Second Standing Committee
on Delegated Legislation
Wednesday 30 October 2002
[Mrs. Marion Roe in the Chair]
Draft Data Protection
(Processing of Sensitive Personal Data)
(Elected Representatives) Order 2002
The Parliamentary Secretary, Lord Chancellor's Department (Yvette Cooper): I beg to move,
That the Committee has considered the draft Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002.
Welcome to the Chair of the Committee, Mrs. Roe.
The draft order deals with a problem arising from the Data Protection Act 1998 that affects elected representatives in their work on behalf of constituents. It has been drawn up in response to a problem that was brought to the Government's attention by my hon. Friend the Member for Cunninghame, South (Mr. Donohoe), who raised his concern during an Adjournment debate. That concern was echoed by other hon. Members on both sides of the House, and the Government are responding.
The Data Protection Act is an important piece of legislation. Its function is to protect individuals' information privacy. In a world in which personal information is a key commodity that can be collected and passed around by ever more sophisticated technological means, it provides increasingly important reassurance for people. Personal data are stored on computer by many organisations: the Data Protection Act does not prevent that information from being collected, stored or disclosed, but sets the rules by which those who do the collecting, storing or disclosing - the processing - must abide.
The rules are not arbitrary. They follow a model established in international law for more than 20 years, which has most recently been endorsed in the 1995 EC data protection directive. Like our European Union partners, the United Kingdom is bound by the directive's requirements. In applying the data protection rules within the constraints imposed by the directive, the Government's aim is to establish the correct balance between the individual's right to have their personal information privacy properly protected and the need of organisations to process that information to provide the services that we all desire and on which our society depends.
As I recall, the problem that my hon. Friend the Member for Cunninghame, South put to the Government was as follows. One of his constituents, who was in prison, asked for assistance to attend the funeral of a relative. When my hon. Friend contacted the prison, he was told that it could not provide any information without his constituent's explicit consent - despite the fact that the constituent had contacted his Member of Parliament requesting assistance. Delay in obtaining confirmation of explicit consent resulted in its being too late for him to attend the funeral.
Other hon. Members have complained that the Act requires them, when dealing with matters raised by their constituents, to return to their constituents to obtain explicit consent before they are able to pass personal data that were given to them by their constituents to the Government Department or organisation that can take the case forward.
Mr. Nick Hawkins (Surrey Heath): I strongly agree with the Minister's comments. She said that a number of hon. Members of all parties played a part in the campaign that has led to the draft order being laid. Does she agree that my hon. Friend the Member for West Worcestershire (Sir Michael Spicer), on behalf of the Opposition in his role as chairman of the 1922 Committee, and my hon. Friend the Member for Rayleigh (Mr. Francois) both played a specific part alongside the hon. Member for Cunninghame, South in drawing the matter to the Government's attention?
Yvette Cooper: I pay tribute to hon. Members on both sides of the House for raising the issue and pointing out the importance of being able to operate as effective representatives on behalf of their constituents. Members of Parliament are keen to do a good job for their constituents, and we are concerned about issues that might impede their providing that service to their constituents. The draft order therefore deals with the problem that several hon. Members have raised.
It is important to recognise that the Data Protection Act, like the directive, distinguishes two sorts of personal data: sensitive data and non-sensitive data. Sensitive data comprise information about race, political opinions, religious beliefs, trade union membership, health, sex life and criminal activity. All other data are treated as non-sensitive for the purposes of the Act.
The Information Commissioner has responsibility for enforcing the Data Protection Act. We discussed hon. Members' concerns with the then commissioner, Elizabeth France, who made it clear that she did not perceive a problem with non-sensitive data. It was her view that in cases involving such data, the Data Protection Act does not require the consent of the individual concerned to be sought specifically in the circumstances that hon. Members had described. A statement that an MP is acting on behalf of a constituent should be sufficient for an organisation to satisfy itself that it can disclose the information - provided, of course, that it does not face other bars or obstacles to disclosure.
Mr. Hawkins: I do not want to delay the Minister unduly, but in the light of the helpful statement that she has just relayed from the then Information Commissioner, it might be helpful if, following the successful implementation of the order, she wrote to all hon. Members, since they are likely at some stage to come across cases in respect of which the Information Commissioner's ruling would be helpful.
Yvette Cooper: I shall certainly take up that helpful suggestion. I shall hold discussions with the incoming Information Commissioner, and it might be helpful to send round a letter from him, so I shall ask him how best to do that. I agree with the hon. Gentleman that many hon. Members will want a clearer understanding of what difference the order makes and of the commissioner's view.
When we first discussed the issue, the then Information Commissioner said that she would take a robust line on non-sensitive data. Similarly, she said that disclosure of non-sensitive personal data by a Member of Parliament - for example in writing to a Minister about a concern that had been raised - was unlikely to be a breach of the Act. However, in her view, different considerations applied to sensitive personal data.
As required by the directive, the Data Protection Act permits sensitive data to be processed if one of a certain number of criteria applies. In practice, the only criterion that is likely to be relevant in the circumstances about which hon. Members are worried is that the constituent has given his or her explicit consent to the processing. If a constituent asks an hon. Member to take up a matter that involves sensitive personal data - perhaps it deals with religious or health matters - and the constituent has not expressly consented to the data being disclosed or otherwise processed, the hon. Member must go back to the constituent to seek explicit consent. In other words, if someone contacts an MP with a problem of which sensitive data forms a part and does not give consent for the MP to pass on that information to the organisation that may be responsible for, or the only route to, solving the problem, issues may arise under the Data Protection Act.
