§ 4.54 p.m.
§ Second Reading debate resumed.
§ Lord Wakeham
My Lords, I rise as chairman of the Press Complaints Commission and it is right therefore that I declare an interest. I wish to speak to this Bill as it affects the privacy of individuals and the freedom of the press.
At the heart of the directive which this Bill implements is the protection of an individual's right to privacy with respect to the processing of personal data. The challenge for the Government has been to construct a Bill which produces safeguards for ordinary citizens, but does so with appropriate exemptions for journalism that will ensure that the right of those same ordinary citizens to know what is going on in the world is not undermined. In other words, they want to achieve that difficult balancing act of safeguarding both personal privacy and freedom of expression.
In doing that the Government have had to face up to two difficulties. The first is that the directive's definition of "personal data" is extremely wide, covering virtually any information relating to an individual, including details of political opinion, trade union membership, racial or ethnic origin and philosophical beliefs. The second is that the definition of processing specifically includes, for the first time, the use of material for journalistic purposes; and in turn journalism, of course, relies on the use of all the information covered by the directive.
The very real danger in the combination of those two points is that the directive could be used to introduce a regime that would gravely damage the freedom of the press, undermine investigative journalism and wound the system of effective self-regulation that we have built up—and that is the point with which I am principally concerned.
The directive recognises that such problems might occur, and allows for member states to grant exemptions from its terms for journalistic purposes or for the purpose of artistic or literary expression. There are some minor points of detail in the Bill which perhaps need ironing out. That said, I have to say that in my view the Bill steers a sensible path which avoids the perils of a privacy law and achieves the crucial balancing act—of privacy and freedom of expression—in a clever and constructive way. There are two points I would commend in particular.
First, in relation to the question of pre-publication injunctions, there was always a danger that the Bill might produce new powers for the rich and the corrupt to take out gagging orders against newspapers preventing publication of material which is true but uncomfortable. That would have been deeply damaging to investigative journalism. The Government dealt with that in an astute way. Clause 31 of the Bill ensures that the powers available in the legislation only bite after the publication of a story, not before. The Government therefore looked at the possibility that the Bill might be used to introduce injunctive powers relating to privacy and rejected the idea.
Secondly, I commend the way in which the Bill deals with the public interest defence, and in particular the way in which it enshrines the pre-eminence of freedom of expression. The exemption in Clause 31(1) specifically points to the special importance of freedom of expression. Again, the Government clearly looked at the dangers inherent in a Bill which might introduce a back-door privacy regime and rejected the idea because of the dangers posed by such a regime to freedom of expression.
If I may, I should like to make one point specifically relating to the Press Complaints Commission. There was always a danger that the implementation of the directive without suitable exemptions would undermine self-regulation, because privacy laws, whether grown here or in Brussels, do not mix with self-regulation. But that has not happened. The Bill itself strengthens individuals' rights, but it does so in a way which complements rather than undermines the dispute resolution service offered to ordinary people by the Press Complaints Commission.
The Bill is therefore a sound one—thanks in no small part to the constructive and thorough consultation process undertaken by the noble Lord, Lord Williams, in advance. It protects the privacy of individuals—which we all believe is vitally important and is indeed an important part of the commission's work—but does so in a way which does not diminish the freedom of the press to report and investigate in the public interest. And it strengthens the rights of ordinary people, but does so in a way which does not undermine press self-regulation. For those reasons alone, it will have my support.
However, I have to say to your Lordships that one thing greatly puzzles me and it should give us all cause for concern. The thing that puzzles me is that the Data Protection Bill and the Human Rights Bill, which this House has been considering, seem to exist almost in different worlds, for the truth is that they present two entirely contradictory sets of policies. The Data Protection Bill does not introduce new powers for the rich and the crooked to gag the press. The Human Rights Bill does the opposite. The Data Protection Bill does not introduce a back-door privacy regime. The Human Rights Bill does. The Data Protection Bill safeguards the position of effective self-regulation. The Human Rights Bill may end up undermining it.
The Government consulted on the Data Protection Bill, listened to the potential problems, analysed them and then produced an excellent piece of legislation which avoids all the perils of a privacy law. It is entirely in line with the Government's stated commitment to self-regulation and their opposition to a privacy law.
The contrast with the Human Rights Bill is dramatic. There was no true consultation or dialogue before the Bill was published, or even since then, while the Bill, at every turn, seems to present new and ever more serious problems, not just for the press but for many other organisations which are involved in some form or other with self-regulation.
I think that this piece of legislation is right and the Human Rights Bill is wrong in its consequences. It is my hope that the Government will now reflect on the lessons learnt during the consultation on the data protection directive.
§ 5.1 pm.
§ Lord Norton
My Lords, I begin by declaring an interest. I play a small part in the world of insurance and loss adjusting. I have received a brief from the ABI and heard representations from the Chartered Institute of Loss Adjusters, although most of what I have to say comes from my own observations.
I welcome this Bill in today's massive data processing world. A Bill that strengthens the rights of individuals against such power is to be welcomed. It incorporates Article 1 of the European directive, which states: "Protect the fundamental rights and freedoms of natural persons, and in particular their rights to privacy with respect to the processing of personal data".
