Previous Section Back to Table of Contents Lords Hansard Home Page

Baroness Nicholson of Winterbourne: I thank the noble and learned Lord for his long and very helpful explanation, which will need careful studying when we see it in Hansard, combined with the Government's own amendment which is most welcome. The point I raised, however, regarding the Data Protection Act 1984 and the lack of need for the current Clause 28(4) was met by the Minister, who pointed out that the Inland Revenue was not computerised at that time. I myself wonder if the--admittedly less sophisticated--computerisation of the Inland Revenue does make a relationship with this particular piece of legislation, whereby we are also talking about records that are not electronically stored or digitally created.

Lord Falconer of Thoroton: I did not explain myself adequately. The 1984 Act does not apply to manual records whereas the 1998 legislation--that is, the Bill--does and, therefore, you need to deal with that point as well. You did not need an exemption when there were no manual records.

Baroness Nicholson of Winterbourne: I do know that, but I also know that the computerisation of the Inland Revenue was well advanced in the middle of the 1980s, and therefore those records which were digitally

25 Feb 1998 : Column CWH83

created fell under the 1984 Act. I wonder therefore if the Minister has yet made a convincing enough case for Clause 28(4), with the argument that I have perhaps slightly nullified.

The Minister also made the point that there was greater security because of self-assessment. It is inherent in self- assessment that the data subject knows a great deal more about the data than ever before, because the self-assessment form has been created. Nonetheless, that may be nit-picking. I am looking forward to seeing in Hansard the results of the way in which the Government's own amendment, which I believe will be accepted, will affect the first and, implicitly, the fourth subsection. I do, however, dislike these wide-ranging seven powers that the Government have given themselves, with affirmative or negative resolution, in this Bill. It is clear that the substance of the problem in Clause 28(4) is the Inland Revenue, and whether a financial piece of regulation would not be the better way forward. I accept that the difficulty of data protection legislation of any sort is that it impacts upon all government departments. I myself raised the question of medical records on Monday; indeed, there is an impact on the Department of Health. I am grateful to the Minister and look forward to reading his arguments in Hansard. I hope not to have to refer to this matter again, but may well do so.

Viscount Astor: Before the noble Baroness, Lady Nicholson, withdraws her amendment, may I ask a question? From our debate it has become clear, as the noble Baroness said, that this is driven by the Inland Revenue and tax collection. The Committee would feel happier in the circumstances if Clause 28 could be more specific, for that reason. I am still concerned that it is too wide-reaching. As the noble Lord agreed, Clause 1 affects data which can be held by almost anybody. While we agree with their laudable intentions and this point about tax raising, would the Government consider between now and Report stage the fact that the powers go beyond mere tax raising?

Lord Falconer of Thoroton: The point made by the noble Baroness, Lady Nicholson, should be dealt with in the Finance Bill, rather than in the Data Protection Bill. If it is a data protection problem, it should rightly be faced here, rather than in a Finance Bill. But we should not, as it were, change the principle from some other Bill.

As far as the point made by the noble Viscount, Lord Astor, is concerned, we have included a general exemption power rather than one specific to the Inland Revenue because we believe it may well be that practices will change in other areas which cannot be foreseen and which make it appropriate to have a general power. If it can be dealt with in this way in relation to the Inland Revenue, then so could it in

25 Feb 1998 : Column CWH84

relation to other offences, for example. That is why it is appropriate to have a general power, rather than a specific one.

Lord Skelmersdale: Presumably the general power the noble and learned Lord has been referring to would include national insurance charges, for example?

Lord Falconer of Thoroton: The general power is limited to the exemptions required for any of the purposes mentioned in subsection (1), which are:

    "(a) the prevention or detection of crime,

    (b) the apprehension or prosecution of offenders, or

    (c) the assessment or collection of any tax or duty of any imposition of a similar nature".

Lord Skelmersdale: I misunderstood. The noble and learned Lord spent so much time in his very explicit speech defending Clause 28(1) rather than Clause 28(4) that I became somewhat confused. My question was directed to Clause 28(1)(c):

    "the assessment or collection of any tax or duty or of any imposition of a similar nature",

and I was asking whether national insurance charges would be of a similar nature.

Lord Falconer of Thoroton: They would be.

Baroness Nicholson of Winterbourne: I beg leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Lord Falconer of Thoroton moved Amendments Nos. 90 and 91:

Page 17, line 17, leave out from ("from") to ("the") in line 20 and insert ("the subject information provisions and").
Page 17, line 21, after ("if") insert ("and to the extent that he considers that").

On Question, amendments agreed to.

