Select Committee on Home Affairs Written Evidence


APPENDIX 53

Memorandum submitted by the Ministry of Justice

SUMMARY

  1.  The Ministry of Justice (MoJ) is responsible for the Government's domestic, European and international policy on data protection and data sharing. This memorandum covers the issues relating to the collection and sharing of personal information and the safeguards provided by the Data Protection Act 1998 (DPA) and other legislation. It also covers the duties and powers of the Information Commissioner to regulate the processing of personal data under the DPA.

  2.  The Government published its "Information Sharing Vision Statement"[250] in September 2006. This highlighted some of the ways information is already being shared effectively within the public sector and stated the Government's intention to continue to share information to deliver better services, fight crime and protect public security. The vision recognises that the sharing of personal information must be carried out transparently and with proper safeguards. Within that context the MoJ works with departments to develop policies and deal with data sharing and data protection issues.

INTRODUCTION

  3.  The social and technological advancements of recent years have given citizens greater expectations and opportunities than ever before. They can expect tailored services from the private sector as well as personalised services from government agencies. In order to achieve this the effective and proper use of personal information is needed.

  4.  Citizens rightly expect that, when providing personal information to facilitate the delivery of modern public services and to ensure public safety, their personal data is secured properly and used appropriately. For example they should expect to see greater individual security through the reduction in crime without unnecessary impingements on their individual privacy or freedoms. The Government's aim is to make sure that information is only shared when there is a benefit to the public and that any information sharing is lawful.

  5.  Responsible information sharing ensures that citizens have a say in how their personal information is shared among service providers. Efficient use of this information will, for example, avoid citizens having to give repeatedly the same information to a range of service providers.

COLLECTION AND SHARING OF PERSONAL INFORMATION

  6.  There is a general recognition across the public sector of the potential to deliver more efficient and effective public services, and bring benefits to society as a whole, through better use and sharing of information, within appropriate legal constraints. A MORI survey[251] conducted in March this year indicated that the public is willing to give out personal information to Government and allow it to be shared if there is a clear benefit to be gained by information sharing.

  7.  For example, earlier this year, the Department for Work and Pensions (DWP), Her Majesty's Revenue and Customs (HMRC) and local authorities in North Tyneside worked jointly in a trial to speed up the processing of benefits and tax credits to customers in North Tyneside. During the trial the time taken to get all benefits into payment when someone lost their job was halved. The payment of tax credit was stopped more quickly, reducing the possibility of overpayments. Additionally, when customers started work and were entitled to tax credits, the information sharing exercise meant that claimants were switched into the tax credit system promptly. In July this year, the trial was extended to a further six local authorities.

  8.  Furthermore, in order to prevent and detect crime effectively, including terrorism, the police and other public services can often benefit from access to a variety of sources of data held by the private sector, public authorities and organisations that deliver public functions.

  9.  Advances in technology have been taken up by the private sector to change the way that commercial services are delivered. As a result, citizens also expect public services to be better tailored to their needs, more joined up, and for their personal information to be better protected. New technologies have made possible innovative developments in the public sector such as the Police National Database which, with proper use, will help tackle crime and build public confidence.

  10.  In Sir David Varney's report[252] on service transformation, he identified that citizens currently have to report a single change of circumstances to Government many times over. In one instance, bereavement, he identified some 44 different public sector agencies that had to be informed. Sir David recommended a service be developed that would enable members of the public to report changes of circumstances such as births, deaths, and changes of address to Government just once. This information would then be stored in and shared between IT systems designed with inbuilt security and with security of physical access, including specialist training and security checks for staff access.

  11.  Research[253] suggests that the public is willing to give out personal information to Government and allow it to be shared if there is a clear benefit to be gained. Improved services are seen as providing a clear benefit but public concerns still remain about the way that information can and should be shared across Government, the wider public sector and with private organisations.

  12.  Society is rightly concerned that these new developments are being used lawfully and appropriately, with due regard for individual privacy, freedoms and rights. The challenge is to achieve the balance between delivering improved services through better information sharing and protecting the privacy of the citizen from unnecessary intrusion.

