Memorandum submitted by the Information Commissioner (CJ 02)
1.1 There is much to be welcomed in the data protection clauses of this Bill. These will:
· facilitate reasonable sharing
· put a rigorous set of safeguards for individuals in place
· address long-standing deficiencies in the Information Commissioner's powers and resources.
1.2 The Bill's data protection clauses will enable the Information Commissioner's Office (ICO) to deal much more effectively with the demands placed upon it, and to improve protection for individuals.
1.3 But our practical experience of regulating the Data Protection Act 1998 (DPA) leads us to believe that the Bill needs to be further improved. We hope that the necessary improvements can be made as the Bill passes through Parliament.
2. Assessment notices (clause 151)
2.1 An assessment notice will allow us to inspect an organisation to determine whether it is complying with the data protection principles. However, as it stands, the Bill will only allow the ICO to serve an assessment notice on a government department or a designated public authority. It would not allow the ICO to serve an assessment notice on a private or third sector organisation.
2.2 Clearly, particular risks can arise in public sector contexts, where individuals may be required by law to provide very sensitive personal information to organisations with very extensive collections of records. Therefore we are pleased that the Bill provides for ICO to serve an assessment notice on government departments and some public authorities. However, given that these public authorities have to be designated by order, it is not clear how far into the public sector our power will ultimately reach.
2.3 The level of risk that arises in private sector contexts should not be underestimated. There have been many examples (some recent) of mishandling in the private sector. The line of demarcation between the public and other sectors is becoming increasingly blurred. Private and third sector bodies frequently carry out work for public sector ones. It is common for charities, for example, to carry out functions on behalf of local government. As it stands, we could inspect the local authority, but not the charity.
2.4 Some private sector bodies have collections of sensitive information that are as extensive as those held within the public sector. In reality, an individual may have no alternative to providing information to a private sector body, and to this being shared. For example, an application for credit will necessarily involve information about a person's finances being shared with the credit reference agencies. The loss, corruption or misuse of private sector information can have an enormously detrimental effect on individuals' lives. Most will be aware of the severe consequences when individuals are 'locked out' of their bank account, have their electricity turned off due to an 'administrative error' or become the victims of identity fraud because their personal details haven't been kept safe.
2.5 We have no desire to undertake heavy handed or widespread inspections. We only take action where we identify a specific risk to individuals, for example by analysing the tens of thousands of complaints that we receive each year - most of which are about private sector organisations. We are strongly of the view that if individuals are to be protected properly, we must be able to serve assessment notices on all data controllers - including private sector, public sector and third sector organisations.
2.6 It is also very worrying that the Bill does not provide for any sanction if an assessment notice isn't complied with, but does provide for a formal right of appeal against a notice. In order to make our power of inspection effective, and to ensure the credibility of the inspection process, even if it is limited to public bodies, there must be a sanction where an organisation fails to comply with an assessment notice. One approach would be to introduce a clause similar to s.54 of the Freedom of Information Act 2000. This treats failures by public authorities to comply with our
2.7 The Bill provides for a code of practice concerning assessment notices. Whilst this is welcome, we cannot see the justification for needing the Secretary of State's approval for issuing the code. This could call our independence into question and could undermine the code's credibility.
3. Information sharing (clause 152)
ICO report on a draft information sharing order
3.1 The Bill's information sharing provisions would be significantly improved if they mirrored more closely the relevant recommendation of the Thomas / Walport Data Sharing Review. The recommendation was to provide a statutory fast-track procedure for use in circumstances where there is a genuine case for removing or modifying an existing legal barrier to information sharing. The recommendation made it clear that the procedure should only be available in precisely defined circumstances. It would be helpful if the Bill could specify the particular barriers to reasonable information sharing that an information-sharing order is intended to modify or remove.
3.2 We are pleased that the Bill provides for ICO to produce a report to Parliament when a Ministerial information-sharing order is introduced - preferably after a privacy impact assessment has already been undertaken. Our report will address the proportionality of the information sharing and its effect on individuals. This provision will allow us to ensure that safeguards are in place and that individuals' rights are respected. Where appropriate, we will be able to advise Parliament that a particular initiative is a step too far, or that further safeguards are required.
Definition of 'information sharing'
3.3 The Bill's definition of 'information sharing' will cause considerable difficulty. As it stands, clause 152 says that a person shares information not only if the person discloses the information to another person, but also if the person consults or uses the information for a purpose other than the purpose for which the information was obtained. This legally convoluted definition will add to the considerable confusion surrounding information sharing. The ICO has to translate the law into simple, sensible guidance for organisations. This definition, which goes against the principle of clarity which lies at the heart of better regulation, will pose a considerable and avoidable obstacle.
3.4 If the Government believes that there is need to address the use of information for a different purpose, then this should be done through a separate provision, not by stretching the meaning of 'sharing' beyond its normal usage.
4. Data sharing code of practice (clause 153)
4.1 We welcome the requirement for the Information Commissioner to produce a data-sharing code of practice. We can do this by building on the ICO's current non-statutory code. We would prefer it, though, if the legislation made it clear that organisations benefiting from an information-sharing order must take the code of practice into account. As it stands, there is no direct link between the order and the code of practice.
5. Further amendments to the DPA (clause 154)
Power to require information
5.1 Currently we can only serve an information notice on 'the data controller'. The data controller is the organisation with legal responsibility for processing personal data. The nature of modern business means that it is not always easy to determine who this is. In complex outsourcing arrangements it can be unclear who, if anyone, is ultimately in control of a data processing operation. We need to be able to serve notices on anyone who may hold relevant information, sometimes to identify who the responsible data controller is and sometimes to collect evidence of breaches.
5.2 In this paper we have commented on the main policy issues of relevance to us. We are also preparing a paper that will contain our more detailed analysis of the Bill's provisions. This will be updated as the Bill passes through Parliament. A first version will be released in time for the Committee's detailed scrutiny of Part 8 of the Bill.