Clause 28

  17.    Clause 28(1) provides for an exemption from certain provisions of the Bill in particular circumstances in the contexts of crime and taxation. The clause 28(1) exemption is expressed to apply "in any case" in which the application of the provisions in question would be likely to prejudice any of the matters specified. But it is understood that it may be necessary in some circumstances, in view of the importance of the purposes set out in clause 28(1), to disapply those provisions otherwise than on a case by case basis. Clause 28(4), therefore, gives the Secretary of State the power to exempt personal data of a specified description from those provisions if required for the purposes set out in clause 28(1). As any such order would restrict the rights of data subjects, the affirmative resolution procedure is the appropriate parliamentary control (see clause 60(4)).

Clause 29

  18.    Under section 29 of the Act, the Secretary of State can make an order exempting from the subject access provisions personal data about the data subject's physical or mental health, and an order has been made in this respect: the Data Protection (Subject Access Modification)(Health) Order 1987 (S.I.1987/1903). Article 13 of the Directive preserves the availability of this exemption by granting Member States the discretion to "adopt legislative measures" to restrict the scope of the subject access provisions where necessary to safeguard "the protection of the data subject or of the rights and freedoms of others" (Article 13.1(g)). Accordingly, clause 29(1) gives the Secretary of State the power to make an order exempting from the subject information provisions (as defined in clause 26(2)) personal data relating to the physical or mental health or condition of the data subject. As such an order effectively removes or limits the rights of the data subject given to him under the Bill, the affirmative resolution procedure applies as it did under the Act (see clause 60(4)).

  19.    Under section 29 of the Act, a similar exemption to that outlined at paragraph 18 above can be made with respect to other categories of personal data relating to the carrying out of social work. One order has been made in this respect: the Data Protection (Subject Access Modification) (Social Work) Order 1987 (S.I.1987/1904). To retain equivalent provision, and as permitted under Article 13.1(g) as described above, clause 29(2) of the Bill gives the Secretary of State the power to make an order exempting from the subject information provisions personal data processed by certain public or voluntary bodies and relating to the carrying out of social work. There is an exception to clause 29(2) that the Secretary of State cannot make an exemption order unless he considers the subject information provisions would be likely to prejudice the carrying out of the social work. For the same reasons as apply to an order made under clause 29(1), any order made under Clause 29(2) will be subject to the affirmative resolution procedure (see clause 60(4)).

Clause 31

  20.    Clause 31 of the Bill provides an exemption for the media from the provisions of the Bill listed in clause 31(2), provided the conditions set out in clause 31(1) are satisfied. Part of the test for the exemption is found in clause 31(1)(b), namely that the data controller reasonably believes that publication would be in the public interest. When considering this limb of the test, regard may be had to the data controller's compliance with any relevant codes of practice with respect to the publication: clause 31(3). It is not possible or practicable to list on the face of the Bill the codes of practice that are to be taken into account, and a generic description purporting to define such codes was thought to be liable to invite abuse in practice. Consequently, a power has been given to the Secretary of State in clause 31(3)(b) to designate by order the relevant codes of practice which may be considered. Any such order will be subject to the negative resolution procedure (see clause 60(5)(a)).

Clause 37

  21.    By clause 26(4), the subject information provisions are given general precedence over enactments or other rules of law prohibiting or restricting the disclosure, or authorising the withholding, of information. That is not intended to be an invariable rule, however, and clause 37(1) gives the Secretary of State the power by order to exempt certain personal data from the subject information provisions (defined in clause 26(2)) where there are statutory restrictions on the disclosure of the information concerned. No such order can be made unless the Secretary of State considers it necessary for the safeguarding of the interests of the data subject or the rights and freedoms of any other individual that the statutory restrictions should prevail. This necessity test is included to give effect to the wording of Article 13.1(g) of the Directive. A similar provision exists in section 34(2) of the Act to vary the general rule established in section 26(4). Again, and following the Act, as the granting of an exemption involves the restriction of the rights of the data subject, any order will be subject to the affirmative resolution procedure (see clause 60(4)).