  13.  The Government is therefore committed to ensuring that information sharing is undertaken in a transparent and controlled manner, with legal and process controls in place to ensure that information is not shared inappropriately or disproportionately. Once information has been collected, the Government is very careful in ensuring that sharing can only take place when it is not incompatible with the original purpose of collection. It is important that the data is adequate, relevant and not excessive for the purposes of sharing and that it is kept only for as long as is necessary for the sharing. These are important protections within the DPA and the European Directive which the DPA implements. The public needs to be satisfied that a proper balance is maintained between the benefits of sharing information and the right to privacy.

  14.  The Government consults widely on its policy and legislative proposals, affording the public and stakeholders the opportunity to voice their opinions and concerns in response. The Government also ensures that frontline practitioners and the public are aware of legislative effects through guidance, public awareness campaigns, and official website postings.

  15.  The Government announced on 25 October that it had invited Richard Thomas, the Information Commissioner and Dr Mark Walport, the Director of the Wellcome Trust to undertake an independent review of the way personal information is shared and protected in the public and private sectors. The review will assess whether in today's society it strikes the right balance between giving people the protection they are entitled to, while allowing them to make the most of the opportunities which are being opened up by the new information age. The report is expected to be published in the first half of 2008.

THE LEGAL FRAMEWORK

  16.  The current legal framework for information sharing is in our view responsive and robust enough to meet both current and future needs. There is no single source of law that regulates the powers that a public body has to use and share personal information. The collection, use and disclosure of personal information are governed by a number of different areas of law. In domestic law, these include:

    —  the law that governs the actions of public bodies (administrative law);

    —  the Human Rights Act 1998 (HRA) and the European Convention on Human Rights (ECHR);

    —  the common law tort of breach of confidence; and

    —  the DPA.

  17.  The DPA regulates the processing of personal data, which is defined widely and includes the collection, use, storage and distribution of personal data. The DPA implements the Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data and it is underpinned by the ECHR, particularly the right to respect for a private and family life under Article 8, which has been given direct effect in the UK by the Human Rights Act (HRA). Neither the HRA nor the ECHR prevents the lawful and proportionate sharing of data. Confidentiality is also not an absolute bar to disclosure. At common law, or where there is a statutory discretion to disclose, it may be possible to share confidential information, for example where it is in the public interest to do so.

  18.  Statutory bodies have to rely on express or implied powers to share information while Ministers of the Crown may also be able to rely on common law or prerogative powers. However, where there is a relevant statutory provision occupying the same ground, this may operate so as to exclude these common law or prerogative powers.

  19.  Under the DPA, organisations and individuals must comply with the data protection principles in order to process personal data unless an exemption applies.[254] These principles include ensuring that data processing is fair and lawful, that data are processed only for specified and lawful purposes and that data are accurate.[255] Additionally the processing has to meet certain statutory conditions. In many of these conditions it is a requirement that processing be "necessary" for a particular function or purpose, eg for the performance of a contract or to protect the vital interests of the subject.[256]

  20.  Where sensitive personal data is involved, such as data related to political opinions or health, the processing must also meet a further set of conditions, eg that the processing is necessary for the administration of justice or for medical purposes.[257]

  21.  Under the DPA, the Information Commissioner is the UK's independent regulator.

ROLE OF THE INFORMATION COMMISSIONER

  22.  The Commissioner promotes compliance and good practice, and manages the data protection register and notification by data controllers of details to be held on the register, including the general purposes for which they will be processing personal data. He enforces the DPA and other legislation under which he has powers to act.

  23.  The Government always keeps under review the mechanisms which regulate and protect the use of personal information to ensure that they continue to protect the citizen and help achieve the balance between sharing and protecting. The MoJ and other Government Departments work closely with and consult the Commissioner and have due regard for his views when developing policy and legislative proposals.

  24.  The Commissioner's powers under the DPA allow him to serve enforcement, information and special information notices, and obtain warrants to enter premises to inspect, operate and test equipment used for processing personal information. He can also seize and inspect evidence of offences.

  25.  Under the DPA, the Commissioner presents Parliament with an Annual Report on the exercise of his functions under this Act. The powers of the Commissioner are kept under continuous review and the Government will consider legislative change wherever the case for additional regulatory control is established.

