| Previous Section | Back to Table of Contents | Lords Hansard Home Page |
Earl Russell: Some years ago my wife was visiting the local women's refuge, as she did from time to time, when a call came in from the local police station to one of the women in the refuge. The call was from a policewoman, wishing to check whether the woman in question was actually in the refuge. She was. That sounds a perfectly reputable call, but if you work in a women's refuge you are trained to be extremely wary of disclosure, so somebody asked the woman if she knew anything about the person who was calling her and discovered that the policewoman who was calling happened to be the best friend of the woman's ex-husband from whom she had fled to the refuge. Disclosure to a policewoman is not necessarily unauthorised disclosure; for a policewoman to possess information is not necessarily unauthorised possession of information, but to disclose it to the violent ex-partner is unlawful disclosure.
The whole point of the amendment is that it does not deal with disclosure only; it deals with use. A person may be perfectly authorised to be in possession of information, but not to use it for a particular purpose. After all, every public servant is not only a public servant; he or she is also a person with all the normal human weaknesses, sins, failings and liability to temptation. That point used to be expressed under the doctrine of what lawyers used to call "the king's two
bodies"--there is the king's public body, which one might describe as the Crown, and the king's personal body, which is the one that gets the toothache. That is perhaps most clearly expressed in the recent case of President Carter's signature. When he was running for office, Mr. Carter was absolutely horrified to discover that not all letters from the President were signed by the President, so he gave an election pledge that he would personally sign all letters from the President. After he had been elected, his staff slowly and painfully succeeded in explaining to him that that task would take him exactly 24 hours a day. In the end, President Carter was persuaded to understand the doctrine of "the king's two bodies". I hope that persuading the Minister to understand it will not be quite so laborious, but the Minister is extremely quick so I do not think that it will be.The point is to create an offence of unlawful use because without it, there is no protection. The Minister may invoke the Data Protection Act, but the Data Protection Registrar has stated:
- "it is not clear whether access is 'unauthorised' for the purposes of the Computer Misuse Act where the employee has authority to access data for limited purposes and in fact accesses them for other purposes".
The Minister in another place gave a whole series of reassurances against disclosure. He gave the assurance that if a battered wife is concerned that a member of staff might let her husband know where she lives, the record could be deemed to be sensitive. The Minister repeated that assurance the other day. That was very welcome, but it does not cover this case because this case is not about disclosing information to the husband; it is about what happens where the authority concerned might actually be the husband. That cannot be covered by any reassurance about disclosure. We need a separate reassurance about use.
In the case of R v. Brown, which reached the House of Lords, whether such use of the police national computer was an offence appeared doubtful and, in effect, the prosecution failed. That indicates a real gap in the law. If the Minister would like to be generous just once on this Bill, this would be a suitable place. It would protect many innocent people and, as far as I can see, it would cost the Government nothing.
4.15 p.m.
Lord Mackay of Ardbrecknish: I hope that I can be generous at least in the assurances that I may be able to give both the noble Lord, Lord Carter, and the noble Earl. A fair number of points arose in the speeches that we have just heard and I shall try to deal with them all although I believe that the noble Earl realises that I answered one of his points the other day on the question of the battered wife. A battered wife could
indicate that there was a problem, in which case her file would be subject to access only by highly authorised persons. That would give her protection.
Earl Russell: I did thank the Minister warmly for that assurance, but what I have said today is that that is not the same case as that which we seek to cover in this amendment, so that assurance, however welcome, is not to our present purpose.
Lord Mackay of Ardbrecknish: I thought that I should reiterate it. I must have misunderstood the noble Earl's point because I thought that he was raising the question again and I wanted to be sure that the point that I made two days ago was clear.
Section 123 of the Social Security Administration Act makes it an offence for employees of, and contractors to, the Department of Social Security and certain other government departments to disclose personal social security information unlawfully. Clause 4 of this Bill extends that offence to employees of local authorities, and to any contractors or their employees exercising housing benefit or council tax benefit functions. Unauthorised disclosure is an offence which attracts a penalty on conviction on indictment of imprisonment for a maximum term of two years, or a fine, or both.
The department considers unauthorised disclosure of information from departmental records or other information obtained by staff in the course of their official duties to be serious misconduct, and incidents are met with a range of penalties including dismissal. Where work is performed by contractors, strict conditions of confidentiality are included in the relevant contracts; moreover, our contractors, whose business often depends on the confidential processing of personal information for many other clients as well as ourselves, take confidentiality as seriously as we do and their employees are subject to similarly stringent disciplinary procedures.
