Q760 Lord Norton of Louth: What role
do you think parliament should play in this? Is their more of
a role that it should take on? There have been criticisms that
perhaps it is too willing to go along with government demanding
more surveillance powers and so on. I think you are implying in
Germany that the legislature is more active in this sphere. Is
there a role that parliament should be playing that it is not
Professor Fedtke: The role of parliament
is predominantly to legislate and the detail of legislation, which
we have talked about this morning on various occasions, is a task
for parliament to apply its mind to and to try, in my personal
opinion, to draft the statutes which authorise surveillance and
the use of data in very specific terms. That, in itself, is a
formidable task for parliament and is very difficult to do. There
are data protection commissioners who report to parliament. These
reports should be taken seriously and should be as elaborate as
possible because that is one source of knowledge for parliament
to actually see what is going on. It is an independent commissioner
after all with powers to ask for information, to ask how things
have happened, where things have gone wrong, to request access
to data to actually establish what happened and these reports
should offer quite a lot of information for parliament to work
with. Parliament in Germany, as I mentioned earlier, goes beyond
its usual remit on one occasion when there is a threat to the
nation as a whole, national security threats of the highest order.
That is where parliament, in the form of a special commission,
itself authorises surveillance and only parliamentarians can say
to go ahead or not to go ahead. That led to a constitutional court
case some years back because individuals felt this denies them
access to the courts. That is a problem in terms of the balance
of power between the institutions. The court came down five to
three in favour of this existing model with substantial criticism,
of course, because access to courts and the role of the judges
is extremely important and should not be curtailed lightly. Data
protection is a joint effort and it is not just parliament but
the courts themselves which should play a strong role. I think
the judge, if there is enough manpower for that, is a good person
to actually authorise specifically important or infringing measures.
There are the independent bodies and the commissioners. Again
I would like to stress the importance of internal measures within
public authorities. That is very important and more can be done
there I think.
Q761 Lord Norton of Louth: It is
almost a passive role for parliament in terms of being the recipient.
Is there more it should be doing?
Professor Oliver: I do think it is important
to distinguish, at the moment at least, between the House of Commons
and the House of Lords because your chamber is much more independent
and there is not a government majority, and for all the reasons
that we know one can rely on the House of Lords to make it much
more difficult for the government to legislate in ways that give
too much power in relation to surveillance and so on. Whether
that would remain the case as and when the House of Lords becomes
largely elected is a matter we cannot go into. When it comes to
parliamentary procedures, I myself am very interested in the idea
that committees scrutinising Bills and Draft Bills could develop
standards against which Bills, or provisions in Bills, that are
to do with surveillance would be tested. My own sense is that
those standards could partly be developed by committees themselves
so after a period when several Bills have been looked at you will
find a committee is repeatedly getting concerned about whatever
it is and you could say that is the standard. My own sense is
that does not prevent parliament voting for this thing that seems
to be contrary to standards but at least it is not going to be
done by mistake. It should feed back into the governmental process
where Bills are being drafted because then the minister will be
able to say "we are going to get in trouble with the House
of Commons, or whoever, if we do it. We want to do it but let
us brace ourselves". I think that would be entirely desirable.
Q762 Lord Norton of Louth: From your
previous work I believe you ascribe quite a role to this particular
Professor Oliver: Absolutely, yes.
Q763 Lord Rowlands: Your reply promoted
the question I was about to ask. We have seen a lot of evidence
about privacy impact assessments within government departments.
Would it be a good idea that any department bringing a Bill before
the House would have to undertake a privacy impact assessment
and publish it and reveal the degree to which it has assessed
what impact this Bill will have on privacy matters?
Professor Oliver: That sounds like an
Q764 Lord Rowlands: We can build
powers into the legislative process. Do you think that individual
privacy is sufficiently protected by the common law in the United
Professor Oliver: No, I do not. It has
made enormous strides, partly under the influence of the Human
Rights Act, in relation to privacy and the press. I think individuals
do now have a great deal more protection against the press than
they did some years ago but it does not say much about relations
between the individual and the state or other relationships which
are not to do with the press. There is a lot to be said for common
law development: it is incremental, it is trial and error and
it avoids the political disputes you get. If the government were
to introduce a Bill about privacy you would get Fleet Street up
in arms and then it is difficult but if the courts do it they
get there. But I think there is a limit to what the common law
Q765 Lord Lyell of Markyate: This
question follows immediately on from that. To what extent are
issues about privacy likely to be resolved by the courts in the
future? We have the recent Murray case, the J K Rowling case.
We had the earlier case of Mr Justice Jack where the Court of
Appeal thought he had gone a bit too far in limiting the powers
of the press. Some of us in this Committee are worried that judges
will be limiting freedom of speech, which is another very important
aspect even though it is sometimes unpleasant. To what extent
do you think the courts are going to get this right and provide
the right balance under the Human Rights Act?
Professor Oliver: One can only guess.
I do have quite a lot of faith in the ability of the courts to
find balances. There are conflicts between the freedom of the
press and privacy, and where you draw the line is not easy, but
it would not be any easier if the idea was that there should be
an Act setting it out. One can imagine the Act would go on and
on about things. The Human Rights Act already has this peculiar
provision about the importance of freedom of the press in it and
I think a statute about it would have many, many more of those.
