Previous Section Index Home Page

24 Mar 2009 : Column 214

There is no doubt that there is a serious terrorist threat in this country, but the Government’s response to the 7 July bombings was to announce that they would bring in an ID register—never mind that none of the bombers had ever tried to hide their identities. We obviously have serious problems with crime being out of control, and the Government have to do their best to combat it, but they are going to expand the national DNA database even though the overwhelming majority of crimes are committed by a small proportion of the population who are already on the DNA database.

Only yesterday morning, the Minister of State, Ministry of Justice, the right hon. Member for North Swindon (Mr. Wills), was opining in an extraordinary manner on the Sean Hodgson case. He pointed out that Mr. Hodgson would never have been released or won his freedom if it were not for DNA testing and databases. Of course Mr. Hodgson was released only because of DNA testing, but that had absolutely nothing to do with DNA databases; all that was needed was one DNA sample from him that did not match any of the key exhibits. The right hon. Gentleman was getting completely carried away. The problem is that when it comes to a crisis, the Government’s default position is to react in the only way they know: to announce yet further extensions of databases.

I should like to quote from the former Director of Public Prosecutions, Sir Ken Macdonald, who was referring to the proposed communication database when he said:

Of course we welcome the Government’s withdrawal of clause 154. However, as I mentioned, our joy is tempered and coloured by that appalling catalogue of failings. We need not only a cultural change, but a fundamental change of Government. We welcome what the Government have done, but there is still a long way to go.

David Howarth: As the hon. Member for North-West Norfolk (Mr. Bellingham) intimated, the most important amendment in this group is amendment 25. The hon. Gentleman gloated a little, so perhaps I will be allowed to: I was glad that one of my amendments—the one to remove clause 154—had been signed not only by the representatives of the Joint Committee on Human Rights, but by the Government. I am glad that they have promoted my modest amendment into Government amendment 25.

The Government are entirely right to withdraw the data-sharing proposals, which were far too broad for the problem that they were meant to solve. As Ministers repeatedly said, some data sharing can be beneficial. No one denied that; the question was about the power that had been created to deal with that particular point. The Bill proposed—and continues to propose until amendment 25 goes through—to allow orders from the Secretary of State to permit data sharing between any people anywhere in the world, for the purposes of furthering any Government policy. The orders were capable of overriding the Data Protection Act 1998, the Human Rights Act 1998 and any other relevant legislation. That final point, especially the possibility that the data-sharing orders would override the Data Protection Act, was the key problem and the point at which the Government rightly decided to give way. Clause 154—or clause 152, as it was—was never proportionate and never had adequate safeguards.

24 Mar 2009 : Column 215

The hon. Member for North-West Norfolk is right to point to the context—one in which Governments collect vast amounts of data and then use them badly, incompetently or in many cases, as Ross Anderson from the university of Cambridge observed, illegally. The Government need to be aware of that context when they return to the data-sharing proposal. As I understand it, they intend to do that not in this Bill but at a later point. I urge them to consult properly, not only with the usual suspects but with all the organisations that felt deeply that clause 152—now clause 154—was the wrong way to go, including the British Medical Association and all the Opposition parties. Otherwise, their next attempt to write a clause to do with data sharing may well turn into a colossal waste of time, as this one has proved to be.

With that small amount of gloating over, let me turn to the amendments.

Mr. Edward Garnier (Harborough) (Con): More gloating!

David Howarth: The hon. and learned Gentleman requests more, but I am sure that that is enough for the time being.

I want to speak briefly to amendments 23 and 24, which are similar to amendment 133, tabled by members of the Joint Committee on Human Rights. As the hon. Member for North-West Norfolk said, they seek to extend to the private sector the Information Commissioner’s new inspection powers under the new assessment notice procedure. As things stand, assessment notices have two problems, the first of which—it was mentioned by the hon. Member for Hendon (Mr. Dismore)—is that there is no enforcement mechanism for the new assessment notices. The obvious way to solve that is the application to court route, because that is more challengeable and more open than a warrant route. I therefore support amendments, such as new clause 38, which attempt to change that situation.

The other problem addressed by the amendments is the coverage of the assessment notice system. For reasons that remain obscure, but which might have had something to do with the lobbying by the CBI and business interests that broke out when my hon. Friend the Member for Cardiff, Central (Jenny Willott) and I moved amendments in Committee, the assessment notice procedure is confined to the public sector, and even within that it is confined to directly controlled organisations and does not cover even private organisations carrying out public functions under contract. That is unacceptable. Private organisations control vast amounts of data, and there is constant concern about how they use them. The Information Commissioner is clear that there are more complaints about the use of data by private sector organisations than use of data by the public sector. Sometimes the Government’s defence in response to examples of their incompetence in dealing with data such as those cited by the hon. Member for North-West Norfolk is to say, “Well, the Government are no worse than the private sector at this sort of activity.” That is a somewhat feeble defence, but it illustrates the point that these problems are not confined to the public sector.