As the Data Protection Registrar states, the new law, "is a partial privacy law".
It seems to me that one of the main methods of ensuring such freedoms is to give the subject greater access to the information; and this the current Bill certainly does. But there is another side to data protection, and that is to protect companies and businesses from false information that individuals can present which then results in a fraud.
Current fraud in this country is estimated to be running at £16 billion a year. A timely headline in today's Independent states: "Nigerian Crime Wave Sweeps through Britain".
The article goes on to state that MI5, MI6 and GCHQ are involved, but so are banks, building societies and insurance companies; in fact, the whole of the financial sector. Commerce does not have such powerful resources and so has to co-operate to fight such activity, for it is a fact that the serious fraudster in one sector is frequently involved in many other sectors—be it university applications for grants by fictitious identities or local authority, bank or insurance fraud. In the detection of fraud co-operation between parties is essential and has huge data protection ramifications. In such situations the companies are at the frontiers of the individual's privacy.
Unfortunately, the fighting of fraud cannot be left to the police. They do not have the resources and see such activity as being in the realms of the commercial world to sort out. When the assistance of the police is required there is a current ACPO policy to the effect that insurance companies should receive information only in appropriate cases. The definition of what constitutes an appropriate case is far from clear and frequently results in no co-operation. I have witnessed a case in which the only piece of information required to satisfy the insurance company was the verification of the date that an individual reported a theft of a £5,000 motorcycle; data that was not covered by the Data Protection Act. Nonetheless, the reason for non-disclosure was quoted as being the Data Protection Act. Such lack of co-operation is surprising, given the role that insurance companies play in educating the public on such issues as neighbourhood watch, domestic security and a host of other crime prevention activities. It is my understanding that the police, in the form of the ACPO crime committee, will be reviewing this policy in March.
The Data Protection Act is frequently misunderstood and misquoted by the police. It is therefore important that everyone, including the police, fully understands the provisions of this Bill. For as late as last September the deputy data protection officer from the data protection office of a prominent provincial police force wrote, and I quote: "Simply put, the Section"—he was referring to Section 28 of the 1984 Act—"permits prosecuting authorities to obtain data from users for the prevention and detection of crime and not for organisations to require the police to disclose".
The officer was quite wrong. It is an enabling provision which allows the exchange of information in defined circumstances to anyone, including the police. The same issue is dealt with in Clause 28 of the Bill. I should like to return to that part of the Bill in a moment.
The first point I should like to make about the Bill is that, because it incorporates the European directive, it has found itself written in legalese. This is a Bill that is concerned with individual rights and freedoms and as such it should be capable, as far as possible, of being read by such people. By contrast the 1984 Act was brilliant for its simple and concise English.
In Schedule 1, principle 1—the paragraph dealing with the fair and lawful processing of information—makes for difficult reading when compared with the 1984 Act. In order to process data two new conditions have to be met—the legitimacy tests in Schedule 2 and the sensitive data test in Schedule 3. The judgment can be a complex matter. What is meant, for instance, by the "vital interests" of the data subject mentioned in Schedule 2? It could be that the whole processing process depended on such interpretation. Many people would say that getting their insurance claim paid in full or their loan agreement granted was a vital matter, but I doubt whether that is the correct interpretation. The interpretation of the first principle, dealing with the fair processing of data, in the 1984 Act took up 15 lines of legislation; in the Bill there are 60. The insurance industry has a concept of fair processing, as understood by the 1984 Act. This concept has not caused the industry problems on claims' handling. Does the Bill alter this concept of fairness?
Under Clause 7 the data user has, for a prescribed fee, the chance to access personal data on a register. At present the fee charged, usually £10, is on the basis of each entry for which the data is used for a different purpose. Thus, if an individual wishes to find out all the information that police files hold on him, it is likely to cost in the region of £220. I am glad to see, reading this Bill, that this will no longer be the case.
Under the same section the subject has access to the logic involved in automated decision-making. I can see this causing difficulties. For instance, does it include weighting or scoring factors? What is meant by the logic involved?
I now return to Clause 28, which is the clause which possibly holds the greatest threat to the individual's privacy and yet it provides the essential mechanism that allows commerce to fight crime—for, in the case where data are being processed for the prevention and detection of crime, it allows the collection of data to be exempt from the first principle and to be exempt from the non-disclosure provisions. But the first principle now includes the lawful processing of information. Does the clause, as drafted, now allow the unlawful processing of information? That cannot be right.
Finally, I would like to mention enforced subject access. That is something that the Data Protection Registrar wishes to outlaw and it is not mentioned in the Bill. The only comment that I would make is that at present it is the only available method of obtaining certain personal data legally, although it is fair to say that it is onerous on the individual. I am glad that the Minister is going to include this in the Bill so that each party is aware of its rights.
§ 5.11 pm.
