Legislative Scrutiny: Coroners and Justice Bill - Human Rights Joint Committee


3.  Data Protection

1.43 The Bill proposes to amend the Data Protection Act 1998 (DPA) in a number of ways: it introduces a number of new powers for the Information Commissioner and creates a new broad power for the creation of information sharing gateways by secondary legislation.

Information Sharing Orders and the right to respect for private life

1.44 Clause 154 of the Bill provides relevant Ministers, including Ministers in the devolved executives, with a broad power to open an information sharing gateway between two or more persons, by statutory instrument. As the Explanatory Notes make clear:

This clause creates a free-standing power for ministers to enact secondary legislation which will have the effect of removing all barriers to data-sharing between two or more persons, where the sharing concerns at least in part the sharing of personal data, where the sharing is necessary to achieve a policy objective, where to do so is proportionate, and where it strikes a fair balance between the public interest and the rights of any individual effected by the data-sharing.[37]

1.45 The Government accepts that these provisions engage the right to respect for private and family life (Article 8 ECHR). The Government considers that these provisions are justified and proportionate but the Explanatory Notes provide very little justification for the Government's view that these powers will always be exercised in a Convention compatible way. They explain that an analysis will need to be completed as each Information Sharing Order (ISO) is proposed, as each ISO will serve its own purpose; but, section 6 Human Rights Act 1998 (HRA) will ensure that a Minister will not propose any secondary legislation that is incompatible with the right to respect for personal information. We and our predecessors have consistently rejected this approach in our earlier reports and have called, where necessary, for safeguards to be placed on the face of the enabling legislation to reduce any risk that delegated powers are exercised in a way which is incompatible with the Convention.[38] We reiterate our view that, in principle, information sharing powers should be adequately defined in primary legislation, accompanied by appropriate safeguards and subject to the application of the Data Protection Act 1998.

1.46 On 7 and 8 March 2009, press reports indicated that the Secretary of State for Justice intended to ask for Cabinet level agreement to remove this Clause from the Bill.[39] It now seems likely that Government amendments will be tabled before Report stage in the House of Commons removing clause 154 from the Bill, with a Government consultation on future proposals on information sharing to be published in due course.[40] We would welcome confirmation that the Government has decided to drop these proposals. We recommend that the relevant amendments are tabled as soon as possible and that the Secretary of State should make a statement to Parliament on his decision and the Government's plans for taking this issue forward. No Government amendments have yet been tabled to the Bill for this purpose. For the avoidance of doubt, we recommend that clause 154 be deleted from the Bill:

Page 101, Line 12, Leave out Clause 154

1.47 We received a number of submissions from interested organisations and individuals, expressing concern about the scope of these provisions. We raised a number of issues in correspondence with the Minister and the Information Commissioner about the breadth and purpose of clause 154. We consider each of these in brief below. We recommend that the Government take on board the concerns we received from interested organisations and individuals when formulating any further consultation on information sharing.

1.48 If these proposals are part of the Bill introduced to the House of Lords, we may consider a further report to address our detailed concerns about the Government's proposals for ISOs.

PRIMARY VS SECONDARY LEGISLATION

1.49 In our recent report, Data Protection and Human Rights, we expressed concerns that primary legislation proposing information sharing or creating new proposals for information sharing gateways often provided very few safeguards on the face of the legislation, allowing very little opportunity for parliamentary scrutiny of whether the relevant safeguards were adequate to protect the individual right to respect for private life.[41]

1.50 These proposals raise these concerns on a grand scale, but propose alternative safeguards intended to ensure that adequate opportunity for parliamentary scrutiny is provided as and when new information sharing gateways are created. Ideally, safeguards should be provided in primary legislation. If adequate safeguards were in place in the enabling primary legislation, a narrow fast-track ISO procedure could be a positive development in terms of parliamentary oversight of information sharing proposals, particularly given the limited scrutiny of existing information sharing provisions in primary legislation. However, for the reasons set out below, we have significant concerns about the scope of these proposals and the associated safeguards in clause 154.

