Previous Section Back to Table of Contents Lords Hansard Home Page

Baroness Hollis of Heigham: Perhaps the Minister will forgive my intervening. It may give time for him to be given the information if he does not have it to hand.

In a small local authority with few officers, a local authority officer has legitimate use of the full file but he proceeds to make use of the information in some private capacity. Can the Minister read out, or tell us, the words of the Data Protection Act which catch the offence of unauthorised use of authorised material?

Lord Mackay of Ardbrecknish: I do not have the Data Protection Act to hand, but I have made it clear that it covers the unauthorised use of information to which the person had authorised access. As I mentioned earlier, we have successfully prosecuted department staff under the Computer Misuse Act.

13 Mar 1997 : Column 445

I was about to give the noble Baroness the reassurance that Clause 4 makes an offence the unlawful disclosure of personal data by local authority staff, auditors, and local government ombudsmen. Therefore, it makes an offence the unlawful disclosure of personal data by those people, including local authority staff mentioned by the noble Baroness.

To sum up, we believe that in addition to the tight internal controls we have, and what I believe will be the responsible way local authorities will deal with the three issues of access, use and disclosure--we shall be sending out a circular once the Bill receives Royal Assent drawing attention to the new offence in Clause 4--the legislation is in place which will allow the authorities to prosecute anyone who breaches the terms of the Act; that is, through unauthorised access, unauthorised use or unauthorised disclosure. In addition, we will certainly take disciplinary steps against such a person.

Lord Carter: I am sure that the Committee is extremely grateful to the Minister. Perhaps while I ask the Minister a question, advice will reach him on the Data Protection Act. We can see only the provisions which deal with disclosure. We can see nothing which deals with use. Perhaps advice about that will be forthcoming and we can be directed to the relevant part of the Data Protection Act.

If the amendment is incorrectly drafted it can be redrafted, or the Minister can bring back his own amendment if he is prepared to take the point. I am still not convinced, not about authorised access as part of a person's work--that is the proper access of information--but about the unauthorised use of such information. The Minister has not dealt with the concerns of the registrar, which I read to him. Perhaps I may again quote from her letter. It refers not to R. v Brown but to R. v. Victoria Parker, now Bignell. It was heard before Southwark Crown Court. In January, the registrar stated:

    "This has increased my concern that there is a gap in the protection provided by the Data Protection Act 1984 and the Computer Misuse Act 1990".
Obviously, the CPS takes the matter seriously enough to appeal the point to the Divisional Court in order to have the law clarified.

The Minister must deal with the issue. It is the job of the Data Protection Registrar to consider such issues. She has expressed real concern that there is a gap in protection and the amendment is intended to deal with that. However, the Minister appears to be saying that the department is entirely happy that there is no such gap. The Minister must say in terms on what grounds the registrar's argument is misconceived.

Perhaps I may give an example. It is not wholly appropriate, but it shows what can happen. I am not sure whether the Committee is aware that banks have what are called "related" or "connected" accounts. At a particular bank in the area where I live, I am involved with a number of accounts both personal and business. I introduced a co-director to that bank. When I ask the bank for a printout

13 Mar 1997 : Column 446

of the balances on the various accounts I invariably receive one which has his name and his balance in the middle. That is not unauthorised use because the employee of the bank is completely authorised to search the records for that information. I do not know whether he or she is authorised to pass that on to me, but, as the Minister says, he or she cannot be responsible for my behaviour. I might go back to my company and say to the director, "Look, you are heavily overdrawn and I wish that you would do something about that.".

I was surprised when I was handed such information, but it is standard procedure in this bank that all accounts which it calls "connected" or "related" are printed out together. Those balances are elicited every day so that the manager can look at them. That is an example of authorised use. I am not sure about disclosure and certainly not the use I might make of the information.

I hope that the Minister has taken on board the point that we are not talking about browsing. We are talking about someone who is authorised as part of his duty to obtain information about taxation, housing benefit, or whatever, who realises that it applies to someone he knows--it could be a former partner, for instance--and who then proceeds to use it.

Is the Minister really happy that that is the case? I know that he has said he is. I do not want to press the amendment to a Division but it relates to an important point. I wish to give the Minister an opportunity to discuss it following this stage of the Bill or to write to me. I hope that if he says he will write he will not merely repeat the argument because I am still not convinced. I do not believe that he has answered the concerns of the registrar.

4.45 p.m.

Lord Mackay of Ardbrecknish: During our little discussion about right or wrong, I indicated that it is ultimately for the courts to decide how the law is interpreted in this dispute, if I may put it as strongly as that, between the Data Protection Registrar and the Secretary of State. We have relied on the Computer Misuse Act quite successfully. As regards the Data Protection Act, perhaps I may refer to Section 5(1) and (2), which creates the duty, and to subsection (3), which clearly applies the duties to the employee. It states:

    "A servant or agent of a person to whom subsection (2) above applies shall, as respects personal data held by that person, be subject to the same restrictions on the use, disclosure or transfer of the data as those to which that person is subject under paragraphs (b), (d) and (e)".

The offence is created in subsection (5), which states:

    "Any person who contravenes subsection (1) above or knowingly or recklessly contravenes any of the other provisions of this section shall be guilty of an offence.".
We in the department, and that includes the people who run and work the system, are satisfied about the matter. It may be additionally helpful to explain that the report of the Data Protection Registrar on Brown states that your Lordships' House in its judicial capacity,

    "also showed concern that the term 'use' should be given its ordinary meaning and not interpreted in a way which would narrow the scope of the Act and make it difficult to fulfil the intention of Parliament. It was for this reason they rejected the argument put forward by Counsel.".

13 Mar 1997 : Column 447

The noble and learned Lord, Lord Goff, in the judgment said:

    "It seems to me that the above reading of the statute (the judgement) accords not only with the natural and ordinary meaning of the word 'use' in its statutory context, but also with the statutory purpose of protecting personal data from improper use.".

In the same vein, the noble and learned Lord, Lord Hoffmann, rejected the argument that the term "data" covers only data held in the memory of the machine with the words:

    "It would be strange if the Act was concerned only with what happened unseen in the computer and not with what happened when the information became accessible to the human user. This is not making the tail wag the dog; it is all tail and no dog.".
I realise that these are complex issues and I understand the seriousness of them. However, I hope that the reassurances I have given will at least help the noble Lord to check when he has an opportunity following today's Committee stage. If he has any further reservations, I should certainly be happy to try to resolve them either at a meeting or in writing.

Lord Carter: Just so that we are clear, the Minister was correct to refer to the case of Regina v. Brown which reached the House of Lords. As I said before, in that case the prosecution was overturned on appeal because it was deemed that a police officer who had accessed the Police National Computer to obtain personal information did not use the data. However, I would ask the Minister to comment on the other case that I mentioned. The Minister referred to that specifically. I do not have the details of that case but I presume that the context was different. This is the one about which the Data Protection Registrar said:

    "This has increased my concern that there is a gap in the protection provided by the Data Protection Act 1984 and the Computer Misuse Act 1990".

The Minister does not seem to have been briefed on that case. It may be better to return to this matter when the Minister has had the briefing. We may need to have a meeting or return to this matter at a later stage. I beg leave to withdraw the amendment.

Amendment, by leave, withdrawn.

[Amendment No. 46 not moved.]

Clause 4 agreed to.

Clause 5 [Overseeing of administration by Secretary of State]:

Next Section Back to Table of Contents Lords Hansard Home Page