
24 Mar 2009 : Column 205


New Clause 19

Removing immunity of government departments from prosecution

‘(1) Section 63 of the Data Protection Act 1998 (application to Crown) is amended as follows.

(2) In subsection (5) for “a government department” substitute “the Crown Estate Commissioners”.’.— (Mr. Bellingham.)

Brought up, and read the First time.

Mr. Henry Bellingham (North-West Norfolk) (Con): I beg to move, That the clause be read a Second time.

Mr. Deputy Speaker: With this it will be convenient to discuss the following:

New clause 38— Failure by a government department or public authority to comply with an assessment notice

‘(1) If a government department or public authority has failed to comply with an assessment notice the Commissioner may certify in writing to the court that the public authority has failed to comply with that notice.

(2) Where failure to comply is certified under subsection (1), the court may inquire into the matter and, after hearing any witness who may be produced against or on behalf of the government department or the public authority, and after hearing any statement that may be offered in defence, deal with the failure to comply as if it were a contempt of court.’.


Amendment 23, clause 153, page 98, line 20, leave out ‘within subsection (2)’.

Amendment 78, page 98, line 24, at end insert—

‘(1A) If a data controller has failed to comply with an assessment notice as requires steps to be taken, the Information Commissioner may certify in writing to the court that the government department or public authority has failed to comply with that notice.

(1B) For the purposes of this section, a data controller which, in purported compliance with an information notice—

(a) makes a statement which it knows to be false in a material respect, or

(b) recklessly makes a statement which is false in a material respect,

is to be taken to have failed to comply with the notice.

(1C) Where a failure to comply is certified under subsection (1A), the court may inquire into the matter and, after hearing any witness who may be produced against or on behalf of the public authority, and after hearing any statement that may be offered in defence, deal with the authority as if it had committed a contempt of court.

(1D) In subsections (1A) to (1C), “the court” means the High Court or, in Scotland, the Court of Session.’.

Amendment 24, page 98, leave out lines 25 to 29.

Amendment 133, page 98, line 25, leave out from second ‘is’ to end of line 29 and insert ‘not an excluded body’.

Amendment 79, page 99, line 19, at end insert—

‘(6A) Non-compliance with any assessment notice will be treated as a contempt of court.’.

Amendment 80, page 101, line 6, leave out ‘without the approval of the Secretary of State’ and insert

‘until the code has been approved by a resolution of each House of Parliament’.

Government amendment 25

Amendment 81, clause 155, page 109, leave out lines 7 and 8 and insert—

‘(4) The code must not be issued by the Commissioner until a statutory instrument containing the draft code has been approved by a resolution of each House of Parliament.’.

Amendment 82, page 109, line 10, after ‘must’, insert ‘not’.

Amendment 83, page 109, line 13, after ‘is’, insert ‘not’.

Amendment 84, page 109, leave out lines 21 to 27.

Amendment 85, page 109, line 30, after ‘under’, insert ‘annual’.

Government amendments 152 and 153

Amendment 86, schedule 18, page 183, line 1, leave out sub-paragraph (2) and insert—

‘(2) In subsection (1) for “he may serve” to the end substitute “he may serve the data controller, or a data processor, with a notice (in this Act referred to as an ‘information notice’) requiring the data controller, or data processor, to furnish the Commissioner with specified information relating to the request or to compliance with the principles.”’.

Amendment 87, page 183, line 5, after ‘(1)’, insert

‘“data processor” refers to a third party handling data on behalf of—

(a) a government department, or

(b) a public authority designated for the purpose of this section by an order made by the Secretary of State, other than an excluded body, as set out in section 41A(12);’.

Amendment 88, page 185, leave out line 21.

6 pm

Mr. Bellingham: In addition to new clause 19, which stands in my name and those of my hon. and learned Friends the Members for Beaconsfield (Mr. Grieve) and for Harborough (Mr. Garnier) and my hon. Friends the Members for Enfield, Southgate (Mr. Burrowes), for Epping Forest (Mrs. Laing) and for Crewe and Nantwich (Mr. Timpson), I plan to discuss our amendments 78 to 88. I also want to comment on Government amendment 25.

Our new clause 19 would remove the immunity of Government Departments from prosecution, because the Government’s record on handling, storing and transporting confidential data is appalling. I am afraid that the Ministry of Justice is one of the worst offenders. A computer hard drive containing the details of up to 5,000 employees of the National Offender Management Service in England and Wales was lost by the private firm, EDS. Despite the loss having occurred in July 2007, the Justice Secretary was not told until September 2008. In August last year, the names and addresses, details of convictions and even jail release dates of almost 130,000 people were lost when a computer memory stick went missing. It was being used by an employee of a private contractor working for the MOJ. The Information Commissioner said at the time that the data were a “toxic liability”, and described the loss as “deeply worrying”.

