Mr.
Kidney: Does my right hon. Friend foresee there being a
label saying “public interest contract” and, therefore,
that the assessment notice process would apply, or does he expect there
to be a blanket imposition on all public and private
bodies?
Alun
Michael: There are two points there. First, I am sure that
the Minister will tell us what mechanism will ensure that there is no
way in which information can go outside the ambit of the legislation if
a private body or charity is handling it on behalf of a public body. I
would want some reassurance that that will be dealt with
equitably.
The other
point is that a vast amount of information that affects the public and
individuals is now handled and owned by the private sector, including
financial information and information about the way in which people
take personal, commercial and purchasing decisions. At one time, an
enormous amount of information would have been only in the public
sector because it was gathered by or on behalf of authorities, or
because the public sector undertook surveys and research, but that
information is now very much part of the private sector’s
day-to-day activities.
To put the
other side of the argument back to my hon. Friend, if we feel that
there is a burden on businesses—that we are imposing a
bureaucratic burden that is not productive or proportionate—we
should ask whether it is right to put such a burden on the public
sector, too. There is question of
proportionality.
9.15
am Jenny
Willott (Cardiff, Central) (LD): Does the right hon.
Gentleman agree that the main burden is compliance with the Data
Protection Act 1998? Nobody is querying whether private sector
organisations should comply with the Act when they hold the data to
which he referred. A company or voluntary sector body that complies
will not have to deal with the bureaucracy about which the hon. Member
for Stafford is concerned—it would not be an issue if they were
complying with enforcement
notices.
Alun
Michael: The hon. Lady makes a good point. That is why I
am increasingly concerned about the complexity of the requirement. I
dealt with data protection and criminal justice when local authorities
and the police were not sharing information about, for instance,
disruptive and difficult tenants and people who needed to be relocated,
and their housing requirements. The law was that it was acceptable to
share the information to prevent or reduce crime, but data protection
officers,
and local authority and police lawyers, would say, “If in doubt,
don’t share.” That is not acceptable. It is a simple
principle. People have to make a judgment and balance the requirements.
The problem with increasing the complexity of the requirements is that
it gets people away from the necessity of making such judgments. If
there is a need to have specific requirements, it ought to be equitable
and as simple as possible, and to apply in all circumstances. We should
not pretend that there is a clear line between public and private
bodies. The
Government commissioned work that the Justice Committee looked at with
interest. I want to examine specifically the work by Sir Mark Walport
and Richard Thomas—the hon. Member for Cambridge has already
talked about the views of the Information Commissioner. In his
submission to the Committee, Sir Mark made some telling points. He
said: “There
is no doubt the Information Commissioner’s powers need
strengthening—as we concluded in the Report, ‘there is
strong evidence that his bite needs sharpening’...but I am
concerned that this is not yet achieved in the draft
legislation.” I
hope that the Minister can reassure us about the intentions of the
measure. Of course, there is still time to improve the drafting of the
Bill as it continues its passage. The debate was going on right up to
the publication of the legislation, so I would be grateful if the
Minister could reassure me that the drafting can still be
improved. One
of Sir Mark Walport’s points is in relation to the draft
provisions on assessments. He
said: “As
we stated in the report, distinguishing between public, private and
voluntary sectors makes little sense, especially as more information is
shared across sectors whose boundary lines are forever
shifting.” In
other words, delineating the lines is not only more difficult now, but
it will become more difficult in future. He also said:
“I
would argue that the provisions relating to the Assessment Notice
should be extended to include organisations outside the public
sector...There are also no meaningful sanctions for failure to
comply with the requirements of an Assessment Notice: this needs
strengthening in order for it to be taken
seriously.” His
final point is particularly telling—it relates to the dangers
and the simple principle of balancing the public interest and the
interests of private individuals when it comes to data protection. He
said: “Data
sharing is shrouded in confusion, and public confidence is evaporating.
