is not a private person. One sacrifices privacy for a cause when one chooses to take up the banner of politics, religion, and so on. Questions may still arise regarding the treatment of public figures; however, I suggest that they do not relate to the public 453 figures themselves. I ask whether or not a person's family should not be sacrosanct, particularly the children.
What about accuracy? All those of us who have been used to media coverage, in this Chamber and elsewhere, know full well how many times we get close to a story and find out how inaccurate it is. I speak particularly of the print media, not of radio and television. Radio and television came later into our world and have light legislative straitjackets. They have a duty of accuracy inbuilt. The print media do not—I wish that they did.
And what about the right to reply? It is supposed to be there. It is mostly not exercised. The privacy of private citizens concerns me deeply. Their privacy can be destroyed regularly. and is, by the intervention of the media or from outside sources, even from government.
How has the European Union protected its citizens? There, again, lies a point of difficulty between ourselves and other European Union states. There are extreme variations between the national laws of member states on data protection. Greece is still shaking from the aftermath of the use of military files on its citizens. It has no legislation at all. Denmark has a fully thought-through system and has had a register for a long time. Germany has a federal spread of difference. Indeed, I believe that the current directive stems from Stuttgart—and Stuttgart is a city whose citizens really like to be private. Perhaps too much flexibility, rather than too little, has been put in place to allow the directive to function. However, European Union fundamental principles are at stake.
Then, of course, there is the great spread of knowledge. To take the example of surveillance, of those who can watch us, there are advertisements for equipment that is freely available. It can be purchased with no legal hampering at all. It calls itself "equipment to end uncertainty". It may end the uncertainty of the person who listens; it creates multiple uncertainty for those who are listened to. There are room and telephone transmitters; body wires; wire taps; radio and computer controlled systems; specialist receivers and recorders; recording and transmitting equipment; and counter-surveillance equipment. Those examples represent a very small fraction of the material that is on offer. Is there a means to protect yourself if your opponent is extremely complex and sophisticated? What about encryption? The US is indeed a superpower in that field with its investment in global permanent listening and recording sweeps of telephone calls, faxes and E-mails permanently and internationally. Is privacy possible at all today?
Realistically, the answer is no—not with the big brotherhood of global satellites in operation. But practically, on the ground and in most circumstances, the answer is yes—if we can work at it, as a determined element of a nation's culture. We cannot look to the IT industry, for example, to protect us. Staff loyalty is not there. In the computer field there is negligible loyalty to the employer; and negligible loyalty, therefore, to employer records, because 20 per cent. to 30 per cent. of employees in the computer industry move every year. There are 50,000 vacancies which are very highly priced. The rapidly growing demand in quickly outdated skills means that computer people are 454 highly skilled, always restless, always looking for something new, some way in which to exercise their skills more efficiently, and therefore they do better to move on. There is no practical reason for them not to do so. Let us think of that for a moment in terms of government, particularly in relation to health and social security records. UK citizens have enjoyed no similar privacy rights to those of other citizens. That is the novelty of this legislation.
Perhaps I may turn for a moment to public access to personal files. Access has been offered to us as a palliative instead of privacy. It is not a nirvana; it is a second best. If we look at access to personal files in Russia and East Germany, we look at people going to see their KGB and Stasi-held files. There is a Pandora's Box of suspicion.
However, I do not believe that such horror stories strengthen the case for government secrecy. They demolish it. Trust is the basis of civil and family life, as are openness and transparency. The informer society destroys the bond on which society is built.
So there are some areas of conflict in this piece of legislation. I turn to data-matching. We may feel that our records are safe within individual public service sector departments. We are wrong on two counts. First, matching takes place interdepartmentally; and secondly. there is inadequacy of control against invaders from outside. All are against incompetencies within the system, where the duty of accuracy may not be understood and there are insufficient funds in government to put the matter right.
In relation to data-matching, we should possibly talk about database linkage. We held a statutory instrument debate on that subject on 18th December. There may be a need for government departments to put together a working group. An example is DTI work on British standards. The Home Office, the Department of Trade and Industry and other departments all have IT work flowing through which will be impacted by current legislation.
The best defender of the individual's interest is the individual. The problem is that, against government, the individual has no weapons at all. Ownership should be the key. Perhaps Britain could take a leadership role and explore the possibility of European Union citizens having ownership of records that government hold on them—except, of course, in cases of security, such as the United Kingdom police computer, and, in cases of tax-gathering; namely, the Inland Revenue. In that way we could give back to the citizen that which the Government have on him or her. That would fit very well indeed in terms of health records with the smart-card genesis.
I suggest that we examine ownership of records. that we explore with the media codes of conduct—which are no substitute for legislation. If media intrusion on the lives of private citizens is to be allowed by means of an exemption from the Government, I suggest that we put those codes of conduct before this House in order to examine them. I suggest also that exemptions in secondary legislation should be examined closely, since semi-governmental bodies are also affected.
455 The Government have talked about bringing rights home. But they have not yet answered the question, "To whom?". I suggest that within this Bill we can explore the possibility of those rights coming home to the individual citizen.