THE SCOPE OF THE ORDER

1.51 The recent Thomas-Walport review, on which these proposals are based, suggested that the Government might require an exceptional power to create new information sharing powers by secondary legislation, but that such a power should be accompanied by safeguards to ensure adequate parliamentary and wider scrutiny for compatibility with the right to respect for personal information.[42] The proposed powers in the Bill appear to be far from exceptional and their scope is exceedingly broad. For example:

  • An ISO may relate to many different kinds of information and is not limited to personal data. An ISO could include commercial information, medical information including medical records, information stored on central databases such as the National DNA database and the children's database. The Thomas-Walport review recommended that information sharing on this scale should not be authorised by ISO.[43]
  • Information may be shared between Government, agencies or other public authorities and private individuals and organisations, including some who will not generally, on the Government's reasoning, be subject to the provisions of the HRA 1998 and the duty to exercise their powers in a Convention compatible way.
  • Similarly, private individuals and organisations may be required to share information with Government, agencies and other official authorities.
  • There is no limitation in respect of information gathered before these provisions came into force (so, information which may have been provided for a single purpose some time ago, may now be subject to a wide order permitting it to be shared among multiple parties for multiple purposes). This is of particular concern, as information will not have been provided at that stage, in the expectation that it would later be shared in this way.
  • An order made under this section may amend any legislation, except the Regulation of Investigatory Powers Act 2000. This would include power to amend the HRA 1998 and the DPA 1998. We have previously made clear that such a wide order-making power is not acceptable. Ministers should never be given the power to amend, by order, legislation as significant for human rights as the HRA and the DPA.[44]

1.52 Certain information, including certain types of personal information, is accepted by the European Court of Human Rights as having a greater sensitivity and a greater need for caution in respect of information sharing and the need for respect for private life (as guaranteed by Article 8 ECHR). Similarly, the DPA 1998 recognises "sensitive personal data" which requires greater protection than all other "personal data". We asked the Minister about a number of these concerns.[45] Her responses to our questions add little to the discussion of these proposals during the debate in the House of Commons Public Bill Committee.[46]

1.53 The Information Commissioner's responses to our questions were helpful. He does not consider that distinctions based on perceived sensitivities of categories of information are helpful. He notes that existing distinctions have caused some difficulties and stresses that in some circumstances, seemingly innocuous information may be extremely sensitive (for example, in respect of witnesses who require protection). We note the Information Commissioner's views. However, we are concerned that his caution around the exemption of particular categories of information from the ISO process seems inconsistent with the conclusion of the Thomas-Walport review that information of the type stored on the National DNA Database would not be suitable for sharing under a fast-track procedure.

1.54 The Information Commissioner shares our concern at the breadth of the effect of ISOs on primary legislation. We recommend that the Government should take up the Information Commissioner's suggestion that a clear savings clause for the continued application of the DPA 1998 and the HRA 1998 is necessary.

THE TEST: MINISTERIAL POLICY AND PROPORTIONALITY

1.55 The relevant Minister may make an ISO if he or she is "satisfied (a) that the sharing of information enabled by the order is necessary to secure a relevant policy objective, (b) that the effect of the provision made by the order is proportionate to that policy objective, and that the provision made by the order strikes a fair balance between the public interest and the interests of any person affected by it." This is an unusually broad test. In information sharing powers recently considered by the Committee, information sharing has generally been tied to an individual's public functions, not the policy objective of an individual Minister. The Government explains its view that this test is an appropriate safeguard for the protection of the right to respect for personal information. A Minister must act in pursuit of a policy objective, but is bound by the HRA 1998 to act in a Convention compatible way. The ISO must be proportionate to the policy objective and strike a fair balance between the subject of the information being shared and the public interest. This, together with parliamentary scrutiny, should, in the Government's view, satisfy Article 8(2) ECHR.[47]

1.56 This reasoning is very difficult to follow. In order to be compatible with Article 8(2), information can only be shared for the purpose of one of the "legitimate aims" identified by that article. The proportionality test engaged by Article 8(2) does not equate to the "striking of a fair balance" between the public interest in meeting the policy interests of a Minister and the interests of an individual or a group of individuals in keeping information about themselves private. The correct test is whether the interference with the rights of those individuals which happens when their information is shared is necessary and proportionate to the pressing social need which the sharing proposes to address.

SAFEGUARDS: THE PRIVACY IMPACT ASSESSMENT

1.57 The Thomas-Walport review recommended that the relevant Minister proposing an Order under these provisions should be required to perform a Privacy Impact Assessment. This requirement could enhance the ability of parliamentarians and others, including the Information Commissioner, to assess the potential impact of an order. The Explanatory Notes accompanying the Bill do not refer to the requirement to make a Privacy Impact Assessment. We welcome the Minister's reassurance that any ISO would automatically be accompanied by a Privacy Impact Assessment, which would be provided to the Information Commissioner and generally published more widely.[48] We do not consider, however, that this would provide an adequate safeguard to meet our other concerns about the breadth of the proposals in clause 154.

