Coroners and Justice Bill

[back to previous text]

Q 336Mr. Kidney: In your report with Sir Mark Walport you recommended a fast track for secondary legislation to repeal the bits of primary legislation that get in the way. I heard you tell Mr. Lucas that that is for the Ministers to defend now. You would expect there to be limits to that power, would you not? You would not think that the statutory instrument would remove the bits of the Data Protection Act or the Human Rights Act that got in the way.
Richard Thomas: That was certainly not in our contemplation. We are clear, and we said somewhere in the report, that any data-sharing arrangement would remain subject to human rights legislation and to the full data protection legislation. It did not cross our mind that this would be used to amend the Data Protection Act.
We are crystal clear that the Act as whole, not least because of European requirements, would still apply to a data-sharing arrangement. As to whether that needs to be spelled out, I can see some advantage in making it absolutely explicit that any data-sharing order should remain subject to the Data Protection Act. In clause 152, there is already proposed new section 50A(7), which says:
“Nothing in this section (or any information-sharing order) is to be taken to prejudice any power or duty to share information which exists apart from this section.”
So, it is safeguarding previous data-sharing powers. That could easily be complemented by an extra subsection spelling it out clearly that the full application of the data protection requirements remains.
Q 337Jenny Willott: Going on from the point just raised by Mr. Kidney—an issue I also wanted to raise—about the impact on the Data Protection Act, given that the only Act that is free from potential interference by these orders is the Human Rights Act 1998, do you feel that there is an argument to have in the Bill a longer list of legislation that could not be amended by secondary legislation?
Richard Thomas: Putting my lawyer’s hat on, I think it would be difficult to start putting a list together of Acts that could not be amended because you would start dividing the statute book into first-class and second-class statutes. I have not given serious thought to the suggestion you are raising. Inasmuch as Parliament cannot bind its successors, this would look back at Acts and say that that one cannot be touched but that one could be.
Part of the rationale for this approach is that situations will arise that we cannot currently contemplate. As new schemes come forward, technology changes, the shape of public services changes—that is when you need to overcome some of the obstacles and hurdles for beneficial data sharing. By definition, you cannot here and now anticipate what all those are going to be.
By the same token, it is difficult to say that there are no Acts whatever that should not be amendable by this process. As I said to Mr. Kidney, I can see advantage in spelling out explicitly that data protection and, if need be, the human rights legislation do remain applicable. I think we saw it as so self-evident that it never crossed our minds that it would not be the case.
Q 338Jenny Willott: It is a fundamental principle to change, to introduce the concept that secondary legislation can amend primary legislation.
Richard Thomas: There are plenty of examples in the better-regulation area. I know it has been controversial, but it is not without precedent. There have been a number of quite recent precedents. It is unusual and we recognised that it would be controversial.
Q 339Jenny Willott: If this were on the statute book, you could use that process to amend this legislation so that all the safeguards in place to do with codes of practice could then be amended by secondary legislation. Even the safeguards built into this would then not necessarily stand.
Richard Thomas: It may be that the provision that talks of modifying any enactment—proposed new section 50B(1)(h)—needs to be limited in some way because, again, what we had in mind were statutes with insufficient clarity, where the power is not granted in the terms now needed.
I would not rule out covering an explicit prohibition on sharing, but I think it would be extremely unlikely that this measure would be appropriate. For example, in the Taxes and Management Act 1970 there is an explicit prohibition—I think somebody mentioned it—on HMRC sharing tax information. I would completely oppose any attempt to change that. HMRC would not want that change. We need to keep many of these fundamental prohibitions in place. If it is thought that the ability to modify any enactment is too wide, I would have no difficulty in narrowing it down by clarifying the types of situation in which it was appropriate to modify an enactment. When we put forward the broad approach, we were looking at the micro-stumbling blocks in legislation rather than at major provisions.
Q 340Jenny Willott: It was raised earlier that some data are held back because they are very sensitive, such as health records. Given that this is pretty much a blanket measure, which allows any person access to any information that is held about anybody, and that no restrictions are built into it, do you think that there is potential to put data into tiers with some areas requiring more hurdles to be jumped than others?
It should be easy to overcome the hurdles for some data sharing because it would not be seen as hugely controversial. An example would be sharing information about who is over 65 so that they could access free butter. The example that the Secretary of State for Justice has used is that you do not want to have to tell the council tax office and the electoral register when you move house. Sharing other information is significantly more complex and without a huge amount of public consultation it could cause a lot of upset. Do you think that there is the potential to have a series of different tiers depending on the sensitivity of the data and who it will be shared with, with different methods for obtaining each one?
Richard Thomas: There is already a distinction in European and UK law between what might be called ordinary personal data and sensitive personal data. Sensitive data include health information and information about criminal activities, trade union membership and so on. My hesitation is that data protection law is already complicated. That complexity is a major problem in itself. Adding further layers of complexity would run against the spirit of what we were trying to do, which was to introduce greater simplicity.
Your general points are valid. I do not favour more tiers or different tiers, but I expect the privacy impact assessment to flush out any data of particular sensitivity. I have no doubt that the Information Commissioner’s office will look closely at personal data of particular sensitivity.
Q 341Jenny Willott: I would like to link that to the issue of policy objectives. You have already talked about proposed new section 50A(4)(a) on sharing information to achieve a relevant policy objective. The procedures laid down for the role of the Information Commissioner’s office state that you can comment only on whether the data sharing is proportionate to the policy objective and on the balance between the public interest and the interests of those affected. The Bill does not seem to give you the ability to take account of the right to privacy, public interest or the best interests of the people involved. You will deal with the proportionate nature of how the sharing achieves the policy objective rather than with the policy objective itself. Do you feel that that is appropriate or will it cramp what you are able to report on to the Department?
