Mr. Bellingham: I am grateful to my hon. and learned Friend; he is absolutely right. At the eleventh hour, in the House of Lords, the Government agreed with some changes to that Bill. My hon. and learned Friend pushed it very hard in Committee. Their lordships introduced amendments to the Data Protection Act 1998 that gave the Information Commissioner the power to issue monetary penalties for deliberate and reckless loss of data. That is an important tool in data security, but the provisions have not yet come into force. Before they come into force, the Information Commissioner needs to issue guidance on how to use the power. There also needs to be secondary legislation detailing the maximum fines and the issues about procedure. Will the Minister tell us when those orders will be laid before Parliament? The House of Lords changed the Data Protection Act 1998 in response to widespread public concern, and yet little has happened. Will the Minister update us on what is happening? It may be that the combination of our new clause, plus the implementation of those changes, will lead to the culture change that we are keen to bring about. Will the Minister also tell us what discussions she has had with the Information Commissioner to amend section 60(3) by order to increase the penalties for section 55, which refers to the unlawful obtaining of data? In the past, she has pledged that she would make those changes. Will she give an update on exactly what is happening?

As I pointed out (I do not want to delay the Committee any longer), we feel that the Government have a serious cultural problem. In the new technological age, much more data are being stored by Departments and the private sector, and much more technology is being used to translate data into different types, and to store, pass around and share data. Bearing in mind the huge powers contained in clause 152, which we will discuss later, we need proper sanctions in place. We also need proper procedures to ensure that clause 151 is tightened up, so that the commissioner will get the powers that he has asked for. If we combined the powers in the clause with the extra powers that we suggest in new clause 32, the Bill would be improved. I hope that the Minister will indicate that the Government have listened to us.
The Parliamentary Under-Secretary of State for Justice (Bridget Prentice): The Government are strongly committed to improving public trust and confidence in the handling of personal information by public sector data controllers. The hon. Member for North-West Norfolk highlighted a number of previous examples, but the assessment notices are an important step towards regaining that confidence, and they represent a fair balance between the need for the Information Commissioner to have more effective powers and the burden on data controllers; I will come to the private sector in a moment. The assessment notices will create a formal system based on the current arrangement of spot checks undertaken on central Government Departments by the commissioner. Additionally, the scope of the assessments will be expanded to cover other public bodies. We are already expanding the powers in a way that previously had not been available.

Amendments 105 and 106 would represent an unwarranted extension of the scheme, which is designated for public sector data controllers only. Those controllers handle personal information that is necessary to fulfil their responsibilities, such as providing health and social services, fighting crime, and detecting fraud. Those who provide information to a data controller normally cannot refuse to do so, if they want to access a public service or have entitlement to a benefit. The public generally have no choice in that relationship, which is not exactly the same as that with the private sector. If people are unhappy with how their bank or supermarket is handling their personal information (I suspect that Sainsbury's knows more about me than anybody else does), they have the choice of switching, although they do not have a choice of switching to another Department for Work and Pensions.
David Howarth: If that is the Minister's defence, there are two points that she must deal with. First, how does that defence apply to the private sector or voluntary organisations that fulfil public authority functions that have been contracted out? That seems to be exactly the same situation as that of a public authority. Secondly, with regard to what might be called fully private organisations, how do we know that our data are being used properly? If there is no proper enforcement mechanism in the Information Commissioner's Office (the assessment notice is a crucial part of that), how will we know, in the first place, that what is being done is proper? If we do not know, and have no information, the market cannot work.
Bridget Prentice: On the hon. Gentleman's first point, in the examples that I have given, it is important to recognise that there is a qualitative difference regarding the level of scrutiny that public sector bodies should have for matters of data protection. The fact that citizens must provide personal information to access essential services is a defining feature in the relationship between the citizen and the public authority. In the private sector, the ability for someone to choose to go elsewhere should be a powerful driver that encourages businesses to look after personal information.
9.45 am
Alun Michael: I understand the distinction that my hon. Friend makes in cases where people can exercise choice. In the commercial sector, however, it is difficult to exercise choice if someone does not know how things are undertaken. That is where the role of the Information Commissioner, acting on behalf of the public, is crucial. That should be a balanced role, not one that is important only on one side. I am not sure that I accept my hon. Friend's argument that everybody can make the sort of choices that she suggests. I understand her point in relation to large organisations or specific services, but not in general terms. That brings us back to the point about private companies and others which act on behalf of public bodies and which are, in a sense, within the ambit of public service, even though they are not public bodies per se.
Bridget Prentice: One of the reasons why we are resistant to extending the measure further into the private sector is because we believe that the additional burdens would be in conflict with the Hampton principles, which play a central role in ensuring that risks are adequately assessed and redressed. I will not go into the details of what the CBI has said, as that has been expressed in the Committee already. It feels (there is some merit in this argument) that extending assessment notices would distract companies from taking the right approach to data handling. It feels that a co-operative approach between businesses and the Information Commissioner is more desirable. That is the CBI's view. It is not one that would necessarily run the full length in Committee, but it is a generally held view.
Alun Michael: I am sorry to disagree with my hon. Friend, but if a co-operative approach would work with those organisations, why would it not work with public bodies? Private sector organisations are often as large or larger, and as bureaucratic, as public sector bodies. Some are lean and efficient, but not all.
Bridget Prentice: My right hon. Friend makes a good point. I reiterate that the Government feel that the public sector has a higher level of responsibility, because there is no choice as far as this is concerned. We can discuss the matter further, and discussions are continuing.
Mr. Garnier: The right hon. Member for Cardiff, South and Penarth made a point about the distinction between the private and the public sector. That distinction is being blurred by the public sector's use of the private sector to carry out public functions. Should we not concentrate on the function rather than on the description of the body carrying out that function?

