Pension Credit and Personal Expense Allowance (Duty of Consultation and Review) – in the House of Commons at 5:41 pm on 24 March 2009.
I beg to move, That the clause be read a Second time.
With this it will be convenient to discuss the following:
New clause 38— Failure by a government department or public authority to comply with an assessment notice
'(1) If a government department or public authority has failed to comply with an assessment notice the Commissioner may certify in writing to the court that the public authority has failed to comply with that notice.
(2) Where failure to comply is certified under subsection (1), the court may inquire into the matter and, after hearing any witness who may be produced against or on behalf of the government department or the public authority, and after hearing any statement that may be offered in defence, deal with the failure to comply as if it were a contempt of court.'.
Amendment 23, clause 153, page 98, line 20, leave out 'within subsection (2)'.
Amendment 78, page 98, line 24, at end insert—
'(1A) If a data controller has failed to comply with an assessment notice as requires steps to be taken, the Information Commissioner may certify in writing to the court that the government department or public authority has failed to comply with that notice.
(1B) For the purposes of this section, a data controller which, in purported compliance with an information notice—
(a) makes a statement which it knows to be false in a material respect, or
(b) recklessly makes a statement which is false in a material respect, is to be taken to have failed to comply with the notice.
(1C) Where a failure to comply is certified under subsection (1A), the court may inquire into the matter and, after hearing any witness who may be produced against or on behalf of the public authority, and after hearing any statement that may be offered in defence, deal with the authority as if it had committed a contempt of court.
(1D) In subsections (1A) to (1C), "the court" means the High Court or, in Scotland, the Court of Session.'.
Amendment 24, page 98, leave out lines 25 to 29.
Amendment 133, page 98, line 25, leave out from second 'is' to end of line 29 and insert 'not an excluded body'.
Amendment 79, page 99, line 19, at end insert—
'(6A) Non-compliance with any assessment notice will be treated as a contempt of court.'.
Amendment 80, page 101, line 6, leave out 'without the approval of the Secretary of State' and insert
'until the code has been approved by a resolution of each House of Parliament'.
Government amendment 25
Amendment 81, clause 155, page 109, leave out lines 7 and 8 and insert—
'(4) The code must not be issued by the Commissioner until a statutory instrument containing the draft code has been approved by a resolution of each House of Parliament.'.
Amendment 82, page 109, line 10, after 'must', insert 'not'.
Amendment 83, page 109, line 13, after 'is', insert 'not'.
Amendment 84, page 109, leave out lines 21 to 27.
Amendment 85, page 109, line 30, after 'under', insert 'annual'.
Government amendments 152 and 153
Amendment 86, schedule 18, page 183, line 1, leave out sub-paragraph (2) and insert—
'(2) In subsection (1) for "he may serve" to the end substitute "he may serve the data controller, or a data processor, with a notice (in this Act referred to as an 'information notice') requiring the data controller, or data processor, to furnish the Commissioner with specified information relating to the request or to compliance with the principles."'.
Amendment 87, page 183, line 5, after '(1)', insert
'"data processor" refers to a third party handling data on behalf of—
(a) a government department, or
(b) a public authority designated for the purpose of this section by an order made by the Secretary of State, other than an excluded body, as set out in section 41A(12);'.
Amendment 88, page 185, leave out line 21.
In addition to new clause 19, which stands in my name and those of my hon. and learned Friends the Members for Beaconsfield (Mr. Grieve) and for Harborough (Mr. Garnier) and my hon. Friends the Members for Enfield, Southgate (Mr. Burrowes), for Epping Forest (Mrs. Laing) and for Crewe and Nantwich (Mr. Timpson), I plan to discuss our amendments 78 to 88. I also want to comment on Government amendment 25.
Our new clause 19 would remove the immunity of Government Departments from prosecution, because the Government's record on handling, storing and transporting confidential data is appalling. I am afraid that the Ministry of Justice is one of the worst offenders. A computer hard drive containing the details of up to 5,000 employees of the National Offender Management Service in England and Wales was lost by the private firm, EDS. Despite the loss having occurred in July 2007, the Justice Secretary was not told until September 2008. In August last year, the names and addresses, details of convictions and even jail release dates of almost 130,000 people were lost when a computer memory stick went missing. It was being used by an employee of a private contractor working for the MOJ. The Information Commissioner said at the time that the data were a "toxic liability", and described the loss as "deeply worrying".