SAFEGUARDS: REVIEW BY THE INFORMATION COMMISSIONER

1.58 The Bill provides that the Information Commissioner must be given at least 21 days to consider whether to issue an opinion on any draft ISO. He is not required to publish an opinion, but where he does, that opinion must be laid before Parliament, together with the draft Order. The Information Commissioner is not required to report, nor is the relevant Minister required to do anything other than lay his report before Parliament. The Commissioner can only report on whether the effect of a provision is proportionate to the policy objective that the Minister seeks to meet and whether the order strikes a fair balance between the public interest and the interests of any person affected by it. The Commissioner is not permitted to question whether the sharing of information is necessary to meet the specified policy objective, nor is he allowed to report on wider issues in respect of the compatibility of the provisions with Article 8 ECHR or the implications of disregarding the data protection principles in this case. We are concerned at the limitations on the role of the Information Commissioner in these proposals and note that he shares some of our concerns.[49]

New powers for the Information Commissioner

1.59 Clause 153 will allow the Information Commissioner to conduct mandatory assessments of compliance with the Data Protection Act (DPA) 1998 by public bodies. Although the Commissioner has the power to inspect these bodies at present, he may only do so with prior notice and consent. This new power will extend to all ministerial and non-ministerial Government departments, local authorities and certain police and NHS bodies. The Commissioner will be required to provide guidance on how he intends to exercise these powers.

1.60 In his commentary on these parts of the Bill, and in his evidence to the House of Commons Public Bill Committee, the Information Commissioner points out that most complaints and risks in respect of data arise in private organisations and argues that these new powers should apply both to the public and private sector. He is also concerned that there is no sanction for non-compliance with an assessment notice provided on the face of the Bill. The Commissioner told us:

As it stands we regret that the Bill will not give us powers to ensure that all those processing personal information do so in compliance with the principles of data protection. In particular, we must be able to serve an Assessment Notice on any data controller and there must be meaningful sanctions for ignoring a Notice.[50]

He added:

We received welcome new powers in the Criminal Justice and Immigration Act 2008 to levy fines on data controllers for deliberately or recklessly breaching the data protection principles. However it is important that the Government brings these powers into force as soon as possible.[51]

1.61 The CBI wrote to the members of the Public Bill Committee to express its view that the new powers of assessment provided in the Bill should not be extended to the private sector. We understand that these concerns relate to a lack of adequate safeguards for the privacy of individual data controllers, including in respect of the right of the Information Commissioner to search private commercial premises without, the CBI argues, adequate safeguards for the individuals subject to inspection.[52]

1.62 We asked the Minister for a further explanation of the Government's view that these new powers should only apply to data processing in the public sector. The Minister told us that the Information Commissioner already has adequate powers to deal with the private sector, and that the new powers of assessment are principally designed in order to raise awareness in the public sector:

It is important to remember that Assessment Notices are intended to assist in raising the awareness and compliance of public bodies with the data protection principles. The public sector holds a large amount of data about UK citizens, the processing of which is often necessary to safeguard rights and responsibilities. This means, in contrast to the private sector, that individuals usually have no choice over whether data is processed. It is therefore appropriate that those public sector organisations that process information in what the Information Commissioner regards as high risk circumstances should be subject to inspection without necessarily granting prior consent. This is a complementary measure to support the existing investigatory and enforcement powers of the Commissioner.[53]

1.63 In our recent report Data Protection and Human Rights, we supported the Commissioner's call for additional powers and resources, noting:

We see the Information Commissioner as an important defender of human rights in relation to data protection and freedom of information. His office should be regarded as an important part of the national human rights machinery.[54]

1.64 We are concerned that the Government's response to the Information Commissioner's request that these new powers extend to the private sector underestimates the role which the private sector increasingly plays in the processing of information and the impact which that processing may have on the right of individuals to respect for their private life. This is particularly the case when private sector providers deliver public services, an issue on which we have often commented. We accept that the Information Commissioner has existing powers in respect of the private sector. These were recently demonstrated with success in respect of the Information Commissioner's investigation and enforcement action against Ian Kerr, a private detective, in relation to the alleged operation of an unlawful database of personal information and commentary on individual construction workers.[55]