Under the Identity Cards Act 2006 (another terrible piece of legislation introduced by this Government) and the Government business case that was published alongside the legislation, 40,000 private companies or agents were said to be part of the process of data recovery through the national identity register. The public had no access to that; it was not possible for a member of the public to audit the trail of information in the national identity register, which is a large Government bucket of private information. Some of that information would be in the hands of public bodies, and some in the hands of private companies. It is essential that we understand the principle and similarity of function, rather than getting tied up with whether something is a private or public sector body.
Bridget Prentice: The hon. and learned Gentleman makes a very good point. It is appropriate, therefore, for me to consider in detail at this point who could be given an assessment notice. Obviously, that includes Government Departments, publicly owned companies under the Freedom of Information Act 2000 and so on. Any person exercising a function of a public nature could be included in an order under section 5 of the Act. I think that that covers the examples from DBERR given by the hon. Member for North-West Norfolk.

A person providing, under a contract with a public authority, a service whose provision is a function of the public authority (that would include the private sector and the voluntary and third sector) could also be included under section 5. The powers can cover bodies that the definition of public authority covers where a person is providing, under a contract with a public authority, a service whose provision is a function of the public authority. That covers any contracting out of public services, because proposed new section 41A(12) of the Data Protection Act 1998 provides that a body can be designated under new section 41A(2)(b) if it could be included in an order under section 5 of the Freedom of Information Act or its equivalent in Scotland. I hope that that provides some reassurance with regard to those valid concerns about cases in which the private sector is working within the public sector, which can be covered under assessment notices.
David Howarth: I cannot remember the details of those sections offhand, but I seem to remember that they are about powers to include, not obligations to include, and they would not necessarily lead to the Information Commissioner being able to issue an assessment notice, if the organisation had not been designated as included in the Act.
Bridget Prentice: My understanding is that the hon. Gentleman is right: they are powers to include; they are not obligatory. However, I will come back to him on whether there will be further discussions on that.

Amendments 105 and 106 would strike out the exemptions in proposed new section 41A(12), but included in those exemptions are such people as the security services and special forces, who handle sensitive security information. The provision also covers Ofsted, because of the sensitive personal data that it holds on children and young people. I am resisting the amendments, given the sensitive nature of that information, and striking out the provision entirely would be inappropriate. We must balance the need to enhance the Information Commissioner's powers with the potential impact of the changes in the wider context of the regulatory framework. If I may, I shall now deal with the amendments on non-compliance.
Mr. Kidney: The Hampton principles were about proportionate burdens that are assessed according to the level of risk involved. As my right hon. Friend the Member for Cardiff, South and Penarth has said, why should the public sector not have the same benefit of the Hampton approach as the private sector when we come to imposing new burdens? In his memorandum to us, the Information Commissioner states: "We have no desire to undertake heavy handed or widespread inspections." So is it not possible to mirror the Hampton principles more closely in this power? Then the code of practice could amplify that when it is produced later.
Bridget Prentice: That is a very good point, and I certainly want to carry it forward. My hon. Friend has made a constructive contribution, because the Hampton principles provide an important structure for us to work to. Perhaps we can consider that in more detail and ensure that that aspect of the Bill complies with the principles, as he has outlined.
We propose to introduce assessment notices to raise the awareness and compliance of public bodies in respect of data protection principles. They are a complementary measure to support the existing investigatory and enforcement powers of the Information Commissioner. It is difficult to envisage a public sector body refusing to comply with an assessment notice, given the bad publicity that would ensue. That said, the Information Commissioner has told the Committee that he would like some kind of penalty or sanction for refusal to comply.