§ The Earl of Northesk
My Lords, we should not be under any illusions as to the need for data protection legislation. As Simon Davies, director of the Washington-based watchdog group, Privacy International, has observed, "Surveillance technology has become more powerful and wider ranging than ever. Personal information has come increasingly to cross national boundaries, sidestepping national privacy laws. And the emergence of the Internet has brought with it a whole new dimension for potential intrusion into privacy. Meanwhile, the rules that protect us all from snooping by state and private interests become more meaningless by the day".
At the outset, like my noble friend Lord Wakeham, I should put on record that the Minister deserves much credit. His introduction revealed a most generous approach to the technical aspects of the Bill, which will be enormously beneficial. And, as a recent The Times leader commented, he "has shown political courage in framing a broad exemption for journalism, research and literary material, without which this legislation could have introduced a privacy law by a side entrance. At worst, it could have imposed a blanket law of press censorship".
That the Government, in the form of the noble Lord, has sought to reconcile the competing interests of the right of free expression and the freedom of the press, as against an individual's right to privacy, is to be applauded. My noble friend Lord Wakeham has already covered the greater part of this ground much more authoritatively than I can and so I do not wish to dwell on it. Suffice to say that my own impression is that the balance has been struck about right.
Lest the Minister feels that I am being unduly deferential, I am bound to say that, in other respects, I have serious reservations about the Bill. Speaking in December 1994 the then commissioner responsible for the single market, Mr. Raniero Vanni D'Archirafi, stated that efforts to create an information society in Europe, "will be in jeopardy if there is no co-ordination of rules for the exchange of data".
This concept is enshrined in the directive itself. While acceding to the different approaches that member states may have towards the right of privacy and data processing, it states that these may, "constitute an obstacle to the pursuit of a number of economic activities at Community level, distort competition and impede authorities in the discharge of their responsibilities under Community law".
Clearly, an underlying purpose of the directive is to facilitate data transfer within the European Community to the benefit of commercial, governmental and other interests. It is ironic, therefore, that the Bill carries with it a heavy burden in terms of the costs of compliance. As Ruth Lea of the IoD has stated, "However laudable the aims of the legislation, extra costs will be piled on firms".
And from the Local Government Management Board: "While we support the aims of this Bill, finding the money to implement it will be yet another burden on authorities whose backs are already up against the budgetary wall".
I acknowledge that these costs are, in the words of the Minister, "guesstimates", but, especially in the light of current misgivings about the likely financial impact of resolving the millennium bug, my suspicion is that they could well be an under-estimate.
Financial considerations aside, the Bill's apparent lack of acknowledgement of technological advances is disturbing. Simon Davies has commented that: "The current British law was already a decade out of date when it was enacted in 1984".
I share that view. The Bill before us today is essentially little more than a re-casting of that legislation with the additional, and more rigorous, requirements of the EU directive thrown in for good measure. In effect, it is almost a quarter of a century past its sell-by date. For example, it makes no attempt to regulate either data-matching or the use of data from public or private CCTV systems. As the Home Office itself has admitted, "The Directive"—and thereby the Bill—"does not specifically address new technology. It sets a general framework which will apply irrespective of the technology used".
With this in mind, and at what may be a slightly facetious level, I presume that Rory Bremner's "virtual" Minister without Portfolio is an instance where Clause 31 would apply. There is a serious point here. In so far as it may have administrative or commercial applications, the Bill is singularly lacking in any definition of how the technologies of "morphing" and/or "virtuality" are to be treated.
At a more pressing level, your Lordships will be aware that last year's Social Security Administration (Fraud) Act sanctioned data-matching between government departments for the first time. I note that, during Second Reading, the noble Baroness, Lady Hollis, stated that, "We shall want assurance that the Bill provides adequate safeguards for data protection. We believe that that may be best achieved, as the data protection registrar says, through a statutory code of practice".—[Official Report, 17/2/97; col. 465.]
The Bill is an opportunity to enact such a code, but it is curiously silent on the matter.
Of course, the underlying purpose of the measure was the rooting out of fraud. I also acknowledge that, as a generality, data-matching can be interpreted as being at variance with a number of the data principles. It could therefore be argued that the Bill does provide the means to control its use and application, particularly in the light of the prior-checking provisions in Clause 21. But this represents a far from adequate safeguard against such a powerful and potentially misleading analytical tool. This is especially so because, "A disturbing aspect of the Bill as a whole is that in no less than seven instances the Secretary of State will be able to introduce additional exemptions from the Act by statutory instrument". Justice, in my view, quite rightly, has described it as "unprecedentedly wide".
More than this, a conspicuous feature of the Bill is the extent to which processes within central government are in any event exempted from its provisions. Little wonder that the cost of compliance for Government is comparatively small. On the surface there may be little cause for complaint for the reasons for the exemptions "safeguarding national security", and so on. But as the Data Protection Registrar has commented there is, "no justification for making provision for the blanket exemption for certain types of data for law enforcement and tax raising purposes".
While accepting that it is a difficult balance to strike, people nonetheless fear the innate capacity of the state to overreach itself in data terms; a capacity which is perhaps best encapsulated in Clause 28(4). By way of example, the DfEE's recent proposals for a national computer record of every pupil's social, economic and ethnic background, as well as academic results and special educational needs, was quite rightly criticised by the Data Protection Registrar.