Lord Norton moved Amendment No. 92:

Page 17, line 22, at end insert--
("( ) The Commissioner may, with the consent of the Secretary of State, assess any processing of personal data exempted from any provision of this Act by virtue of this section.").

The noble Lord said: Clause 28, as the Committee already realises, is the atomic bomb clause of the Bill. It gives data controllers, which include the police as well as commercial concerns, huge rights in three defined purposes: exemption from the first principle--now much modified by the Minister; the refusal to grant subject access; and the exemption from non-disclosure provisions in cases where the disclosure would be likely to prejudice any of the three purposes. These include the prevention and detection of crime and the prosecution of offenders.

The term "likely to prejudice" has been held by the tribunal as the real likelihood of prejudice in a particular case, rather than a mere risk of prejudice. It is therefore quite a strong test.

The exemptions are considered case by case but are frequently used on a constant basis in anti-fraud departments in commerce. Among police uses are the exchange of photographs of known or suspect

25 Feb 1998 : Column CWH85

shoplifters with shopping centres, under-age drinkers or photographs of football hooligans with football stadiums. I understand that the photographs are not restricted to wanted criminals but to those whom the police consider to be relevant targets. I wonder how much analysis, on a case-by-case basis, goes on considering the limited resources of the police. Given their limited resources, there must be a temptation to release more and more information, thereby increasing the effectiveness of policing, irrespective of any involvement of likely criminal activity. There is now the digital technology to recognise faces, not just number plates, by computer, so it is a very fine line that we could be treading before entering the dreaded Orwellian world.

The clause is essential but because of the concerns of possible abuse in commerce and other authorities, including the police, I believe it has to have the safeguard of allowing the commissioner automatic access to data controllers to verify the bona fide operation of any data controller relying on Clause 28, which is what my amendment proposes. I believe this would strengthen the clause's effectiveness by applying a discipline to the working of the clause as well as safeguarding the data subject.

It is not as if the commissioner will not have access to sensitive information, because it is expected under the innocuous Clause 51(4) that the commissioner will be granted audit powers by the Secretary of State to audit Europol, NCIS and the Customs information system. These databases will hold highly sensitive information and thus access by the commissioner to activity under Clause 28 should present no problem. I beg to move.

5.15 p.m.

The Earl of Northesk: I note that Amendment No. 140 is in this grouping, so, if I may, I will speak to it. Its effect would be to give the data protection commissioner specific authority to conduct a systematic data protection audit of an organisation, whether public or private, in addition to any good practice assessment.

Article 23(3) of the directive requires each national data protection authority to have:

    "investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties".

In this context, Clause 49(1) of the Bill follows Section 36 of the 1984 Act in requiring the commissioner to:

    "promote the following of good practice by data controllers and...promote the observance of the requirements of this Act by data controllers".

But, as a generality, the commissioner will be unable to monitor compliance, nor, more crucially, to detect future problems before they become serious.

Noble Lords will recall that at Second Reading I made the point that the Bill does little to acknowledge the inexorable march of computer technology. The capacity of the law to stay abreast, let alone get ahead,

25 Feb 1998 : Column CWH86

of IT development is inevitably restricted. As mentioned in the Delegated Powers and Deregulation Committee's report:

    "automated processing is increasing rapidly, and is likely to continue to do so as developments in computer technology continue to push areas of the law into hitherto uncharted territory".

By affording the commissioner audit powers of the kind envisaged in the amendment, the potential is created for the commission to monitor and keep pace with technological developments as they occur.

It is worth noting that elsewhere in the world, albeit that the precise way in which monitoring is achieved varies widely from country to country, such audits are the norm. Some commissioners rely almost entirely upon informal visits and inspections, while others devote resources to a smaller number of detailed audits. The important point is that all data controllers are made more aware of the possibility of sanctions and, in the case of public authorities--and this is a particularly important point--of the public exposure of failure with embarrassing consequences.

As an aside--I am mindful that we will be debating data matching later in Committee--such audits could be used to monitor data matching activity more effectively. It is also worth making the point that with regard to the general category of information attempted to be picked up by Clause 28(4), in some respects that might be more usefully dealt with by the audit powers of the commission that the amendment proposes.

I have no doubt that the Minister will in response highlight the issue of financial cost. This need not be excessive, dependent upon the mechanisms adopted to exercise the powers granted. Moreover, I believe that the UK Government seem to be very much in a minority in their insistence that data protection supervision should aim to be self-financing from the collection of fees. Other governments treat data protection as an essential public service.

Next Section Back to Table of Contents Lords Hansard Home Page