| Previous Section | Back to Table of Contents | Lords Hansard Home Page |
Lord Williams of Mostyn moved Amendment No. 4:
The noble Lord said: Amendment No. 4 is now grouped with Amendments Nos. 5 to 11, 12, 14 and 16, and I will speak to the amendments in that group if I may. Our purpose in Amendment No. 4 is to seek to put it beyond doubt that the definition of personal data includes indications of intentions towards data subjects. The definition in Section 1(3)of the Act of 1984 says in terms that indications of the intentions of data users towards data subjects are excluded from the definition of personal data. The data protection directive does not allow such exclusion to be maintained.
We have tried to make that clear in our July 1997 White Paper. We originally thought that no express reference to indications of intention was needed, but having thought about it further we believe it would be better to put the matter beyond doubt on the face of the Bill, and that is the purpose of the amendment. This is not a change of policy, but we thought we had better make compliance with the requirements of the directive clear beyond any doubt. There is no change of substance; it is a cautious approach.
Amendments Nos. 5, 6, 7, 8, 9, 10 and 11 are technical amendments to ensure that we have the basic building blocks of the Bill correct. Essentially the Bill is about processing information about people. "Processing" means doing anything with that information, from collection right through to destruction. The definition of "processing" is presently expressed by reference to personal data, and that means that the definition of "data" earlier in Clause 1 does not work properly. Therefore the first amendment corrects the reference by substituting "information or data" for "personal data". The following amendments change later references to "data" to "information or data".
If one looks at the definition of "data" on page 1 of the Bill, your Lordships will see that "data" means information which is dealt with in one of a number of different ways, so at various points in the cycle of the process the raw product, if I may call it that, may be either information or data, and we simply introduce these amendments in order to cater for both possibilities.
Amendment No. 12 is in the name of the noble Earl, Lord Northesk. I am not entirely sure at this stage--I am sure it is my deficiency--what the purpose of the amendment is. We think that it is to provide an exception from the definition of processing given in the Bill for the processing of personal data which forms back-up data. We considered at some length whether we could provide an exemption for back-up data such as is to be found in the 1984 Act. However, we cannot see that the directive allows us to make such an exemption. In practice, we anticipate that it may be quite rare that a data subject will want access to back-up data, and there is nothing to stop a controller confirming that a data subject wishes only the most recent records. But if, rarely, a data subject desires access to a set of records, we cannot see any immediately persuasive basis on which that may be properly denied. The question of subject access fees of course falls to be settled in subordinate legislation.
I hope that is a helpful pre-rejoinder, since the noble Earl, Lord Northesk, has not said anything about his amendment, but it may have been convenient that I set out our position there.
The last two amendments in this grouping are Nos. 14 and 16. Amendment No. 14 is in the name of the noble Viscount, Lord Astor. We are bound to implement the directive, which means in turn that we are bound to provide a very wide definition of what makes data personal data. We have done our best to put that definition as tightly and tautly as possible.
The directive also has a very wide definition of what is "to process data", which includes disclosing it, and that is why we have disclosure in the Bill's definition of processing. If a data controller discloses personal data as we have defined it, then we are obliged by the directive to treat that as a disclosure to which the regime applies; we do not see that we have an option to do otherwise.
If information identifying the data subject is unlikely to come into the hands of the recipient, those data will not qualify as personal data in the hands of the recipient for that reason, and will therefore not be subject to the data protection regime to that extent. We do not see any basis in the directive which would allow us to deem disclosures not to be disclosures in the way suggested by the amendment. Again, I hope that has been helpful.
We believe that there is a logic to the conclusion to which the directive points us. A data controller may find it quite hard to know what information is likely to come into a recipient's hands. He may have little control over what a recipient does with the data, but the directive suggests he should minimise the risks by complying with the data protection principles.
