Baroness Nicholson of Winterbourne: I should like to add to that point by reference to Amendment No. 139, which is also welcomed by the Data Protection Registrar because it would allow her to develop her powers to encourage good practice. There are significant limitations on her supervisory powers in the Bill, and many organisations have deliberately flouted the current Data Protection Act 1984. Indeed, some analyses have suggested that as many as 40 per cent. of companies have flouted the current legislation. I personally believe, therefore, that these supervisory powers for the data protection commissioner, the former registrar, in the new Bill are very important indeed, and that if she or her successor is inhibited by the data controller, who may be evading the legislation completely, her powers are very few. I am confident that the Government do not wish to be in the position of the previous government, who put through a great deal of legislation that has not been honoured. I believe that they will wish their
Amendment No. 92 was proposed by the noble Lord, Lord Norton. It would give the Commissioner power, subject to the consent of the Secretary of State, to assess any processing to which the Clause 28 exemptions apply. It is not clear from the amendment how the mechanism for securing the Secretary of State's consent would operate. Nor is it clear what the purpose of the assessment would be. However, those are shameful points to make when I understand the purpose of the amendment, which is in effect to give the commissioner power to investigate whether an exemption is being properly claimed.
We believe that that is not an addition that needs to be made to the Bill. We believe that the commissioner already has adequate powers in the Bill to seek the information she needs to enforce the law. I draw your Lordships' attention in particular to Clause 41, which sets out the information notice procedure where the commissioner has received a complaint or otherwise suspects that there might be an infringement. She also has the power, with the consent of the data controller, to make an assessment of good practice. We believe that that is enough to allow her to discover whether any abuse is taking place in relation to a particular data controller.
Lord Falconer of Thoroton: I understand that the Home Office is in discussion with the commissioner about that. The clause gives her the ability to ask questions of people. The alternative is that she simply be given a general power to find out what is going on. A balance must be struck between, on the one hand, people being legitimately entitled to carry on their business without inappropriate intervention from the state, but, on the other, the state--by which I mean the commissioner--having powers to make such investigations as are appropriate.
If and in so far as the commissioner believes that Clause 41 does not give her sufficient powers, that seems to be a matter that should be discussed with her. One hopes that agreement could be reached with her as to the appropriate course to take.
Lord Norton: Section 28 is used on a constant, day-to-day, basis by banks, insurance companies and police who exchange information with a variety of commercial operations, and I do not feel that the necessary discipline is set out in the Bill. It would act as a comfort for the person exchanging the information to know that that other person had an outside accountability. The police may draw comfort knowing
Lord Falconer of Thoroton: The position is that if there is a belief that the exemption is being improperly claimed, or that is what the commissioner believes, she will believe, or have reasonable grounds for suspecting, that a data controller is contravening one of the data protection principles, and she can serve an information notice.
Lord Norton: That is my point. Reasonable grounds have to be established in order for the commissioner to go in. I want there to be no grounds at all. The commissioner can knock at the door and say, "We understand you are using Section 28", and this applies to loss adjusters and insurance companies; I have seen a great deal of it on a day-to-day basis. It would act as a discipline. The "reasonable grounds" are too strong a test in my view.
Lord Falconer of Thoroton: I have understated my case because the commissioner can also make a request where she has received a request from a member of the public under Clause 40 in respect of any processing of personal data. Surely a balance has to be struck. Why is it that in all areas of endeavour, the one area where the state can simply march in and say "I want to see what you are doing" is here? What you have here is a perfectly responsible official who is given particular powers either upon complaints--that may be the wrong word--from a member of the public or where he or she has reasonable grounds for suspecting that some sort of infringement is going on. Then and only then can the enforcement officer, if I may call the commissioner that, compel the subject to answer questions. Surely a balance has to be struck somewhere.
Lord Norton: I agree that a balance has to be struck. We all know that the current registrar is a very reasonable and sensible operator and very popular in the commercial world for her balanced consideration in allowing clauses such as Clause 28(2) to operate. In my view, however, that would strengthen the case because she is not going to charge around interfering. Restrictions can be drafted to enable that. The data subject does not even necessarily know that he is under investigation. Records could be held by individuals who have absolutely no idea that they are on a file, and the commercial bodies have no rights to have those things. There has to be the discipline of telling people that they cannot maintain these files on these subjects on the excuse of Clause 28.
I shall move to the other amendments. I will deal with them in reverse order. The noble Baroness, Lady Nicholson of Winterbourne, proposes that, where an audit of good practice is going on, that should not have to depend on the consent of the data controller. Again, this seems to be a question of balance, and it is essentially a matter of judgment as to where the balance has to be struck. We believe that the consent safeguard is very important. Removing it, as with the amendment, would entirely change the nature of the provision--it would no longer be related solely to the development of good practice as now, but it would become a very powerful means of enforcement. The commissioner would be able to make spot checks on data controllers, uninvited, and with no good reason whatsoever for suspecting any infringement of the data protection laws.
The Government believe that this goes much too far. At present we believe the Bill achieves just about the right balance. It provides a means for the commissioner to seek the information she needs to enforce the law under Clauses 41 and 42 where she has received a complaint or otherwise suspects that there might be an infringement. Separately, under Clause 49(5), she is able to conduct an audit of good practice, but with the consent of the data controller.
It is a question of judgment as to where one pitches the balance. I understand the point, sincerely made, but it is my very strong view that we should be giving much too strong a power to intervene without good reason in controller activity if either the noble Baroness's amendment were made or even if the noble Earl's amendments were made. All the same points I made in relation to the other two amendments apply to his.