Q
336Mr.
Kidney: In your report with Sir Mark Walport you
recommended a fast track for secondary legislation to repeal the bits
of primary legislation that get in the way. I heard you tell
Mr. Lucas that that is for the Ministers to defend now. You
would expect there to be limits to that power, would you not? You would
not think that the statutory instrument would remove the bits of the
Data Protection Act or the Human Rights Act that got in the
way. Richard
Thomas: That was certainly not in our contemplation.
We are clear, and we said somewhere in the report, that any
data-sharing arrangement would remain subject to human rights
legislation and to the full data protection legislation. It did not
cross our mind that this would be used to amend the Data
Protection
Act. We
are crystal clear that the Act as whole, not least because of European
requirements, would still apply to a data-sharing arrangement. As to
whether that needs to be spelled out, I can see some advantage in
making it absolutely explicit that any data-sharing order should remain
subject to the Data Protection Act. In clause 152, there is
already proposed new section 50A(7), which
says: “Nothing
in this section (or any information-sharing order) is to be taken to
prejudice any power or duty to share information which exists apart
from this
section.” So,
it is safeguarding previous data-sharing powers. That could easily be
complemented by an extra subsection spelling it out clearly that the
full application of the data protection requirements
remains.
Q
337Jenny
Willott: Going on from the point just raised by
Mr. Kidney—an issue I also wanted to
raise—about the impact on the Data Protection Act, given that
the only Act that is free from potential interference by these orders
is the Human Rights Act 1998, do you feel that there is an argument to
have in the Bill a longer list of legislation that could not be amended
by secondary
legislation? Richard
Thomas: Putting my lawyer’s hat on, I think it
would be difficult to start putting a list together of Acts that could
not be amended because you would start dividing the statute book into
first-class and second-class statutes. I have not given serious thought
to the suggestion you are raising. Inasmuch as Parliament cannot bind
its successors, this would look back at Acts and say that that one
cannot be touched but that one could
be. Part
of the rationale for this approach is that situations will arise that
we cannot currently contemplate. As new schemes come forward,
technology changes, the shape of public services changes—that is
when you need to overcome some of the obstacles and hurdles for
beneficial data sharing. By definition, you cannot here and now
anticipate what all those are going to
be. By
the same token, it is difficult to say that there are no Acts whatever
that should not be amendable by this process. As I said to
Mr. Kidney, I can see advantage in spelling out explicitly
that data protection and, if need be, the human rights legislation do
remain applicable. I think we saw it as so self-evident that it never
crossed our minds that it would not be the
case.
Q
338Jenny
Willott: It is a fundamental principle to change, to
introduce the concept that secondary legislation can amend primary
legislation. Richard
Thomas: There are plenty of examples in the
better-regulation area. I know it has been controversial, but it is not
without precedent. There have been a number of quite recent precedents.
It is unusual and we recognised that it would be
controversial.
Q
339Jenny
Willott: If this were on the statute book, you could use
that process to amend this legislation so that all the safeguards in
place to do with codes of practice could then be amended by secondary
legislation. Even the safeguards built into this would then not
necessarily
stand. Richard
Thomas: It may be that the provision that talks of
modifying any enactment—proposed new section
50B(1)(h)—needs to be limited in some way because, again, what
we had in mind were statutes with insufficient clarity, where the power
is not granted in the terms now
needed. I
would not rule out covering an explicit prohibition on sharing, but I
think it would be extremely unlikely that this measure would be
appropriate. For example, in the Taxes and Management Act 1970 there is
an explicit prohibition—I think somebody mentioned it—on
HMRC sharing tax information. I would completely oppose any attempt to
change that. HMRC would not want that change. We need to keep many of
these fundamental prohibitions in place. If it is thought that the
ability to modify any enactment is too wide, I would have no difficulty
in narrowing it down by clarifying the types of situation in which it
was appropriate to modify an
enactment. When we put forward the broad approach, we were looking at
the micro-stumbling blocks in legislation rather than at major
provisions. Q
340Jenny
Willott: It was raised earlier that some data are held
back because they are very sensitive, such as health records. Given
that this is pretty much a blanket measure, which allows any person
access to any information that is held about anybody, and that no
restrictions are built into it, do you think that there is potential to
put data into tiers with some areas requiring more hurdles to be jumped
than
others? It
should be easy to overcome the hurdles for some data sharing because it
would not be seen as hugely controversial. An example would be sharing
information about who is over 65 so that they could access free butter.
