| Previous Section | Back to Table of Contents | Lords Hansard Home Page |
Viscount Astor: My Lords, I thank the Minister for introducing the Bill. I am afraid that at this stage we can only give it a rather guarded welcome. The main reason for that is because we are concerned about the effects of the Bill; that it might become too great a burden for some of those who may be affected--businesses, data providers, parts of the media and perhaps journalists. It may be more of a burden than is necessary to implement the EU directive designed to protect the rights of individuals. We shall concentrate on that during the Bill's passage through this House.
I realise that the Minister does not speak for other European governments. However, the Bill which implements the directive is designed to improve the free movement of personal data throughout the Community. Therefore, I hope that the Government will ensure that work has started in other EU countries. It would be disappointing if we, like good Europeans, implemented the directive only to find ourselves one of the few to do so. That has happened in the past.
We are anxious about the costs of the Bill. The Government admit that the start-up costs for industry will be £836 million, with annual costs of £630 million. The start-up costs for the voluntary sector is £120 million, with annual costs of £37 million. That will be a great burden, particularly on the voluntary sector.
We support the necessary protection for the rights of the individual. After all, it was the Conservative government which introduced the Data Protection Act 1984. That Act gave individuals rights to access data stored about them; to demand disclosure of that data; and in some circumstances, to demand cessation, rectification and compensation. Therefore, the rights in the Bill are not new, but they have been strengthened. One must ask whether there is any evidence that the current Act is not working. Which parts of the current Act do not comply with the directive? How much further have the Government gone? Have they gone further than necessary to comply with the directive? It is a question of balance and we shall be examining that to see whether the Government have it right.
We need to protect the rights of individuals to privacy, but we do not want a back door privacy law. We are also concerned with the practical needs of business to process information in a cost effective manner for the benefit of consumers. There are two areas in which important changes appear to have been made. Manual records are now included by Clause 1 if those records at some time in the future might be transferred to a processing system. When the Data Protection Registrar examined that issue, she stated:
- "These include whether it is possible to provide a clearer definition of those manual records that will be covered by the new Act".
The Data Protection Registrar was also concerned about Clause 28(4), providing an order-making power which allows the Secretary of State to exempt personal data of a specified description not only from subject access but also from the requirement to process personal
data fairly and lawfully. The registrar stated that she saw no justification for making that blanket exception. Perhaps the noble and learned Lord will comment further on that subject.Another important change is the switch from registration to notification. I acknowledge that there is a gap in the system. At present, someone who is not registered can be prosecuted only for non-registration, but the principles of registration cannot be enforced. Under the Bill, the new system of notification will allow data protection rules to be enforced even if the subject is not registered. That must be an improvement.
The Bill defines the principal terms used in relation to processing information. It is a concern of the CBI that the definition of "processing" will catch any automated processing of personal data even if it is not directly concerned with an individual. An example may be an order or an invoice between two companies which may have a contact name and may be included as part of personal data. We wish to know why the phrase used in the 1984 Act--that is, "by reference to the data subject"--is not used in Clause 1 of the Bill.
Clause 7 is widely drawn. In its attempt to give the right of access to personal data, it allows access to intellectual property rights and confidential business records which may not relate directly to the individual. There is a danger that such rights of access could be abused by the unscrupulous and perhaps for fraudulent purposes. We do not want to give criminals the right to collect information which they can then use to commit further crimes. I am sure that the Minister has considered that and perhaps he will comment further.
I welcome the introduction of the rights of the individual in Clause 10 with regard to direct marketing and I concur with what the Minister said. How much that will stem the flow of useless junk mail which pours through our letterboxes is not clear, but at least it is a valid attempt to try.
Schedule 3 sets out conditions for the processing of sensitive data. Employers are worried that the Bill does not make adequate provision for them to keep certain employment records which is required of them by certain codes of practice. In our view, and in the view of the CBI, the circumstances in which criminal records can be held are not sufficiently extensive. Businesses which have a duty to protect the public and property, or to protect the public from fraud or theft, should be allowed to hold the data that is necessary for that protection.
The role of the data protection commissioner and his or her powers are crucial for the proposed system to work. We will examine those powers closely, including the right to appeal and the right to issue information notices. I note that under the 1984 Act we have a data protection registrar. Now that the Government have gone "Euro", we are to have a commissioner.
