Previous Section Back to Table of Contents Lords Hansard Home Page

However, we have listened to the arguments made in favour of further extending the scope of assessment notices to the private sector. We recognise that there are genuine concerns about the private sector's handling of personal data-indeed, the noble Baroness, Lady Miller, referred to them-and that there are certain categories of private-sector data controller whose circumstances merit the application of assessment notices.

Government Amendments 198A, 199A and 199C address those scenarios. We remain unpersuaded that the assessment notice regime should apply automatically to all data controllers. Such an approach would be a little excessive and impose disproportionate burdens on business. Instead, our amendments enable the Secretary of State to designate by order certain descriptions of private-sector data controller as liable for assessment notices.

The amendments provide the Secretary of State with the power to make an order following a recommendation from the Information Commissioner. Where the Secretary of State was minded to accept such a recommendation, we would be able to proceed to make an order, which would be subject to the affirmative procedure, only following consultation with the affected sectors. Such consultations would be accompanied by a full impact assessment. The Secretary of State and the Information Commissioner will have to be satisfied that designation is necessary, taking into account the nature and quantity of data under the control of such persons and the damage or distress that may be caused by a contravention by such persons of the data protection principles.

This amendment does not provide for the designation of a particular data controller but for a description of a data controller. This means that the designation would not single out or list individual data controllers but would provide a description of a class of data controller-for example, credit reference agencies, which have been referred to in the debate-as liable to assessment notices. In addition, we are introducing a requirement for the Secretary of State to review, at least every five years, whether it continues to be appropriate for a public authority and necessary for a description of a private-sector data controller to be subject to the assessment notice regime.

Amendment 199D in the name of the noble Lord, Lord Henley, would amend government Amendment 199C and would require the Information Commissioner

21 July 2009 : Column 1564

and the Secretary of State, before making an order under new Section 41A(2)(c) of the Data Protection Act, to consider the public function of the data under the control of those private-sector data controllers to be designated in such an order. We are not persuaded that this amendment is necessary. Data controllers exercising public functions may already be brought within the assessment notice regime by virtue of an order under new Section 41A(2)(b). That is the context in which this class of data controllers should be considered, not the context of the new order-making power introduced by the government amendments. We are confident that our amendments to Clause 156 provide for an extension that is in tune with the need for enhancing the current supervisory powers of the Information Commissioner without creating a disproportionate regulatory burden.

Amendments 194, 196, 198 and 199 in the name of the noble Baroness, Lady Miller, similarly seek to extend the categories of data controllers who are liable to an assessment notice. Amendment 199, for example, would make assessment notices directly applicable to public authorities without the need for an order. However, we do not consider such an extension across the whole public sector to be justified. The definition of "public authority" in the Bill relies on an order being made. Without an order, there would be uncertainty as to exactly which persons are covered. I hope that, having had an opportunity to consider our amendments and to hear what I briefly had to say about them, the noble Baroness may be persuaded that they offer a more balanced and proportionate approach and that she will not press her amendments to a vote today.

Government Amendments 199B, 200A and 200B in large measure simply re-order existing provisions in Clause 156, but there is one notable change in that judges are added to the list of persons excluded from the assessment notice regime. The Committee will of course appreciate the very special constitutional position of the judiciary that has led to us tabling this amendment. Currently, the only inspection regime involving the judiciary is provided for in Section 59 of the Courts Act 2003. That is limited to the inspection of the system that supports the carrying on of the business of the courts and the services provided for those courts. It expressly does not permit scrutiny of anyone exercising judicial discretion or making judicial decisions.

For judicial office-holders to be subject to the assessment notice procedure while exercising their professional judicial functions would compromise the constitutional principle of judicial independence, which this and every Government rightly have a statutory duty to uphold. There can be no disagreement that judicial impartiality and freedom from improper influence are at the heart of the fair administration of justice in this country. The Information Commissioner agrees with our making this special exception.

Government Amendments 205B and 205C are consequential to the proposed changes to Clause 156.