Like my noble friend Lord Astor, I am also concerned about how the Bill will interact with the Internet. While it could be argued that the composition of their content is a word-processing function, e-mail programs automatically generate a series of personalised database fields in their headers. By any measure these accord with all three definitions of "data" and with that of "processing" in Clause 1. Accordingly, except in so far as they may be subject to the various exemptions in Part IV, all e-mails could be interpreted as being subject to Clause 16. In effect, individuals—perhaps those of your Lordships who use the Internet services of the PDVN—could be required to notify their data processing activities. This is of a piece with the concern expressed by the CBI, as my noble friend Lord Astor explained. I wonder how proportionate the apparent inclusion of those classes of processing is.
In this context, it is worth considering the provisions relating to the eighth data principle in Schedule 1. To all intents and purposes, the Bill is structured so as to prevent data transfer to third-party countries where the level of data protection is deemed to be inadequate. Quite apart from the difficulties that this creates with respect to transfer by means of home pages on the world wide web, this has very serious implications with respect to e-mail. Notwithstanding Schedule 4, it is entirely possible that the Bill, as drafted, could have the inadvertent effect of blocking the access of UK citizens and businesses to entirely legitimate e-mail communication to certain areas of the world.
Of course, notwithstanding their "public" nature, the same elements of processing apply to Usenet and the world wide web. Specifically, the composition of home pages and newsgroup postings, particularly those that contain statistical information or references to individuals other than the compiler, are almost certain to fall within the remit of the Bill. In this context, it is worth noting that the recent difficulties of the President of the United States owe much to the way in which the Internet currently operates. It was an Internet scandal sheet, the Drudge Report, which broke the story. The content of these web sites—they are frequently referred to as "junk media"—represents neither journalism nor artistic expression in the accepted sense and thereby would lie outside the scope of Clause 31.
Equally, it is "personal data" which are being processed in ways that are inconsistent with the data protection principles. Is it intended that such sites, if they originate within the UK and have UK-based content, should be subject to the Bill? Would they be classified as "in the public interest"? At a more general level, how will the concept of "publication" be interpreted in relation to postings to the Internet? To what extent will Clause 52 be applicable to individuals who innocently download postings on the "net" to their own computers? How is it intended that the Bill will treat closed and/or secure systems, for example, credit card facilities on the net or even the PDVN?
In conclusion, I do not dispute the Data Protection Registrar's description of the Bill as being both "timely" and an "excellent framework", but it is not without its faults. The BMA's eloquent description of previous data protection law as being "a load of holes joined together" comes to mind. Such leaky sieves assist no one. As the Bill continues its passage we shall need to guard against perpetuating that sort of regime. The generous approach of the noble Lord, Lord Williams of Mostyn, will make our task very much easier.
§ 5.24 pm.
§ Baroness Turner of Camden
My Lords, I welcome this Bill and thank my noble friend the Minister for his comprehensive introduction to it. There are, however, one or two points that I should like to raise and I should be grateful for the Government's response.
I recently introduced a debate in this House about abuses by the press. I said at that time that I was in favour of an independent ombudsman since I objected to journalism which was invasive of personal privacy, and that although I did not advocate a privacy law, as some have done, I thought that there should be some form of redress for injured citizens. Replying to that debate, the noble Lord, Lord McIntosh, appeared to indicate that this Bill would give the opportunity for further debate on those issues—and so it does.
It is widely recognised that there is a need to reconcile two apparently conflicting rights: the right to personal privacy and the right to freedom of expression. A number of noble Lords have referred to that this afternoon. Broadly speaking, journalists tend to give greater emphasis to the latter freedom whereas those who have been damaged tend to stress the former, the right to privacy. The point that I should like to raise is whether the Bill gives greater weight to the freedom of information and expression to the disadvantage of the right to personal privacy.
Clause 2 sets out what are regarded as sensitive personal data—and I think that most people would agree with them. They include data about racial or ethnic origin; political opinions; religious or other beliefs; trade union membership; physical health and, importantly, sexual life, as well as commission or alleged commission of offences. On the other hand, as we have heard, Clause 31 appears to provide for some exemption for journalists and literature and art where so-called "public interest" is involved. But what constitutes "public interest"? It surely should not be interpreted as public curiosity.
Article 17 of the UN International Covenant on Civil and Political Rights, adopted in 1996, requires that, "No-one shall be subjected to arbitrary or unlawful interference with his privacy, family, home and correspondence nor to unlawful attacks on his honour and reputation".
Article 10 of the European Convention on Human Rights, while upholding the right to freedom of expression, states that that freedom may be subject to other conditions and restrictions relating particularly to the interest of national security, the prevention of disorder or crime and for the protection of the reputation or the rights of others.
Article 9 of the directive, on which I think that the Bill is based, says that derogations and exemptions cannot be granted to journalists as such but only to anybody processing data for journalistic purposes. That is what I thought that most journalists did anyway. There would appear to be a let-out under Clause 31 in the event of public interest, but individuals are, so it is said, entitled to adequate forms of redress in the case of violation of their rights.
