§ Mr. Proctorasked the Secretary of State for the Home Department whether the Government propose to introduce legislation to safeguard personal information handled automatically; and if he will make a statement.
§ Mr. WhitelawThe Government have decided in principle to introduce legislation for this purpose when an opportunity offers.
The Government are satisfied that developments in information technology make it desirable to provide statutory protection for personal information handled automatically. In reaching this conclusion the Government have had regard to developments internationally and in particular to the guidelines on this subject adopted last autumn by the Organisation for Economic Co-operation and Development and to the convention concluded by the Council of Europe. The legislation will enable the United Kingdom to endorse the OECD guidelines and to ratify this convention. In the meantime, the Government propose to sign the convention at an early date.
The Government accept as a starting point the principles formulated by the Younger committee in its report on privacy—Cmnd. 5012, paras 592–599. Our intention is that the legislation should incorporate and so far as possible give effect to these principles. Consultations following the publication of the report of the 162W Data Protection Committee under the chairmanship of Sir Norman Lindop, Cmnd. 7341, showed broad acceptance of the need for some statutory control but less agreement about the machinery. One of the Government's objectives will be that our arrangements should keep costs down for the private sector and should contain those for the public sector within existing planned totals. We do not therefore propose to set up an independent data protection authority. Another objective will be that the arrangements should be sufficiently flexible to allow for differences between automatic processing methods, the purposes of data systems and the information they contain.
The basis of our proposals will be the establishment of a public register. This will be built up in stages. Users of systems which handle personal information automatically will be required to register and to comply with various other requirements.
The intention is that registration should require, as a minimum, a description of the system and the purposes for which it is used and publication of the code of practice followed by the user. Provision will be made to ensure that adequate security arrangements are observed. There will also be provision for securing access to information by data subjects as appropriate. There will be full consultation with trade associations and other bodies about the progressive implementation of the requirement to register. The legislation will also provide for appropriate sanctions to ensure compliance with these requirements.