Previous Section Back to Table of Contents Lords Hansard Home Page

Baroness Symons of Vernham Dean: My Lords, any military action will be taken in the light of circumstances and developments at the time. It would be injudicious and wrong for me to go any further in making statements about military objectives when the United Kingdom has servicemen in the area. I hope noble Lords will bear with me in the assurance I gave earlier to the noble Lord, Lord Moynihan, that, as and when I am able to make statements to the House about military objectives, always ensuring that such statements in no way jeopardise the security of British servicemen, I shall make such statements and render myself accountable to the House.

Viscount Mountgarret: My Lords, can the Minister say how many of the chemical weapons found by inspectors have been destroyed? It was part of the deal that not only should United Nations inspectors be allowed to inspect, but that, having been found, Saddam was under an obligation to destroy. How many weapons in fact have been destroyed?

2 Feb 1998 : Column 462

Baroness Symons of Vernham Dean: My Lords, as I understand it, the UN inspectors uncovered and eliminated the full list of weapons I gave to your Lordships' House a short time ago.

Data Protection Bill [H.L.]

4.54 p.m.

Second Reading debate resumed.

Lord Wakeham: My Lords, I rise as chairman of the Press Complaints Commission and it is right therefore that I declare an interest. I wish to speak to this Bill as it affects the privacy of individuals and the freedom of the press.

At the heart of the directive which this Bill implements is the protection of an individual's right to privacy with respect to the processing of personal data. The challenge for the Government has been to construct a Bill which produces safeguards for ordinary citizens, but does so with appropriate exemptions for journalism that will ensure that the right of those same ordinary citizens to know what is going on in the world is not undermined. In other words, they want to achieve that difficult balancing act of safeguarding both personal privacy and freedom of expression.

In doing that the Government have had to face up to two difficulties. The first is that the directive's definition of "personal data" is extremely wide, covering virtually any information relating to an individual, including details of political opinion, trade union membership, racial or ethnic origin and philosophical beliefs. The second is that the definition of processing specifically includes, for the first time, the use of material for journalistic purposes; and in turn journalism, of course, relies on the use of all the information covered by the directive.

The very real danger in the combination of those two points is that the directive could be used to introduce a regime that would gravely damage the freedom of the press, undermine investigative journalism and wound the system of effective self-regulation that we have built up--and that is the point with which I am principally concerned.

The directive recognises that such problems might occur, and allows for member states to grant exemptions from its terms for journalistic purposes or for the purpose of artistic or literary expression. There are some minor points of detail in the Bill which perhaps need ironing out. That said, I have to say that in my view the Bill steers a sensible path which avoids the perils of a privacy law and achieves the crucial balancing act--of privacy and freedom of expression--in a clever and constructive way. There are two points I would commend in particular.

First, in relation to the question of pre-publication injunctions, there was always a danger that the Bill might produce new powers for the rich and the corrupt to take out gagging orders against newspapers preventing publication of material which is true but uncomfortable. That would have been deeply damaging

2 Feb 1998 : Column 463

to investigative journalism. The Government dealt with that in an astute way. Clause 31 of the Bill ensures that the powers available in the legislation only bite after the publication of a story, not before. The Government therefore looked at the possibility that the Bill might be used to introduce injunctive powers relating to privacy and rejected the idea.

Secondly, I commend the way in which the Bill deals with the public interest defence, and in particular the way in which it enshrines the pre-eminence of freedom of expression. The exemption in Clause 31(1) specifically points to the special importance of freedom of expression. Again, the Government clearly looked at the dangers inherent in a Bill which might introduce a back-door privacy regime and rejected the idea because of the dangers posed by such a regime to freedom of expression.

If I may, I should like to make one point specifically relating to the Press Complaints Commission. There was always a danger that the implementation of the directive without suitable exemptions would undermine self-regulation, because privacy laws, whether grown here or in Brussels, do not mix with self-regulation. But that has not happened. The Bill itself strengthens individuals' rights, but it does so in a way which complements rather than undermines the dispute resolution service offered to ordinary people by the Press Complaints Commission.

The Bill is therefore a sound one--thanks in no small part to the constructive and thorough consultation process undertaken by the noble Lord, Lord Williams, in advance. It protects the privacy of individuals--which we all believe is vitally important and is indeed an important part of the commission's work--but does so in a way which does not diminish the freedom of the press to report and investigate in the public interest. And it strengthens the rights of ordinary people, but does so in a way which does not undermine press self-regulation. For those reasons alone, it will have my support.

However, I have to say to your Lordships that one thing greatly puzzles me and it should give us all cause for concern. The thing that puzzles me is that the Data Protection Bill and the Human Rights Bill, which this House has been considering, seem to exist almost in different worlds, for the truth is that they present two entirely contradictory sets of policies. The Data Protection Bill does not introduce new powers for the rich and the crooked to gag the press. The Human Rights Bill does the opposite. The Data Protection Bill does not introduce a back-door privacy regime. The Human Rights Bill does. The Data Protection Bill safeguards the position of effective self-regulation. The Human Rights Bill may end up undermining it.

The Government consulted on the Data Protection Bill, listened to the potential problems, analysed them and then produced an excellent piece of legislation which avoids all the perils of a privacy law. It is entirely in line with the Government's stated commitment to self-regulation and their opposition to a privacy law.

The contrast with the Human Rights Bill is dramatic. There was no true consultation or dialogue before the Bill was published, or even since then, while the Bill, at

2 Feb 1998 : Column 464

every turn, seems to present new and ever more serious problems, not just for the press but for many other organisations which are involved in some form or other with self regulation.

