Mr.
Bellingham: I have additional questions on
clauses 154 and 155, but other colleagues may want to come
in on clause 152.
Q
327Mr.
Boswell: I thank my hon. Friend for letting me in, because
I have to leave shortly. I shall raise three quick points. The first is
about what I understand is called field protection. Information may
pass from one Government Department to another or elsewhere. I have
heard criticism in the past that you are either in or out of that
process, and that the whole file is sent. The more common practice in
data security in the private sector is to release the amount of
information that is relevant to the particular inquiry. Should we turn
our attention to that?
Richard
Thomas: Yes, I think that you are raising a very
important point and I entirely agree. Data minimisation is a
fundamental principle of data protection—no more, for no longer
than is needed for a particular purpose. With the broad machinery of a
privacy impact assessment, people can ensure that nothing excessive is
happening, so each action can be justified, by ensuring that no more
data than are needed are used or shared, and there are safeguards about
security and the end use. That is a more transparent way of ensuring
that we are not giving a blank cheque to those who are otherwise
engaged in data
sharing. I
think that the commissioner’s opinion will be important, because
I do not think that it is simply a formality. The commissioner can
insist on a privacy impact assessment under the code of practice to see
the justification for a particular measure. If they still think that it
goes too far and is either wholly unacceptable or does not have
sufficient safeguards or conditions, the commissioner can say so. We
have a robust and responsible approach and I believe that I, and my
successors, would say if a particular measure went too far in the
report to Parliament. Frankly, it would be a brave Department that came
forward and said, “We insist on this particular data-sharing
measure, even though the commissioner has said that it is unacceptable
and does not meet data protection
requirements.”
Q
328Mr.
Boswell: Thank you for that firm statement. Following on
from that thought is the question of what you might call “data
gouging”, in which data are passed for a perfectly defensible
purpose and then employed for other purposes or used more widely. I
notice that you refer to that danger in your memorandum. Can we stop or
restrict that more than we appear to be able to with the provisions in
the Bill? For example, once the data have leapt the wall, it is
difficult to prevent the whole lot being used for other purposes,
whatever undertakings were given at the
time. Richard
Thomas: I understand the point. That is one reason
why Mark Walport and I called for precisely defined circumstances in
our recommendations. We also said that the process would not be
suitable for any large-scale data-sharing initiative that constitutes a
significant change to public policy—for example, identity cards
and the DNA database. There needs to be absolute stringency and
control, and limitations on any data-sharing order brought forward to
meet the sort of concerns that you have
expressed. I
would like to turn to a specific concern, which echoes part of
Mr. Bellingham’s question. We are unhappy
with the definition of sharing in proposed new section 50A
to the Data Protection Act 1998. Proposed new section
50A(3)(a) is fine; that is about data sharing from one organisation to
another. However, we have strong reservations about paragraph (b),
which reads,
“consults
or uses the information for a purpose other than the purpose for which
the information was
obtained.” That
is not data sharing as Mark Walport and I understood it. We were
concerned with sharing from one organisation to another, but that
raises a completely different set of issues where a single
organisation, having collected and gathered information for one
purpose, wishes to use it for another purpose. That goes to the heart
of some of the principles of data protection. Use limitation is the
shorthand for that part of data protection, and we have anxieties about
the drafting of that provision. It may be more than just a drafting
point, because whereas proposed new section 50A(3)(a) deals with
genuine sharing, proposed new paragraph (b) is concerned with a
different situation altogether.
Q
329Mr.
Boswell: In the public sector, there are at least in
principle—albeit they may not work well in practice—a
series of safeguards over and above those available through your
office. For example, there is the Official Secrets Act and in certain
cases, such as cases involving the Taxes Act, it is a criminal offence
to disclose people’s Revenue
files. In
a different context, I expressed some concern about this
extension—where you use contractors who may be located outwith
the jurisdiction, for example. That same point is also of concern in
relation to data that are shared with private sector organisations. How
do we get an equality of responsibility with that sort of
situation?