The Ministry of Defence is another serial offender. Some time ago, the Defence Secretary of the time was forced to revise upwards the estimate of the number of laptops stolen from his Department in the previous four years from 347 to 658. Furthermore, in January last year, the then Defence Secretary revealed that an MOD laptop, which contained the details of 600,000 people, had been stolen from the boot of a naval officer's car in Birmingham. The computer contained unencrypted lists of names, addresses, bank and driving licence details, national insurance and national health service numbers and so on—an appalling security lapse.
In 2007, Her Majesty's Revenue and Customs had the so-called discgate scandal, in which 25 million records were lost. In November that year, the Chancellor of the Exchequer admitted that two CDs containing child benefit data had been lost in transit to the National Audit Office. Also in November that year, HMRC lost the personal details of 15,000 Standard Life pension holders, after a CD was lost in transit by an external courier.
Many other Departments have lost data, including the Department of Health, the Department for Work and Pensions and the Department for Communities and Local Government. Many of the subsequent inquiries revealed lax security procedures, confused chains of command and, above all, no proper accountability. Many Departments have a serious cultural problem, which is simply not being addressed.
Last year, the Secretary of State for Energy and Climate Change, who was then the Minister for the Cabinet Office, amid great fanfare launched new guidelines called "Data Handling Procedures". He promised
"a culture that properly values, protects and uses information".—[Hansard, 25 June 2008; Vol. 478, c. 26WS.]
He also announced stronger accountability mechanisms within all Departments, but unfortunately those changes have delivered no substantial improvements. In fact, they have delivered little. Proper sanctions are needed. The Bill contains no sanctions, and we feel strongly that immunity of Departments from prosecution should be removed. Only by applying such sanctions will permanent secretaries and civil servants make the prevention of loss of data a key priority. We need to send a strong signal to all Departments and agencies that cavalier and unprofessional attitudes to our personal data and privacy will not be tolerated. I hope that the Minister will accept our new clause.
I turn to our amendments 78 and 79. Amendment 78 is almost identical to new clause 38, which was tabled by the hon. Members for Hendon (Mr. Dismore) and for Oxford, West and Abingdon (Dr. Harris). The official Opposition, and particularly my hon. Friend the Member for Epping Forest, have said for some time that it is essential that the Information Commissioner be given more power to control and monitor holders of data. That is why we support the principles behind clause 153. However, the clause has one glaring gap, as it does not provide any enforcement powers. If the assessment notice is made, and its subject refuses to comply, the Bill does not allow for any immediate sanction.
Under our amendments 78 and 79, the Information Commissioner will be able to go to the county court, which must decide whether the assessment notice was properly issued, and whether there was a reasonable excuse for non-compliance. If the court decides for the commissioner, it will order the data controller to comply with the assessment notice. Failure to do so will result in the data controller being in contempt of court. We feel strongly that there is no point having an assessment notice regime without proper sanctions for non-compliance. As Sir Mark Walport and the Information Commissioner, Richard Thomas, said in their submission to the Committee:
"There are also no meaningful sanctions for failure to comply with the requirements of an Assessment Notice: this needs strengthening in order for it to be taken seriously."
I hope that the Minister will accept amendments 78 and 79.
I am grateful to the hon. Gentleman for his comments about new clause 38. As he says, the Information Commissioner recommends such a proposal. The sanction comes at the end of a long chain of warnings and efforts to ensure compliance. If we get to the end of that long chain, something has obviously gone seriously wrong. Some effort is required to make compliance happen, and a contempt of court order can be absolved by compliance.
I am grateful to the hon. Gentleman for making that point, on which he can expand when he makes his speech.
Amendments 80 to 85 relate to clause 155, which sets up the data-sharing code of practice. They would ensure that there is an affirmative resolution of both Houses before the commissioner issues the data-sharing code. Given that the Secretary of State is removing the key data-sharing provision, clause 154, from the Bill, why is it necessary to have a data-sharing code? Is that not a little suspicious and illogical? Surely the Secretary of State's credibility in the matter would be reinforced if he also withdrew clause 155; otherwise, people will conclude that if the power to set up a data-sharing code is left in the Bill, the Government will return at some stage with their totally unacceptable data-sharing proposals. However, if the Secretary of State does decide that the data-sharing code proposals must stay in the Bill, surely it makes sense to accept our amendments 80 to 85.