1.65 We have, in our recent work, consistently emphasised the increasing role that the private sector plays in our public lives. Services are increasingly contracted out by public authorities as a matter of course. We and other Committees of both Houses have consistently noted that private sector data handling and surveillance can impact as adversely on our individual right to respect for private life and the right to respect for our personal information as the same processing in the public sector.[56]

1.66 We share the view of the CBI that adequate safeguards must always accompany powers of search and seizure but we consider that the safeguards already on the face of the Bill are significant (and indeed, provide greater protection than other compulsory powers of entry, search and seizure in this Bill). An assessment notice must specify the time at which a search or other inspection will take place and the time within which an individual data controller must comply; rights to appeal against the terms of any notice are provided; and there is express protection for legally privileged material. These are all safeguards which we have consistently called for with respect to other Bills where the Government considered that safeguards were more appropriately placed in secondary legislation. We recommend that the Government reconsiders the Information Commissioner's request that the proposed power to issue assessment notices be extended to data controllers in the private sector. Extension of these proposals to the private sector should include safeguards for data controllers' rights to respect for private life, if necessary. We do not consider that an amendment together with any necessary safeguards should be overly complex and we propose an amendment for the purposes of debate.

Page 98, Line 25, [Clause 153], delete from the second "is" to the end of line 29 and insert "not an excluded body"

1.67 At present, the Bill provides for no sanction for any individual data controller who fails to comply with an Assessment Notice. The Information Commissioner has called for a power of sanction to be applied, if only in respect of public authorities, who fail to comply with Assessment Notices. He recommends that public authorities who ignore or fail to comply with Assessment Notices should be treated as if they were in contempt of court, as they currently are in respect of certain obligations under the Freedom of Information Act 2000. We consider that these additional powers for the Information Commissioner would be a human rights enhancing measure. While we note the Government's view that it would be unusual for a department or other public body to ignore an Assessment Notice, or to fail to comply with its terms, there is no reassurance on the face of the Bill that this will not be the case. We propose an amendment to meet the Information Commissioner's concerns, for the purpose of debate.

Failure by a government department or public authority to comply with an assessment notice

To move the following clause-

"(1) If a government department or public authority has failed to comply with an assessment notice the Commissioner may certify in writing to the court that the public authority has failed to comply with that notice.

(2) Where failure to comply is certified under subsection (1), the court may inquire into the matter and, after hearing any witness who may be produced against or on behalf of the government department or the public authority, and after hearing any statement that may be offered in defence, deal with the failure to comply as if it were a contempt of court."


37   EN, paragraph 962.

38   Fourteenth Report of Session 2007-08, Data Protection and Human Rights, HL Paper 72, HC 132.

39   See for example, Telegraph, Government abandons data-sharing scheme, 7 March 2009.

40   PBC, 10 Mar 2009, Col 586. The Parliamentary Under-Secretary of State confirmed the Government's intention to remove this clause to the Public Bill Committee. At the time this report was agreed, no Government amendments had yet been tabled for Report stage in the House of Commons.

41   Fourteenth Report of Session 2007-08, Data Protection and Human Rights, HL Paper 72, HC 132.

42   Richard Thomas and Mark Walport, Data Sharing Review Report, 11 July 2008, paragraph 8.40 - 8.41.

43   Ibid, 8.47.

44   Fourth Report of 2003-04, Scrutiny of Bills: Second Progress Report, HL Paper 34, HC 303, paragraphs 1.23 - 1.24.

45   Ev 6 - 8.

46   Ev 20 - 23.

47   EN, paragraphs 963 - 965.

48   Ev 22.

49   Ev 36.

50   Ev 33.

51   Ibid.

52   PBC, 26 Feb 2009, Cols 343 - 345.

53   Ev 20.

54   Fourteenth Report of Session 2007-08, Data Protection and Human Rights, paragraph 39.

55   ICO Press Release, ICO seizes covert database of construction industry workers, 6 March 2009.

56   See for example, Fourteenth Report of Session 2007-08, Data Protection and Human Rights; House of Lords Select Committee on the Constitution, Second Report of Session 2008-09, Surveillance, Citizens and the State, HL 18-I.


 

© Parliamentary copyright 2009
Prepared 26 March 2009