I turn now to sanctions for non-compliance with an assessment notice. Again, we have listened to the representations in the other place on this issue. The case for some express sanction in the event of non-compliance is reinforced now that private-sector data

21 July 2009 : Column 1565

controllers can be brought within the scope of assessment notices. Our Amendments 206ZA to 206ZD would introduce changes to Schedule 18 to provide the Information Commissioner with the power to apply for a warrant under Schedule 9 to the Data Protection Act where a data controller had failed to comply with a requirement imposed by an assessment notice. As now, the Information Commissioner's office would need to satisfy the judge that there were sufficient grounds for the issue of a warrant to search the data controller's premises.

We have taken a different approach to enforcement from that taken in Amendments 195, 200, 201, 203, and 204, tabled by my noble friend Lord Dubs and the noble Baroness, Lady Miller. The key difficulty with treating the failure to comply with an assessment notice as a contempt of court or as an offence is that ultimately it does not provide the Information Commissioner with access to the premises in question, which is exactly what a warrant does; it provides the Information Commissioner with access. The former Information Commissioner agreed with us that this would not provide him with the access he believed was required.

3 pm

Amendment 202, in the name of the noble Baroness, Lady Miller, would provide for an enforcement mechanism through the issuing of a warrant under Schedule 9 to the Data Protection Act to allow the Information Commissioner access to the data controller's premises. I hope that noble Lords will agree that our amendments are intended in the same spirit and achieve a similar end.

Part 5 of Schedule 18 amends Section 55A of the Data Protection Act to prevent the imposition of a civil monetary penalty based on information obtained from either a good practice assessment or an assessment notice. Amendment 206 would remove this exemption, which we believe will provide a strong incentive for data controllers to consent to a good practice assessment. This exemption will not-I emphasise, not-provide immunity to data controllers from all enforcement action in relation to breaches that might be discovered during a good practice assessment or an assessment notice. The commissioner will still be able to issue an enforcement notice under Section 40 of the Data Protection Act to compel the data controller to comply with their data protection obligations if he discovers a breach of the data protection principles during any of these assessments.

As the noble Lord, Lord Henley, reminded us, these government amendments follow consultations that my ministerial colleague, Michael Wills, had with the Information Commissioner and the opposition spokespersons in the other place. I hope that the House will agree that this package of government amendments provides a workable scheme to bring those data controllers who need to be subject to additional scrutiny within the assessment notice regime and to provide the Information Commissioner with sufficient remedies where a data controller fails to comply with an assessment notice. In due course, I shall move the government amendments.

The noble Baroness asked me, harking back to last year and the Criminal Justice and Immigration Act, why the increased penalties in those Acts are not yet

21 July 2009 : Column 1566

commenced. This answer may not totally satisfy her, but we are, together with the Information Commissioner's office, monitoring the illegal trade closely. Should the position get worse, we will not hesitate to bring forward an order to increase the maximum penalty for this offence, but for the present we have no immediate intention to do so.

Baroness Miller of Chilthorne Domer: Let me deal with that last point first. That is very disappointing news because when I went to the launch of the Information Commissioner's annual report this year, one of the main points was that the office welcomed the new legislation going on to the statute book last year to allow this power to the Secretary of State so that he or she could make an order which would bring in a satisfactory penalty. But it was very disappointed that these orders had not been brought in. I understand that the Government may be monitoring the situation with the Information Commissioner's office. But its reaction to the lack of these orders seems to be at variance with the Government's view that the orders are not necessary.

Lord Bach: I realise that the answer I have given the noble Baroness is short and may not be full enough. If she will allow me, I will write to her with fuller reasons on why these orders have not been brought in.

Baroness Miller of Chilthorne Domer: I should be most grateful for that. On the substance of my other amendments and the government amendments, I recognise that this is an evolutionary process. The government amendments are a couple of steps in the right direction of evolution. Therefore, the statutory regime surrounding the retention of data and the way in which they are managed is keeping pace with the technological capabilities, which is what has not happened to date. I am very pleased to see that we have more steps to ensure that citizens in the UK can feel a little more confident that their private data are regarded as valuable, precious and something that should be looked after properly. These steps are in the right direction. I beg leave to withdraw the amendment.

Amendment 194 withdrawn.

Amendments 195 and 196 not moved.