I turn to our amendments 86 to 88. In Committee, we discussed at length the apparent anomaly that the assessment notice regime applied to the public sector only. May I refer again to the submission to the Committee by Sir Mark Walport and Richard Thomas, the Information Commissioner? The submission pointed out:
"As we stated in the report, distinguishing between public, private and voluntary sectors makes little sense, especially as more information is shared across sectors whose boundary lines are forever shifting."
The Information Commissioner went on to say:
"Private and third sector bodies frequently carry out work for public sector ones. It is common for charities, for example, to carry out functions on behalf of local government. As it stands, we could inspect the local council but not the charity."
I argued in Committee that as a consequence of the private sector's ever greater involvement with Government Departments, agencies and local government, there was an increased blurring of the barriers between the public and private sectors. I gave a couple of examples. The Crown Prosecution Service and the Solicitor-General have a large contract with what was LogicaCMG that covers the provision, support and maintenance of hardware and software applications used by the CPS, including the management of a number of large databases such as the witness management system and the graduated fee scheme for counsel.
Another example relates to the Department for Business, Enterprise and Regulatory Reform, which manages a large number of public sector databases but also has a number of private sector contractors. In fact, of its 166 databases, 75 are maintained by the Department but 90 are run by private sector contractors. Obviously, there is substantial blurring between the two sectors. Amendments 23 and 24 would bring the private sector into the assessment notice regime. The Minister has argued that such an extension to the private sector would place extra burdens on business and conflict with the Hampton principles. My party believes passionately in reducing the burdens on business, so it is hard to ignore the Minister's concerns; she also raised various points about powers of entry. She feels that a more co-operative approach between business and the Information Commissioner would be desirable.
However, I submit that there is a compromise solution. Amendments 86 to 88 would extend the less severe and substantially less burdensome information notice regime to the private sector. Crucially, the information notices in schedule 18 do not confer powers of entry, so why does the Minister not accept the amendments as a way to extend the Information Commissioner's powers to the private sector in a much less onerous manner? I urge the Minister to accept that argument. She has said clearly that she does not want the assessment notice regime to be extended to the private sector, and she has given her reasons for that, but surely our compromise solution would make a great deal of sense.
I turn to Government amendment 25. We argued in Committee as powerfully as we could that clause 154—it was clause 152 at the time—should be deleted. In response, the Minister gave numerous reasons why the clause was needed. We had a vote and lost it. Then we heard that the Government were in the process of climbing down—unfortunately, that was announced in the Sunday press, rather than in Committee or on the Floor of the House. The Secretary of State then tabled his amendment.
For the record, and as the hon. Gentleman will know, I said clearly in response to the Committee debate that the clause was too wide and that we would reflect on the debate and look at it again.
I am grateful to the Minister, and I do not want to be churlish. We had a vote and the clause stood part of the Bill when we came out of Committee, and we felt that we had to vote against it at the time. We are delighted that we helped win the argument and feel vindicated, and we should not be churlish. However, our relief and joy is coloured and tinged by our ongoing and grave concerns about the Government's record and policy on data.
I mentioned earlier the Government's appalling record on storing and handling data. We are concerned not only by the Government's incompetence; of far greater concern are the fundamental flaws in their entire data policy. Only today we heard reports that ContactPoint, the Government's child protection database, is in disarray. It was designed to help protect Britain's 11 million children, but its launch has been delayed again after local authorities discovered loopholes in the system that was to hide the details of the most vulnerable young people in this country. ContactPoint has been described as almost entirely illegal by the Joseph Rowntree Reform Trust, and a spokesman for the Department for Children, Schools and Families said that it was working to resolve the problem.
You couldn't write the script, and it gets worse. A recent report by Ross Anderson, professor of security engineering at Cambridge, concluded that at least 11 of the Government's databases could be illegal. He went on to point out that the Government are spending a staggering £16 billion a year on data gathering and plan to spend another £105 billion on it in the next five years. Furthermore, almost every one of those database projects has signally failed to remain on budget.
