The Committee consisted of the following Members:

Baird, Vera (Parliamentary Under-Secretary of State for Constitutional Affairs)
Chaytor, Mr. David (Bury, North) (Lab)
Cohen, Harry (Leyton and Wanstead) (Lab)
Connarty, Michael (Linlithgow and East Falkirk) (Lab)
Heath, Mr. David (Somerton and Frome) (LD)
Hughes, Simon (North Southwark and Bermondsey) (LD)
Linton, Martin (Battersea) (Lab)
Moran, Margaret (Luton, South) (Lab)
Owen, Albert (Ynys Môn) (Lab)
Prentice, Mr. Gordon (Pendle) (Lab)
Shaw, Jonathan (Chatham and Aylesford) (Lab)
Vis, Dr. Rudi (Finchley and Golders Green) (Lab)
Wallace, Mr. Ben (Lancaster and Wyre) (Con)
Walter, Mr. Robert (North Dorset) (Con)
Watkinson, Angela (Upminster) (Con)
Wilson, Mr. Rob (Reading, East) (Con)
Wright, Jeremy (Rugby and Kenilworth) (Con)

Geoffrey Farrar, Committee Clerk

attended the Committee

Fifth Standing Committee on Delegated Legislation

Wednesday 5 July 2006

[Janet Anderson in the Chair]

Draft Data Protection (Processing of Sensitive Personal Data) Order 2006

2.30 pm

The Parliamentary Under-Secretary of State for Constitutional Affairs (Vera Baird): I beg to move,

That the Committee has considered the draft Data Protection (Processing of Sensitive Personal Data) Order 2006.

It is a real pleasure for me to serve under your chairpersonship, Mrs. Anderson. The order, which was laid on 13 June, will facilitate payment card issuers in processing sensitive personal data provided by law enforcement authorities on offenders who have been convicted of or cautioned for crimes relating to child abuse images where a payment card has been used to commit the offence. The sensitive personal data are, of course, that they have been convicted of or cautioned about such an offence.

The order is needed because although card issuers ordinarily have the power, based on their contracts with customers, to remove any payment card and close an account that has been used to make an illegal purchase, they have found it difficult to exercise that right without details of convictions and cautions, and some have been unsure whether they can process such data and close accounts.

That is because, under the Data Protection Act 1998, information on convictions and cautions, such as data on an individual's racial or ethnic origin, or their health, is sensitive personal data. As such, that information can be processed only if one of the conditions in schedule 3 of the Act is met.

Some card issuers can process that information already, because they have drafted the terms and conditions of their contracts to ensure that they have the explicit consent of their customers to process it, which brings them within schedule 3. However, some card issuers are not sure whether they can process that information, and it is possible that some cannot under their terms and conditions.

Consequently, the order creates a new schedule 3 condition to ensure that all card issuers can process the facts of convictions and so on for the purposes of closing down an account, or otherwise administering it.

Simon Hughes (North Southwark and Bermondsey) (LD): This is obviously important business. Will the Minister give us the best communication that she can – I am not trying to put her on the spot, but it would be helpful for this debate – of the number of convictions and cautions in recent years under the five offences listed in the order? Obviously, that will give the Committee and those who read the report of our proceedings an indication of the scale of the important issues with which we are dealing.

Vera Baird: The best information that I have, and it is not bad, is that there were 1,579 in 2004.

The measures in the 1998 Act ensure that sensitive data are processed in a manner that provides the appropriate protection for the individuals whose data are concerned. Under the power in paragraph 10 of schedule 3 to the Act, the Secretary of State can make an order to stipulate further circumstances in which the processing of sensitive personal data can take place. We have used that power here.

The Association for Payment Clearing Services, or APACS, which is the UK trade association for payments and institutions that deliver payment services to customers and which represents about 98 per cent. of card issuers, approached the Government about establishing a secure route to freeing all card issuers of all the doubt that I have mentioned and allowing them to access and process sensitive personal data for the purposes that I set out.

The Government are obviously keen to act and to provide the necessary support to the industry. There has been a cross-governmental project involving my Department, the Child Exploitation and Online Protection Centre, which was launched in April this year, law enforcement officers, specialist children's charities and the industry to approach holistically the growing problem of child abuse, focusing on these high-risk, high-impact offenders. Of course, the Home Office was also part of that.

The order facilitates the necessary data sharing and provides the necessary safeguards under the Act for APACS members to process such information when it is provided to them. I have here a small diagram that indicates that information on convictions will come from the law enforcement agencies to the CEOP and then go directly to the card issuers. The process will be supported by a memorandum of understanding to add further safeguards for the card issuers. That is how it will work.

The Information Commissioner has been asked to comment on that, and is broadly content with the nature of the order. Clearly, facilitating the removal of payment cards and closing accounts used to purchase indecent images are only small steps in tackling paedophile behaviour and protecting children, but any steps that disrupt such activity and reduce reoffending can only make a positive difference.

