ANNEX (continued)
DATA PROTECTION BILL [HL]
Clause 28
17. Clause 28(1)
provides for an exemption from certain provisions of the Bill
in particular circumstances in the contexts of crime and taxation.
The clause 28(1) exemption is expressed to apply "in any
case" in which the application of the provisions in question
would be likely to prejudice any of the matters specified. But
it is understood that it may be necessary in some circumstances,
in view of the importance of the purposes set out in clause 28(1),
to disapply those provisions otherwise than on a case by case
basis. Clause 28(4), therefore, gives the Secretary of
State the power to exempt personal data of a specified description
from those provisions if required for the purposes set out in
clause 28(1). As any such order would restrict the rights of
data subjects, the affirmative resolution procedure is the appropriate
parliamentary control (see clause 60(4)).
Clause 29
18. Under section
29 of the Act, the Secretary of State can make an order exempting
from the subject access provisions personal data about the data
subject's physical or mental health, and an order has been made
in this respect: the Data Protection (Subject Access Modification)(Health)
Order 1987 (S.I.1987/1903). Article 13 of the Directive preserves
the availability of this exemption by granting Member States the
discretion to "adopt legislative measures" to restrict
the scope of the subject access provisions where necessary to
safeguard "the protection of the data subject or of the rights
and freedoms of others" (Article 13.1(g)). Accordingly,
clause 29(1) gives the Secretary of State the power to
make an order exempting from the subject information provisions
(as defined in clause 26(2)) personal data relating to the physical
or mental health or condition of the data subject. As such an
order effectively removes or limits the rights of the data subject
given to him under the Bill, the affirmative resolution procedure
applies as it did under the Act (see clause 60(4)).
19. Under section
29 of the Act, a similar exemption to that outlined at paragraph
18 above can be made with respect to other categories of personal
data relating to the carrying out of social work. One order has
been made in this respect: the Data Protection (Subject Access
Modification) (Social Work) Order 1987 (S.I.1987/1904). To retain
equivalent provision, and as permitted under Article 13.1(g) as
described above, clause 29(2) of the Bill gives the Secretary
of State the power to make an order exempting from the subject
information provisions personal data processed by certain public
or voluntary bodies and relating to the carrying out of social
work. There is an exception to clause 29(2) that the Secretary
of State cannot make an exemption order unless he considers the
subject information provisions would be likely to prejudice the
carrying out of the social work. For the same reasons as apply
to an order made under clause 29(1), any order made under Clause
29(2) will be subject to the affirmative resolution procedure
(see clause 60(4)).
Clause 31
20. Clause 31 of
the Bill provides an exemption for the media from the provisions
of the Bill listed in clause 31(2), provided the conditions set
out in clause 31(1) are satisfied. Part of the test for the exemption
is found in clause 31(1)(b), namely that the data controller reasonably
believes that publication would be in the public interest. When
considering this limb of the test, regard may be had to the data
controller's compliance with any relevant codes of practice with
respect to the publication: clause 31(3). It is not possible
or practicable to list on the face of the Bill the codes of practice
that are to be taken into account, and a generic description purporting
to define such codes was thought to be liable to invite abuse
in practice. Consequently, a power has been given to the Secretary
of State in clause 31(3)(b) to designate by order the relevant
codes of practice which may be considered. Any such order will
be subject to the negative resolution procedure (see clause 60(5)(a)).
Clause 37
21. By clause 26(4),
the subject information provisions are given general precedence
over enactments or other rules of law prohibiting or restricting
the disclosure, or authorising the withholding, of information.
That is not intended to be an invariable rule, however, and clause
37(1) gives the Secretary of State the power by order to exempt
certain personal data from the subject information provisions
(defined in clause 26(2)) where there are statutory restrictions
on the disclosure of the information concerned. No such order
can be made unless the Secretary of State considers it necessary
for the safeguarding of the interests of the data subject or the
rights and freedoms of any other individual that the statutory
restrictions should prevail. This necessity test is included to
give effect to the wording of Article 13.1(g) of the Directive.
A similar provision exists in section 34(2) of the Act to vary
the general rule established in section 26(4). Again, and following
the Act, as the granting of an exemption involves the restriction
of the rights of the data subject, any order will be subject to
the affirmative resolution procedure (see clause 60(4)).
22. Paragraphs
18, 19 and 21 above relate to exemptions from the subject information
provisions. Clause 37(2) gives the Secretary of State
the power by order to enable disclosures to be made which would
otherwise be in breach of the provisions of the Bill specified
at clause 26(3), in circumstances to be specified in the order.