  26.  The Commissioner has other specific or general powers that he can use under other legislation. For example, in some circumstances he can use the "stop now" powers under the Enterprise Act 2002.

A CASE-BY-CASE APPROACH

  27.  Effective and appropriate information sharing is not an end in itself. It is one of the foundations for improving services across the public sector and increasing public safety. Responsibility for developing and delivering individual policies across the whole spectrum of government activity rests with lead departments. The Ministry of Justice has a central role in providing advice on policy and legislative proposals which have an impact upon data protection and data sharing, and to help ensure that all parts of government apply the legal framework consistently.

  28.  The Government considers and introduces new data sharing provisions on a case-by-case basis. The data sharing arrangements, including safeguards to protect the privacy of individuals and their personal information, are designed specifically around each policy, taking into account technological and social issues relevant to that policy.

  29.  One example is the data sharing provisions of the Serious Crime Act. The Home Office, in close liaison with MoJ, formulated the data sharing provisions of the Act to create a legal gateway through which public authorities can share data for the purpose of preventing fraud, within a framework of appropriate protections. The sharing enabled by the Act must be compliant with the DPA and the Secretary of State is required to produce a code of practice to cover this sharing of information. The provisions also include criminal penalties for the wilful misuse of specified data. The effect of the data sharing provisions will be to allow the public and private sector to share information on those attempting to defraud them and prevent further frauds from taking place.

  30.  Another example is the Order made under the DPA[258] in July 2006. In response to concerns raised, the Secretary of State for the then Department for Constitutional Affairs (now the MoJ) made this Order to facilitate the processing of sensitive personal data provided by law enforcement agencies by payment card issuers in relation to customers who have received convictions or cautions for crimes relating to child abuse images, where their payment card was used to commit the offence.

  31.  This enables credit card companies to exercise their contractual rights to administer the account relating to that payment card or cancel the card. The MoJ consulted the Information Commissioner before making the order, as required by the DPA. In Parliamentary debate, the Government assured both Houses that the action was fair and balanced, that the order was justified and that there would be no prejudice to the innocent party in the case of joint accounts.

  32.  The Select Committee on the Merits of Statutory Instruments described the Order as "a good example of an appropriate balance between the rights of the state and the rights of the individual".

  33.  Following the Commissioner's special report What Price Privacy?,[259] the Government is seeking to use the Criminal Justice and Immigration Bill, which was introduced in the House of Commons on 26 June 2007, to amend the DPA to allow custodial sentences where access to personal information has been wilfully or deliberately misused.

  34.  The Ministry is also working with the Information Commissioner's Office and other Government Departments to assess the need, value and potential use of Privacy Impact Assessments.

CONCLUSION

  35.  The Ministry works closely with the rest of Government and with other relevant parties to ensure that the correct balance is maintained between the rights of the individual to privacy and their freedoms and the protection of individuals from terrorism and other crime. Policies and practices are monitored continually by the Government, the Ministry and the Information Commissioner to ensure the balance is in the right place and to prevent abuse. The Ministry welcomes the Committee's inquiry and will respond to issues arising in due course.

November 2007



250   "Information Sharing Vision Statement". http://www.justice.gov.uk/docs/information-sharing.pdf

251   See Public Services Policy Review: The Public View, IPSOS MORI, 27 March 2007. www.ipsos-mori.com/citizensforum/finalreport.pdf

252   Sir David Varney's review into service transformation, Service Transformation: a Better Service for Citizens and Businesses, a Better Deal for Taxpayers.

253   See Public Services Policy Review: The Public View, IPSOS MORI, 27 March 2007. www.ipsos-mori.com/citizensforum/finalreport.pdf

254   DPA, s 4(4).

255   DPA, Sched 1, Pt 1, paras 1, 2 and 4.

256   DPA, Sched 2.

257   DPA, Sched 3.

258   The Data Protection (Processing of Sensitive Personal Data) Order 2006.

259   Information Commissioner Special Report to Parliament, What Price Privacy?, published in May 2006. www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/what_price_privacy.pdf


 

© Parliamentary copyright 2008
Prepared 8 June 2008