  22.    Paragraphs 18, 19 and 21 above relate to exemptions from the subject information provisions. Clause 37(2) gives the Secretary of State the power by order to enable disclosures to be made which would otherwise be in breach of the provisions of the Bill specified at clause 26(3), in circumstances to be specified in the order. This non-disclosure exemption is made subject to the same necessity test as is included for an order under clause 37(1), and thus the sense of Article 13.1(g) is transposed on the face of the Bill. Although the wording of this non-disclosure exemption is quite general, use of the power is circumscribed by the provisions of the Directive. Any order made under this clause will be subject to the affirmative resolution procedure (see clause 60(4)).

Clause 51

  23.    Clause 51(2) gives the Secretary of State the power to make an order making provision as to the functions to be discharged by the Commissioner as the designated authority in the UK for the purposes of Article 13 of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. An equivalent power is given in section 37 of the Act. An order made under clause 51(2) will be subject to the negative resolution procedure (see clause 60(5)(a)). This is the procedure currently specified in the Act.

  24.    Clause 51(3) gives power to the Secretary of State to make provision as to the co-operation by the Commissioner with the European Commission and with supervisory authorities in other Member States. The two particularisations set out in Clause 51(3)(a) and (b) bring on to the face of the Bill the provisions in the last sentence of the first paragraph and the second paragraph of Article 28.6 of the Directive. Any order made under clause 51(3) will involve provisions of an essentially administrative nature. The parliamentary control to be applied is the negative resolution procedure (see clause 60(5)(a)).

  25.    It is envisaged that the need to give effect to international obligations may in the future result in the Commissioner being required to assist other supervisory bodies in certain respects that are currently outside his remit. For this purpose, clause 51(4) provides for the Commissioner to carry out such data protection functions as may be specified in an order of the Secretary of State in this respect. The negative resolution procedure will apply to this order (clause 60(5)(a)).

Clause 64

  26.    Clause 64(3) contains a standard commencement order-making power, which is not subject to any parliamentary procedure.

Schedule 1 to the Bill

  27.    Paragraph 3(1) of Part II of Schedule 1 disapplies in certain circumstances the obligation on data controllers to provide certain information where they collect data otherwise than from the data subject. To come within the scope of the disapplication provisions, certain conditions set out in paragraph 3(2) must be satisfied together with any conditions specified in an order made by the Secretary of State. This power is taken pursuant to the discretion given by Article 11.2 of the Directive to the Member State to "provide appropriate safeguards". The order can only add further conditions to tests set out in the Bill, and will be subject to the negative resolution procedure by virtue of clause 60(5)(a).

  28.    Paragraph 4 of Part II of Schedule 1 gives the Secretary of State power to make an order which determines firstly what categories of data will constitute "general identifiers" and secondly, the conditions under which such a general identifier can be processed. Article 8.7 of the Directive gives discretion to Member States to determine the conditions, and as the conditions may vary from identifier to identifier and additional identifiers may be introduced in the future, it is considered appropriate to leave all of the conditions to be determined by order. Any order made under this provision adds to the protection already afforded to the individual data subject and accordingly the negative resolution procedure is to apply (see clause 60(5)(a)).

  29.    Provisions are made in the Directive with a view to imposing a measure of standardisation on the export of data to countries outside the European Economic Area. The eighth data protection principle therefore prohibits the transfer of data outside the European Economic Area unless that third country ensures an adequate level of data protection. Derogations from this prohibition are permitted by Article 26 of the Directive and are contained in Schedule 4 to the Bill. Paragraph 15 of Part II of Schedule 1 gives the Secretary of State a discretion to re-impose the prohibition (or impose conditions) on transfers which otherwise come within the derogations. It is anticipated that this power will rarely be used, but it is felt desirable to retain the flexibility afforded in this respect by Article 26.1 of the Directive which sets out the categories of available derogations "save where otherwise provided by domestic law governing particular cases". The negative resolution procedure is thought to be the appropriate control in this case, particularly as any order is likely to provide additional protection for the data subject by either prohibiting a transfer or bringing a transfer within stricter controls. Clause 60(5)(a) provides for such a procedure.