As I understood it in Committee, the Government’s case for leaving out the private sector is that it collects data voluntarily, which makes it different from the
24 Mar 2009 : Column 216
public sector in that regard. I cannot accept that, for three reasons. First, there are the reasons given by the hon. Member for North-West Norfolk, which are dealt with in amendments 87 and 88. There are many examples of private organisations working under contract to the Government and which have collected information from the Government that the Government got on a non-voluntary basis.

Jenny Willott (Cardiff, Central) (LD): Does my hon. Friend agree that the number of people who are getting caught out by that is increasing? For example, people who are facing unemployment in the current economic crisis have had their information passed to private sector companies for assistance with getting back into work. Given that they number 2 million and rising, every day there are more and more people whose data, not voluntarily given, has been passed to the private sector.

David Howarth: Yes, that is the case. One has to take into account the interaction of different Government policies. The more the Government want to use the private sector and the voluntary sector to a greater extent in the delivery of services, the worse the problem will get.

The second reason I do not accept the Government’s point is illustrated by the recent controversy about Google Street View, where Google supplements its maps with photographs of every house and building in many towns and cities. That demonstrates that private organisations, even when acting purely as such and not working for the Government, do not confine themselves to data they acquire voluntarily. My house is on Street View; Google did not ask me about it, and I am sure that it did not ask anybody else.

Thirdly, what worries people about data is what can be done with them, especially data they gave voluntarily at some point in the past without realising how they could be used at some future point—for example, data about which websites someone has visited or which products they have bought from a shop. Bringing all those forms of data together using sophisticated data-mining techniques and analysis can reveal vast amounts about people that they did not intend to reveal, even though technically they voluntarily allowed the data to be handed over to private organisations.

Liberal Democrat Members think that there is an overwhelming case to extend the scope of the assessment notice system beyond the public sector, as narrowly defined. That view is also taken by the Information Commissioner. After all, the assessment notice system introduced by the Bill is a very gentle form of preventive intervention, not the full panoply of the law. Given that, and given the other options that the Information Commissioner has, there is a strong case for the broader extension of these powers. I urge the Government to resist the lobbying that has been going on and to look at the point of principle from the position of ordinary members of the public who are worried about what is being done with the data they handed over.

Dr. Evan Harris: I rise briefly to speak to the two amendments tabled in my name and those of the hon. Members for Hendon (Mr. Dismore) and for Ealing, Southall (Mr. Sharma), as members of the Joint Committee on Human Rights. As we have heard, amendment 133 is analogous to amendments 23 and 24.

24 Mar 2009 : Column 217

The CBI told the Public Bill Committee that there were not sufficient safeguards to protect the privacy of individual data controllers in the private sector, but we concluded, after examination, that the safeguards already in the Bill are significant; indeed, they provide greater protection than other compulsory powers of entry, search and seizure in the Bill. For instance, an assessment notice must specify the time at which a search or other inspection will take place and the time within which an individual data controller must comply. Rights to appeal against the term of any notice are provided, and there is express protection for legally privileged material. Those are all safeguards that we had called for in respect of other Bills when the Government had said that they would put them only in secondary legislation. In this case, they are in the Bill and yet the CBI is still concerned.

We thought that the CBI’s objections were insufficient, and possibly even invalid, and reinforced the point, which has just been made, that there is a significant amount of contracting out of public functions to private data controllers. There should therefore be no exemption or lower degree of protection in respect of the powers of the Information Commissioner in those cases, at the very least. I would be grateful if the Minister addressed those arguments.

Our other point relates to new clause 38. The Information Commissioner has called for the power of sanction, and we consider the additional powers for the commissioner to be a human rights-enhancing measure. We noted the Government’s view that it would be unusual for a Department or other public body to ignore an assessment notice or fail to comply with its terms, but there is no reassurance in the Bill that that will not be the case, which is why we tabled the new clause. I hope that the Minister will respond to that point.

6.30 pm

Bridget Prentice: I am speaking a little sooner than I expected, but there we are. I begin with Government amendment 25, which is at the heart of this grouping on data sharing and data protection, and the associated consequential amendment 153. They will remove from the Bill the power to establish new information-sharing gateways by secondary legislation. The proposal in clause 154 for information-sharing orders stemmed from a recommendation of the independent data-sharing review, conducted by the commissioner, Richard Thomas, and Sir Mark Walport, the director of the Wellcome Trust. They recommended changes to the legal framework for data sharing, in part to support better public service provision. To counterbalance that power, the review recommended that there should be a transparent and consistent mechanism ensuring greater scrutiny while reducing the scope for confusion.

Following the spirit of those recommendations, clause 154 included a raft of safeguards to ensure an appropriate level of public and parliamentary scrutiny. However, in Committee and elsewhere, we heard and understood the concerns that hon. Members and others expressed about the information-sharing gateway proposal, including that the power was open to misuse. It is important to make it clear that it was never the Government’s intention to allow indiscriminate information sharing, regardless of any protections set up by the Data Protection Act.