Amendment 197 withdrawn.

Amendment 198 not moved

Amendment 198A

Moved by Lord Bach

198A: Clause 156, page 102, line 26, leave out "or"

Amendment 198A agreed.

Amendment 199 not moved.

21 July 2009 : Column 1567

Amendments 199A and 199B

Moved by Lord Bach

199A: Clause 156, page 102, leave out line 29 and insert "or

(c) a person of a description designated for the purposes of this section by such an order."

199B: Clause 156, page 103, leave out lines 20 to 46

Amendments 199A and 199B agreed.

Amendment 199C

Moved by Lord Bach

199C: Clause 156, page 103, line 48, at end insert-

"(11A) Where a public authority has been designated by an order under subsection (2)(b) the Secretary of State must reconsider, at intervals of no greater than 5 years, whether it continues to be appropriate for the authority to be designated.

(11B) The Secretary of State may not make an order under subsection (2)(c) which designates a description of persons unless-

(a) the Commissioner has made a recommendation that the description be designated, and

(b) the Secretary of State has consulted-

(i) such persons as appear to the Secretary of State to represent the interests of those that meet the description;

(ii) such other persons as the Secretary of State considers appropriate.

(11C) The Secretary of State may not make an order under subsection (2)(c), and the Commissioner may not make a recommendation under subsection (11B)(a), unless the Secretary of State or (as the case may be) the Commissioner is satisfied that it is necessary for the description of persons in question to be designated having regard to-

(a) the nature and quantity of data under the control of such persons, and

(b) any damage or distress which may be caused by a contravention by such persons of the data protection principles.

(11D) Where a description of persons has been designated by an order under subsection (2)(c) the Secretary of State must reconsider, at intervals of no greater than 5 years, whether it continues to be necessary for the description to be designated having regard to the matters mentioned in subsection (11C)."

Amendment199D (to Amendment 199C) not moved.

Amendment 199C agreed.

Amendment 200 not moved.

Amendments 200A and 200B

Moved by Lord Bach

200A: Clause 156, page 104, leave out lines 2 to 11

200B: Clause 156, page 104, line 18, at end insert-

"41AB Assessment notices: limitations

(1) A time specified in an assessment notice under section 41A(5) in relation to a requirement must not fall, and a period so specified must not begin, before the end of the period within which an appeal can be brought against the notice, and if such an appeal is brought the requirement need not be complied with pending the determination or withdrawal of the appeal.

(2) If by reason of special circumstances the Commissioner considers that it is necessary for the data controller to comply with a requirement in an assessment notice as a matter of urgency, the Commissioner may include in the notice a statement to that

21 July 2009 : Column 1568

effect and a statement of the reasons for that conclusion; and in that event subsection (1) applies in relation to the requirement as if for the words from "within" to the end there were substituted "of 7 days beginning with the day on which the notice is served".

(3) A requirement imposed by an assessment notice does not have effect in so far as compliance with it would result in the disclosure of-

(a) any communication between a professional legal adviser and the adviser's client in connection with the giving of legal advice with respect to the client's obligations, liabilities or rights under this Act, or

(b) any communication between a professional legal adviser and the adviser's client, or between such an adviser or the adviser's client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Tribunal) and for the purposes of such proceedings.

(4) In subsection (3) references to the client of a professional legal adviser include references to any person representing such a client.

(5) Nothing in section 41A authorises the Commissioner to serve an assessment notice on-

(a) a judge,

(b) a body specified in section 23(3) of the Freedom of Information Act 2000 (bodies dealing with security matters), or

(c) the Office for Standards in Education, Children's Services and Skills in so far as it is a data controller in respect of information processed for the purposes of functions exercisable by Her Majesty's Chief Inspector of Education, Children's Services and Skills by virtue of section 5(1)(a) of the Care Standards Act 2000.

(6) In this section "judge" includes -

(a) a justice of the peace (or, in Northern Ireland, a lay magistrate),

(b) a member of a tribunal, and

(c) a clerk or other officer entitled to exercise the jurisdiction of a court or tribunal;

and in this subsection "tribunal" means any tribunal in which legal proceedings may be brought."