I hope that, as a Committee, you will be able to ensure that there is a
legislative mechanism that ensures greater scrutiny and allows
beneficial data sharing with appropriate safeguards in a transparent,
consistent and proportionate manner. In particular, I encourage you to
ensure that the Information Commissioner’s powers are fully
strengthened.” The
work of the Information Commissioner has improved immeasurably during
Richard Thomas’s time in office, which still has a few months to
run. He has introduced a degree of balance and clarity. Much of the
lack of confidence in the public domain is due to the confusion in
media coverage rather than being a genuine concern. There have been
improvements in data handling. It is clear that improvement is still
needed in the culture within many Departments, as well as an
understanding from the top to the bottom of how things apply. I suspect
that it is not a high priority for permanent secretaries and director
generals within Departments to understand that their leadership is
important in setting the culture for the whole Department.
My new
clauses, in a way similar to the amendments tabled by the right hon.
Member for Knowsley, North and Sefton, East, aim to probe the question
of how the provision should be enforced; I am sure that the Minister
would agree that it should. I have suggested that an application could
be made to the county court or, alternatively, to the Information
Tribunal, which would mean that non-compliance would become contempt of
court, a suggestion that appears in one of the other Opposition
amendments.
I believe
that the Minister should be in a position to deal with such genuine and
reasonable concerns during the Bill’s passage, and that we
should be able to get back to the principles of keeping it simple and
making clear the necessity for a balanced judgment. The Information
Commissioner, Mr. Richard Thomas, said in his comments on
the Bill:
“We
would prefer it...if the legislation made it clear that
organisations benefiting from an information-sharing order must take
the code of practice into account. As it stands, there is no direct
link between the order and the code of
practice.” That
is my final point of great concern. It should not be the situation that
an information-sharing order can lead an organisation to disregard the
terms and requirements of the code of practice. The code of practice
might be deeply embedded in some organisations’ work, and they
might observe it in pursuing the information-sharing order, but I
suspect that that might not always be the case. It would be of great
benefit to everybody if information-sharing orders also included a
requirement to observe the good practice with which the guidance will
concern itself. Making that link in legislation would greatly
strengthen the
Bill. In
discussing the question of applying the measures beyond the public
sector, I quote the Information
Commissioner: “We
need to be able to serve notices on anyone who may hold relevant
information, sometimes to identify who the responsible data controller
is and sometimes to collect evidence of
breaches.” In
other words, there is a need for greater transparency across the
boundaries between the public, private and voluntary sectors. In his
comments, the Information Commissioner also referred to the danger of
too clear a delineation:
“Private
and third sector bodies frequently carry out work for public sector
ones. It is common for charities, for example, to carry out functions
on behalf of local government. As it stands, we could inspect the local
authority, but not the
charity.” I
am more concerned that he should be able to inspect the private
companies that often hold major contracts. Those are of as much concern
as the data held by public departments. Therefore, I hope that that
power of the Information Commissioner will be
extended. I
do not believe that we can ever turn back the clock and avoid the
complex issues of data retention and data sharing. They are with us for
the future, and they will get ever more complex. We need to keep clear
the principle that the balance must always be between the public
interest and the interest of those individuals whose data might be
shared. It is important that that clear principle is not hidden in a
lot of complexity. People holding data have the responsibility to make
those judgments, and they cannot escape
it.
Mr.
Henry Bellingham (North-West Norfolk) (Con): As the hon.
Member for Cambridge has pointed out, the key to the clause is to give
the commissioner more
power over data controllers to enter premises, to view data and to talk
to key people, all of which will be brought about by assessment
notices. The
Bill relates only to public bodies, and private, charitable or
voluntary bodies are excluded, which is an omission because
private and voluntary bodies collect a great deal of data. In fact,
looking forward to the next clause, which we shall discuss later today,
designated authorities will have the power to share data with other
private bodies and the public sector, and vice versa.
