
Earl Russell: Before I consider what to do with the amendment, I wonder whether the Minister can tell me why he is not convinced that Article 15 of Directive 95/46 does not apply to social security matters. I was very surprised to hear him say that.

Lord Mackay of Ardbrecknish: I do not know what more I can say. We do not think it necessarily does, but we do not think the problem arises for the reasons I have explained. Equally, as I have explained, we shall have to address all these matters as they affect the whole field of data protection when we come to enact in our domestic law the necessary legislation in order to allow us to fulfil by October 1998 the terms of the directive. I really cannot be plainer than that.

Earl Russell: If the answer comes to the Minister and comes into his mind, I shall be happy to give way to him at any time when he is willing to ask me to do so. I cannot see any reason why he should have that opinion. He says that he does so for the reasons he gave me. That is a little like the letter I quoted last Thursday about the Jobseekers Act, "We have not granted you jobseeker's allowance for the reasons explained in a previous letter", which had not arrived. The point is of some importance, so if any light could be shed on it I would be happy to give way.

13 Mar 1997 : Column 434

On authorisation, the Minister makes a good and valid point, and I accept it. But in doing that he inadvertently strengthened the case for the amendment. It is right that access to the computer should be restricted to those who have authority and the proper status, but that means that it takes longer to put errors right since the number of those people is limited. That means that the need for restriction on decisions made on potentially erroneous data is rather bigger than it was before.

The Minister says that data matching does not involve decisions. In a very narrow and technical sense, that is true. Yet it is equally true that data matching is presumed to be the cause of decisions. Otherwise there would be no point in all the effort put into the Bill. The risk of erroneous decisions remains. I believe the Minister is receiving some light on this matter. I shall be interested to hear what it is.

Lord Mackay of Ardbrecknish: I thought I had shed more than enough light on this point on Tuesday when I made it clear what the position would be and I explained what data matching was. I said in my original remarks not so much that it did not apply but that it was doubtful whether Article 15 concerns the evaluation of certain personal aspects relating to a person such as his performance. I am afraid that I am now having some trouble with the writing on the notes.

I come back to my main point. This is a much wider matter than simply data matching in the Department of Social Security. We shall have to address the issue in the next Session of Parliament in order to put into domestic legislation before October 1998 the terms of the directive. It seems to me that that is the sensible way to proceed. I do not believe that it is sensible to do a little bit on social security especially when I hear the noble Earl suggesting that even if a doubt is thrown up by data matching somehow or other the adjudication officer will not be able to change a benefit decision because the doubt has been put into his mind by an automatic process. That is trying to say, "Let us not have the modern world or any computers." One of the things they do very quickly and cleverly is throw up information on which one can act in every field of life. I do not quite understand that particular part of the noble Earl's argument.

Article 15 says,

    "Member states shall grant the right to every person not to be subject to a decision which produces a legal effect concerning him or which significantly affects him, and which is based solely on automated processes of data intended to evaluate certain personal aspects relating to him such as his performance at work, credit worthiness, reliability and conduct".

That is based solely on automated processing of data. I believe I explained that the way we envisage this working it will not be based solely on the automated data process. It may be based on the automated data process, but it will then have to be taken on board by the people working in the Benefits Agency and, at the end of the day, by the adjudication officer if it comes to a decision on benefit. I believe that I am just repeating what I said on Tuesday. I cannot be any clearer than that.

13 Mar 1997 : Column 435

4 p.m.

Earl Russell: If I understood the Minister correctly, he has just granted the whole substance of this amendment. He said that no decision would be based solely on automated data matching: in other words, it would be checked first before any action was taken. If the Minister said that, I thank him warmly. He has granted me what I was asking and I beg leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 4 [Unauthorised disclosure by officials]:

Lord Carter moved Amendment No. 45:

Page 10, line 25, at end insert--
("( ) At the end of section 123 of that Act insert--
"(11) For the purposes of this section, a "disclosure without lawful authority" includes the circumstances where information is disclosed to a person who is employed in social security administration or adjudication, but where that information is subsequently used by that person for an unauthorised or an unlawful purpose.".").

The noble Lord said: This amendment deals with a very important point which has been drawn to our attention. We are advised that there could be a major flaw in the Bill. It will be interesting to hear the Minister's view. The amendment brings in a new subsection to Section 123 of the Social Security Administration Act 1992. The words of the amendment are:

    "For the purposes of this section, a 'disclosure without lawful authority' includes the circumstances where information is disclosed to a person who is employed in social security administration or adjudication, but where that information is subsequently used by that person for an unauthorised or an unlawful purpose".

The implication is that although the disclosure is proper, the use is not.

The purpose of the amendment is to assess whether there is adequate protection from the unauthorised use of personal data by an official who is authorised to use it. The point was raised at Committee stage in another place.