In 2002, the then Prime Minister Tony Blair launched Connecting for Health, a massive £6.2 billion database for medical records; since then, the costs have more than doubled to £12.7 billion, two of the four contractors have pulled out and the launch has been put back to 2015. At the time, the then PM said:
"If I live in Bradford and fall ill in Birmingham, I want the NHS to be able to treat me".
However, as Ross Clark, author of "The Road to Southend Pier: One man's struggle against the surveillance society" said, thank goodness Mr. Blair did not fall ill in Stafford. As the Healthcare Commission made clear in its report, it was the Mid Staffordshire NHS Foundation Trust's obsession with targets and data that critically undermined clinical judgment and the treatment of patients. The problem is that time and again the Government's default position when faced with a crisis is to announce yet more databases and more infringements on our civil liberties.
There is no doubt that there is a serious terrorist threat in this country, but the Government's response to the
Only yesterday morning, the Minister of State, Ministry of Justice, Mr. Wills, was opining in an extraordinary manner on the Sean Hodgson case. He pointed out that Mr. Hodgson would never have been released or won his freedom if it were not for DNA testing and databases. Of course Mr. Hodgson was released only because of DNA testing, but that had absolutely nothing to do with DNA databases; all that was needed was one DNA sample from him that did not match any of the key exhibits. The right hon. Gentleman was getting completely carried away. The problem is that when it comes to a crisis, the Government's default position is to react in the only way they know: to announce yet further extensions of databases.
I should like to quote from the former Director of Public Prosecutions, Sir Ken Macdonald, who was referring to the proposed communication database when he said:
"We need to take very great care not to fall into a way of life in which freedom's back is broken by the relentless pressure of a security state."
Of course we welcome the Government's withdrawal of clause 154. However, as I mentioned, our joy is tempered and coloured by that appalling catalogue of failings. We need not only a cultural change, but a fundamental change of Government. We welcome what the Government have done, but there is still a long way to go.
As Mr. Bellingham intimated, the most important amendment in this group is amendment 25. The hon. Gentleman gloated a little, so perhaps I will be allowed to: I was glad that one of my amendments—the one to remove clause 154—had been signed not only by the representatives of the Joint Committee on Human Rights, but by the Government. I am glad that they have promoted my modest amendment into Government amendment 25.
The Government are entirely right to withdraw the data-sharing proposals, which were far too broad for the problem that they were meant to solve. As Ministers repeatedly said, some data sharing can be beneficial. No one denied that; the question was about the power that had been created to deal with that particular point. The Bill proposed—and continues to propose until amendment 25 goes through—to allow orders from the Secretary of State to permit data sharing between any people anywhere in the world, for the purposes of furthering any Government policy. The orders were capable of overriding the Data Protection Act 1998, the Human Rights Act 1998 and any other relevant legislation. That final point, especially the possibility that the data-sharing orders would override the Data Protection Act, was the key problem and the point at which the Government rightly decided to give way. Clause 154—or clause 152, as it was—was never proportionate and never had adequate safeguards.
The hon. Member for North-West Norfolk is right to point to the context—one in which Governments collect vast amounts of data and then use them badly, incompetently or in many cases, as Ross Anderson from the university of Cambridge observed, illegally. The Government need to be aware of that context when they return to the data-sharing proposal. As I understand it, they intend to do that not in this Bill but at a later point. I urge them to consult properly, not only with the usual suspects but with all the organisations that felt deeply that clause 152—now clause 154—was the wrong way to go, including the British Medical Association and all the Opposition parties. Otherwise, their next attempt to write a clause to do with data sharing may well turn into a colossal waste of time, as this one has proved to be.
With that small amount of gloating over, let me turn to the amendments.
More gloating!
The hon. and learned Gentleman requests more, but I am sure that that is enough for the time being.
I want to speak briefly to amendments 23 and 24, which are similar to amendment 133, tabled by members of the Joint Committee on Human Rights. As the hon. Member for North-West Norfolk said, they seek to extend to the private sector the Information Commissioner's new inspection powers under the new assessment notice procedure. As things stand, assessment notices have two problems, the first of which—it was mentioned by Mr. Dismore—is that there is no enforcement mechanism for the new assessment notices. The obvious way to solve that is the application to court route, because that is more challengeable and more open than a warrant route. I therefore support amendments, such as new clause 38, which attempt to change that situation.