Richard Thomas: This may be another example of the drafting not mirroring our report closely enough. We said that the opinion from the commissioner should state the compatibility of the proposed sharing arrangement with data protection requirements. That is a wide approach to all aspects of data protection requirements, which would include reference to the right to privacy, the use limitation and all the other aspects that we are familiar with. The wording of the Bill is not exactly the same. Perhaps the parliamentary draftsman took a slightly different approach.
I am not sure that an awful lot turns on this because I have no doubt that in practice, in giving his opinion, the commissioner will examine all aspects of the proposed data-sharing arrangement. It is our job to look at schemes all the time and to say whether they are compatible with data protection. In reality, these matters will be commented on.
Q 342Jenny Willott: I have a final question. You commented earlier on the procedures and were saying that the measures that have gone through so far have not been debated in Parliament and so on. Given that you will not be able to amend the proposals and then Parliament will not be able to amend the proposals either—it is either all or nothing, which is often quite a clever way to get something through that is 85 per cent. okay, 15 per cent. hideous—do you feel that you have enough power to tackle any shortcomings, or do you have concerns that too many unpleasantnesses could sneak through?
Richard Thomas: An awful lot will turn on the privacy impact assessment. The statute will say that there is only 21 days for the office to comment, which is not very long at all, but in practical terms I would certainly expect any Department wishing to bring forward a scheme to contact my office many months in advance, to keep us up to speed as to what is envisaged, to consult us on how it will conduct the privacy impact assessment, and to share it with us before bringing the order at the formal stage for our comment. Unless that kind of contact happens in practice, with many exchanges before the 21 days start to run, I think that some of your concerns are justified.
You said that it was all or nothing: well, I would expect many of the nuances, the changes, the safeguards and the conditions to be built in during that process of informal exchange. The formal opinion must state whether it is fully compatible, not at all compatible or in-between. The Department then has to consider whether it wishes to continue and bring the matter to Parliament. You are right that at the moment Parliament can only say yes or no, but there will have been a great deal of transparency before we get to that stage. What I do not know—I am not an expert on parliamentary procedure—is whether this could be amended to allow an affirmative order to be varied. I think that maybe that cannot happen—I see many shaking heads around the table, so I assume that it is not possible—but I think that in reality the Department would have to decide whether it still wishes to go ahead if there was an adverse report from the commissioner. It would then have to subject the matter to parliamentary scrutiny on that basis.
The Chairman: We have relatively little time left and a certain amount to get through. So we need to concentrate some minds.
The other point that to some extent relates to this is that new sections 55A to 55E of the Data Protection Act 1998, which were brought in with the Criminal Justice and Immigration Act 2008, are still not in force. They relate to your power to issue monetary penalties for deliberate and reckless loss of data and, outside of an order, are a pretty vital tool as far as you are concerned. What is you opinion on the first point, and, secondly, what is actually happening on the second point?
Richard Thomas: Could I ask David to respond on the second point? On the first point, I would just say that, with a couple of exceptions, the Data Protection Act is not criminal by nature. Such powers as we have, and such powers as we will have, are of a civil or administrative nature—enforcement notices and the like—and they apply to a Government Departments as to anybody else. For example, I have recently served enforcement notices on HMRC and the Ministry of Defence in relation to the major security losses that took place last year. We have secured an undertaking from the Home Office in relation to a more recent incident that is one step short of a full enforcement notice. There is no question of immunity for a Government Department or anybody else. That really does reinforce what I said earlier, and if I can just labour that point—we need to have these powers of inspection so that we can use our enforcement powers against any data controller: public, private or voluntary. On civil sanctions, perhaps David could update you as to where we stand.
David Smith: Both parts of the question run together in some ways because, as the commissioner said, our primary sanction is through those monetary penalties when they come into effect. At one time, we argued strongly that we should have a criminal sanction for serious breaches of the data protection principles. We were actually persuaded that monetary penalties were more effective, and one of the areas we were conscious of was Government Departments. That was because the responsibility for complying with data protection law lies with the organisation concerned, and not with individuals within the organisation.
The idea of prosecuting the Ministry of Justice, and the Ministry of Justice ending up with a criminal conviction—what does that mean in practice? There is also a difficulty with imposing a monetary penalty on a Ministry, because of the circularity of how the money flows. We collect it as a monetary penalty, surrender it to the Treasury, and maybe it ends up back there. However, someone has to explain all this publicly, which is probably the biggest deterrent of all. We see monetary penalties, particularly with public authorities, as being a more effective deterrent than the criminal sanction.
We are in discussions with the Ministry of Justice about bringing these monetary penalties into effect and would like that to happen as quickly as possible. They can only come into effect once guidance, produced by our office, has been approved by the Secretary of State and is then laid before Parliament in an order. The order also has to set the maximum penalty that can be imposed.
All I can really say, Chairman, is that we are a long way forward on the drafting of that guidance. We are on to, I think, version five. We would be prepared for the legislation to be laid in a month or two, but I think the Ministry’s timetable is a little longer than that. I think there is an element, in terms of the provisions we are talking about here and funding for the office, of it all coming together in one package. It is really up to the Ministry to answer this. However, I think we are all talking about this year—it is just a question of when this year.
Previous Contents Continue
House of Commons 
home page Parliament home page House of 
Lords home page search page enquiries ordering index

©Parliamentary copyright 2009
Prepared 6 February 2009