Third Standing Committee on Delegated Legislation
Thursday 10 February 2000
[Mr. Nicholas Winterton in the Chair]
Draft Data Protection (Subject Access Modification) (Social Work) Order 2000
Draft Data Protection (Subject Access Modification) (Health) Order 2000
Draft Data Protection (Subject Access Modification) (Education) Order 2000
Draft Data Protection (Processing of Sensitive Personal Data) Order 2000
Draft Data Protection (Miscellaneous Subject Access Exemptions) Order 2000
Draft Data Protection (Designated Codes of Practice) Order 2000
Draft Data Protection (Crown Appointments) Order 2000
The Parliamentary Under-Secretary of State for the Home Department (Mr. Mike O'Brien): I beg to move,
That the Committee has considered the draft Data Protection (Subject Access Modification) (Social Work) Order 2000.
The Chairman: With this, we may consider the draft Data Protection (Subject Access Modification) (Health) Order 2000, the draft Data Protection (Subject Access Modification) (Education) Order 2000, the draft Data Protection (Processing of Sensitive Personal Data) Order 2000, the draft Data Protection (Miscellaneous Subject Access Exemptions) Order 2000, the draft Data Protection (Designated Codes of Practice) Order 2000 and the draft Data Protection (Crown Appointments) Order 2000.
Mr. O'Brien: The Data Protection Act 1998 creates a new regime for protecting personal data which applies throughout the United Kingdom. Together with 10 statutory instruments subject to negative resolution that were laid before the House earlier this week, these orders complete that regime. They will come into force on 1 March. The new legislation will discharge the United Kingdom's obligation to implement the 1995 EC data protection directive.
The orders do different things, but broadly, they all modify or complement substantive provisions in the Act.
A key provision of any data protection regime is the right of individuals to have access to personal data held on them. Like the Data Protection Act 1984, which it replaces, the 1998 Act establishes that right. Sometimes, however, there will be a need to restrict it. A number of exemptions were set out in the Act. Five of the orders, those dealing with health, social work, education, miscellaneous subjects and Crown appointments, introduce further modifications. With the exception of the last, all are broadly similar, albeit not identical, to existing provision.
The main thrust of the health, social work and education orders is to modify the right of subject access to health, social work or education records, where necessary, to prevent serious harm to the individual concerned or to another person. The health order requires data controllers who are not health professionals to consult a health professional before granting or withholding such access. The health professional should normally have responsibility for the individual; he may be that person's doctor or dentist. All three orders make other provisions, including the exemption of court reports from subject access, and fulfil the Act's requirement for individuals to be given certain information about the processing of their data.
The miscellaneous order also mirrors existing provision. It provides subject access exemptions for certain information, the disclosure of which is prohibited or restricted by specific statutes. For example, the Human Fertilisation and Embryology Act 1990 places restrictions on the circumstances in which individuals, especially children, may be told whether they were conceived as a result of treatment under that Act. Without the order, subject access right under the 1998 Act would override those restrictions. The provisions ensure that Parliament's original intentions are carried out.
The Crown appointments order makes new provision. It includes exemptions from subject access and the right for individuals to be informed about data processed for assessing their suitability for the appointments specified in the order. The exemptions are needed because the records would typically include communications involving Her Majesty the Queen.
The 1998 Act's mainspring is the requirement for data controllers to comply with the data protection principles, which are set out in a code of practice on good personal data handling. The first data protection principle is a requirement for the processing of personal data to be fair and lawful. The sensitive personal data order relates to that principle.
For the purposes of the 1998 Act, sensitive data comprise information about a person's race, political or religious views, trade union membership, health, sex life or criminal history if appropriate. The processing of such data will be lawful, as required under the first data protection principle, only where an express gateway exists. Schedule 3 to the 1998 Act establishes nine gateways and allows more to be set by order. The sensitive personal data order specifies a further 10 gateways, or access points. As required under the directive, only processing that is in the substantial public interest is permitted. As also required under the directive, safeguards are included, often in the form of a requirement to seek consent where possible.