That is not an efficient way in which to proceed. It causes additional bureaucracy, impedes the work of MPs on behalf of their constituents, and can be confusing to constituents who have written to their MP expecting him or her to take action. Sometimes the answer will be obvious: constituents have worded letters to their MP in a way that makes clear their consent to the information being passed on to others, or the MP may be requested to contact a particular organisation on the constituent's behalf. Sometimes it will not be obvious: an MP may receive only a message on an answering machine, or something may be raised as a matter of urgency and it could be difficult in the time allowed to seek explicit consent. Sometimes it is possible to get written consent from someone to release their medical records to an MP, and sometimes that is essential to get the answer that is needed, but sometimes, in areas that are covered by the Data Protection Act, that can slow the process down.
The draft order sets out additional circumstances in which sensitive personal data may be processed without an individual's explicit consent. We consulted the Information Commissioner on it. The directive permits member states to make such provision, provided it is in the substantial public interest to do so and subject to the provision of suitable safeguards. In the Government's view, permitting the efficient and effective discharge of elected representatives' business is in the substantial public interest. The safeguards are set out in the draft order.
The draft order is limited. It permits the processing of sensitive personal data in certain circumstances, but the data protection principles still apply - the processing must still be fair and lawful and in accordance with the other data protection principles. The draft order affects only the restrictions provided by the Data Protection Act. It does not apply where there are other legal obligations on organisations and bodies not to disclose information, or where a duty of confidence applies to the information - for example, in the national health service, most medical information is held under a duty of confidence, and that duty is in addition to the Data Protection Act. The draft order would not in any way undermine the duty of confidence.
The considerations set out in the schedule to the draft order apply not only to Members of Parliament, but to all elected representatives. Paragraph 1 makes it clear that the provisions apply to Members of Parliament, United Kingdom Members of the European Parliament, Members of the devolved Administrations and members of all tiers of local government. I will take the Committee through the main operative provisions of the draft order.
Paragraph 1 of the schedule defines "elected representative". Paragraph 2 makes provision for those elected representatives whose status as such ceases before an election to continue to benefit from the provisions until four days after the election. It relates to the period during an election campaign when Members stop being elected representatives. If a Member were trying to solve an urgent case that a constituent had raised, it would not be fair to that constituent if the crucial information were to be withheld suddenly simply because the date for the general election had been set. No provision is needed for those elected representatives who are not mentioned in paragraph 2 because, by law, they continue to retain their status until a period after the election.
Paragraph 3 is the first of the substantive provisions. It deals with the sensitive personal data of people who have themselves approached their elected representatives. It allows elected representatives to receive, hold and disclose their constituents' sensitive personal data without consent, subject to the following safeguards: the processing must be carried out "pursuant to a request" from the individual to take action on their behalf; the processing must be necessary for the action taken by the elected representative; and the action must be reasonable.
Paragraph 4 deals with the processing by elected representatives of the sensitive personal data of third parties: for example, if somebody is ill and a relative contacts an MP or councillor on their behalf, similar safeguards to those in paragraph 3 apply. However, there are particular risks associated with the processing of information relating to a person who has not been involved in the contact or the discussions, so there is an additional safeguard. In such circumstances, the processing may take place only when it is necessary for one of the following four reasons: first, the third party involved cannot give explicit consent; secondly, the elected representative "cannot reasonably be expected to obtain" the third party's explicit consent; thirdly, seeking the third party's explicit consent would "prejudice the action taken by the elected representative"; and, fourthly, the processing is necessary in somebody else's interest and explicit consent has been "unreasonably withheld" by the third party.
Paragraphs 5 and 6 cover situations in which elected representatives seek sensitive personal data from other organisations. Paragraph 5 allows such organisations to disclose sensitive personal data in response to communications from elected representatives who are acting at the request of a constituent. There are two further safeguards: the sensitive personal data must be relevant to the subject matter of the communication from the elected representative; and the disclosure must be necessary for the purpose of responding to the communication. That means that if I write to my councillor to complain about the dustbins, they cannot then contact any organisation to find out any personal data about me - it must be relevant to the issue that I have raised. Paragraph 6 allows data controllers to disclose the sensitive personal data of third parties to elected representatives, subject to safeguards similar to those in paragraph 5 and to the additional safeguards for third parties.
The draft order is designed to acknowledge the importance of consent and of ensuring privacy and proper data protection. No matter what the organisation or who the elected representative, constituent or affected third party, it is important that people's privacy and personal information can be protected and that we recognise the importance of consent. When people contact their elected representative wanting something to be done, they are asking for assistance and expect that the elected representative will be able to respond effectively and efficiently to their concerns.
The draft order represents a proportionate and effective response to a tricky problem. However, I must add two caveats. First, the order deals only with the problem caused by the Data Protection Act: it cannot and does not lift any other legal restriction on the disclosure of personal data, such as that under the law of confidence. Secondly, it merely permits the processing of sensitive personal data without explicit consent: it does not prevent elected representatives or organisations from deciding that they need to seek consent first, nor does it prevent organisations from being bound by other legal obligations. It does allow organisations to continue to insist on explicit consent where it is appropriate to do so.
This is a complicated issue and elected representatives find themselves in an unusual situation. We must continue properly to protect the personal data of our constituents, especially those data that are widely regarded as the most sensitive, and we must ensure that constituents are properly represented and that their interests are properly served. Of course, we must ensure that we pay proper regard to the need to comply with our obligations not only under the data protection directive, but under the Human Rights Act 1998 and the European convention on human rights. The draft order strikes a proper balance between the competing interests, and I commend it to the Committee.