Simon Hughes: The Minister's officials were good enough to tell my office that my reading of the Information Commissioner's initial response was correct. There was, apparently, originally an objection from the Information Commissioner. Is it fair to say that he was then persuaded by the arguments put by the Minister's Department that, on balance, his instinctive concerns about data transfer should be overridden by the answers that the order gives? That is why the Minister used the careful phrase that she did; initially, he was not persuaded, but by the end of the engagement, he was.

Vera Baird: The hon. Gentleman is almost right. I understand the Information Commissioner's position to be that where there is a clear breach of credit card terms, the contract can be brought to an end, and that is that. Where a debit card is involved, the Information Commissioner is less content that the whole account can be closed. A debit card of course pays out of an ordinary current account. The Information Commissioner thought closing the entire account, as opposed simply to taking the card away, to be a wider provision than necessary. We do not agree with that.

We think that if the terms and conditions of the account are broken, which they would be by someone's using the card for an unlawful purpose, the card issuer is entitled to terminate the account entirely. It seems likely that it would take such action, because APACS came to us to ask for help with this power. In those circumstances, I ask that the order be approved.

2.37 pm

Jeremy Wright (Rugby and Kenilworth) (Con): I, too, welcome you to the Chair, Mrs. Anderson, and I thank the Minister for the way that she opened the debate.

Broadly speaking, the Conservative party welcomes the order. The Committee will recognise the importance of combating the offences relating to child pornography that are set out in the order, and to which the order relates, and of ensuring that we have a range of instruments to combat those offences and the offenders concerned. One such instrument is the power to limit the opportunities for offenders to pay for child pornography with credit or debit cards, and the order will allow that instrument to be used more effectively.

It is also right to say at this stage that, as the Minister knows from her previous working life, and as I know from mine, those who commit the offences listed in the order often claim that viewing child pornography is a victimless crime. That, of course, is not so. By seeking out such material, those people create a market for the terrible abuse and exploitation that have ruined so many children's lives, so they share responsibility for that abuse.

The internet has made it easier to commit those offences and harder to control them, with images downloaded, and paid for by credit and debit cards. As the Minister said, the order will permit card issuers to have the information they need to cancel cards used in offending or otherwise to prevent offenders from using accounts to obtain child pornography. In our judgment, that is a sensible and necessary objective, and we support it.

Against that background, will the Minister clarify two matters? In her exchanges with the hon. Member for North Southwark and Bermondsey (Simon Hughes), she dealt with the Information Commissioner's view of this measure and his particular reservations on the phrase "administering an account". May I ask about another matter relating to that? Will the Minister help the Committee with regard to when a credit or debit card account is held jointly by more than one person and one account holder only has committed a relevant offence?

Article 2(2) of the order permits a bank or other financial institution to process information about an offender's conviction or caution for the purposes of cancelling a payment card or of administering an account to which that payment card relates.

I see no difficulty with the cancellation of payment cards; the bank may simply cancel the card used by the offender without necessarily affecting the service provided to the other joint account holder. But what of administering the account? What might that include? If, as the Minister has suggested, it encompasses a variety of actions up to and including the closure of an account, administration of the account as a result of one joint account holder's offence might have detrimental consequences for the other account holder, who might be uninvolved.

A subsidiary question: what will the bank be obliged to tell the innocent joint account holder, as its client, of the reasons for closing the account? Presumably, the bank will not be entitled to tell the innocent joint account holder of the conviction or caution held by the offending joint account holder, because in those circumstances the limited permission for prevention of crime to breach the offender's right to privacy under article 8 of the European convention on human rights will not apply, but it might produce difficulties for the bank or financial institution in dealing with the other joint account holder. I would be grateful if the Minister addressed that.

Will the Minister confirm that the Government believe that the order covers the full range of methods by which downloaded child pornography can be paid for? For example, items bought on eBay can be paid for through PayPal, which is administered by a separate organisation, from the bank account that the card draws on. Will the order cover any similar system that might be used by a pornography website? I would be grateful for reassurance on those points, if she can give it.

I believe that it is our duty as legislators to provide those who attempt to combat child pornography, whether they be police officers or bank officials, with the tools that they need to keep our children safe. I do not intend to invite my colleagues to vote against the order.

2.42 pm

Simon Hughes: I am pleased to serve under you, Mrs. Anderson. I shall be as brief as the hon. Member for Rugby and Kenilworth (Jeremy Wright), and my points will be similar to his. I apologise on behalf of my hon. Friend the Member for Somerton and Frome (Mr. Heath), who cannot be with us, but who shares my view on such matters. I am sure that there is consensus in the Committee.