24 Mar 2009 : Column 218

After a thorough consideration of the views expressed by Members of this House and by such outside organisations as the British Medical Association, which I met to discuss this very point, we have concluded that a more in-depth analysis of the features of an information-sharing power was needed. It is therefore right that we withdraw clause 154 from the Bill while we undertake that further work. That is a good example of how scrutiny in this place works, and although those who spoke for the Opposition parties had a small go at gloating, they did not go overboard. I appreciate that and I am grateful to them. We accept the humble pie that they proffered to us.

The Government are clear that there are many benefits to sharing data, as I said in Committee. To deliver high-quality public services, Departments need to share personal information in a secure and appropriate fashion. Through such data sharing we can improve opportunities for the most disadvantaged, provide customer-focused public services, reduce the burden on businesses, implement policies effectively and detect fraud. We do not underestimate the risks attached to information sharing, nor will we let them blind us to the potential benefits. I assure the House that in taking the matter forward we will consider carefully the views expressed by all interested parties.

The other Government amendment in this group, amendment 152, requires a brief explanation. New section 41A of the Data Protection Act 1998, inserted by clause 153 of the Bill, provides the Secretary of State with the power to designate, by order, those public authorities subject to the assessment notice regime. As our published delegated powers memorandum makes clear, we intended that that order-making power be subject to the negative resolution procedure. However, owing to an oversight we omitted to amend section 67 of the Data Protection Act, which determines the level of parliamentary scrutiny for all delegated powers in that Act. The amendment makes good that omission.

Let me now move on to the other amendments that relate to assessment notices. They deal with three issues: the scope of the assessment notice regime, the sanctions for non-compliance and their relationship with civil penalties under section 55A of the Data Protection Act. Amendments 23 and 24, in the name of the hon. Member for Cambridge (David Howarth), and amendment 133, tabled by my hon. Friend the Member for Hendon (Mr. Dismore), deal with scope. Assessment notices constitute an important step towards improving public trust and confidence in the handling of personal information by public sector data controllers. They will create a formal system based upon the current arrangement of spot checks undertaken on Government Departments by the Information Commissioner, which aim to raise the awareness and compliance of public bodies with data protection principles.

Clause 153 represents the statutory base for the commitment made by the Prime Minister in November 2007, after the loss of the data from Her Majesty’s Revenue and Customs to which the hon. Member for North-West Norfolk (Mr. Bellingham) referred, to provide the Information Commissioner with the power to spot check Departments. That power is therefore a specific answer to a specific issue. As the clause stands, it is already possible to include certain private or third sector data controllers within the scope of assessment notices.
24 Mar 2009 : Column 219
That would be in cases where those data controllers appear to the Secretary of State to exercise functions of a public nature, or are providing, under a contract made with a public authority, any service whose provision is a function of that authority.

There are sound arguments for applying a higher level of scrutiny to public sector bodies. Data controllers in the public sector handle a variety of sensitive personal information that is necessary to fulfil their responsibilities, such as providing health and social services, fighting crime, and detecting fraud. Most of the information handled by public sector data controllers, or those working on their behalf, is vital to determine entitlements, responsibilities, and obligations. That citizens must provide their personal information to access essential services is, in this context, a defining feature of the relationship between the citizen and the public authority.

For the private sector, the ability of the public to choose to go somewhere else is a powerful driver, encouraging businesses to look after personal information. Extending assessment notices to the private sector could, as a result, act as a significant additional regulatory burden. While I remain to be persuaded of the case for applying the assessment notice regime to all data controllers, we will continue to consider the points made by the Information Commissioner and by some Members of this House in support of those amendments. However, any move to include all data controllers within the scope of assessment notices would need to be carefully considered. We consider that clause 153 strikes a fair balance between the need to enhance the Information Commissioner’s powers and the potential impact of those changes in view of the wider regulatory framework.

Amendments 78 and 79 and new clause 38 deal with the issue of non-compliance. Specifically they seek to deal with non-compliance with an assessment notice as if it were a contempt of court. Again, I remain to be persuaded that a bespoke sanction for non-compliance with an assessment notice is needed. In practice, it is difficult to envisage a public sector body refusing to comply with an assessment notice, considering the bad publicity that would ensue from such a notice. That said, the Information Commissioner made it clear that he would like some kind of penalty or sanction for refusal to comply.

Of course, the Information Commissioner already has a range of enforcement powers available to him for a failure to comply with the Data Protection Act. Information notices can be used alongside assessment notices if he reasonably requires information to assess compliance with data protection principles. If he discovers a breach of those principles during an assessment, he can issue an enforcement notice to compel the data controller to comply with data protection obligations. He also has powers to apply for a search warrant under schedule 9 to that Act. Arguably, any greater powers would be disproportionate and inconsistent with broader Government policy about the investigatory powers of regulators. Again, however, I am prepared to reflect carefully on the arguments that have been made as the Bill makes further progress.

Next Section Index Home Page