Letter to the Chairman from the Lord Williams
Parliamentary Under Secretary of State,
Thank you for your letter of 3 February
enclosing the final draft of the Committee's report on digital
images as evidence.
You explained that the Committee had concluded,
in the light of the evidence it had heard, that improved controls
over public space CCTV systems and associated data matching schemes
were needed, and that you had identified the Data Protection Bill
as a potential vehicle for achieving these.
I am grateful to you for giving me the
opportunity to consider the Committee's views in advance of the
Bill's committee stages. I believe that in practice the Bill as
drafted already addresses the Committee's concerns as summarised
in your letter, for the reasons given below.
You queried firstly whether the digital
television surveillance systems which are increasingly likely
to be used in city centres were unambiguously within the scope
of the proposed legislation. We are confident that they are. As
you know, the Bill builds on the data protection regime established
under the Data Protection Act 1984. Like the 1984 Act the Bill
and its data protection principles are framed in general terms
rather than by reference to specific data processing technologies,
which can be swiftly superseded by new ones. As the Data Protection
Registrar explained in her oral evidence, a number of CCTV systems
are outside the scope of the 1984 Act because of the limitations
of its definition of personal data and its requirement for processing
to be undertaken by reference to the individual. Clause 1(1) of
the Bill significantly expands both definitions. It appears to
us that monitoring by live CCTV comes within the first limb of
the definition of "data", i.e. information which is
being processed by means of equipment operating automatically
in response to instructions given for that purpose. "Processing"
is no longer limited to activities carried out by reference to
the data subject and it also covers a much wider range of operations,
including the disclosure of data by transmission, dissemination
or otherwise making available. We consider that the new definitions
are sufficiently broad to catch not only the sophisticated types
of CCTV systems with which the Committee are concerned, but even
much simpler equipment which merely projects images of individuals
passing a shop into the shop window without actually recording.
Your second concern was whether data matching
schemes, which might for example be used to identify and track
individuals, would be adequately controlled under the new legislation
in the absence of a specific complaint by an individual. As explained
above, the Bill, like the present Act, is not technology-specific.
Its controls will apply to data matching schemes, as do those
of the current Act.
It may be helpful at this stage if I briefly
explain the relevant aspects of the Bill's enforcement regime.
Whereas under the present Act the Registrar is only able to enforce
compliance with the data protection principles against registered
data users, the Bill requires compliance with the principles from
all data controllers (unless their processing comes within
an exempt category), whether or not they have notified their particulars
to the Commissioner. Clause 49(1) of the Bill imposes a duty on
the Commissioner to promote the following of good practice by
data controllers and clause 49(3) enables the Commissioner to
prepare and disseminate codes of practice; to encourage the preparation
and dissemination of such codes by trade associations; and to
advise on the adequacy of any such codes submitted for her consideration.
Under clause 49(5) the Commissioner may, with the consent of the
data controller, assess any processing of personal data for the
observance of good practice. These are wider powers and responsibilities
than those applying to the Registrar under the current Act. I
note that the Registrar referred in her oral evidence to the possibility,
for example, of the Commissioner issuing a code of practice for
CCTV systems. Although any such code would be non-statutory, it
could be expected to include a detailed statement of application
of the data protection principles.
The Commissioner will not need to wait
for a complaint before initiating an investigation. Clause 41
empowers her to issue an information notice requesting relevant
details from a data controller where she has reasonable grounds
for suspecting any contravention of the data protection principles.
This power is backed up by the powers of entry, inspection and
seizure detailed in Schedule 8. Failure to comply with an information
notice is an offence under clause 45.
In addition to the enforcement provisions
relating to the Commissioner, the Bill also strengthens the judicial
remedies available to individuals; for example, clause 11 enables
an individual to seek compensation for damage or distress caused
by a data controller's failure to comply with any of the requirements
of the Bill.
Aside from the audit powers conferred on
the Commissioner under clauses 41 and 49(5), the Bill also provides,
at clause 21, for a system of preliminary assessment or "prior
checking". You sought clarification about the extent to which
this provision will go to meet the need which the Committee sees
for an audit function in relation to data matching. We would see
it as having the potential to meet it in full. Clause 21, which
responds to Article 20 of the 1995 EC Data Protection Directive,
provides for certain processing which is particularly likely to
harm data subjects to be prohibited for a period of time in order
to allow the Commissioner to assess its likely compliance with
the requirements of the Bill. Processing during the prohibited
period will be an offence. If the Commissioner concludes that
the processing is unlikely to comply with the Bill's requirements,
the processing may still go ahead, but the data controller will
of course be at risk in that event of subsequent enforcement action
for any breach of the Act. The particular processing to which
the clause applies is to be specified in an Order subject to the
affirmative resolution procedure. No decisions have yet been taken
as to which categories of processing operation should be subject
to preliminary assessment, but you will be aware from the paper
published last July (Data protection: the Government's proposals)
that operations involving data matching are primary candidates.
Recommendation 5.14 of the Committee's
draft report proposed that the Government should produce guidance
for both the public and private sectors on the use of data matching.
We see the issue of guidance on data protection issues as falling
within the remit of the Registrar/Commissioner rather than government
and I have outlined above the duties imposed on her by the Bill
in this regard. In fact the Registrar already has a duty under
the current Act to promote observance of the data protection principles
and in August 1997 she issued guidance on developing data protection
codes of practice on data matching. Its aim was to provide a framework
within which codes of practice could be developed within particular
sectors, leading ultimately to model codes which could be commended
to those seeking to establish new data matching systems.
I hope you will feel that this letter addresses
the Committee's concerns satisfactorily. If, however, there are
still points outstanding which you consider would be best dealt
with by an early meeting, my diary secretary will be happy to
arrange one as soon as practicable.
THE LORD WILLIAMS OF MOSTYN
17 February 1998