House of Commons Hansard Debates for 2 Jul 1998 (pt 24)

'(13) The relevant Commissioner may--
(a) investigate any procedure which relates to--
(i) the processing of personal data for the purpose of safeguarding national security,

2 Jul 1998 : Column 583

(ii) the application of an exemption which is required for the purpose of safeguarding national security, or
(iii) the signing of a certificate under this section,
(b) make any recommendation which relates to--
(i) an investigation under paragraph (a) of this subsection, or
(ii) safeguarding the interests of data subjects, and
(c) if appropriate--
(i) raise any matter which relates to an investigation in an annual report, or in any other report to the Prime Minister, or
(ii) liaise with the Data Protection Commissioner or another relevant Commissioner on matters which relate to an investigation.
(14) The Data Protection Commissioner may raise with a relevant Commissioner any matter which relates to the processing of personal data for the purpose of safeguarding national security.
(15) In this section, the "relevant Commissioner" means the Commissioner appointed by virtue of--
(a) section 4 of the Security Service Act 1989,
(b) section 8 of the Intelligence Services Act 1994,
(c) section 91 of the Police Act 1997, or
(d) section 8 of the Interception of Communications Act 1985.'.

The idea of the amendment is to introduce some element of accountability to the processing of personal data for the purposes of national security. I find it strange, to say the least, that, in certain respects, the Government are offering more privacy protection to members of the mafia and terrorists under investigation by the security services than they are to ordinary law-abiding members of the public--for instance, a data subject who is being positively vetted.

What is more, I am concerned that the Data Protection Act 1984 is being watered down. That Act placed a duty on the security services, by virtue of section 2(2), to comply with the data protection principles. That duty has been removed by this Bill; an exemption under clause 28(1)(a) removes the obligation to comply with the principles.

Under section 27 of the Data Protection Act 1984, personal data held for safeguarding national security are exempt only from the enforcement regime, registration and rights of data subjects. That means that GCHQ and MI5 and MI6 had a legal duty to apply the data protection principles, even though there was no way for the data protection registrar to test whether the duty was complied with. The 1984 Act therefore places those organisations under a moral duty to comply with the principles, but, under the provisions of clause 28, they are permitted to process personal data insecurely, disclose personal data to unauthorised persons, and even sell it to newspapers by virtue of the exemption from clause 55(4).

It may seem a flippant question, but I ask the Minister whether the fees raised by the sale of such unlawfully procured personal data will go into the Consolidated Fund, and how much revenue he expects to be raised in the next financial year.

The Minister might say that MI5, MI6 and GCHQ will not sell unlawfully procured personal data. If that is his argument, why is the exemption in clause 28(1)(c) so wide as to include exemption from clause 55(4), which makes the selling of such personal data an offence? That shows how unnecessarily wide the exemption is with respect to safeguarding national security. Selling misinformation to

2 Jul 1998 : Column 584

the newspapers about politicians and perhaps even about the Government will be perfectly lawful for the security services.

In support of my amendment, I draw the attention of the House to some of the differences between warrants and certificates under the Bill. In respect of warrants signed by the Secretary of State--for example, for the interception of communications, or burglary--there is a safeguard, in that such a warrant is signed and validated for six months at a time. By contrast, under the provisions of the Bill, a certificate lasts for ever and is never reviewed.

I note that for warrants under the Interception of Communications Act 1985, there is an obligation under section 6(3) of that Act to discard irrelevant personal information that has been intercepted. Under the Bill, however, the negation of the third and fifth data protection principles means that irrelevant personal data obtained by means of a certificate can be kept indefinitely.

The previous Government gave the security services a new role--to assist the police in dealing with serious crime. The obligations of the police in respect of data protection compliance are apparently not to be required of the security services. The Minister should explain why he has come to that conclusion.

The Government seem to be ignoring the advice of the Data Protection Registrar, who asserts in her document "Our Answers":

"The extension of the role of the Security Service into areas of traditional policing should not carry with it an extension of the exemptions provided by section 27"--

the section of the 1984 Act that deals with national security.

There is a significant risk that improper processing of personal data--for example, data obtained by what may be regarded in other circumstances as unlawful means--relating to a serious crime suspect, would not be subject to any data protection rules at all. Such processing can be undertaken by the security services. That could jeopardise the quality of evidence before a court and the subsequent trust placed in it by a jury. If data protection is so thoroughly disregarded, there is a possibility that some serious criminals will not be convicted.

My amendment would go some way towards introducing a smidgen of accountability into the way that the security services process data. It would use the expertise of the commissioners established by section 4 of the Security Services Act 1989, section 8 of the Intelligence Services Act 1994, section 91 of the Police Act 1997 and section 8 of the Interception of Communications Act 1985.

It would be the duty of those commissioners to examine procedures with respect to data protection. They would have powers to investigate any procedure relating to the processing of personal data for the purpose of safeguarding national security; the application of an exemption that is required for the purpose of safeguarding national security; and the signing of a certificate by a Cabinet Minister. The relevant commissioner could make any recommendation relating to that investigation, and make recommendations that were needed to safeguard the interests of data subjects. The proposals in my amendment are no different from the current duties associated with warrants.

2 Jul 1998 : Column 585

The amendment would permit the commissioner, if appropriate, to raise any matter that relates to an investigation in an annual report, or in any other report, to the Prime Minister, and to communicate with the Data Protection Commissioner or any other relevant commissioner. That is a pretty moderate amendment.

On 1 June the Under-Secretary of State for the Home Department, my hon. Friend the Member for Knowsley, North and Sefton, East (Mr. Howarth) replied to me that the Government

"have decided not to depart from the existing policy that the Security Service should not register any of the personal data they hold under the Data Protection Act 1984."

He went on to say:

"I understand similar considerations also apply to the Secret Intelligence Service and GCHQ."--[Official Report, 1 June 1998; Vol. 313, c. 52.]

However, it is a departure from data protection policy when the security services take on a traditional policing role, and that is against the advice of the Data Protection Registrar. I believe that it is an unwise decision. At the very least, the Minister should explain it to the House.

7.45 pm

Mr. Richard Allan (Sheffield, Hallam): We have some sympathy with the spirit of the amendment. My noble Friends in another place also tabled amendments on the issue of the security services exemption, because we are concerned about any blanket exemption, where there is no specific justification for exempting data from the data protection principles. The thrust of the Bill derives from European conferences and conversations in which the Parliamentary Secretary, Lord Chancellor's Department was deeply involved, and which reflected, to some extent, the experiences of the residents of the former East Germany, who had good reason to be suspicious of the way in which their security services held data.

We have been extremely fortunate in this country, in that--apart from the odd rumour that is kicking around--our security services have not generally been held responsible for holding damaging personal data. However, one could argue that the security services hold the most damaging data about individuals. They could leak information about someone, perhaps accusing him of heinous crimes such as being a member of CND or--dare I say it--a socialist. Rumours have circulated only recently that the security services hold information and files on people as prestigious as members of the current Government, and that such information was potentially leakable and potentially damaging.

We applaud the spirit of the amendment, which seeks to ensure that there is some oversight of security services data and that the buck stops with someone who is accountable under the legislation. We look forward to hearing from the Minister how the Bill would cope if damaging, sensitive personal data were revealed and were traced back to a security services source. If a person sought redress for that, we would be interested to hear what channels would be available to him, and how the issue would be resolved.

Next Section

Index

Home Page