I could briefly explain each article of that order if the Committee wished; but, if not, I should like to make a general point. I know that the insurance sector, and possibly others, is concerned about being able to process sensitive data on members of groups without having to seek the consent of each individual. An example might be insurance for a group holiday. It is the Government's view that it is possible to rely on the ordinary law of agency. The person who books acts as an agent for the group and, therefore, is able to provide the information. In other words, the organiser can consent as the agent for the other members of the group. Similarly, the requirement to provide information to data subjects can be discharged through the agent. Therefore, it is not necessary for each person to consent separately if the group wants one of its members to arrange insurance. The law of agency will apply, and I shall happily explain that issue further if members of the Committee want me to do so.
The designated codes of practice order designates five media codes of practice. The order complements the exemption from many of the data protection rules on processing for journalistic, artistic or literary purposes provided under section 32 of the 1998 Act. Regard may be had to compliance with the codes designated in the order in determining whether the components of the exemption are met. However, since we started consulting on the order, the Press Complaints Commission has published a revised code of practice on 20 January.
The order refers to the previous code and several other codes, but not to the revised code.
Consultation is required, including consultation with the Data Protection Registrar. Therefore, rather than dispense with the current order because of the publication of a new code, we shall proceed with it as it refers to more than one code; indeed, it refers to five. A reference to four codes would then be in place. In due course, we shall need to make small amendments and introduce another order so that the 20 January code is included in the provisions.
Mr. Oliver Heald (North-East Hertfordshire): The Press Complaints Commission code was mentioned in the other place, and I wish to ask the Under-Secretary about that. Unlike the four codes that he mentioned, the PCC code does not have a statutory basis. It is a voluntary code produced by an industry body, so is an instrument for self-regulation.
In such circumstances, will the Under-Secretary confirm that the Government has no real control over the contents of the code? What would happen if the Government were not satisfied with a future PCC code? For example, what would happen if they did not agree with the revised code but it was not included in the order? Would it be necessary to change the law?
Mr. O'Brien: We would not designate a code if we did not accept it. Therefore the position would remain as it is at present. However, the existing law would refer to a code no longer applied by the PCC, which would be unsatisfactory for it and us. Consequently, agreement would have to be reached through discussion.
As hon. Members know, the PCC's position has been debated for several years. It would want to ensure that it did not provoke an unnecessary confrontation with Government that put the industry on a collision course with the law and the data protection principles.
The hon. Gentleman is right to say that we cannot de jure stop a code with which we do not agree. De facto, however, we can in practice. I trust that that answers the hon. Gentleman's question.
Mr. Heald rose-
The Chairman: More briefly this time.
Mr. Heald: Yes, Mr. Winterton. I am grateful for your guidance.
In the other place, Lord Bassam gave an assurance that the Government would not interfere with the independent status of the PCC. Does that not conflict with the response that the Under-Secretary has just given?
Mr. O'Brien: No, it does not. Self-regulation is a process whereby an industry satisfies the public and the Government that it is capable of running its own affairs, and that involves consultation with Government and other bodies. It is under no statutory obligation to do that, but does so as a matter of practice. We do not intend to move towards statutory control of the press, but we expect it to maintain effective self-regulation. In doing that, the press wants to maintain public confidence. So there is no conflict with what was said by my noble Friend Lord Bassam in another place.
Indeed, our positions are entirely complementary and accord with our desire not to interfere with the independence of the self-regulation process. Nevertheless, the PCC knows what it has to do to maintain public confidence, and we do not have to tell it what to do.
The orders are essential to the smooth working of the regime created by the 1998 Act. They take account of points made in response to a general consultation exercise and in discussion with many concerned organisations. That process was rather prolonged, and the orders have been available for some time on the internet. The Data Protection Registrar will become the Data Protection Commissioner when the 1998 Act is implemented on 1 March and, in due course, will be called the Information Commissioner. She has been formally consulted about the orders and is content for the 1998 Act to be brought into force with them as they stand. The orders were approved in another place on 7 February, and I commend them to the Committee.