You are here: Parliament home page > Parliamentary business > Publications and Records > Committee Publications > All Select Committee Publications > Commons Select Committees > Work and Pensions > Work and Pensions
Select Committee on Work and Pensions Written Evidence

Memorandum submitted by Information Commissioner (CS 14)

INTRODUCTION

  The Information Commissioner is an independent officer appointed by Her Majesty the Queen. He reports directly to Parliament. The Commissioner is responsible for promoting and enforcing the Data Protection Act 1998, the Freedom of Information Act 2000 and associated Regulations.

DATA PROTECTION ACT 1998

  The Act was put in place to regulate the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.

  The Act has two main elements:

RIGHTS FOR INDIVIDUALS WHO ARE THE SUBJECT OF PERSONAL INFORMATION

  These include:

    —  A right of access to personal information

    —  A right to have inaccurate records corrected or erased

    —  A right to prevent the processing of personal information where this is likely to cause damage or distress

    —  A right to seek compensation for any breach of the Act.

RESPONSIBILITIES FOR THOSE PROCESSING PERSONAL INFORMATION

  Those processing information about individuals must comply with the eight Data Protection Principles. These are enforceable rules of good practice that form the backbone of the data protection law. They require that personal information shall be:

    —  processed fairly and lawfully, and only where certain conditions are met

    —  obtained for specified and lawful purposes and not processed for incompatible purposes

    —  adequate, relevant and not excessive.

    —  accurate and up to date

    —  not kept for longer than is necessary

    —  processed in accordance with individuals' rights

    —  protected by appropriate security

    —  not transferred overseas unless there is adequacy of protection

  The Information Commissioner can initiate enforcement action where he finds that the Data Protection Principles are not being complied with.

SCOPE

  The Act applies to personal information that is computerised or which is held in certain structured manual filing systems. The full implementation of the Freedom of Information Act 2000 on 1 January 2005 will amend the Data Protection Act 1998, extending its scope to include all personal information held by public authorities, regardless of its structure. It is clear that the records the Child Support Agency holds about its clients, and about other individuals associated with its clients, will generally fall within the scope of the Data Protection Act 1998.

SHARING PERSONAL DATA BETWEEN GOVERNMENT DEPARTMENTS AND AGENCIES

  It is worth noting that the UK's data protection law is a transposition of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. A primary purpose of the Directive is to safeguard the individual's right to privacy in the face of increasingly prevalent and sophisticated data-processing systems. Data protection law was developed as a response to a fear that state institutions, in particular, would know too much about individuals, and that the increasing collection and sharing of personal information would lead to an unacceptable erosion of the individual's right to privacy.

  Data Protection law does not necessarily prevent organisations sharing or disclosing personal information. It does, though, regulate how this can take place. In terms of data protection law, a disclosure of personal data can be made so long as it is appropriately notified under the Act, and provided that the Data Protection Principles are complied with. The First Principle's requirement of fairness and lawfulness in the processing of personal data is particularly relevant here. The First Principle's requirement of fairness will always be satisfied where personal information is obtained from a person who is authorised or required by law to supply it. This illustrates the need for bodies such as the Child Support Agency to understand their own statutory powers and, in particular, the interface between data protection and other elements of the law. Where an organisation has an express legal power to obtain, share or disclose personal information, the Data Protection Act 1998 will not prevent this. Indeed, as we explain below, there is a specific exemption from the parts of the Act that prevent the disclosure of personal information where the disclosure is required by law.

  The Data Protection Act 1998 provides a general framework regulating the obtaining, holding, use and disclosure of personal information. However, other elements of the law will have a bearing on how, or whether, bodies such as the Child Support Agency can use or share personal information. These include:

    —  The law that governs the actions of public bodies (administrative law);

    —  The Human Rights Act 1998 and the European Convention on Human Rights (ECHR);

    —  The common law tort of breach of confidence; and

    —  European Union Law.

  In assessing the extent to which personal data can be exchanged between government departments and agencies, there needs to be an understanding of all the relevant law, not just data protection law.

CHILD SUPPORT AGENCY AND INFORMATION SHARING

  Section 35 of the Data Protection Act exempts the disclosure of personal information from its non-disclosure provisions where there is a statutory requirement to disclose. In practice, this means that where the Child Support Agency has the power to order a disclosure of personal information from another organisation, that organisation must make the disclosure and will not breach the Data Protection Act's non-disclosure provisions in doing so. Thus the Data Protection Act 1998 is not a barrier to the disclosure of personal information where there is a statutory basis for this.

  The Child Support Agency has extensive statutory powers that it can use to require organisations, including government departments and agencies, to disclose personal data where this is necessary for it to carry out its statutory duties. For example, the Child Support (Information, Evidence and Disclosure) Regulations 1992 give the Child Support Agency wide ranging powers to require the provision of certain information from, amongst others, "relevant parties", their employers and local authorities.

  As another example, the Child Support Act 1991 makes provision for the obtaining and use of information. Section 14(2) states that:-

        "where the Secretary of State has in his possession any information acquired by him in connection with his functions under any benefit act he may make use of that information for the purposes of this Act"

  Section 15 of the same Act gives "Child Support Inspectors" substantial powers of examination and enquiry as well as the authority to receive information from specified individuals.

  In addition, Schedule 2 of the Child Support Act 1991 provides that:

        "no obligation as to secrecy imposed by statute or otherwise on a person employed in relation to the Inland Revenue should prevent any information obtained or held in connection with the assessment or collection of income tax being disclosed to the Secretary of State . . . the Inland Revenue may release information to the Child Support Agency for the purpose of tracing the current address of, or the current employer of, an absent parent"

  These are examples of the extensive legal powers that the Child Support Agency can rely on to obtain personal data in order to carry out its statutory responsibilities.

SUMMARY

  It is important to remember that the Data Protection Act 1998 is not the only piece of legislation that has a bearing on the way the Child Support Agency obtains information. The Data Protection Act 1998 does not exist in isolation, it sits alongside all the other laws of the land. Where a particular law requires the disclosure of personal information, the Data Protection Act 1998 will not prevent this. However, where the obtaining of personal information is unfair or unlawful, or where an organisation exceeds its statutory information gathering powers in requiring the disclosure of information, the Information Commissioner can use his powers to act against that organisation.

  In considering the extent to which personal data can be exchanged between government departments and agencies, it is essential to consider the general legal framework governing a public body's powers to collect, use and share personal information. The exchange of personal data between government departments does not only depend on the provisions of the Data Protection Act 1998.

  The Information Commissioner is committed to working with the Child Support Agency to ensure that it understands how the Data Protection Act 1998 affects its activities. He also encourages the Child Support Agency to develop a full understanding of the statutory information gathering powers it currently enjoys. The joint objective for the Information Commissioner and the Child Support Agency should be to ensure that the Child Support Agency can use properly the powers that Parliament has given it, whilst ensuring the rules of data protection are obeyed in order to respect the right to privacy of those the Child Support Agency keeps records about.

Information Commissioner

October 2004



 
previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index
© Parliamentary copyright 2005
Prepared 26 January 2005