The other problem addressed by the amendments is the coverage of the assessment notice system. For reasons that remain obscure, but which might have had something to do with the lobbying by the CBI and business interests that broke out when my hon. Friend Jenny Willott and I moved amendments in Committee, the assessment notice procedure is confined to the public sector, and even within that it is confined to directly controlled organisations and does not cover even private organisations carrying out public functions under contract. That is unacceptable. Private organisations control vast amounts of data, and there is constant concern about how they use them. The Information Commissioner is clear that there are more complaints about the use of data by private sector organisations than use of data by the public sector. Sometimes the Government's defence in response to examples of their incompetence in dealing with data such as those cited by the hon. Member for North-West Norfolk is to say, "Well, the Government are no worse than the private sector at this sort of activity." That is a somewhat feeble defence, but it illustrates the point that these problems are not confined to the public sector.
As I understood it in Committee, the Government's case for leaving out the private sector is that it collects data voluntarily, which makes it different from the public sector in that regard. I cannot accept that, for three reasons. First, there are the reasons given by the hon. Member for North-West Norfolk, which are dealt with in amendments 87 and 88. There are many examples of private organisations working under contract to the Government and which have collected information from the Government that the Government got on a non-voluntary basis.
Does my hon. Friend agree that the number of people who are getting caught out by that is increasing? For example, people who are facing unemployment in the current economic crisis have had their information passed to private sector companies for assistance with getting back into work. Given that they number 2 million and rising, every day there are more and more people whose data, not voluntarily given, has been passed to the private sector.
Yes, that is the case. One has to take into account the interaction of different Government policies. The more the Government want to use the private sector and the voluntary sector to a greater extent in the delivery of services, the worse the problem will get.
The second reason I do not accept the Government's point is illustrated by the recent controversy about Google Street View, where Google supplements its maps with photographs of every house and building in many towns and cities. That demonstrates that private organisations, even when acting purely as such and not working for the Government, do not confine themselves to data they acquire voluntarily. My house is on Street View; Google did not ask me about it, and I am sure that it did not ask anybody else.
Thirdly, what worries people about data is what can be done with them, especially data they gave voluntarily at some point in the past without realising how they could be used at some future point—for example, data about which websites someone has visited or which products they have bought from a shop. Bringing all those forms of data together using sophisticated data-mining techniques and analysis can reveal vast amounts about people that they did not intend to reveal, even though technically they voluntarily allowed the data to be handed over to private organisations.
Liberal Democrat Members think that there is an overwhelming case to extend the scope of the assessment notice system beyond the public sector, as narrowly defined. That view is also taken by the Information Commissioner. After all, the assessment notice system introduced by the Bill is a very gentle form of preventive intervention, not the full panoply of the law. Given that, and given the other options that the Information Commissioner has, there is a strong case for the broader extension of these powers. I urge the Government to resist the lobbying that has been going on and to look at the point of principle from the position of ordinary members of the public who are worried about what is being done with the data they handed over.
I rise briefly to speak to the two amendments tabled in my name and those of the hon. Members for Hendon (Mr. Dismore) and for Ealing, Southall (Mr. Sharma), as members of the Joint Committee on Human Rights. As we have heard, amendment 133 is analogous to amendments 23 and 24.
The CBI told the Public Bill Committee that there were not sufficient safeguards to protect the privacy of individual data controllers in the private sector, but we concluded, after examination, that the safeguards already in the Bill are significant; indeed, they provide greater protection than other compulsory powers of entry, search and seizure in the Bill. For instance, an assessment notice must specify the time at which a search or other inspection will take place and the time within which an individual data controller must comply. Rights to appeal against the term of any notice are provided, and there is express protection for legally privileged material. Those are all safeguards that we had called for in respect of other Bills when the Government had said that they would put them only in secondary legislation. In this case, they are in the Bill and yet the CBI is still concerned.
We thought that the CBI's objections were insufficient, and possibly even invalid, and reinforced the point, which has just been made, that there is a significant amount of contracting out of public functions to private data controllers. There should therefore be no exemption or lower degree of protection in respect of the powers of the Information Commissioner in those cases, at the very least. I would be grateful if the Minister addressed those arguments.