The last amendment in this group is Amendment No. 16, again in the name of the noble Viscount, Lord Astor. We do not believe that the amendment is strictly necessary, though we are not out of sympathy with its underlying purpose, which we take to be the clarification of who the controller is in the case of messages sent by telephone or on systems like the Internet. I think I am right in saying that the approach in the amendment follows that in Recital 47 in the directive. The effect crudely would be that if I used the Internet to send a message, I, not the Internet service provider, would be the controller for any personal data contained in my message, but the Internet service provider would be the controller for any personal data used in the system underpinning the message. The distinction is there, and it is understandable when one sits down with a wet towel for some hours and a bucket of black coffee--so I am told!
We believe, therefore, that the definition of data controller in Clause 1 already has the desired effect. When I send my message on the Internet, I determine the purpose of the processing--that is, the reason for my sending the message--and the manner of the processing--that is, the Internet. The Internet service provider has no part in the determination of the purpose of the process, so he cannot be controller for the message content. However, he does determine the process and manner of processing of any personal data used in the support of the message--for instance, if I am to be billed for use of the service. In the billing context, the service provider is the controller, not I who simply use the service that the service provider provides.
We think, therefore, that our definition achieves the effect which we believe to be the purpose behind the amendments. Those are the words that I wish to offer to the Committee in respect of that group.
The Earl of Northesk: I am grateful to the invitation from the Minister to clarify Amendment No. 12, which is in this group. In essence, I am trying to tease out an issue that I raised at Second Reading. As I attempted to explain at that time, a great deal of computer software has been designed to conduct a series of routine operations in the background without any specific input being required of the user of the programme or--this is the key point--without his necessarily being aware that they are being carried out. For example, mail merge functions could be interpreted as falling into this category. Over coming years, if not months, programmers will be designing more and more macros to facilitate repetitive and laborious computer operations and building them into commercial software.
One example I cited at Second Reading was that of e-mail programs. As a matter of course these are frequently designed to generate a number of personalised fields in the headers which fall within the definition contained in Clause 1 of the Bill. That being so, it is possible that anyone using an e-mail programme, except in so far as the exemptions in Part IV of the Bill apply, will qualify as a data controller and/or a data processor within the terms of the Bill.
Of course, for large organisations, either public or private, this may not be a particular problem. The data processing operations of such bodies will almost certainly be subject to the provisions of the Bill for other legitimate reasons in any event. I am much more concerned about the burden that this could impose upon individual users of such programs. For example, it is entirely possible that a sole trader or a self-employed person, without otherwise processing data within the terms of the Bill, may be using e-mail as a preferred means of business communication with contacts elsewhere in the European Union. As currently drafted, and if I understand it correctly, the Bill could require such persons to be subject to its notification provisions. In effect they would require a form of permission before being allowed to conduct their business and/or communicate with colleagues. Indeed, much the same could be said of Members of Parliament who use e-mail in pursuit of their duties.
Equally, this raises awkward questions with respect to e-mail communication with third-party countries. More generally, it is conceivable that the Bill could be applied to all Internet traffic, not just to e-mail, because of the way in which relevant software programmes process data in the background--again, essentially without the knowledge of the user. Inevitably this particular aspect will become increasingly significant as digital television and set-top-box technology comes on screen. It may or may not be a good thing to have inadvertently stumbled upon a mechanism that has potential in terms of regulating the Internet but, to my interpretation, this is outwith the purposes of the Bill as defined in the Long Title.
Thus the attempted purpose of the amendment is to exclude these forms of background processing from the provisions of the Bill. Of course, I acknowledge that my drafting leaves a great deal to be desired. Nor am I
In passing, I do not wish to embarrass the Minister, particularly bearing in mind his gracious opening remarks, but I should perhaps mention that I wrote to him about this point on 5th February, seeking clarification on a number of other matters. It is perhaps regrettable that I have not yet had a reply to that letter.
Page 1, line 29, at end insert ("and any indication of the intentions of the data controller or any other person in respect of the individual").
4 p.m.
Next Section
Back to Table of Contents
Lords Hansard Home Page