The problem seems to be that the Data Protection Registrar is of the view that there is a loophole in the law but the Government are not of that opinion. They cannot both be right. It is important that the divergence of opinion is resolved. The Government are proposing wider access to sensitive personal data and we are opposed to that. They must be sure of the position should an official abuse that ability to access personal data. The impact of the amendment is to widen the offences in Section 123, which are currently linked to disclosure. The amendment also removes the uncertainty which may surround Section 1 of the Computer Misuse Act 1990.

For example, under the Bill there is increased potential for an estranged partner to pry into the affairs of another, a scenario which can apply to an official who uses access to DSS and tax records in order to locate his former partner or wife who perhaps he has intimidated or beaten up. He might use his access to pry into the financial circumstances of his ex-wife's new lover. In such cases there is no disclosure to a third party. Legitimate access is given to information which results in it being used for another, but improper, purpose. The offences in Section 123 might not apply because they relate to disclosure of personal information to a third party. That is the basis of the advice we have been given.

13 Mar 1997 : Column 436

The absence of disclosure of information is the key issue in these examples. An official who is authorised to have access to such information may not disclose it but could use it for his own purposes. That is why the amendment deals with circumstances in which the information accessed by an official is used for an unauthorised purpose. Thus it tracks the unauthorised use of the information for the purpose of locating an ex-partner or studying the financial affairs of an ex-partner's new partner.

The amendment sends a clear signal that unauthorised access to, and use of, information as well as disclosure, can lead to prosecution. We are advised to ask the Minister what the impact is of the case of R. v. Brown which reached the House of Lords. The prosecution was overturned on appeal because it was deemed that a police officer had accessed the police national computer to obtain personal information and had used that data.

The Minister may cite the Computer Misuse Act 1990 as a way of getting round the examples I have given. However, I refer him to page 85 of the annual report of the registrar which states,

    "It is not clear whether access is 'unauthorised' for the purposes of the Computer Misuse Act where the employee has authority to access data for limited purposes and in fact accesses them for other purposes".

The Data Protection Registrar is saying that the 1990 Act may be insufficient to deal with disclosure. There is the possibility of disciplinary action against an official who accesses information for improper or personal purposes, but we understand that there is no opportunity to take legal action against such an official by prosecution in the courts. If information is used for offensive purposes action should be merited.

Therefore, we are trying to help the Minister by tightening up the provisions on disclosure, and that is why there is access and usage. The Audit Commission's report of March 1995 found that instances of computer hacking in Whitehall had increased by 140 per cent. in 1994. The report went on to say that the majority of the 655 reported incidents involved staff exceeding their authority by using their passwords to try to obtain information on members of the public to disclose to outsiders.

I am not sure whether the Minister is aware of the correspondence between my honourable friend Mr. Harry Cohen, the Minister and the Data Protection Registrar. My honourable friend wrote to Mr. Oliver Heald, the Parliamentary Under-Secretary, on 16th January 1997, on a point raised in Committee.

    "I return to a point I raised with you. It relates to offences under the Computer Misuse Act 1990 and the circumstances under which an employee who is authorised to access a computer exceeds his or her level of authorisation. The point I was raising was that the Data Protection Registrar has made a statement in her twelfth annual report which expresses some doubt on the circumstances. You on the other hand are convinced that the 1990 Act is certain. My understanding (from hearsay sources I should add) is that there [have] been cases where the Crown Prosecution Service has failed in the prosecution of these offences, where a case has come to trial before a judge".

13 Mar 1997 : Column 437

Mr. Cohen asked to be reassured that the registrar was mistaken in her concerns. He wrote,

    "As you can imagine, if there is any doubt, I would like to see the law amended and the Fraud Bill offers a suitable opportunity in this regard".

A copy of that letter was sent to the Data Protection Registrar. There is an interesting little sidewind on this. Mr. Cohen wrote on 16th January 1997. In all the discussion we have had about information in documentation and computers being wrong, the reply of the Data Protection Registrar was dated 27th January 1996. The typist in the office of the registrar obviously had not realised that the new year had started and put the wrong date on the letter. The interesting point is what would have happened if that letter was filed through the word processor under its date. It would have disappeared into the computer works in the previous year.

In her reply the registrar thanks Mr. Cohen for the copy of the letter and says,

    "One of the cases to which you refer is R. v. Victoria Parker (now Bignell) heard before Southwark Crown Court. This has increased my concern that there is a gap in the protection provided by the Data Protection Act 1984 and the Computer Misuse Act 1990. I understand from the CPS that they intend to appeal the point to the Divisional Court".

As I say, that was on 27th January, and I am not sure whether the appeal has yet been heard. She copied her reply to Mr. Heald.

The Minister will agree that this is an extremely important point and that real concern has been expressed by the registrar that the Act could be flawed. This amendment provides the Minister with an opportunity to say who is right and who is wrong. I beg to move.