The storage and use of data is a technology which is constantly changing. Those who provide on-line services will be affected by the Bill. I believe that there is a problem for them. How can they control what their users do with the data, or what data their users transmit when it is contained within their service? Fundamentally, we are
talking about how to control the Internet. Is it possible? It is difficult to see whether the provisions apply to the Internet and to on-line service providers. Will an on-line service provider be responsible, for example, if he offers simple services such as magazine archives which may contain personal data? There is a danger in saying where the line will be drawn. I hope that there will be flexibility within the system so that the new data protection commissioner will be allowed to make sensible judgments.I note, too, that there is a provision for the data protection commissioner to grant a special form of legal aid to those seeking compensation from the media. How will that be funded? Will there be any cap on the costs? It is a new phenomenon; it was not covered in the 1984 Act. I also understand that every freelance journalist might have to register with the data protection commissioner and that it will be an offence not to do so. At first glance, the consequence of a government body holding a list of all freelance journalists in this country is somewhat Orwellian. Is my interpretation correct? If so--and many journalists have said that they believe they will have to register--how are we to define a journalist? Will one become a journalist if one writes a book review for a magazine? If one of your Lordships writes for the House Magazine will registration be required? Will he have to register what is in his personal computer, even if it does not contain information about the noble Lord, Lord Williams of Mostyn, or any of the other Ministers on the Front Bench?
Clause 31 is crucial as regards the press. I am pleased to see that my noble friend Lord Wakeham will speak today. The whole House will be interested in his views, particularly in his role with the Press Complaints Commission. Although Clause 31(3) refers to "any code of practice", I believe it to refer to that of the commission. Will the Government confirm that? Paragraph (b) of Clause 31(3) also refers to,
- "[anything] ... designated by the Secretary of State by order for the purposes of this subsection",
As the Minister said, the Bill also provides new rules for the transfer of personal data to countries outside the EU. I am concerned to know how British companies, which currently send raw data to be processed in other countries, will be affected. Will that process be illegal if it contains personal data?
As I am sure your Lordships are aware, there is a large and growing worldwide business where data is often processed in third world countries. India, for example, has software skills that are cheaper, and sometimes better, than our own. Will that trade cease? If a bank or insurance company sends its files to be processed in some way to a third world country so that they can then be returned and put, in a different way, on to a system using the latest software, how will that situation be covered? It would be a great pity if that trade were to cease as it provides business for those countries and, indeed, is very cost-effective for the companies which use it.
I wonder whether the Government have studied data protection laws in other countries? For example, America is, I suppose, the country whose technology in this respect has led the world. Do the Government have any plans to introduce similar rights and protections? Will the EU be in step or out of step with the rest of the world?
We have before us a complex Bill. It is a simple subject, but a complex one because the devil is in the detail. We will all have to brace ourselves as we attempt to get to grips with technology, and learn how the rights of the individual can be protected in a reasonable way at a reasonable cost. I worry that the Bill is perhaps more prescriptive than it has to be. In some ways, I should like a shorter Bill which is strong on principle but one which allowed flexibility so as to enable the new commissioner to act in a way that is sensible for both individuals and business.
Of course, I recognise that governments like to dot every "i" and cross every "t" and, therefore, that makes Bills much longer than we would all wish. However, because it is such a long and detailed Bill, I fear that, despite careful scrutiny, we may miss something in it which will manifest itself to the detriment of those affected by the Bill.
As the Minister reminded us, the Government announced that they will include measures relating to the "transitional arrangements" in the Bill by way of amendment as the Bill passes through Parliament. The noble Lord kindly informed the House that those amendments will be offered, "as soon as we can". Perhaps the noble Lord could be a little more specific in that respect. Does that mean during the Committee or Report stages or, indeed, while the Bill is actually passing through this House? That is of particular importance because, in a statement made by the Chancellor of the Duchy of Lancaster in December, I noted that the Government announced that they would introduce a freedom of information and data protection Bill and that both would be processed hand in hand. Perhaps I may quote the Chancellor of the Duchy of Lancaster, who said:
- "Any freedom of information Act must provide adequate protection for an individual from any unwarranted invasion of personal privacy caused by an application from a third party. In practice, for the Freedom of Information Act in the United Kingdom, the new Data Protection Act will provide the basis for this protection".
I am grateful to the Minister for saying that he will be open-minded about the Bill. Indeed, we shall be critical where necessary but I hope that we shall also be constructive. I am delighted to know that the Minister will listen carefully. I trust that he will be prepared to accept amendments which will improve the Bill.
4.5 p.m.
| Next Section | Back to Table of Contents | Lords Hansard Home Page |