Our other point relates to new clause 38. The Information Commissioner has called for the power of sanction, and we consider the additional powers for the commissioner to be a human rights-enhancing measure. We noted the Government's view that it would be unusual for a Department or other public body to ignore an assessment notice or fail to comply with its terms, but there is no reassurance in the Bill that that will not be the case, which is why we tabled the new clause. I hope that the Minister will respond to that point.
I am speaking a little sooner than I expected, but there we are. I begin with Government amendment 25, which is at the heart of this grouping on data sharing and data protection, and the associated consequential amendment 153. They will remove from the Bill the power to establish new information-sharing gateways by secondary legislation. The proposal in clause 154 for information-sharing orders stemmed from a recommendation of the independent data-sharing review, conducted by the commissioner, Richard Thomas, and Sir Mark Walport, the director of the Wellcome Trust. They recommended changes to the legal framework for data sharing, in part to support better public service provision. To counterbalance that power, the review recommended that there should be a transparent and consistent mechanism ensuring greater scrutiny while reducing the scope for confusion.
Following the spirit of those recommendations, clause 154 included a raft of safeguards to ensure an appropriate level of public and parliamentary scrutiny. However, in Committee and elsewhere, we heard and understood the concerns that hon. Members and others expressed about the information-sharing gateway proposal, including that the power was open to misuse. It is important to make it clear that it was never the Government's intention to allow indiscriminate information sharing, regardless of any protections set up by the Data Protection Act.
After a thorough consideration of the views expressed by Members of this House and by such outside organisations as the British Medical Association, which I met to discuss this very point, we have concluded that a more in-depth analysis of the features of an information-sharing power was needed. It is therefore right that we withdraw clause 154 from the Bill while we undertake that further work. That is a good example of how scrutiny in this place works, and although those who spoke for the Opposition parties had a small go at gloating, they did not go overboard. I appreciate that and I am grateful to them. We accept the humble pie that they proffered to us.
The Government are clear that there are many benefits to sharing data, as I said in Committee. To deliver high-quality public services, Departments need to share personal information in a secure and appropriate fashion. Through such data sharing we can improve opportunities for the most disadvantaged, provide customer-focused public services, reduce the burden on businesses, implement policies effectively and detect fraud. We do not underestimate the risks attached to information sharing, nor will we let them blind us to the potential benefits. I assure the House that in taking the matter forward we will consider carefully the views expressed by all interested parties.
The other Government amendment in this group, amendment 152, requires a brief explanation. New section 41A of the Data Protection Act 1998, inserted by clause 153 of the Bill, provides the Secretary of State with the power to designate, by order, those public authorities subject to the assessment notice regime. As our published delegated powers memorandum makes clear, we intended that that order-making power be subject to the negative resolution procedure. However, owing to an oversight we omitted to amend section 67 of the Data Protection Act, which determines the level of parliamentary scrutiny for all delegated powers in that Act. The amendment makes good that omission.
Let me now move on to the other amendments that relate to assessment notices. They deal with three issues: the scope of the assessment notice regime, the sanctions for non-compliance and their relationship with civil penalties under section 55A of the Data Protection Act. Amendments 23 and 24, in the name of David Howarth, and amendment 133, tabled by my hon. Friend Mr. Dismore, deal with scope. Assessment notices constitute an important step towards improving public trust and confidence in the handling of personal information by public sector data controllers. They will create a formal system based upon the current arrangement of spot checks undertaken on Government Departments by the Information Commissioner, which aim to raise the awareness and compliance of public bodies with data protection principles.
Clause 153 represents the statutory base for the commitment made by the Prime Minister in November 2007, after the loss of the data from Her Majesty's Revenue and Customs to which Mr. Bellingham referred, to provide the Information Commissioner with the power to spot check Departments. That power is therefore a specific answer to a specific issue. As the clause stands, it is already possible to include certain private or third sector data controllers within the scope of assessment notices. That would be in cases where those data controllers appear to the Secretary of State to exercise functions of a public nature, or are providing, under a contract made with a public authority, any service whose provision is a function of that authority.
There are sound arguments for applying a higher level of scrutiny to public sector bodies. Data controllers in the public sector handle a variety of sensitive personal information that is necessary to fulfil their responsibilities, such as providing health and social services, fighting crime, and detecting fraud. Most of the information handled by public sector data controllers, or those working on their behalf, is vital to determine entitlements, responsibilities, and obligations. That citizens must provide their personal information to access essential services is, in this context, a defining feature of the relationship between the citizen and the public authority.