It seems to me that the key question of "public interest" is now widely interpreted by the media as giving them the right to say what they like and to invade the privacy of anyone who is even slightly "in the public eye". Most people have never heard of some of the Back-Bench parliamentarians about whom stories have been written, but presumably a "public interest" defence would be mounted by the press if taken to task, even if there had been breaches of the press code.
It is sometimes suggested that a distinction might be made between ordinary individuals and those who have placed themselves in the public domain, such as politicians. Indeed, the noble Baroness, Lady Nicholson, made a similar point earlier. I do not see it in that way. I do not believe that people sacrifice their human rights simply because they have opted to play some role, at whatever level, in public life. As I said in the debate that I introduced on 14th January, libel action is only a possibility for the very wealthy. The forms of redress open to others are not, with respect to the noble Lord, Lord Wakeham, completely adequate. They do not include compensation. Does the Bill as drafted raise the possibility that compensation will be available? If so, I would be grateful to hear about it.
The intense competitiveness of the media industry and the growth of the use of the Internet (where anything can be made available immediately) mean that the kind of media frenzy that we have seen in the past week or so in the USA is equally possible here. The safeguards against it are not adequate, and although I do not want to see interference with the right to freedom of expression or with genuine investigative journalism, I believe that individuals could still be left dangerously exposed to malice and hurt. I noticed with interest that the highly respected organisation, Justice, makes a similar point in its briefing, which I received today.
My second point may at first glance seem to run counter to what I have just said—and yet it does not. I make a sharp distinction between what most people would regard as genuinely personal, family and sexual matters, and possible fraud or crime.
Your Lordships may be aware that for a long time I have maintained an interest in the financial services industry. I was once employed in insurance, and the union of which I was a senior official has many members employed in the financial services industries. I should like to follow up the remarks of the noble Lord, Lord Norton, in that connection. One of the major problems in the industry is insurance fraud. It is amazing what some people will do to claim on the insurance. According to an article in Post Magazine this week, motor insurance fraud alone accounts for everyone having to pay an additional 3.9 per cent. on premia to cover the cost. Arson cases have more than doubled in the past 10 years. There are now over 80,000 cases resulting in £500 million of insurance claims. All of us have to pay for it. It is as anti-social in its way as social security fraud, about which the Government are quite rightly concerned.
Much of the investigation into possible insurance fraud is conducted by people known as loss adjusters. They have their own institute, with whose representatives I recently had discussions. They are concerned about certain clauses of the Bill because they believe that they will make their jobs much more difficult, possibly resulting in even greater losses for which policyholders will ultimately find themselves picking up the tab in increased premia. For example, they say: "The Bill states that the data subject … must have freely given agreement to the investigation of himself/herself".
They believe that this could result in a suspect fraudster preventing an investigation which would validate the fraud. They go on to make the cogent point: "Unless the initial contract of insurance is accepted as permission by the policyholder to any subsequent investigation, in the event of a claim, the process of fraudulent claims investigation will be thwarted".
The Bill also requires information to be held no longer than is necessary for the purpose for which it is collected. Accordingly, files on fraudulent claims, once concluded, must be destroyed. This does not assist the industry in protecting against future fraudulent claims by the same individuals. Apparently some people have a habit of making dubious insurance claims. They go on to say: "The data subject will be entitled to request details gathered upon him/her. This must be complied with within 40 days. This will not assist the investigation of fraudulent claims … Personal information/data obtained, for instance, in the investigation of a fraudulent claim, cannot, under the Bill, be sent from any European member state to a country that does not have a Data Protection Act or something similar. In the current world of global insurance and hence fraud, reports cannot therefore be sent to insurance clients in numerous countries, including the USA. Many US insurers operate within the UK with reports on major claims above a certain reserve having to revert back to the US for instruction. This will be prevented by the Bill".
They also question whether investigators of insurance claims will in future need some form of licence to operate.
I believe that those are legitimate concerns to raise, and I should be very grateful if my noble and learned friend would respond to them.
§ 5.33 pm.
My Lords, I am director of the parliamentary group EURIM, which has been closely involved in data protection for some time. EURIM exists to put corporate and not for profit associations together with MPs and MEPs to debate policy issues arising out of information and communication technology and to lobby Brussels and, if necessary, Whitehall. The very first project in which EURIM was involved in 1994 concerned the second draft of the European Data Protection Directive. We recognised then that the simplicity of the 1981 Council of Europe Convention had been lost in the directive. I believe that others have made that point. We were concerned about bureaucratic rigidity and automated decision-making. We recognised that the second draft allowed cash dispensers to be used satisfactorily but we still had a query about automatic profiling for marketing.
At that time the British Bankers Association was concerned about trans-border data flow. It felt that if that were restricted it would restrict the association in preventing or limiting fraud. We had a query about the interpretation of manual data and worries about the term "consent", express or implied. A year later the Council of Ministers made significant changes to the directive. We looked at it again. It was then that we made our first call for UK primary legislation to implement the directive. We also recommended that the UK made maximum use of the new and significant EU derogations to minimise the adverse effects on us in the UK relative to our 1984 Act.