The example that the Secretary of State for Justice has used is that
you do not want to have to tell the council tax office and the
electoral register when you move house. Sharing other information is
significantly more complex and without a huge amount of public
consultation it could cause a lot of upset. Do you think that there is
the potential to have a series of different tiers depending on the
sensitivity of the data and who it will be shared with, with different
methods for obtaining each
one? Richard
Thomas: There is already a distinction in European
and UK law between what might be called ordinary personal data and
sensitive personal data. Sensitive data include health information and
information about criminal activities, trade union membership and so
on. My hesitation is that data protection law is already complicated.
That complexity is a major problem in itself. Adding further layers of
complexity would run against the spirit of what we were trying to do,
which was to introduce greater
simplicity. Your
general points are valid. I do not favour more tiers or different
tiers, but I expect the privacy impact assessment to flush out any data
of particular sensitivity. I have no doubt that the Information
Commissioner’s office will look closely at personal data of
particular
sensitivity.
Q
341Jenny
Willott: I would like to link that to the issue of policy
objectives. You have already talked about proposed new section
50A(4)(a) on sharing information to achieve a relevant policy
objective. The procedures laid down for the role of the Information
Commissioner’s office state that you can comment only on whether
the data sharing is proportionate to the policy objective and on the
balance between the public interest and the interests of those
affected. The Bill does not seem to give you the ability to take
account of the right to privacy, public interest or the best interests
of the people involved. You will deal with the proportionate nature of
how the sharing achieves the policy objective rather than with the
policy objective itself. Do you feel that that is appropriate or will
it cramp what you are able to report on to the
Department? Richard
Thomas: This may be another example of the drafting
not mirroring our report closely enough. We said that the opinion from
the commissioner should state the compatibility of the proposed sharing
arrangement with data protection requirements. That is a wide approach
to all aspects of data protection requirements, which
would include reference to the right to privacy, the use limitation and
all the other aspects that we are familiar with. The wording of the
Bill is not exactly the same. Perhaps the parliamentary draftsman took
a slightly different
approach. I
am not sure that an awful lot turns on this because I have no doubt
that in practice, in giving his opinion, the commissioner will examine
all aspects of the proposed data-sharing arrangement. It is our job to
look at schemes all the time and to say whether they are compatible
with data protection. In reality, these matters will be commented
on.
Q
342Jenny
Willott: I have a final question. You commented earlier on
the procedures and were saying that the measures that have gone through
so far have not been debated in Parliament and so on. Given that you
will not be able to amend the proposals and then Parliament will not be
able to amend the proposals either—it is either all or nothing,
which is often quite a clever way to get something through that is 85
per cent. okay, 15 per cent. hideous—do you feel that you have
enough power to tackle any shortcomings, or do you have concerns that
too many unpleasantnesses could sneak
through? Richard
Thomas: An awful lot will turn on the privacy impact
assessment. The statute will say that there is only 21 days for the
office to comment, which is not very long at all, but in practical
terms I would certainly expect any Department wishing to bring forward
a scheme to contact my office many months in advance, to keep us up to
speed as to what is envisaged, to consult us on how it will conduct the
privacy impact assessment, and to share it with us before bringing the
order at the formal stage for our comment. Unless that kind of contact
happens in practice, with many exchanges before the 21 days start to
run, I think that some of your concerns are
justified. You
said that it was all or nothing: well, I would expect many of the
nuances, the changes, the safeguards and the conditions to be built in
during that process of informal exchange. The formal opinion must state
whether it is fully compatible, not at all compatible or in-between.