For the private sector, the ability of the public to choose to go somewhere else is a powerful driver, encouraging businesses to look after personal information. Extending assessment notices to the private sector could, as a result, act as a significant additional regulatory burden. While I remain to be persuaded of the case for applying the assessment notice regime to all data controllers, we will continue to consider the points made by the Information Commissioner and by some Members of this House in support of those amendments. However, any move to include all data controllers within the scope of assessment notices would need to be carefully considered. We consider that clause 153 strikes a fair balance between the need to enhance the Information Commissioner's powers and the potential impact of those changes in view of the wider regulatory framework.
Amendments 78 and 79 and new clause 38 deal with the issue of non-compliance. Specifically they seek to deal with non-compliance with an assessment notice as if it were a contempt of court. Again, I remain to be persuaded that a bespoke sanction for non-compliance with an assessment notice is needed. In practice, it is difficult to envisage a public sector body refusing to comply with an assessment notice, considering the bad publicity that would ensue from such a notice. That said, the Information Commissioner made it clear that he would like some kind of penalty or sanction for refusal to comply.
Of course, the Information Commissioner already has a range of enforcement powers available to him for a failure to comply with the Data Protection Act. Information notices can be used alongside assessment notices if he reasonably requires information to assess compliance with data protection principles. If he discovers a breach of those principles during an assessment, he can issue an enforcement notice to compel the data controller to comply with data protection obligations. He also has powers to apply for a search warrant under schedule 9 to that Act. Arguably, any greater powers would be disproportionate and inconsistent with broader Government policy about the investigatory powers of regulators. Again, however, I am prepared to reflect carefully on the arguments that have been made as the Bill makes further progress.
Amendment 88 would remove the proposed exemption from liability for a civil monetary penalty for serious breaches of the data protection principles in cases where information about such a breach comes to light following the issue of an assessment notice. Those monetary penalties, which are provided for in section 55A of the Data Protection Act, will apply in cases of deliberate breach and when a data controller is aware that there is a risk of serious breach but fails to take reasonable steps to prevent it.
By contrast, as I have indicated, assessment notices are a valuable tool to raise compliance levels and to educate public bodies that are being assessed. That is why they do not require the existence of suspicion of non-compliance, or actual non-compliance, with the data protection principles. They are random spot checks. Given the nature of the assessment notice regime, we do not consider it appropriate for information gathered through that process to render a data controller liable to a civil monetary penalty. In any case, the commissioner can still employ his other enforcement tools as and when required throughout an assessment. For example, if he discovered a breach of the Data Protection Act during an assessment, he could still take enforcement action. As I have said, he could issue an enforcement notice under section 40 of that Act.
New clause 19 would limit the existing Crown immunity under the Data Protection Act so that Government Departments would be open to prosecution under it. As the hon. Member for North-West Norfolk will know, Crown immunity means that emanations from the Crown are not ordinarily liable to prosecution for offences created either in statute or in common law. That includes Government Departments, and the limitation on the prosecution of Departments includes the offences in that Act.
That is not to say, however, that Departments are not subject to adequate sanctions for breaches of data protection principles. They can still be subject to enforcement notices, claims for damages in a civil court or civil monetary penalties. That last point is particularly important because it means that financial penalties can be imposed on Government Departments. That range of other sanctions and penalties is sufficient for me to remain unconvinced that disapplying the normal rules on Crown immunity would make any material difference.
Amendments 80 to 84 would make the Information Commissioner's codes of practice on assessment notices and data sharing subject to the affirmative resolution procedure. The assessment notice code of practice is not subject to any parliamentary procedure, whereas the data-sharing code is subject to the negative resolution procedure. Given the scope of those codes, I believe that we have probably got the level of parliamentary scrutiny right. They are not on a par with, for example, the codes of practice issued under the Police and Criminal Evidence Act 1984. However, if we have misjudged the level of scrutiny for those two codes of practice, I am pretty confident that the Delegated Powers and Regulatory Reform Committee in the other place will be quick to tell us that. We will, of course, consider carefully any recommendations that it makes.