There is a general determination among the public to ensure that we as a country, and the countries within the UK, do all that we can to prevent the direct or indirect abuse and exploitation of children. The order will prevent indirect exploitation. As the hon. Member for Rugby and Kenilworth said, such crime is not victimless. Anybody who downloads images of children for sexual gratification or pornographic purposes can do so only if a child is photographed further up the line, as it were. It seems to me that one must take all steps necessary to prevent that either from not being governed by criminal law and prosecuted or – if it is an offence, as this is – from not being an offence that can be dealt with effectively.

I asked the Minister for the number of offences, and she gave a good answer from the last year for which figures were available. I understood her to say that 1,500 people were convicted or cautioned – in other words, prosecuted with a disposal that records that the offence was accepted and was committed – for one of the five offences listed in the order, which will govern Northern Ireland, Scotland, England and Wales, or for conspiracy to commit such an offence.

Sadly, there might be much more of that activity that has not yet been tracked down and dealt with. We must close the loophole that, to be honest, is perceived as one that might be used by more professional and well-off members of society who have access to credit and debit cards, but that is not available to others. However, we must be careful when we give power to any authority to transfer information from one organisation to another. That is why we are debating the order.

I understand the proper concern that the Information Commissioner wanted to address to ensure that the power was appropriate. The hon. Member for Rugby and Kenilworth raised the one complicating factor, which is that an account might be held by more than one person. One person might have abused that account and broken the law. Another person, who might be a partner or a wife, and who might be a co-holder of the account – it could be held by more than two people, but that is not normally the case – might become a perfectly innocent victim. On the one hand, it is perfectly proper to ensure that their interests are looked after; on the other, we must ensure that the right to privacy for people who have a conviction is not broken in the transfer of information.

The last issue in the original debate, as I understand it, was whether it is sufficient to confiscate the credit or debit card. It clearly is not sufficient to confiscate a credit or debit card because nowadays we can purchase things on the internet – we all know that – by using a card number, if one has the password. Therefore, the fact that the card company has taken the card away does not prevent access to the service.

It is important that there is an ability to deal with the account. What that effectively means is that the remaining loophole, which could not be governed by the company's contract saying, "You have abused the account, so we are going to close it," can now be dealt with automatically on the transfer of that information.

That is important, and it should mean that people who have funds available and who are probably the most significant drivers of offences of that sort – potentially, they can pay significant sums of money to do that – can be caught and followed. I hope that the police will be given the ability to track down more people who are committing those offences and to caution or prosecute them, and see them convicted as appropriate.

I hope that this sends out a strong consensual signal from the House of Commons, and from Parliament as a whole, that we have identified a serious malaise – an evil – in our society and that we are trying to deal with it as best we can, but are mindful of the rights of individuals and the duty to ensure that information is passed around only when that is appropriate, compatible with the need for firm enforcement of the criminal law.

I welcome the order and am glad that we will have it on the statute book in the very near future.

2.47 pm

Harry Cohen (Leyton and Wanstead) (Lab): I want to make a few points. I understand the wish to strengthen the law and I support it. The news alert service, Out-Law.com, published by Pinsent Mason, ran a story, and this is how it began:

"The Information Commissioner advised the Home Office against a key measure of its recent Data Protection Act amendment giving banks the power to administer an account without the knowledge of the account holders."

My office contacted senior staff at the Office of the Information Commissioner, who told me that the OIC is not persuaded by the part of the order that relates to administering the account that that is necessary. Why keep criminal records for account administration on an account that is being closed? But that is not quite what the Minister said, and I would be interested to know just where the difference with the Information Commissioner is. If an account is closed, what is there to administer? The Minister needs to explain that point.

Basic data protection analysis would merely state something such as, "Account closed because of inappropriate use of the card." That is all that needs to be retained on the record. After all, the explanatory memorandum says that the contract allows the bank to take the card away.

I want to tie that up with the employment aspect. To use an analogy, when employers vet employees using the Criminal Records Bureau, the CRB code of practice says:

"The criminal record data should not be retained in employee files."

The reason for that is that criminal conviction data are relevant to making an informed decision on whether to employ someone. However, once the decision is taken to employ a person with a criminal record, the criminal conviction details become irrelevant and should not be stored.

For example, a person who declares his offences should not have the detail of those offences retained in personal data, if the employer decides that the offences are not a barrier to the employment. However, it is valid for the employer to retain a measure such as, "We checked criminal records and the CRB certificate number, and there was nothing in that certificate to bar this person from employment." However, the content of the criminal record would not be retained in those circumstances.

That is a contradiction. The order allows the criminal conviction data to be retained by a bank to close an account or to administer a closed account, but such data should not be retained if a bank wants to employ the same person. The Minister seems to be arguing for a position whereby criminal data are not needed for employment contracts, but are needed for a contract with a bank for financial services. I would like to know why. Perhaps she will explain that apparent contradiction.

I would like to follow up a point made by other hon. Members about the problem for the co-holder of a card. Someone who accepts a caution for a relevant offence could find themselves without financial services, and so could the co-holders of a card. That could be considered an additional punishment to the one already agreed in respect of them.