The Department then has to consider whether it wishes to continue and
bring the matter to Parliament. You are right that at the moment
Parliament can only say yes or no, but there will have been a great
deal of transparency before we get to that stage. What I do not
know—I am not an expert on parliamentary procedure—is
whether this could be amended to allow an affirmative order to be
varied. I think that maybe that cannot happen—I see many shaking
heads around the table, so I assume that it is not possible—but
I think that in reality the Department would have to decide whether it
still wishes to go ahead if there was an adverse report from the
commissioner. It would then have to subject the matter to parliamentary
scrutiny on that
basis.
The
Chairman: We have relatively little time left and a
certain amount to get through. So we need to concentrate some
minds.
Q
343Mr.
Bellingham: I have three quick questions relating to this
part—two are actually more general. In the data protection
legislation it has always been the
case that Government Departments are immune from prosecution. Is that
something we should be having a look at, particularly in light of the
view of many organisations? The current situation gives the Government
carte blanche to pile up more and more data on a need-to-know basis, or
on a just-in-case basis. I would have thought that that needs
changing.
The other
point that to some extent relates to this is that new sections 55A to
55E of the Data Protection Act 1998, which were brought in with the
Criminal Justice and Immigration Act 2008, are still not in force. They
relate to your power to issue monetary penalties for deliberate and
reckless loss of data and, outside of an order, are a pretty vital tool
as far as you are concerned. What is you opinion on the first point,
and, secondly, what is actually happening on the second
point? Richard
Thomas: Could I ask David to respond on the second
point? On the first point, I would just say that, with a couple of
exceptions, the Data Protection Act is not criminal by nature. Such
powers as we have, and such powers as we will have, are of a civil or
administrative nature—enforcement notices and the
like—and they apply to a Government Departments as to anybody
else. For example, I have recently served enforcement notices on HMRC
and the Ministry of Defence in relation to the major security losses
that took place last year. We have secured an undertaking from the Home
Office in relation to a more recent incident that is one step short of
a full enforcement notice. There is no question of immunity for a
Government Department or anybody else. That really does reinforce what
I said earlier, and if I can just labour that point—we need to
have these powers of inspection so that we can use our enforcement
powers against any data controller: public, private or voluntary. On
civil sanctions, perhaps David could update you as to where we
stand.
David
Smith: Both parts of the question run together in
some ways because, as the commissioner said, our primary sanction is
through those monetary penalties when they come into effect. At one
time, we argued strongly that we should have a criminal sanction for
serious breaches of the data protection principles. We were actually
persuaded that monetary penalties were more effective, and one of the
areas we were conscious of was Government Departments. That was because
the responsibility for complying with data protection law lies with the
organisation concerned, and not with individuals within the
organisation.
The idea of
prosecuting the Ministry of Justice, and the Ministry of Justice ending
up with a criminal conviction—what does that mean in practice?
There is also a difficulty with imposing a monetary penalty on
a Ministry, because of the circularity of how the money flows. We
collect it as a monetary penalty, surrender it to the Treasury, and
maybe it ends up back there. However, someone has to explain all this
publicly, which is probably the biggest deterrent of all. We see
monetary penalties, particularly with public authorities, as being a
more effective deterrent than the criminal sanction.
We are in
discussions with the Ministry of Justice about bringing these monetary
penalties into effect and would like that to happen as quickly as
possible. They
can only come into effect once guidance, produced by
our office, has been approved by the Secretary of State and is then
laid before Parliament in an order. The order also has to set the
maximum penalty that can be imposed. All I can
really say, Chairman, is that we are a long way forward on the drafting
of that guidance. We are on to, I think, version five. We would be
prepared for the legislation to be laid in a month or two, but I think
the Ministry’s timetable is a little longer than that. I think
there is an element, in terms of the provisions we are talking about
here and funding for the office, of it all coming together in one
package. It is really up to the Ministry to answer this. However, I
think we are all talking about this year—it is just a question
of when this year.
| 