I think that this piece of legislation is right and the Human Rights Bill is wrong in its consequences. It is my hope that the Government will now reflect on the lessons learnt during the consultation on the data protection directive.

5.1 p.m.

Lord Norton: My Lords, I begin by declaring an interest. I play a small part in the world of insurance and loss adjusting. I have received a brief from the ABI and heard representations from the Chartered Institute of Loss Adjusters, although most of what I have to say comes from my own observations.

I welcome this Bill in today's massive data processing world. A Bill that strengthens the rights of individuals against such power is to be welcomed. It incorporates Article 1 of the European directive, which states:

    "Protect the fundamental rights and freedoms of natural persons, and in particular their rights to privacy with respect to the processing of personal data".
As the Data Protection Registrar states, the new law,

    "is a partial privacy law".

It seems to me that one of the main methods of ensuring such freedoms is to give the subject greater access to the information; and this the current Bill certainly does. But there is another side to data protection, and that is to protect companies and businesses from false information that individuals can present which then results in a fraud.

Current fraud in this country is estimated to be running at £16 billion a year. A timely headline in today's Independent states:

    "Nigerian Crime Wave Sweeps through Britain".
The article goes on to state that MI5, MI6 and GCHQ are involved, but so are banks, building societies and insurance companies; in fact, the whole of the financial sector. Commerce does not have such powerful resources and so has to co-operate to fight such activity, for it is a fact that the serious fraudster in one sector is frequently involved in many other sectors--be it university applications for grants by fictitious identities or local authority, bank or insurance fraud. In the detection of fraud co-operation between parties is essential and has huge data protection ramifications. In such situations the companies are at the frontiers of the individual's privacy.

Unfortunately, the fighting of fraud cannot be left to the police. They do not have the resources and see such activity as being in the realms of the commercial world to sort out. When the assistance of the police is required there is a current ACPO policy to the effect that insurance companies should receive information only in appropriate cases. The definition of what constitutes an appropriate case is far from clear and frequently results in no co-operation. I have witnessed a case in which the only piece of information required to satisfy the insurance company was the verification of the date that an individual reported a theft of a £5,000 motorcycle; data

2 Feb 1998 : Column 465

that was not covered by the Data Protection Act. Nonetheless, the reason for non-disclosure was quoted as being the Data Protection Act. Such lack of co-operation is surprising, given the role that insurance companies play in educating the public on such issues as neighbourhood watch, domestic security and a host of other crime prevention activities. It is my understanding that the police, in the form of the ACPO crime committee, will be reviewing this policy in March.

The Data Protection Act is frequently misunderstood and misquoted by the police. It is therefore important that everyone, including the police, fully understands the provisions of this Bill. For as late as last September the deputy data protection officer from the data protection office of a prominent provincial police force wrote, and I quote:

    "Simply put, the Section"--
he was referring to Section 28 of the 1984 Act--

    "permits prosecuting authorities to obtain data from users for the prevention and detection of crime and not for organisations to require the police to disclose".
The officer was quite wrong. It is an enabling provision which allows the exchange of information in defined circumstances to anyone, including the police. The same issue is dealt with in Clause 28 of the Bill. I should like to return to that part of the Bill in a moment.

The first point I should like to make about the Bill is that, because it incorporates the European directive, it has found itself written in legalese. This is a Bill that is concerned with individual rights and freedoms and as such it should be capable, as far as possible, of being read by such people. By contrast the 1984 Act was brilliant for its simple and concise English.

In Schedule 1, principle 1--the paragraph dealing with the fair and lawful processing of information--makes for difficult reading when compared with the 1984 Act. In order to process data two new conditions have to be met--the legitimacy tests in Schedule 2 and the sensitive data test in Schedule 3. The judgment can be a complex matter. What is meant, for instance, by the "vital interests" of the data subject mentioned in Schedule 2? It could be that the whole processing process depended on such interpretation. Many people would say that getting their insurance claim paid in full or their loan agreement granted was a vital matter, but I doubt whether that is the correct interpretation. The interpretation of the first principle, dealing with the fair processing of data, in the 1984 Act took up 15 lines of legislation; in the Bill there are 60. The insurance industry has a concept of fair processing, as understood by the 1984 Act. This concept has not caused the industry problems on claims' handling. Does the Bill alter this concept of fairness?

Under Clause 7 the data user has, for a prescribed fee, the chance to access personal data on a register. At present the fee charged, usually £10, is on the basis of each entry for which the data is used for a different purpose. Thus, if an individual wishes to find out all the information that police files hold on him, it is likely to cost in the region of £220. I am glad to see, reading this Bill, that this will no longer be the case.

2 Feb 1998 : Column 466

Under the same section the subject has access to the logic involved in automated decision-making. I can see this causing difficulties. For instance, does it include weighting or scoring factors? What is meant by the logic involved?

I now return to Clause 28, which is the clause which possibly holds the greatest threat to the individual's privacy and yet it provides the essential mechanism that allows commerce to fight crime--for, in the case where data are being processed for the prevention and detection of crime, it allows the collection of data to be exempt from the first principle and to be exempt from the non-disclosure provisions. But the first principle now includes the lawful processing of information. Does the clause, as drafted, now allow the unlawful processing of information? That cannot be right.

Finally, I would like to mention enforced subject access. That is something that the Data Protection Registrar wishes to outlaw and it is not mentioned in the Bill. The only comment that I would make is that at present it is the only available method of obtaining certain personal data legally, although it is fair to say that it is onerous on the individual. I am glad that the Minister is going to include this in the Bill so that each party is aware of its rights.

5.11 p.m.

Next Section Back to Table of Contents Lords Hansard Home Page