Richard
Thomas: In our report, we looked at the picture at
large, and we explicitly said that it no longer makes sense to draw
sharp dividing lines between the public, private and voluntary sectors.
We have the use of private sector contractors, the involvement of the
private sector in traditional public functions and the use of the
voluntary sector to carry out public functions—I had a meeting
with the Minister last week, and we discussed the example of a
children’s charity carrying out child protection work for a
local authority. It is right to have a global approach. We cannot draw
those sorts of distinctions between the different sectors any more.
That is one fundamental reason why we think that the powers available
to the commissioner’s office need to extend to all data
controllers. It does not make sense to limit the assessment
notice only to Government Departments or other public authorities
designated by the Secretary of State, as clause 152 is currently does.
It needs to apply to all data controllers from the outset, to put right
something that has been wrong for more than 20
years.
Q
330Ian
Lucas (Wrexham) (Lab): Mr. Thomas, earlier you
gave the example of the Transport for London protocol relating to the
sharing of images from congestion charging. I am interested in what
process was used to activate that. Was it a legislative
process?
Richard
Thomas: Yes it was. There is a section of the Data
Protection Act—I forget which number; perhaps David will remind
me—which allows the commissioner to agree that for law
enforcement purposes, a particular arrangement can be made along those
lines. That is a good example. Nobody would ever justify use of the
congestion cameras for anything other than congestion charging or for
very serious matters. Mark Walport and I said that it would be
manifestly unreasonable if a wife
trying to check up on her husband running off with another woman could
somehow have access to the congestion charge cameras. That would be
wholly unacceptable. A proportionate response is required in all these
situations.
Q
331Ian
Lucas: Just to be clear, there was no parliamentary
scrutiny involved in that process?
Richard
Thomas: No, and I think that was a defect. It would
clearly be far better if that sort of arrangement could come before
Parliament as part of a democratic process. Parliament would then say,
“Yes, that is okay,” or “No, that is not
okay.” That is a better way forward than having some of this
done behind closed
doors.
Q
332Ian
Lucas: Do you have any concerns that the affirmative
resolution process is secondary legislation, which will effectively
amend primary
legislation? Richard
Thomas: We understood when we put this forward that
it would be very controversial, and I think that it is for the
Government to defend the precise nature of what is being introduced.
But we also documented the unsatisfactory current state of affairs.
Lawyers are expressing doubt; there is a lot of confusion; and a
specific gateway has been included at the back of a Bill, which just
adds to the general field of confusion. We have said a lot about more
and more layers being put on top of the basic legal framework. That
just creates greater and greater confusion, and there is no scrutiny
whatsoever. So, although I understand that anything that even looks
like a Henry VIII clause will be very controversial—it is for
you to decide whether this is the right way forward—on balance
we thought that that was a better way forward and a better way of
getting more scrutiny, more safeguards and ultimately more certainty
into a very confused area. But, all my support for that is qualified by
the reservations that I am
expressing.
Q
333Mr.
Kidney: Mr. Thomas, it is evident that
discussion is ongoing between you and the Ministry of Justice about why
you feel that the Bill is inadequate on safeguards. May I push you, on
behalf of us all, on that? Do you envisage that the Bill should set out
the kinds of themes that you gave us—law enforcement, public
services improvement and research—and no others, or do you
envisage a set of examples of what is not acceptable, or indeed a
mixture of the
two? Richard
Thomas: Mark and I are not draftsmen; we put forward
broad themes. I was a little surprised when I saw mention in the Bill
of securing a relevant policy objective. We are very clear that there
need to be rationales under those three broad headings—law
enforcement and public protection, improving public services and
research and statistical analysis. I have not come here this afternoon
with specific drafting ideas. Perhaps one could work around that, or
around some sort of public interest justification, but a rationale
based purely on securing a governmental policy objective seems too
wide.
Q
334Mr.