The Ministry of Defence is another serial offender. Some time ago, the Defence Secretary of the time was forced to revise upwards the estimate of the number of laptops stolen from his Department in the previous four years from 347 to 658. Furthermore, in January last year, the then Defence Secretary revealed that an MOD laptop, which contained the details of 600,000 people, had been stolen from the boot of a naval officer’s car in Birmingham. The computer contained unencrypted lists of names, addresses, bank and driving licence details, national insurance and national health service numbers and so on—an appalling security lapse.

In 2007, Her Majesty’s Revenue and Customs had the so-called discgate scandal, in which 25 million records were lost. In November that year, the Chancellor of the Exchequer admitted that two CDs containing child benefit data had been lost in transit to the National Audit Office. Also in November that year, HMRC lost the personal details of 15,000 Standard Life pension holders, after a CD was lost in transit by an external courier.

Many other Departments have lost data, including the Department of Health, the Department for Work and Pensions and the Department for Communities and Local Government. Many of the subsequent inquiries revealed lax security procedures, confused chains of command and, above all, no proper accountability. Many Departments have a serious cultural problem, which is simply not being addressed.

Last year, the Secretary of State for Energy and Climate Change, who was then the Minister for the Cabinet Office, amid great fanfare launched new guidelines called “Data Handling Procedures”. He promised

He also announced stronger accountability mechanisms within all Departments, but unfortunately those changes have delivered no substantial improvements. In fact, they have delivered little. Proper sanctions are needed.
The Bill contains no sanctions, and we feel strongly that immunity of Departments from prosecution should be removed. Only by applying such sanctions will permanent secretaries and civil servants make the prevention of loss of data a key priority. We need to send a strong signal to all Departments and agencies that cavalier and unprofessional attitudes to our personal data and privacy will not be tolerated. I hope that the Minister will accept our new clause.

I turn to our amendments 78 and 79. Amendment 78 is almost identical to new clause 38, which was tabled by the hon. Members for Hendon (Mr. Dismore) and for Oxford, West and Abingdon (Dr. Harris). The official Opposition, and particularly my hon. Friend the Member for Epping Forest, have said for some time that it is essential that the Information Commissioner be given more power to control and monitor holders of data. That is why we support the principles behind clause 153. However, the clause has one glaring gap, as it does not provide any enforcement powers. If the assessment notice is made, and its subject refuses to comply, the Bill does not allow for any immediate sanction.

Under our amendments 78 and 79, the Information Commissioner will be able to go to the county court, which must decide whether the assessment notice was properly issued, and whether there was a reasonable excuse for non-compliance. If the court decides for the commissioner, it will order the data controller to comply with the assessment notice. Failure to do so will result in the data controller being in contempt of court. We feel strongly that there is no point having an assessment notice regime without proper sanctions for non-compliance. As Sir Mark Walport and the Information Commissioner, Richard Thomas, said in their submission to the Committee:

I hope that the Minister will accept amendments 78 and 79.

Mr. Andrew Dismore (Hendon) (Lab): I am grateful to the hon. Gentleman for his comments about new clause 38. As he says, the Information Commissioner recommends such a proposal. The sanction comes at the end of a long chain of warnings and efforts to ensure compliance. If we get to the end of that long chain, something has obviously gone seriously wrong. Some effort is required to make compliance happen, and a contempt of court order can be absolved by compliance.

Mr. Bellingham: I am grateful to the hon. Gentleman for making that point, on which he can expand when he makes his speech.

Amendments 80 to 85 relate to clause 155, which sets up the data-sharing code of practice. They would ensure that there is an affirmative resolution of both Houses before the commissioner issues the data-sharing code. Given that the Secretary of State is removing the key data-sharing provision, clause 154, from the Bill, why is it necessary to have a data-sharing code? Is that not a little suspicious and illogical? Surely the Secretary of State’s credibility in the matter would be reinforced if he also withdrew clause 155; otherwise, people will conclude that if the power to set up a data-sharing code is left in the Bill, the Government will return at some stage with their totally unacceptable data-sharing proposals. However, if the Secretary of State does decide that the data-sharing code proposals must stay in the Bill, surely it makes sense to accept our amendments 80 to 85.