Let me outline the extensive enforcement powers that are already available to the commissioner if a public sector body fails to comply with the Data Protection Act. Where there is a refusal to comply with an assessment notice, the Information Commissioner would, where appropriate, still be able to use his existing investigatory powers, including powers of entry and inspection under schedule 9 to the Act. If the commissioner then discovers a breach of the data protection principles during an assessment, he can issue an enforcement notice to compel the controller to comply with their data protection obligations.

Amendments 364 and 365 relate to information notices. Section 43 of the Data Protection Act provides the Information Commissioner with the power to issue a data controller with an information notice. That notice can require the controller to provide the commissioner with specified information in a specified form to assess compliance with data protection principles. The commissioner can also issue a notice to any data controller, as long as he reasonably requires information to determine their compliance. Failure to comply with an information notice is a criminal offence, so the commissioner already has a pretty powerful tool.
The amendments would extend the commissioner's power to issue a notice served under section 43 to data processors as well as controllers. I am resistant to the amendments because the structure of the Data Protection Act places the responsibility for personal information on the data controller, not the data processor. Introducing a power to serve an information notice on a processor shifts the regulatory balance in the Act.

All data being processed by, or on behalf of, an organisation must be covered by the data controller's registration. It is the data controller's responsibility to obtain the information that the commissioner requires. It is the data controller who controls the personal data that would be the subject of an information notice, so it should be the controller who has to comply with a notice. A data processor does not control the personal data, so it would be inappropriate to make them responsible for it; it is for the data controller to take that responsibility.
Mr. Bellingham: Will the Minister clarify that? Is she saying that third parties that handle the data on behalf of the data controller do not really need to be covered by the information notice? Is the nub of what she is saying that there is no need for amendment 365 to extend the powers in the Bill to such third parties?
Bridget Prentice: That is the nub of what I am saying. It is the responsibility of the data controller, not the processor, to ensure compliance. For example, following the Hannigan data handling review, the Government introduced new standard contract clauses on information assurance. Those clauses mean that any contractors working with the Government will have processes in place to ensure acceptable standards for the protection and handling of personal data. The onus is on the data controller (in this case the Government) to ensure that such standards are in place. Amendments 364 and 365 represent a significant change to that regime, and the hon. Gentleman might consider it more appropriate for the issue to be considered by the review of the European directive, which is currently under way.

Finally, new clause 32 seeks to limit existing Crown immunity under the Data Protection Act so that Government Departments would be open to prosecution. Crown immunity means that emanations of the Crown are not ordinarily liable to prosecution for offences created by statute or the common law; the hon. Member for North-West Norfolk mentioned the Corporate Manslaughter and Corporate Homicide Act 2007, which is a notable exception. That immunity includes Departments. For that reason, the limitation on the prosecution of Departments is included in relation to the offences in the Data Protection Act.

However, that does not mean that Departments are not subject to adequate sanctions for breaches of data protection principles. They may still be subject to enforcement notices, claims for damages in the civil courts and civil monetary penalties. That final point is particularly important, because it means that financial penalties can still be imposed on Departments. It is also important to note that the immunity does not extend to those who work for Departments.

10 am

The hon. Member for North-West Norfolk asked when the penalties will come into force. A number of steps need to be taken before they can be introduced. The commissioner needs to prepare guidance on how he proposes to exercise his functions with regard to the penalties, and a number of pieces of secondary legislation will be needed, for example, to set out the levels of penalty. We will also have to build in a 12-week lead-in period before imposing such burdens on business, but we are working closely with the commissioner on that. My right hon. Friend the Member for Cardiff, South and Penarth asked for reassurance that further discussions are taking place. I can give him that reassurance. Discussions are ongoing. In light of that, I invite the hon. Member for Cambridge to withdraw the amendment.