Kidney: We have received an angry representation from the
BMA, saying that it would be totally unacceptable, under any
circumstances, for people’s personal health details, on their
sexually transmitted infections or whatever, to be handed over by the
NHS
to some other organisation. Should no-go areas—what should
definitely not be acceptable—be specified in the
Bill? Richard
Thomas: I cannot think of absolute no-go areas. I
have not seen the BMA paper, but to say that under no circumstances
should information be shared seems a little extreme. Sometimes
information needs to be shared for research and statistical purposes.
There is a lot in our report about the need to ensure patient
anonymity, but sometimes you need to study what happened to patient A
in year one, and then go back to the same patient in years five and 10.
You do not need to know who the patient is, but you need to know that
it is the same patient. So, I do not think that you can say no sharing
under any circumstances, but the BMA is absolutely right to say that
you need much stronger safeguards for sensitive data, such as health
data. I do not quarrel with that. I just say that you cannot be black
and
white. David
Smith: The area of health information is very
difficult, and we are often challenged on it. The simple approach,
which has a lot to justify it, is that our health information is
entirely private. We give that data to our doctor, and they must not be
shared more widely. There is a strong public policy argument in that.
If people think that their information will be made widely available,
they will stop going to the doctor and to hospital, and public health
will suffer. However, we already have provisions whereby doctors share
information when there are things such as notifiable diseases, because
the interest in protecting public health is wider than the
confidentiality of the
individual. It
is never simple. I hesitate to go into the area of sexually transmitted
diseases in detail, because that is so sensitive, but the idea that
never under any circumstances should information about a sexually
transmitted disease be shared is perhaps wrong. But the grounds would
have to be extremely strong. Any sharing would have to be extremely
limited and the justification in public interest terms would have to be
high. As the commissioner said, perhaps the real test here is not
whether this supports a policy initiative but whether, weighing up the
pros and cons, it is in the public
interest. I
wonder whether it might help if I gave an example. This one goes back a
little way but shows at the other end of the spectrum what can be
prevented by the restrictions on information sharing. Older members of
the Committee may remember the European Union’s butter mountain.
There was a proposal to distribute that butter mountain free to old age
pensioners. The people who were capable of doing the distribution were
in the local authorities. But they do not have any information on who
are the pensioners in their area. That was held by the Department of
Social Security, but it had no power under the legislative provisions
that it operated under to share information on pensioners with local
authorities, so that they could distribute the butter mountain. That
was a real problem. There are ways around some of these things. The DSS
could have written to individuals and told them to go along to their
local authority with proof of their age to collect their butter. These
things are not impossible, but it was a real hurdle. The legal
restrictions were clearly operating against the public interest and
against people getting free butter.
Q
335Mr.
Kidney: Thank you for that. Can I go back to another
point? You mentioned anonymised information which might be more
acceptable to be released. In fairness to the BMA, it is keen on
releasing information for research but such information is properly
anonymised. Would there be sufficient safeguards in the system that is
proposed in the Bill, however it gets amended and with the impact
assessment, your report to Parliament and so on, for anonymised sharing
of information to be more acceptable than sharing people’s
personal
details? Richard
Thomas: I have always been an optimist in these
matters. When you have statutory requirements to go through certain
procedures, it puts pressure on those concerned to demonstrate that
they are meeting those requirements. As well as being an optimist I am
also a very strong advocate of transparency, which is often the best
regulator of all. So if we have an open process so that we can
scrutinise each scheme as it comes forward, that will serve the public
interest better than a rather bland blanket approval included in
sectoral statute, which then opens the door for anything to happen with
virtually no check or balance at a subsequent stage.
I hope that I
am not sticking my neck out. In five years’ time, I may be
proved wrong on this. Having sat through seven months of evidence on
this and the sorts of examples that David mentions, and many others
besides, I think we need some sort of fast-track provision in precisely
defined circumstances to allow beneficial sharing. It is as much in the
public interest to allow beneficial sharing as it is to stop
undesirable sharing. You cannot generalise and say, “All sharing
bad, all non-sharing good.” You have to look at each situation
on its own merits and then make sure that it is properly
constrained.
| 