I just happen to like judges and I like the common law method
and I have a bit of faith in it but I do not believe it can solve
all the problems.
Q766 Lord Morris of Aberavon: I am
concerned about the Data Protection Act and how far it is an adequate
organ for the privacy of citizens' personal data to be protected.
The exceptions and exemptions created under the Act, are they
too broad and should they be narrowed? Is not the Act itself contradicted
by the Freedom of Information Act?
Professor Fedtke: A Data Protection Act
is an enormous advantage in whatever form because it does provide
a very thorough broad basis on which public authorities and citizens
can draw in the absence of specific legislation. Specific legislation
is more helpful, as I said again and again, to actually identify
specific dangers and balance them to the aims of public authorities.
As far as the exemptions are concerned, it is true that the Act
does specify a long list of exemptions and that begs the question
what happens if these exemptions are invoked, what regime will
take hold in the absence of the application of the Data Protection
Act. The answer again is design specific legislation for those
particular areas, whether it is media which have exemptions under
the Data Protection Act, whether it is security agencies which
have exemptions under the Data Protection Act or whether it is
the police which have exemptions under the Data Protection Act.
I would try to design special statutes which address those specific
areas. In that case, I do not really see a problem with the fact
that the Data Protection Act is not applicable across the board
because that will not be the case in a system like Germany because
special legislation will kick in. How do you define particular
aspects? How do you define national security, for instance, which
is one of the grounds for an exemption? It is very difficult to
phrase that in detailed terms. The Data Protection Act, as it
is, is a very substantial piece of legislation already. If you
try to introduce additional interpretations to make that more
specific and to make the exemptions more workable, that could
double the size of the Act at the end of the day. That is one
of the main problems, the definition of these exemptions, to try
to find language which specifically says under what conditions
there will be an exemption. That is the main problem and that
is where the data protection is quite broad at times and leaves
a lot of flexibility and room for interpretation.
Q767 Baroness Quin: Professor Oliver,
at the beginning you talked about your concerns about sharing
of personal data between departments of government but I wanted
to ask about the sharing of personal data between the public and
the private sectors and how concerned you are about that. Does
that undermine any constitutional safeguards or principles and
is the private sector in some way less constrained than the public
Professor Oliver: There is a concern.
There was an example in the news a few days ago where the social
security department was talking about sharing information with
the power supply companies about which people were on benefits
so it could check that people were on the right tariff, so poor
people got the low tariff. I was rather horrified at the idea
that, without thinking about the implications of disclosing information
to private bodies, particularly about somebody's poverty or their
income level or whatever it was, the sharing of information should
be suggested without evidently the minister in question thinking
it was a peculiar thing to do. I am a bit concerned about the
sharing of information with private bodies and that is just an
example. The government possesses pretty personal information
which we hope they will not abuse, but private power companies
or Tesco might well. It worries me, and it worries me partly that
there does not seem to be a culture in government that sets alarm
bells ringing and asks "is this something we should do?"
Maybe there should be a code somewhere or statutory provisions
to limit that.
Q768 Viscount Bledisloe: I have a
related question about retention of data. We were told that if
the police ask somebody who is on the scene of a crime but is
not a suspect for his DNA or his blood because they want to eliminate
him, unless he actually says at the time "I want that torn
up after you have finished this investigation" it will be
kept forever, or virtually forever, and can be used for other
purposes. Do you think that is the right way around or do you
think he should be asked at the end of the inquiry shall we destroy
it or can we keep it?
Professor Oliver: My own sense is there
should be a presumption that it should be destroyed unless the
person in question specifically agrees otherwise.
Professor Fedtke: I would go one step
further and say not just a presumption that it is destroyed but
a clear timetable when data has to be destroyed, again specific
data and specific instances. DNA is extremely important, sensitive
information. I think there should be a clear rule saying after
one month, after three months, after the close of the investigation.
There should be a clear time line rather than just a presumption
a public authority will do it. There should be statutory provision
which says so.
Q769 Viscount Bledisloe: It may well
be that the inquiry is rolling on forever. I would have thought
they could keep it as long as the inquiry was alive rather than
for a set period of time. Would that not be better?
Professor Fedtke: Absolutely. It depends
on the context. Data is extremely contextual and its importance
in the way you deal with it is relevant. Of course if you have
a criminal investigation which drags on for a long period of time
you would not want data to be destroyed within a month or three
months. Of course you wait for the formal close of that investigation
and then say from that point in time we will ensure that data
is destroyed. Another brief idea here when it comes to the erasure
of data, I would look closely at internal safeguards. Public authorities
should be under a duty to document that data was destroyed or
erased from data bases on a particular day, at a particular time,
by a particular officer so there is a paper trail of what public
authorities do with the data they have retained and are supposed
to destroy. You could add that that particular function, destruction
or erasure of information, is to be placed under the scrutiny
of one particular high-ranking official possibly with a special
legal qualification. You can introduce different levels of control
within the public authority to ensure that destruction of data
Chairman: Can I thank you both for being with
us and for the evidence you have given which is greatly appreciated.