I turn to our amendments 86 to 88. In Committee, we discussed at length the apparent anomaly that the assessment notice regime applied to the public sector only. May I refer again to the submission to the Committee by Sir Mark Walport and Richard Thomas, the Information Commissioner? The submission pointed out:

The Information Commissioner went on to say:

I argued in Committee that as a consequence of the private sector’s ever greater involvement with Government Departments, agencies and local government, there was an increased blurring of the barriers between the public and private sectors. I gave a couple of examples. The Crown Prosecution Service and the Solicitor-General have a large contract with what was LogicaCMG that covers the provision, support and maintenance of hardware and software applications used by the CPS, including the management of a number of large databases such as the witness management system and the graduated fee scheme for counsel.

Another example relates to the Department for Business, Enterprise and Regulatory Reform, which manages a large number of public sector databases but also has a number of private sector contractors. In fact, of its 166 databases, 75 are maintained by the Department but 90 are run by private sector contractors. Obviously, there is substantial blurring between the two sectors. Amendments 23 and 24 would bring the private sector into the assessment notice regime. The Minister has argued that such an extension to the private sector would place extra burdens on business and conflict with the Hampton principles. My party believes passionately in reducing the burdens on business, so it is hard to ignore the Minister’s concerns; she also raised various points about powers of entry. She feels that a more co-operative approach between business and the Information Commissioner would be desirable.

However, I submit that there is a compromise solution. Amendments 86 to 88 would extend the less severe and substantially less burdensome information notice regime to the private sector. Crucially, the information notices in schedule 18 do not confer powers of entry, so why does the Minister not accept the amendments as a way to extend the Information Commissioner’s powers to the private sector in a much less onerous manner? I urge the Minister to accept that argument. She has said clearly that she does not want the assessment notice regime to be extended to the private sector, and she has given her reasons for that, but surely our compromise solution would make a great deal of sense.

I turn to Government amendment 25. We argued in Committee as powerfully as we could that clause 154—it was clause 152 at the time—should be deleted. In response,
the Minister gave numerous reasons why the clause was needed. We had a vote and lost it. Then we heard that the Government were in the process of climbing down—unfortunately, that was announced in the Sunday press, rather than in Committee or on the Floor of the House. The Secretary of State then tabled his amendment.

Bridget Prentice: For the record, and as the hon. Gentleman will know, I said clearly in response to the Committee debate that the clause was too wide and that we would reflect on the debate and look at it again.

Mr. Bellingham: I am grateful to the Minister, and I do not want to be churlish. We had a vote and the clause stood part of the Bill when we came out of Committee, and we felt that we had to vote against it at the time. We are delighted that we helped win the argument and feel vindicated, and we should not be churlish. However, our relief and joy is coloured and tinged by our ongoing and grave concerns about the Government’s record and policy on data.

I mentioned earlier the Government’s appalling record on storing and handling data. We are concerned not only by the Government’s incompetence; of far greater concern are the fundamental flaws in their entire data policy. Only today we heard reports that ContactPoint, the Government’s child protection database, is in disarray. It was designed to help protect Britain’s 11 million children, but its launch has been delayed again after local authorities discovered loopholes in the system that was to hide the details of the most vulnerable young people in this country. ContactPoint has been described as almost entirely illegal by the Joseph Rowntree Reform Trust, and a spokesman for the Department for Children, Schools and Families said that it was working to resolve the problem.

You couldn’t write the script, and it gets worse. A recent report by Ross Anderson, professor of security engineering at Cambridge, concluded that at least 11 of the Government’s databases could be illegal. He went on to point out that the Government are spending a staggering £16 billion a year on data gathering and plan to spend another £105 billion on it in the next five years. Furthermore, almost every one of those database projects has signally failed to remain on budget.

6.15 pm

In 2002, the then Prime Minister Tony Blair launched Connecting for Health, a massive £6.2 billion database for medical records; since then, the costs have more than doubled to £12.7 billion, two of the four contractors have pulled out and the launch has been put back to 2015. At the time, the then PM said:

However, as Ross Clark, author of “The Road to Southend Pier: One man’s struggle against the surveillance society” said, thank goodness Mr. Blair did not fall ill in Stafford. As the Healthcare Commission made clear in its report, it was the Mid Staffordshire NHS Foundation Trust’s obsession with targets and data that critically undermined clinical judgment and the treatment of patients. The problem is that time and again the Government’s default position when faced with a crisis is to announce yet more databases and more infringements on our civil liberties.