Schedule 2 to the Bill

  30.    The first data protection principle, and one of the fundamental concepts of any data protection regime, is the requirement for personal data to be processed fairly and lawfully. As well as establishing this principle, paragraph 1 of Part I of Schedule 1 goes on to prohibit the processing of any personal data in the absence of the satisfaction of at least one of the conditions set out in Schedule 2. Paragraph 6 of Schedule 2 specifies one such condition: the processing must be necessary for the purposes of the legitimate interests of the data controller or anyone to whom the data is disclosed. There is an exception to this provision where the processing is unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

  31.    Paragraph 6 gives effect to the provisions in Article 7(f) of the Directive. The wording of Article 7 appears to be entirely mandatory, but when read together with Recital 30 to the Directive, discretion is given to Member States to specify circumstances in which some processing is or is not to be taken as satisfying the conditions in paragraph 6. Accordingly, paragraph 6(2) of Schedule 2 gives the Secretary of State power by order to specify such circumstances, thus effectively giving the Secretary of State power to determine the "balance of interests" test in certain circumstances. Any order made under this provision will be subject to the negative resolution procedure by virtue of clause 60(5)(a).

Schedule 3 to the Bill

  32.    In the case of sensitive personal data as defined in clause 2, those data cannot be processed in accordance with the first data protection principle unless at least one of the conditions in Schedule 3 is met in addition to one of the conditions in Schedule 2. Paragraph 2(1) of Schedule 3 lifts this bar on processing sensitive personal data in the context of employment law. Article 8.2(b) of the Directive provides for this disapplication, "in so far as it is authorised by national law providing for adequate safeguards". In this respect, paragraph 2(1) permits processing to comply with any right or obligation conferred or imposed by law on the data controller, and paragraph 2(2) goes on to give the Secretary of State power to specify additional safeguards. Under section 2(3) of the Act, a similar power to modify the data protection principles in respect of certain categories of sensitive personal data is subject to the affirmative resolution procedure. It is felt, however, that the appropriate level of parliamentary control for any order under paragraph 2(2) is the negative resolution procedure, as the power is to be used simply to fine-tune the "adequate safeguards" which will already be largely provided for under the existing employment law. Accordingly, clause 60(5)(a) provides for this procedure.

  33.    In addition to the general disapplications given effect to in paragraphs 1 to 7 of Schedule 3, Articles 8.4 and 8.5 give Member States the discretion to lay down further disapplications provided that suitable specific safeguards are provided under national law. Accordingly, paragraph 9 of Schedule 3 gives the Secretary of State power to disapply the prohibition of the processing of sensitive personal data in circumstances to be specified. Examples of activities which an order might cover include public health and social protection, scientific research and Government statistics. It was not considered possible or appropriate to try to set out all the necessary exemptions on the face of the Bill, and the taking of a power will enable any specified list of exemptions to be readily amended. For consistency with the section 2(3) provision in the Act and due to the potential political interest an order under this provision might attract, the affirmative resolution procedure will apply by virtue of clause 60(4).

Schedule 4 to the Bill

  34.    In paragraph 29 preceding, a brief background is given to the provisions in the Bill relating to the transfers of data to a country outside the European Economic Area which does not have an adequate data protection regime. A further exception to the general prohibition on transfers is found in paragraph 4 of Schedule 4 if the transfer is necessary for reasons of substantial public interest. This provision transposes the derogation permitted by Article 26.1(d) of the Directive. The wording of Article 26.1(d) not only permits transfers where the necessity test is satisfied but also where the transfer is "legally required" on important public interest grounds. In this respect, a power is taken in paragraph 4(2) of Schedule 4, enabling the Secretary of State to specify by order circumstances in which data controllers may, and in some cases may not, make such transfers for reasons of substantial public interest. Any order made under this provision is subject to the negative resolution procedure (see clause 60(5)(a)).

Schedule 6 to the Bill

  35.     Schedule 3 of the Act presently enables the Secretary of State to make rules for regulating the exercise of rights of appeal and the practice and procedure of the Tribunal. Paragraph 7(1) of Schedule 6 retains this provision. Although the list in paragraph 7(2) of Schedule 6 includes several procedural matters which are not contained in the equivalent list in the Act, these lists are illustrative only and the matters specified arguably already come within the generality of the order-making power. By analogy with the Act's provisions and due to the procedural nature of the matters within by this power, the rules are subject to the negative resolution procedure (see clause 60(5)(d)).

15 January 1998