This non-disclosure exemption is made subject to the same
necessity test as is included for an order under clause 37(1),
and thus the sense of Article 13.1(g) is transposed on the face
of the Bill. Although the wording of this non-disclosure exemption
is quite general, use of the power is circumscribed by the provisions
of the Directive. Any order made under this clause will be subject
to the affirmative resolution procedure (see clause 60(4)).
Clause 51
23. Clause 51(2)
gives the Secretary of State the power to make an order making
provision as to the functions to be discharged by the Commissioner
as the designated authority in the UK for the purposes of Article
13 of the Council of Europe Convention for the Protection of Individuals
with regard to Automatic Processing of Personal Data. An equivalent
power is given in section 37 of the Act. An order made under
clause 51(2) will be subject to the negative resolution
procedure (see clause 60(5)(a)). This is the procedure currently
specified in the Act.
24. Clause 51(3)
gives power to the Secretary of State to make provision as to
the co-operation by the Commissioner with the European Commission
and with supervisory authorities in other Member States. The
two particularisations set out in Clause 51(3)(a) and (b) bring
on to the face of the Bill the provisions in the last sentence
of the first paragraph and the second paragraph of Article 28.6
of the Directive. Any order made under clause 51(3) will
involve provisions of an essentially administrative nature. The
parliamentary control to be applied is the negative resolution
procedure (see clause 60(5)(a)).
25. It is envisaged
that the need to give effect to international obligations may
in the future result in the Commissioner being required to assist
other supervisory bodies in certain respects that are currently
outside his remit. For this purpose, clause 51(4) provides
for the Commissioner to carry out such data protection functions
as may be specified in an order of the Secretary of State in
this respect. The negative resolution procedure will apply to
this order (clause 60(5)(a)).
Clause 64
26. Clause 64(3)
contains a standard commencement order-making power, which is
not subject to any parliamentary procedure.
Schedule 1 to the Bill
27. Paragraph
3(1) of Part II of Schedule 1 disapplies in certain circumstances
the obligation on data controllers to provide certain information
where they collect data otherwise than from the data subject.
To come within the scope of the disapplication provisions, certain
conditions set out in paragraph 3(2) must be satisfied together
with any conditions specified in an order made by the Secretary
of State. This power is taken pursuant to the discretion given
by Article 11.2 of the Directive to the Member State to "provide
appropriate safeguards". The order can only add further
conditions to tests set out in the Bill, and will be subject to
the negative resolution procedure by virtue of clause 60(5)(a).
28. Paragraph
4 of Part II of Schedule 1 gives the Secretary of State power
to make an order which determines firstly what categories of data
will constitute "general identifiers" and secondly,
the conditions under which such a general identifier can be processed.
Article 8.7 of the Directive gives discretion to Member States
to determine the conditions, and as the conditions may vary from
identifier to identifier and additional identifiers may be introduced
in the future, it is considered appropriate to leave all of the
conditions to be determined by order. Any order made under this
provision adds to the protection already afforded to the individual
data subject and accordingly the negative resolution procedure
is to apply (see clause 60(5)(a)).
29. Provisions
are made in the Directive with a view to imposing a measure of
standardisation on the export of data to countries outside the
European Economic Area. The eighth data protection principle
therefore prohibits the transfer of data outside the European
Economic Area unless that third country ensures an adequate level
of data protection. Derogations from this prohibition are permitted
by Article 26 of the Directive and are contained in Schedule 4
to the Bill. Paragraph 15 of Part II of Schedule 1 gives
the Secretary of State a discretion to re-impose the prohibition
(or impose conditions) on transfers which otherwise come within
the derogations. It is anticipated that this power will rarely
be used, but it is felt desirable to retain the flexibility afforded
in this respect by Article 26.1 of the Directive which sets out
the categories of available derogations "save where otherwise
provided by domestic law governing particular cases". The
negative resolution procedure is thought to be the appropriate
control in this case, particularly as any order is likely to provide
additional protection for the data subject by either prohibiting
a transfer or bringing a transfer within stricter controls. Clause
60(5)(a) provides for such a procedure.
