|Previous Section||Back to Table of Contents||Lords Hansard Home Page|
Lord Mackay of Ardbrecknish: I will not say that at all. What I will say is that it is ultimately for the courts to decide how the law is to be interpreted. It is not for me to decide who is right and who is wrong in this matter. However, if there are difficulties in this area it is for the Home Office to address the point. I underline that my department has relied successfully on the Computer Misuse Act 1990 when dealing with situations of this kind. There have been three successful prosecutions of the department's staff under that Act.
To demonstrate that the department takes this matter very seriously, in 1995/96 it dismissed eight members of staff and 12 others had penalties imposed, including fines, downgrading and written warnings on account of unauthorised access to departmental systems. In addition, two members of staff were dismissed and three others had penalties imposed for the unauthorised disclosure of information. I hope that both the noble Lord and the noble Earl can be assured that we take these matters very seriously indeed. Staff within the department do not have unrestricted access to the information held in its systems. It is made very clear to them that they may only access information that is relevant to the work that is allocated to them. Access to any other information for which prior authority is not given by a senior officer is therefore unauthorised. All staff receive an on-screen warning that accessing departmental data without authority is an offence; in other words, when they enter the system to do whatever they need to do legitimately they receive a warning. We
We take these matters very seriously. If one looks at the three levels of the problem--access, use and disclosure--it is clear that, as to access, the Computer Misuse Act 1990 can be and has been used. We also have the internal disciplinary system within the department. As to the question of use, the Data Protection Act can be applied. We also have the disciplinary procedures within the department. As far as concerns disclosure, use can be made of the Social Security Administration Act and the Data Protection Act. We believe that we have sufficient safeguards.
I said earlier that I believed the amendment of the noble Lord, Lord Carter, did not do exactly what he intended. But I hope that I have dealt with what he is after, explained that we take these matters very seriously and the different levels of protection in our internal disciplinary systems. Further, we have been and are able to use the three Acts that I have mentioned to deal with those who infringe both those enactments and the principles and guidance given to staff in the context of what the department fully accepts is the need to handle other people's data with care.
Baroness Hollis of Heigham: The Minister has been very helpful and clear in dealing with the procedures in place within the DSS, partly because it is a very large organisation with very clear lines of responsibility and detailed forms of management, on the assumption that the work is done in-house. But the problem is perhaps less likely to occur within the department than within local authorities. In local authorities it is not a question of browsing or unauthorised or illegitimate access. One may be dealing with a small local authority that has only a few officers who are handling this material. They will have a right of full legitimate access to that information. For example, the individuals may be housing officers checking against income support records. They realise for the first time that the person on income support is having some top-slicing--it is an issue to which the noble Earl will refer on a later amendment--which suggests arrears of debt and so on, which are unknown to the local authority officers. That is information, legitimately obtained, which he might go on to use illegitimately.
Can the Minister assure us over and above the general reference to local authority good management guidelines, and so on, that that offence would be caught within the Bill at present? Surely we need an amendment such as that moved by my noble friend, or a revised version, to pick up that point. We are not talking about browsing or unauthorised access but legitimate authorised access which gives rise to unauthorised use. In the situation I have described, can the Minister assure us that we do not need this additional protection?
Lord Monkswell: I have followed the debate with interest and it appears that the Minister has given assurances about unauthorised access and unauthorised disclosure. I think that there is probably enough
However, the concern relates to the unauthorised use of information obtained on an authorised basis. The noble Lord, Lord Russell, mentioned the individual who may have authorised access to the whereabouts of a spouse whom he has mistreated in the past. Perhaps I may suggest another example. A senior official within the housing benefits service runs in his private capacity establishments which have as tenants predominantly people who are in receipt of housing benefit. The information that he would legitimately obtain as a senior housing benefit officer from the computer system would be useful to him in running establishments with predominantly housing benefit tenants. I hope that that officer would not be authorised to use that information that he has legitimately obtained as a senior housing benefit officer in his private capacity. From what the Minister said, there is nothing that renders that use unlawful. That is the crux of this issue.
I accept the intention as described by the noble Lord, Lord Carter. The wording of the amendment may not be quite right. I am not sure that the Minister addressed the kernel of the problem which we addressed with the amendment.
Earl Russell: I think that the Minister tried hard to be helpful. When he said we take these matters seriously, he clearly meant what he said. What I am not quite so certain about is whether the matters that he takes seriously are these matters. The Minister referred to the matter resting on three legs: disclosure; access; and use. He is right. But all the reassurance that he gave related to disclosure and access. Clearly the department is aware of those two risks and is doing everything it can to meet them. But we are dealing with disclosure to a person who is actually authorised to have the information, and access by a person who is allowed to have it.
Let me take some cases which have arisen. They concern the police. In my opinion, the Conservative Party has suffered severely and unjustly from a number of cases where some of its Members in another place have been stopped by the police, questioned but not charged, and the information has found its way on to the front page of the Sun. In those cases, police officers were clearly authorised to have access to the information, but they were not authorised to use it, possibly for their own purposes, and possibly even for their own profit. The noble Baroness reminds me that that may constitute disclosure. But if the policeman writes the piece himself--and I would not be surprised if that has been known--that is not covered; and the provisions do not cover the case where the person uses the information purely for his own personal benefit.
Let us suppose that the information is market sensitive, and the individual acts upon it. He may make a considerable sum of money out of it. In my opinion that is an unauthorised use. I cannot help remembering the words once used in this Chamber by the right
Lord Mackay of Ardbrecknish: If the noble Earl checks in Hansard, he will see that I ended my summary by talking about access, use and disclosure. I discussed in each case the Act which could be used in a breach. I instanced the fact that the Data Protection Act could be used in the case of unlawful use. I added that the Department of Social Security would take disciplinary steps against the individual. That leads me back one step to the point raised by the noble Lord, Lord Monkswell. The unauthorised use of information obtained lawfully is unauthorised and therefore it is in breach of the Computer Misuse Act. That is the point I make about use; it is a breach of the Computer Misuse Act.
As regards the noble Lord's example, it would be doubtful whether a local authority would give a person such as he instanced the right to access the kind of information we are discussing. However, let us leave that to one side. Even if it did, and the individual had authorisation for access, if he used that information in an unauthorised way, he would be in breach of the Data Protection Act and I suspect that he would not long have his job with the local authority.
The noble Baroness asked me a question about local authorities and, quite rightly, said that some local authorities are quite small and will not have big data bases. That will not allow them to escape from the legislation contained in the Computer Misuse Act or the Data Protection Act. They will clearly be caught by that Act regardless of the size of the data base. The Bill before us provides that information can be supplied only by the Department of Social Security to local authorities, and by one local authority to another, to tackle benefit fraud and for specified benefit administration purposes.
Authorities will be responsible for ensuring that their staff comply with the new law, and with the requirements of the Data Protection Act, and in addition to internal authority controls, authorities' external auditors may become aware of and comment upon any unauthorised use of personal data.
Back to Table of Contents
Lords Hansard Home Page