Amendment 85 would require the Information Commissioner to conduct an annual review of the data sharing code of practice. The Bill already obliges the commissioner to keep the code under review, and he is required to update it if he becomes aware that its content could result in the UK being in breach of any of its community or international obligations. My concern is that the amendment could prevent the code from being revised quickly once a breach has been identified. It might be a little too rigid in calling specifically for an annual review. The Bill will give the Information Commissioner scope to reconsider and review the code as and when he sees fit. We believe that that is right, given that his role as the independent data protection regulator is to provide the most up-to-date guidance to facilitate data controllers' compliance with the Data Protection Act.
Finally, amendments 86 and 87 deal with information notices. Section 43 of the Data Protection Act provides the Information Commissioner with the power to issue a data controller with an information notice. That can require a data controller to provide the commissioner with specified information in a specified form, to assess compliance with the data protection principles. The commissioner can issue a notice to any data controller as long as he reasonably requires information to determine their compliance. Failure to comply with an information notice is a criminal offence. The amendments would extend the commissioner's power to issue an information notice to data processors as well as data controllers. The meaning of a data processor is limited to those handling data on behalf of Government Departments and designated public authorities.
The structure of the Data Protection Act places the responsibility for personal information on the data controller, not the data processor. Introducing a power to serve a notice on a data processor could shift the regulatory balance of the Act. All data being processed by or on behalf of an organisation must be covered by the data controller's registration. It is the responsibility of the data controller to obtain the information that the commissioner requires. I fear that the amendments would represent a significant change to the data protection regime, so the matter might be better suited to consideration in the review of the European directive that is under way. I therefore hope that the Opposition will not press those amendments.
The hon. Member for Cambridge expressed concern about the Information Commissioner and Google Street View. I have to say that I could not find my street on it, but that might be because I am sometimes technologically illiterate when it comes to such things. I understand that the commissioner is keeping the situation under review, and of course anyone can request to have their image removed. I understand that Google is quite surprised by how few people have so far asked to have their image removed, but that is another matter.
Has the Minister asked the Information Commissioner to consider the implications for public services of some of the issues that have arisen from Google Street View? I know that it has been online for only a couple of days, and I have to confess that it is quite intriguing to play with, but I understand that in one case, a woman fleeing domestic violence was photographed outside her new house. There are therefore implications for the police, councils and so on. Has she asked the commissioner to look into that?
The hon. Lady makes a good point, and she is quite right. Although it may be fun playing about with these things on computers, there are potentially sensitive issues attached to them. I shall certainly ensure that the Information Commissioner takes up that point when he reviews the situation.
I wish to respond to some of the points that the hon. Member for North-West Norfolk made. He asked why we needed a data-sharing code of practice if we are dropping the data sharing order-making power. Of course, the code will be wider than the order-making power and contain practical guidance on the sharing of personal data and other guidance that promotes good practice in data-sharing. It will ensure that the availability of practical and up-to-date guidance about how to share personal data is in accordance with the requirements of the Data Protection Act.
The hon. Gentleman also asked about extending information notices to the private sector and suggested that his amendments might be seen as a compromise. Information notices already extend to private sector data controllers because they can be served on any data controller. I hope that that answers those points.
Although I cannot commend any of the amendments that my hon. Friend the Member for Hendon, and the hon. Members for North-West Norfolk and for Cambridge have tabled, I want to offer an assurance. We will continue to listen carefully to the arguments for extending the scope of assessment notices and providing some form of sanction for non-compliance. I do not want to raise expectations, but I also do not want to give the impression that clause 153, as drafted, represents the last word on the matter. I hope that, if and when we make further changes to that provision, the hon. Member for North-West Norfolk will remember that I said it here first.
We are sorry to learn that the Under-Secretary of State for Justice, Maria Eagle, is not well. She has an inner ear infection—anyone who has had one knows how incredibly painful and horrible it is. We therefore wish her a speedy recovery and speedy return to her place in the Department.
The Minister has given her usual courteous and effective explanation of the Government's position. I accept her comments about Government amendment 25 and we are grateful for her remarks. Furthermore, her response to the new clause and amendments that we tabled was reasonably encouraging. There will be ample opportunity to revert to those matters in another place. We have a top Tory legal team in the Lords and they will revert to the issues. I am sure that they will be encouraged by her comments, and I therefore beg to ask leave to withdraw the motion.
Clause, by leave, withdrawn.