Local authorities have their own disciplinary procedures, and of course their staff are subject to a general duty of confidentiality. Once this Bill has received Royal Assent, the department will issue a circular to draw local authorities' attention to the new offence.
The amendment seeks to make it an offence to pass on information to a person employed in social security administration or adjudication if that person subsequently uses the information unlawfully or without authority. That seems a little harsh. Indeed, having listened to the noble Lord, Lord Carter, I suspect that that is not what he meant although it is what the amendment would achieve. The amendment would make the supplier his brother's keeper by placing him under a responsibility for the receiver's behaviour. The receiver may, of course, be committing an offence himself under Section 123 of the Social Security Administration Act, for which he could be fined, imprisoned or both; and the offence would occur with retrospective effect. At the time the information was supplied the receiver would have done nothing with it, but the supplier could, by the mere act of supplying
information in a way which was lawful at the time he did it, become guilty of an offence by the receiver's actions at some undefined point in the future.As drafted the amendment would make officials of the department responsible for any later lapses in security by local authorities and their contractors, or others to whom they have passed information including the department's own contractors. The effect could be that no information would be passed between for fear of later culpability. Nor is it clear where the chain of culpability would stop: if the end receiver used the information unlawfully or without authorisation, then the supplier would have committed an offence, but what about the person who supplied him? Is he guilty too?
I believe that the noble Lord's amendment is intended to extend the offence to a person who uses information in an unauthorised way without disclosing it to another person. Such a case might hypothetically be one where an official accessed the records of an ex-partner in order to find out his or her whereabouts and then harassed that person. That was the example used. Officials do not have unrestricted access to information held in the department's systems. It is made very clear to them that they may only access information relevant to the work allocated to them, and access to any other information for which prior authority is not given by a senior officer is therefore unauthorised. This guards against staff entering a database and browsing through it, whether or not they then use the information themselves unlawfully or disclose it to another person. In such cases, whether or not the offence in Section 123 of the Social Security Administration Act, which I described earlier, applies, there are other safeguards elsewhere in legislation to ensure that information obtained in the course of an individual's job is not used unlawfully. Browsing is an offence under Section 1 of the Computer Misuse Act 1990, which creates the offence of accessing information without authorisation. A person is guilty of an offence if the access he intends to secure is unauthorised and he knows at the time he accesses the computer that that is the case. Successful prosecutions have been brought for unauthorised access to computers under this offence.
Section 122C(4) gives the Secretary of State power to impose conditions on the use of information supplied by the department to local authorities. We intend to exercise this power to impose requirements which are aimed at ensuring the security of data supplied. However, responsibility for preventing unauthorised access inevitably must remain with each local authority itself.
The noble Lord referred to R. v. Brown which, as I understand it, related to browsing. Browsing is, I suppose, rather like surfing the Internet. Browsing is the viewing of data without using it, disclosing it or even mentioning it to anyone else. In this particular case, on 9th February 1996 the court held that the employee could not be prosecuted under the Data Protection Act for simply browsing computerised personal data without using or disclosing it. I understand that the Home Office has considered the matter very carefully following the Brown decision but, in the light
of the facts of that case, has concluded that it is not necessary to take any immediate action to make any amendment to the Data Protection Act.In Brown it was also held that the term "use" in the Data Protection Act, while not wide enough to cover the situation where someone merely called up and viewed computerised personal data, should nevertheless be given its natural meaning. The effect of this is to confirm that if that data is subsequently used for any unauthorised purpose that action is caught by the existing legislation. Brown also confirmed that while unauthorised access was not an offence under the Data Protection Act, the Data Protection Registrar can still take action against the data holder for a breach of the data protection principles. In addition, the Computer Misuse Act continues to be effective against employees or contractors who access computer systems beyond the extent of their authorisation, and the Department of Social Security has brought successful prosecutions on this basis. Moreover, in the case of personal data relating to social security, the offence under Section 123 of the Act would also be relevant. As I believe I suggested earlier, it could easily lead not just to prosecution but to disciplinary action: either downgrading of the person involved or dismissal from the service of the department.
A number of other issues have arisen. The noble Lord, Lord Carter, asked me who was right: the Data Protection Registrar or the Secretary of State.
Next Section
Back to Table of Contents
Lords Hansard Home Page