Amendments 200A and 200B agreed.

Amendment 201 not moved.

Clause 156, as amended, agreed.

Amendments 202 to 204 not moved.

Clauses 157 and 158 agreed.

Amendment 205

Moved by Lord Dubs

205: After Clause 158, insert the following new Clause-

"Data protection

In section 77 of the Freedom of Information Act 2000 (c. 36) (offence of altering etc records with intent to prevent disclosure), after subsection (4) insert-

"(5) Notwithstanding anything in section 127(1) of the Magistrates' Courts Act 1980, a magistrates' court may try an information relating to an offence under this section if the information is laid-

(a) before the end of the period of three years beginning with the date of the commission of the offence, and

(b) before the end of the period of six months beginning with the date on which evidence which the prosecutor thinks is sufficient to justify the proceedings comes to his knowledge.

(6) For the purpose of subsection (5)-

21 July 2009 : Column 1569

(a) a certificate signed by or on behalf of the prosecutor and stating the date on which such evidence came to his knowledge shall be conclusive evidence of that fact, and

(b) a certificate stating that matter and purporting to be so signed shall be treated as so signed unless the contrary is proved.""

Lord Dubs: This amendment sets out to put right what I think has been a mistake in the way in which various pieces of legislation have been drafted. I shall seek to persuade the Government that it is a mistake in order that they can use my amendment as an opportunity to put things right. This amendment does not come from the Joint Committee on Human Rights. It comes with the help of the freedom of information campaign. Under Section 77 of the Freedom of Information Act, it is an offence for a public authority or an official to deliberately destroy or alter a record which has been requested if the intention in doing so is to prevent the release of information to which the requester is entitled. That is fairly clear.

The offence also applies to the deliberate destruction of a record requested under the Data Protection Act, which gives individuals the right to obtain personal information about themselves. The offence is committed only where the act is deliberate; that is, where the record is deliberately destroyed and amended after being requested with the intention of frustrating the applicant's legal right of access. An official who accidentally destroys the record or who does so in accordance with the authority's established record destruction policy commits no offence. So there are safeguards.

The offence can be tried only in a magistrates' court where the maximum fine is level 5 on the standard scale, £5,000. There is no provision for this offence to be tried on indictment. Your Lordships will think, "So far, so good. Why do we need the amendment?". I shall explain. Section 127(1) of the Magistrates' Courts Act 1980 prohibits a prosecution from being brought more than six months after the offence has been committed. This provision would make it virtually impossible to bring a successful prosecution for the Section 77 offence under the Freedom of Information Act. Therefore, with a very tight time limit, I contend that it is virtually impossible to bring a successful prosecution.

The deliberate destruction of requested records is likely to be detected only during an investigation by the Information Commissioner, which will rarely even have started within six months of the offence. There are three reasons why there might be a delay which would take up the whole of the six months within which a prosecution has to be brought for it to be successful.

For example, there may be a delay in responding to a freedom of information request. Although the Act requires an authority to respond to a request within 20 working days, it permits an unspecified reasonable extension where the authority has to consider the disclosure of exempt information under the Act's public interest test. The commissioner recommended that the extension should normally be limited to an additional 20 working days and should never exceed 40 working days. In practice, it sometimes runs to many months. The commissioner has described how the National

21 July 2009 : Column 1570

Offender Manager Service responded to one request by taking 12 consecutive extensions, each of 20 working days, so that the request was answered one year after it was made. That is the first cause of delay which can make it difficult to bring forward a prosecution within six months.

The second example is where the requester is dissatisfied with the authority's response to a request. He or she cannot complain directly to the Information Commissioner, but must first ask the authority to reconsider the matter under its own internal complaints procedure, and there is no statutory time limit for this process. The commissioner said that it should normally be completed within 20 working days, with the outside being 40 working days. In practice, the process sometimes takes substantially longer. On one occasion, DBERR-I find the names of government departments difficult at times; they do not trip off the tongue at all, and it was easier in the old days-took 21 months to complete an internal review, only doing so after the commissioner's intervention. And that is a government department.

Next Section Back to Table of Contents Lords Hansard Home Page