Thank you for your letter of 3 February enclosing the final draft of the Committee's report on digital images as evidence.

    You explained that the Committee had concluded, in the light of the evidence it had heard, that improved controls over public space CCTV systems and associated data matching schemes were needed, and that you had identified the Data Protection Bill as a potential vehicle for achieving these.

    I am grateful to you for giving me the opportunity to consider the Committee's views in advance of the Bill's committee stages. I believe that in practice the Bill as drafted already addresses the Committee's concerns as summarised in your letter, for the reasons given below.

    You queried firstly whether the digital television surveillance systems which are increasingly likely to be used in city centres were unambiguously within the scope of the proposed legislation. We are confident that they are. As you know, the Bill builds on the data protection regime established under the Data Protection Act 1984. Like the 1984 Act the Bill and its data protection principles are framed in general terms rather than by reference to specific data processing technologies, which can be swiftly superseded by new ones. As the Data Protection Registrar explained in her oral evidence, a number of CCTV systems are outside the scope of the 1984 Act because of the limitations of its definition of personal data and its requirement for processing to be undertaken by reference to the individual. Clause 1(1) of the Bill significantly expands both definitions. It appears to us that monitoring by live CCTV comes within the first limb of the definition of "data", i.e. information which is being processed by means of equipment operating automatically in response to instructions given for that purpose. "Processing" is no longer limited to activities carried out by reference to the data subject and it also covers a much wider range of operations, including the disclosure of data by transmission, dissemination or otherwise making available. We consider that the new definitions are sufficiently broad to catch not only the sophisticated types of CCTV systems with which the Committee are concerned, but even much simpler equipment which merely projects images of individuals passing a shop into the shop window without actually recording.

    Your second concern was whether data matching schemes, which might for example be used to identify and track individuals, would be adequately controlled under the new legislation in the absence of a specific complaint by an individual. As explained above, the Bill, like the present Act, is not technology-specific. Its controls will apply to data matching schemes, as do those of the current Act.

    It may be helpful at this stage if I briefly explain the relevant aspects of the Bill's enforcement regime. Whereas under the present Act the Registrar is only able to enforce compliance with the data protection principles against registered data users, the Bill requires compliance with the principles from all data controllers (unless their processing comes within an exempt category), whether or not they have notified their particulars to the Commissioner. Clause 49(1) of the Bill imposes a duty on the Commissioner to promote the following of good practice by data controllers and clause 49(3) enables the Commissioner to prepare and disseminate codes of practice; to encourage the preparation and dissemination of such codes by trade associations; and to advise on the adequacy of any such codes submitted for her consideration. Under clause 49(5) the Commissioner may, with the consent of the data controller, assess any processing of personal data for the observance of good practice. These are wider powers and responsibilities than those applying to the Registrar under the current Act. I note that the Registrar referred in her oral evidence to the possibility, for example, of the Commissioner issuing a code of practice for CCTV systems. Although any such code would be non-statutory, it could be expected to include a detailed statement of application of the data protection principles.

    The Commissioner will not need to wait for a complaint before initiating an investigation. Clause 41 empowers her to issue an information notice requesting relevant details from a data controller where she has reasonable grounds for suspecting any contravention of the data protection principles. This power is backed up by the powers of entry, inspection and seizure detailed in Schedule 8. Failure to comply with an information notice is an offence under clause 45.

    In addition to the enforcement provisions relating to the Commissioner, the Bill also strengthens the judicial remedies available to individuals; for example, clause 11 enables an individual to seek compensation for damage or distress caused by a data controller's failure to comply with any of the requirements of the Bill.

    Aside from the audit powers conferred on the Commissioner under clauses 41 and 49(5), the Bill also provides, at clause 21, for a system of preliminary assessment or "prior checking". You sought clarification about the extent to which this provision will go to meet the need which the Committee sees for an audit function in relation to data matching. We would see it as having the potential to meet it in full. Clause 21, which responds to Article 20 of the 1995 EC Data Protection Directive, provides for certain processing which is particularly likely to harm data subjects to be prohibited for a period of time in order to allow the Commissioner to assess its likely compliance with the requirements of the Bill. Processing during the prohibited period will be an offence. If the Commissioner concludes that the processing is unlikely to comply with the Bill's requirements, the processing may still go ahead, but the data controller will of course be at risk in that event of subsequent enforcement action for any breach of the Act. The particular processing to which the clause applies is to be specified in an Order subject to the affirmative resolution procedure. No decisions have yet been taken as to which categories of processing operation should be subject to preliminary assessment, but you will be aware from the paper published last July (Data protection: the Government's proposals) that operations involving data matching are primary candidates.

    Recommendation 5.14 of the Committee's draft report proposed that the Government should produce guidance for both the public and private sectors on the use of data matching. We see the issue of guidance on data protection issues as falling within the remit of the Registrar/Commissioner rather than government and I have outlined above the duties imposed on her by the Bill in this regard. In fact the Registrar already has a duty under the current Act to promote observance of the data protection principles and in August 1997 she issued guidance on developing data protection codes of practice on data matching. Its aim was to provide a framework within which codes of practice could be developed within particular sectors, leading ultimately to model codes which could be commended to those seeking to establish new data matching systems.

    I hope you will feel that this letter addresses the Committee's concerns satisfactorily. If, however, there are still points outstanding which you consider would be best dealt with by an early meeting, my diary secretary will be happy to arrange one as soon as practicable.

THE LORD WILLIAMS OF MOSTYN

17 February 1998