I take on
board the point made by the right hon. Member for Cardiff, South and
Penarth about the ever-greater involvement of the private sector with
Departments, public agencies and Government bodies. I shall give two
examples of Departments that use the private sector on a significant
scale. First, the Crown Prosecution Service and the Solicitor-General
have a large contract with what was LogicaCMG, covering the provision,
support and maintenance of hardware and software applications used by
the CPS, including management of a number of large databases—for
example, the witness management system and the graduated fee scheme for
counsel. However, Logica is a private sector company, which obviously
handles a great deal of data in that Department—I have mentioned
that example because it is relevant to the Ministry of Justice.
Secondly, the Department for Business, Enterprise and Regulatory Reform
owned 165 databases on 1 June last year, 75 of which were maintained by
departmental staff and 90 of which were maintained by external
companies. Those
examples give us some idea of Her Majesty’s Government’s
view on the private sector, which means that more and more private
sector organisations and businesses are storing our data. The data
belong to taxpayers—our constituents—which is why the
commissioners should have the power to issue assessment notices on
private organisations. In fact, the right hon. Gentleman might have
pointed out that the recent House of Lords Constitutional Affairs
Committee report made that recommendation in paragraph 238. He has put
forward a strong argument for amendments 105 and 107—amendment
106 is consequential. Our amendments achieve almost exactly the same
outcome as those tabled by the Liberal
Democrats. I
know what the CBI note says, and I have read the letter by Matthew Fell
and the head of knowledge economy at the CBI, Sarah Draper. They say
that they are concerned about giving extra powers to the commissioner
to search the private sector without a warrant—to enter premises
where there is no suspicion or evidence of wrongdoing without any need
to justify such intrusive measures. That is going a bit too far, and I
think that they are unnecessarily concerned. They have to trust the
commissioner and his team to use common
sense.
Mr.
Kidney: Will the hon. Gentleman explain why he, as a
Conservative, is not concerned that the notice would permit entry of
premises without a warrant? I have been on many Bills when Conservative
Members have argued that it is important that there should not be entry
without a warrant. In fact, I even saw a Conservative amendment to part
1 of the Bill about senior coroners having to get a warrant before
entering premises.
Mr.
Bellingham: The hon. Gentleman makes a perfectly good
point. I am an arch-deregulator, and I could name a number of Bills on
which I have championed the cause of the CBI. However, when one is
close to an organisation, such as the CBI, which I have been in the
past, that gives one the right from time to time to disagree with
it. David
Howarth: It is worth pointing out that there is no such
suggestion of entry being forced in any way. The assessment notice
process does not allow entry to be made by the commissioner’s
agents; all it does is ask for that entry. We suggest that, if entry is
refused, the commissioner should be able to get a court order, which is
the precise procedure that the Government suggested for the electoral
commissioner when dealing with similar notices under the Political
Parties and Elections Bill. The Government and I think that that system
is more protective of the rights of the individual than the warrant
procedure. 9.30
am
Mr.
Bellingham: In theory, entry could be made without a
warrant, but in practice it would be on a voluntary basis, if the firm
agrees. However, if it did not agree, and insisted on the
commissioner’s personnel not entering, the chances are that the
matter would go to court, as the hon. Gentleman pointed out. I think,
therefore, that safeguards are in place. On this occasion, I must
disagree with the
CBI.
Mr.
Kidney: We have talked a lot about voluntary entry, but
proposed new section 41A(3)
reads: “An
assessment notice is a notice which requires the data controller
to...permit the Commissioner to enter any specified
premises”. That
is not voluntary. I understand the argument that there is no sanction,
but the provision is not
voluntary.
Mr.