Schedule 2 to the Bill
30. The first data
protection principle, and one of the fundamental concepts of any
data protection regime, is the requirement for personal data to
be processed fairly and lawfully. As well as establishing this
principle, paragraph 1 of Part I of Schedule 1 goes on to prohibit
the processing of any personal data in the absence of the satisfaction
of at least one of the conditions set out in Schedule 2. Paragraph
6 of Schedule 2 specifies one such condition: the processing must
be necessary for the purposes of the legitimate interests of the
data controller or anyone to whom the data is disclosed. There
is an exception to this provision where the processing is unwarranted
by reason of prejudice to the rights and freedoms or legitimate
interests of the data subject.
31. Paragraph 6
gives effect to the provisions in Article 7(f) of the Directive.
The wording of Article 7 appears to be entirely mandatory, but
when read together with Recital 30 to the Directive, discretion
is given to Member States to specify circumstances in which some
processing is or is not to be taken as satisfying the conditions
in paragraph 6. Accordingly, paragraph 6(2) of Schedule
2 gives the Secretary of State power by order to specify such
circumstances, thus effectively giving the Secretary of State
power to determine the "balance of interests" test in
certain circumstances. Any order made under this provision will
be subject to the negative resolution procedure by virtue of clause
60(5)(a).
Schedule 3 to the Bill
32. In the case
of sensitive personal data as defined in clause 2, those data
cannot be processed in accordance with the first data protection
principle unless at least one of the conditions in Schedule 3
is met in addition to one of the conditions in Schedule 2. Paragraph
2(1) of Schedule 3 lifts this bar on processing sensitive personal
data in the context of employment law. Article 8.2(b) of the
Directive provides for this disapplication, "in so far as
it is authorised by national law providing for adequate safeguards".
In this respect, paragraph 2(1) permits processing to comply
with any right or obligation conferred or imposed by law on the
data controller, and paragraph 2(2) goes on to give the
Secretary of State power to specify additional safeguards. Under
section 2(3) of the Act, a similar power to modify the data protection
principles in respect of certain categories of sensitive personal
data is subject to the affirmative resolution procedure. It is
felt, however, that the appropriate level of parliamentary control
for any order under paragraph 2(2) is the negative resolution
procedure, as the power is to be used simply to fine-tune the
"adequate safeguards" which will already be largely
provided for under the existing employment law. Accordingly,
clause 60(5)(a) provides for this procedure.
33. In addition
to the general disapplications given effect to in paragraphs 1
to 7 of Schedule 3, Articles 8.4 and 8.5 give Member States the
discretion to lay down further disapplications provided that suitable
specific safeguards are provided under national law. Accordingly,
paragraph 9 of Schedule 3 gives the Secretary of State
power to disapply the prohibition of the processing of sensitive
personal data in circumstances to be specified. Examples of activities
which an order might cover include public health and social protection,
scientific research and Government statistics. It was not considered
possible or appropriate to try to set out all the necessary exemptions
on the face of the Bill, and the taking of a power will enable
any specified list of exemptions to be readily amended. For consistency
with the section 2(3) provision in the Act and due to the potential
political interest an order under this provision might attract,
the affirmative resolution procedure will apply by virtue of clause
60(4).
Schedule 4 to the Bill
34. In paragraph
29 preceding, a brief background is given to the provisions in
the Bill relating to the transfers of data to a country outside
the European Economic Area which does not have an adequate data
protection regime. A further exception to the general prohibition
on transfers is found in paragraph 4 of Schedule 4 if the transfer
is necessary for reasons of substantial public interest. This
provision transposes the derogation permitted by Article 26.1(d)
of the Directive. The wording of Article 26.1(d) not only permits
transfers where the necessity test is satisfied but also where
the transfer is "legally required" on important public
interest grounds. In this respect, a power is taken in paragraph
4(2) of Schedule 4, enabling the Secretary of State to specify
by order circumstances in which data controllers may, and in some
cases may not, make such transfers for reasons of substantial
public interest. Any order made under this provision is subject
to the negative resolution procedure (see clause 60(5)(a)).
Schedule 6 to the Bill
35. Schedule 3
of the Act presently enables the Secretary of State to make rules
for regulating the exercise of rights of appeal and the practice
and procedure of the Tribunal. Paragraph 7(1) of Schedule
6 retains this provision. Although the list in paragraph 7(2)
of Schedule 6 includes several procedural matters which are not
contained in the equivalent list in the Act, these lists are illustrative
only and the matters specified arguably already come within the
generality of the order-making power. By analogy with the Act's
provisions and due to the procedural nature of the matters within
this power, the rules are subject to the negative resolution
procedure (see clause 60(5)(d)).
15 January 1998