Further supplementary memorandum submitted by the Information Commissioner's Office (CJ 27 a)

 

 

Coroners and Justice Bill:

Information Commissioner's commentary on the Data Protection Clauses

(151 - 154 & Sch.18)

 

Clause 151 - Assessment Notices

 

 

Section

 

Commentary

DPA s.41A(2)

The Assessment Notice provisions need to be widened, so the Information Commissioner can serve an assessment notice on any data controller. The risks can be just as great outside the public sector and the boundary lines between the sectors are increasingly blurred. The House of Lords Select Committee on the Constitution supported this conclusion at paragraph 238 of its recent 'Surveillance: Citizens and the State' report.

 

DPA s.41A(3)

The Bill should provide for a sanction for data controllers that fail to comply with an assessment notice.

 

DPA s.41A(6)

It is inconsistent that whilst there is a right of appeal against an assessment notice, there is no sanction for failure to comply with one.

 

DPA s.41B(4)

The requirement that an assessment report contains a determination as to whether a data controller has complied or is complying with the data protection principles is impractical and likely to make the assessment process unnecessarily confrontational. Where the Commissioner makes an assessment under s.42 of the Data Protection Act 1998 (DPA), the determination is not an absolute one: it is whether it is likely or unlikely that the Act is being complied with.

 

DPA s.41B(7)

We have difficulty seeing the justification for requiring the Secretary of State's approval for issuing the Code. This could call the ICO's independence into question and could undermine the credibility of the assessment process. Sub-section 7 should be deleted.

Clause 152 - Information Sharing

 

Section

Commentary

 

DPA s.50

The Bill's information-sharing provisions are too wide, and its safeguards relatively weak. The provisions should only apply in precisely defined circumstances where there is a legal barrier to information sharing that would be in the public interest. The Bill needs an additional safeguard, to prevent the use of information-sharing orders in the context of large-scale data sharing initiatives that would constitute significant changes to public policy.

 

DPA s.50A(1)

It is not clear whether the Bill's information sharing provisions, or its data protection clauses more widely, apply to 'data', 'personal data' or 'information'. These terms have specific meanings in the DPA, but seem to be used interchangeably in this Bill. The Bill's data protection clauses should only apply to 'personal data', as does the DPA itself. Amendment of the DPA to introduce provisions that apply to non-personal data will be highly confusing.

 

DPA s.50A(3)(b)

This definition of 'information sharing' will cause considerable difficulty. Sharing information and using it for a different purpose are quite different activities; it is possible to share information without using it for a different purpose, or to use it for a different purpose without sharing it. This legally convoluted definition will pose a considerable and avoidable obstacle. If a definition of 'information sharing' is needed at all, sub-clause 3(b) should be deleted from it. If there is a need to address use of information for a different purpose, and we do not believe there is, then this should be covered by a separate provision.

 

DPA s.50A(5)

An information-sharing order should specify the organisations providing and those receiving the shared information - as it stands, it is not clear whether sub-section 5(a) does this.

 

DPA s.50A(7)

There should be an additional sub-section following s.50A(7), stating explicitly that the DPA still applies to the sharing of personal data authorised by an information-sharing order, as does the Human Rights Act.

 

DPA s.50D(3)

There should be a requirement for any authority seeking an 'opinion' from the Information Commissioner to provide him with any additional information, such as background documents, that he needs to consider the draft order. This should be provided before the 21-day consideration period begins.

 

DPA s.50D(4)

There should be a provision to extend the 21-day period for consideration of draft orders that deal with particularly complex or controversial issues.

DPA s.50D(8)

The Bill should specify '21 working days'.

 

DPA s.50E(1)

The responsible Secretary of State will have an important role in terms of putting safeguards in place as a precursor to granting consent. The MoJ's Memorandum to the House of Lords Delegated Powers and Regulatory Reform Committee says that a Privacy Impact Assessment (PIA) will be required for all proposed information-sharing orders. The Secretary of State's role and the relevant safeguards should be specified on the face of the Bill.

Clause 153 - Data-sharing code of practice

 

Section

Commentary

 

DPA s.52E(3)

There should be an explicit requirement to take the Information Commissioner's code of practice into account when drafting an information sharing order.

Schedule 18

 

Section

Commentary

 

DPA s.43(1)

As amended, the DPA's information notice provisions would still only allow the Information Commissioner to serve an information notice on 'the data controller'. The Commissioner should be empowered to serve an information notice on any person who holds relevant information.

 

DPA Sch.9

The Information Commissioner should be able to obtain a warrant for entry and inspection where he has reason to believe that the data controller is likely to contravene any of the data protection principles. The Commissioner should have the power to intervene where there is a significant risk, and not only once a breach has taken place.

March 2009