Bellingham: In practice, the Information Commissioner will
not send his personnel into firms in the hon. Gentleman’s, my or
any other constituency, having not held lengthy discussions and gone
through the correct protocol. We must trust the organisation to behave
in a way that is proportional, sensitive and appropriate in the
circumstances, bearing in mind the Government’s commitment to
lessen the burdens on
business. I
shall move on to the next part of the amendment group. The clause needs
proper teeth and sanctions. Amendment 107, tabled by the hon. Member
for Cambridge, which is very similar to our amendment 355,
would establish in the Bill that deliberate non-compliance with any
assessment notice, and refusal to co-operate under any circumstances,
will be treated as “contempt of court”. The Bill needs
teeth, and although his amendment goes slightly further than ours,
amendment 355 would do roughly the same. Will the Minister comment on
that? What is the point of the clause handing the commissioner extra
powers if no sanctions are in place? Under our amendment 373, when, or
if, a data controller knowingly, or recklessly, makes a false
statement, it would be deemed a failure to comply. That is fair enough.
At the moment, the Bill is not clear on that point. We would put that
clarity in the Bill.
Surprisingly,
our amendments 364 and 365, relating to schedule 18 and the power to
require information, are in this group, so I shall quickly deal with
them. Obviously, that relates to section 43 of the Data Protection Act
1998. Amendment 364 would leave out paragraph 6(2) of
schedule 18 and
insert “In
subsection (1)...he may serve the data controller, or a data
processor, with a notice...requiring the data controller, or data
processor, to furnish the Commissioner with specified information
relating to the request or to compliance with the
principles.”
Amendment 365
reads:
“‘data
processor’ refers to a third party handling data on behalf
of...government...or...a public authority designated for
the purpose of this
section”. That
would make it crystal clear that information notices can be served on
anyone storing relevant data, and obviously it would cover third
parties handling data on behalf of Government Departments and public
authorities. I hope that the Minister agrees that those two modest
amendments are sensible. Perhaps she will consider accepting
them. New
clause 32, which we tabled, is important, because it would remove the
immunity from prosecution enjoyed by Government Departments. The Bill
is not sending the right message. The Government do not have a good
record on handling, storing and dealing with confidential data. I will
not go into a huge amount of detail because I do not want to embarrass
the Government, but there is a long list of examples of different
Government Departments that have lost relevant data. We have had
appalling losses of data from the Home Office, the Ministry of Defence,
and not so much from the Ministry of Justice but certainly from the
Department for Communities and Local Government and the Department for
Culture, Media and Sport. Subsequent inquiries often reveal lax
security procedures and a lack of proper chains of command. Those
matters are often dealt with by quite junior civil servants. There is a
lack of any proper sanction in place. The protection of our data should
be taken a lot more seriously. There is a need for proper
accountability. We need to include in the Bill a very strong signal
that cavalier attitudes towards personal privacy will not be
tolerated. There
is a recent precedent in the Corporate Manslaughter and Corporate
Homicide Act 2007, which states that Crown bodies can be prosecuted for
offences of corporate manslaughter. I will not make too direct a
parallel, but that removed Government immunity in one particular area.
There is a need for immunity to be removed in the data protection area
as well. It will send a strong signal.
I am aware
that I might be making a rod for the back of some of my colleagues as
we prepare for government, but I do not mind because we must send a
strong signal. I hope that the Minister agrees that the
Government’s record needs to improve. She can go among her
ministerial colleagues and be a champion of constituents who want their
privacy and data properly looked after. She can say to her colleagues
that if there is a lax situation and cavalier attitudes leading to loss
of data in their Departments, those Departments will have to be
properly
accountable. Mr.
Edward Garnier (Harborough) (Con): My hon. Friend will
remember that during the deliberations on the Criminal Justice and
Immigration Bill—the last
Criminal Justice Bill that the Government brought forward out of a total
of about 64 or 65 that we have had to deal with over the past 10
years—a new clause or amendment was tabled that attempted to
provide a similar sanction for the reckless loss of private data by
Government agents. Unfortunately the Government did not think that that
was an attractive idea. I suspect that my hon. Friend will disagree
with
that.
| 