We recognised that "express consent" had been altered: it was now called "explicit consent", but our doubt about the scope or meaning of the word remained. We also looked, as indeed is the Minister today, for a balance between the reasonable needs of corporates for marketing opportunities and the reasonable needs of individuals to avoid unwanted mail. We still asked what was "manual data". We suggested that structured files only should represent the manual data brought into the Act, and only such structured files as were set up after the implementation of the directive by the Act.
A year later, in July 1986, we, like many others, responded to the Home Office consultation. We were still concerned about bureaucratic rigidity. We then called for the function of the registrar to be more like that of a parliamentary commissioner and, perhaps because of the knowledge of my fellow director MPs, we recognised that anyway the registrar reported to Parliament, not the Home Office. We were perhaps the first to make that call which the directive will now establish.
We called for the registrar's advisory role to be enhanced and for fees to be delinked from registration and to be variable and work-related—all things that are beginning to happen under the new Bill. We still believed that primary legislation was highly desirable and that attempts to simplify the directive must continue. Our concern about cross-border exchange of data had changed to a concern that the protection arrangements for certain countries would be deemed inadequate.
I believe that the Bill offers four out of the seven changes that we put to the Home Office in July 1996. The areas that still remain open on EURIM's agenda are: bureaucratic rigidity, the fact that the Bill adds complexity rather than simplification, the problem of cross-border data exchange and, from the early EURIM briefings, the question of what is manual data and what is consent.
Before I deal with the detail, I was the third member of the team involved in the briefing by loss adjusters, as the noble Lord, Lord Norton, and the noble Baroness, Lady Turner, have already mentioned. I should like to deal with these matters from a slightly different angle from previous speakers. I begin with personal data which is defined as data whether it is gathered with or without the consent of the data subject. Clearly, investigators will be gathering data without such consent. Can they comply with Schedule 2? Is investigation a legitimate interest of a data controller?
Let us take two examples, the first of which is insurance claims. We have already heard about a proposal form with a box that may be inserted. One may have to put an "X" in the box if one is not prepared to have the insurer investigate the claim. If one puts an "X" in the box perhaps one does not get insurance. Is this a legitimate form of consent under the Bill?
Let us take the divorce courts. Instead of corporates doing the investigation, now it is very likely that individuals will make checks on potentially errant spouses. Are they legal? Clause 28(1) exempts the prevention of the detection of crime, but what happens if there is not a crime in the first place? It is a civil action. What is the position of the police if they investigate a possible crime and find that there is not one? Have they then collected data illegally? If investigators fail under Schedule 2—exemption six—is all investigation short of a crime now illegal? Even if exemption applies and an investigation is lawful, is it ever fair?
How does one define "fair"? Under the 1984 Act which referred to data, manual data or data where equipment is operating automatically, investigators stayed as manual as possible and thought that they had avoided the problem. I support the registrar's determination to have a clearer definition of the manual records covered by the Act. I welcome the Minister's statement that he is open to suggestions. I hope that the insurance and investigative industries will return to us with some thoughts on that. We need the long transition period that has been talked about.
I turn to consent: explicit or implicit? Schedules 2 and 4 require the data subject's consent, but Schedule 3 requires explicit consent. That implies a lower level of consent needed for Schedules 2 and 4. Is the box on the proposal form a consent to investigate claims? Is that a fair consent? Is that consent acceptable?
Let me turn to another example. One of EURIM's members is busy trying to put an electronic directory around the globe. There is concern as to whether it has the right to put up the personal data represented by employees: names, jobs, telephone numbers, fax numbers and E-mail numbers. If that becomes part of the standard employment contract will that be an acceptable form of consent under the Bill? If it were limited, for example, to the fact that anyone becoming an employee agreed that they should put their business details out to countries which otherwise would be excluded by the eighth protection principle, would that be acceptable? Will implied consent in a standard employment contract satisfy the consent required in Schedule 4?
I turn now to data principle five. If UK law requires that insurance liability files are held for 10 years for court purposes, presumably that is a period which is necessary under the terms of the Data Protection Act. Let us go further and look at advice coming out of the USA in respect of US court judgments on liability claims where files are held by UK insurance brokers, which may possibly include personal data about people in the UK. They need not necessarily be UK people but people within the UK. Is that acceptable in terms of the period for which files may legitimately be held? One can be even more extreme and talk about a EU regulator—perhaps a French regulator—requiring files to be held in case they have to return to a French court. What is accepted with regard to explicit or implicit consent? Will the commissioner have the power to decide, in a pragmatic and practical way, when files are no longer needed for the purposes for which data are gathered?
I shall deal finally with complexity and bureaucratic rigidity. The Bill is made complex by its many objectives. Bureaucratic? I have been impressed by the registrar's efforts to implement the 1984 Act through common sense. Agreement to her few remaining points may help to reduce the bureaucracy further and add to the practical simplicity of the Bill.
The Bill is of course just one of three legs, as we have already heard: freedom of information, human rights and data protection. The balance, as the Government have said, is complex. The good news is that it outlaws major injustice; equally, the bad news is that most of us have never been involved in major injustice, and we are all constrained. Costs have been added all around, as other noble Lords have said. I have a Library document which suggests that set-up costs for compliance alone will total £279 million. "Set-up" worries me because it suggests that computers may need altering. EURIM, under a different set of briefs, has been busy advising Ministers to be careful about new legislation which requires computer change. There are insufficient computer skills to handle the year 2000 and changes to EMU at this time, let alone to handle further major legislative changes which require massive computer change.
I have a long-held theory—I do not necessarily expect others to agree with it—that the collapse of civilisation will not occur because of the nuclear bomb, nerve gas or a meteorite striking from space. It is much more likely to occur because of the ever-increasing costs of trying to obtain fairness. Where is the 80/20 rule today? Where is it in our legislation? The theory behind the three Bills is great, but we survived without them. Can we afford their cost? I hope that the Minister will be able to answer some of the points that I have made.
§ 5.45 pm.
§ The Solicitor-General (Lord Falconer of Thoroton)
My Lords, this has been an interesting and exceptionally well-informed debate, given the complex nature of the subject that we have been debating. I pay a special tribute to the speech of the noble Baroness, Lady Nicholson of Winterbourne, which showed her long experience of the matter in issue. The Government genuinely welcome all the contributions that have been made, and the spirit in which they have been made.
As my noble friend Lord Williams of Mostyn said in his introductory remarks, the Government are open to suggestions for improving the Bill. We shall look carefully at the suggestions that have been made today to see whether any amendments need to be made to deal with the concerns that have been expressed. Any amendments must, of course, be consistent with the directive's requirements and reflect the Government's general approach to proportionate regulation.
In his introductory remarks my noble friend Lord Williams of Mostyn referred to the Human Rights Bill. The noble Baroness, Lady Nicholson, and the noble Lord, Lord Wakeham, also referred to it. My noble friend saw this measure as a sister measure to the Bill. Another related measure, as has been pointed out, which the Government intend to bring forward before too long will be the legislation on freedom of information.
Data protection and freedom of information may not be sisters, but they are at least kissing cousins. In providing for access to government information, we must be careful to ensure that proper regard is paid to the need to protect individuals' personal data. That will be an important consideration as we develop our proposals on freedom of information.
The Bill has received a broad welcome, in principle, from your Lordships. No one has questioned the principle behind the Bill. That principle, which underlay the Data Protection Act 1984, is that proper rules should be laid down for the processing of personal data, and that people should generally know what information is being processed.
When processing information, data processors should be obliged to comply with the data processing principles set out in the Bill. Those principles include processing personal data fairly and lawfully. Those are worthwhile aims to which everyone would subscribe. The difficulties involved in a measure such as this, which have in effect been identified by everyone, relate to trying to find a balance between, for example, what burden should be placed on corporate, charitable and government compliance; a balance as to what exemptions to provide from the scheme; and a balance on how to preserve the freedom of the press. The fulcrum of the debate has revolved around those three matters today.
I shall deal with some of the points that have been raised. I shall not go in detail through all the points that have been mentioned. That is a pleasure in store for us when we reach the Moses Room, I hope. I shall deal with the important principles that have been raised. The first relates to cost. The noble Viscount, Lord Astor, said that one of the themes that he would be pursuing throughout the debate on this matter on behalf of his party would be the burden to be placed upon industry in complying with the Bill. We have seen the estimated costs for start up and compliance with the Bill's provisions. As my noble friend Lord Williams of Mostyn said, they are no more than guesstimates.
A balance must be struck between the size of the burden that is put on industry and the right of people to know what is happening in relation to the processing of personal data. Where the balance is struck depends largely on the extent to which one imposes burdens in respect of personal manual files. Reference was made to the fact that the Data Protection Registrar wonders about the extent to which unstructured files will be exempt from the Act. We must debate that issue further at a later stage. However, the less structured the files which are covered by the provisions of the Bill the greater the cost to industry to comply. That balance must be struck and the Government will listen with interest to all comments made during the debate.
The noble Viscount, Lord Astor, went on to ask why the definition of data processing is so wide. He asked why it is not defined by reference to the data subject, as in the 1984 Act. The answer is that according to the directive to which we are giving effect it cannot be so limited. The noble Viscount raised concerns about insufficient protection for intellectual property. He will see that under Clause 8(5) trade secrets are a reason for refusing to give the information to which he referred.
The noble Viscount was also anxious about whether the provision could be used as a base to obtain information which would enable the commission of crime such as fraud. Clause 28(4) gives the Secretary of State the power to grant exemptions in order to avoid the commission of crime and to assist in its detection. That provision could be used if such a problem arose.
The noble Viscount described the Bill as being too prescriptive. In order to avoid a proper debate, he sensibly gave no examples. Unlike the Human Rights Bill, the Data Protection Bill tries to lay down a detailed code. It must do so under the terms of the directive. That is an appropriate and sensible way of dealing with the Bill without saying that it cannot be improved without sensible amendments. On the other hand, the Human Rights Bill intends to lay down general principles. It is more sensible that that aim is achieved in a shorter, less detailed Bill. It attempts to inform the whole of our law with a series of principles rather than seeking to lay down a code which particular individuals can use in order to protect themselves in relation to personal data and its use.
Perhaps I may move from the, "it's too heavy" line, used by the noble Viscount, Lord Astor, to the, "there are too many exemptions" line, adopted by a number of other noble Lords. The noble Lord, Lord Wakeham, eloquently expressed the "sensibleness" of press exemption. No one could have expressed the arguments in favour more eloquently. The only criticism that has been made during the debate came from my noble friend Lady Turner who expressed concern about the public interest exemption. Without wearying your Lordships with reference to detail, perhaps I may indicate the requirements of the clause before the exemption applies. Three rules must be complied with. First, the processing must be undertaken for journalistic, literary or artistic material. Secondly, the person undertaking the processing must reasonably believe, having regard in particular to the special importance of freedom of expression, that publication would be in the public interest. Thirdly, he must reasonably believe that in all the circumstances compliance with the provision in question is incompatible with journalism. I draw attention to the phrase "reasonably believe, having regard to the special importance of freedom of expression". In my view, in such circumstances "public interest" does not mean that the public are interested. It means something wider than that; namely, that there is a public interest having regard to the special importance of freedom of expression, but in relation to a particular story the press should be free to express it. I hope that that explanation goes some way to allay my noble friend's fears.
Three other issues were referred to. First, enforced subject access means someone compelling someone else to use his rights in order to obtain information pursuant to his rights under the data protection provisions. The Data Protection Registrar has indicated that she believes such an activity to be extremely bad. The Government, in their White Paper, stated that they would do something about that because they, too, believed it to be bad. Provision is not yet in the Bill, but we have indicated that we will bring forward amendments to do so.
Secondly, there is nothing in the Bill to deal with data matching. I emphasise that the first data protection principle provided in the Bill is that data should be used fairly and lawfully. We believe that that will deal with data matching to a large extent. Moreover, whenever data matching has been permitted it has been explicitly by statute. Although we shall give anxious consideration as to whether anything else needs to be done in relation to data matching, we believe that to a large extent the matter is dealt with under the existing Act.
Finally, it was said that close circuit TV was not dealt with in the Bill. We do not believe that it is necessary to do so. It is a form of data processing which in certain circumstances will contain personal data on individuals. In those circumstances, it is covered by the Bill.
Important points that we must consider were made about the insurance industry and the extent to which the Bill could be used to deal with or perpetuate insurance fraud. It is difficult to believe that anyone would regard it as possible or sensible to enter into an insurance policy as the insured, but at the same time refuse consent in any meaningful way to the investigation of an insurance claim. I believe that everyone will agree that if a claim is made under a policy the insurer is entitled to investigate it. Moreover, such a requirement is on the face of most insurance policies. No sensible person would regard that as an unfair or unreasonable consent to give. However, the appropriate course to take in relation to those questions about insurance is that we shall consider them and write to noble Lords.
There is a difference in relation to employees who give consent to their details being given to countries which do not have the same data protection rules as we do. That will require further consideration, but one can see that in those circumstances one would more readily give an unreal consent than one would in relation to an insurance policy. However, perhaps I may make arrangements for a letter to be written to deal with that point.
I hope that I have dealt with the main and important points in relation to the Bill. The introduction to Parliament of the Data Protection Bill can be regarded as the beginning of the end of a very long process. That process started as long ago as 1990 when the Data Protection Directive was first brought forward by the European Commission. There followed a long period of negotiations leading to the adoption of the directive by the member states of the European Parliament on 24th October 1995. The subsequent period has been taken up by consultation about the implementation of the directive within the United Kingdom and preparation, in the light of responses to that consultation, of the Bill which your Lordships have before you.
Although this whole process may be drawing to an end, we have a long way to go yet. In some senses, getting the Bill through Parliament is only the first stage. Even when the Bill is passed, as I hope it will be, much will remain to be done. It has been pointed out that the Bill provides a large number of powers to be made in subordinate legislation. Much of that will need to be in place before we have a new coherent data protection regime.
We also need to ensure that all those affected by the Bill understand its effects for them. Data subjects will need to know what are their new rights and data controllers will need to know what are their new responsibilities. That suggests the need for guidance of some kind.
Each year in her annual report the Data Protection Registrar includes some information about awareness of the Data Protection Act 1984 by data users and subjects. Her most recent report for 1997 stated, if I have read it properly, that awareness of the legislation increased to its highest level in the period covered by the report. That is a very welcome finding. We must ensure that when the Bill becomes law, we build on the already high awareness of the 1984 Act and make sure that all those affected become aware of their new responsibilities and rights under the Bill. In that way, we shall have taken an important step towards ensuring that as we venture further into the information age, we do so within an effective legislative framework for the protection of information about you and me and all our citizens which will last well into the 21st century.
§ Lord Williams of Mostyn
My Lords, I beg to move that the Bill be committed to a Grand Committee.
Moved, That the Bill be committed to a Grand Committee.—(Lord Williams of Mostyn.)
§ On Question, Motion agreed to.