Role of the Information Commissioner

‘(1) The Information Commissioner shall have full jurisdiction over the workings of the Personal Accounts Delivery Authority and the Pensions Regulator.

(2) The Secretary of State must prepare, and keep under review, a code of practice with respect to the disclosure of information relating to pensions by public authorities.

(3) Before preparing or altering the code, the Secretary of State must consult—

(a) any specified public authority;

(b) the Information Commissioner; and

(c) such other persons as the Secretary of State considers appropriate.

(4) A public authority must have regard to the code in (or in connection with) disclosing information relating to pensions.

(5) Nothing in this section applies in relation to any disclosure by a relevant public authority of information whose subject-matter is a matter about which provision would be within the legislative competence of the Scottish Parliament if it were included in an Act of the Scottish Parliament.

(6) The Secretary of State must—

(a) lay a copy of the code, and of any alterations to it, before Parliament; and

(b) from time to time publish the code as for the time being in force.’.—[Paul Rowen.]

Motion made [this day], That the clause be read a Second Time.

I would like to quote from a statement made by the Prime Minister.

And you were doing so well.

I will not go there. The Prime Minister said:

“We will give the Information Commissioner the power to spot-check Departments, to do everything in his power and our power to secure the protection of data. In other words, we will do everything in our power to make sure data are safe.”

That was the statement he made following the very shocking loss of information from HMRC.

What this new clause does is to set up a mechanism for ensuring that the Information Commissioner has a role in protecting data. Over 6 million people will be signing up for personal accounts. The pensions authorities will therefore have a considerable number of personal details about these people, and it is quite important that this information is protected. The code  of practice that this clause sets up will enable a dialogue to take place between the Secretary of State and the Information Commissioner on what sort of changes in attitude the Information Commissioner wishes to see from Departments like the DWP to ensure that data are protected.

Perhaps I should remind members what the House of Commons Justice Committee had to say in its report earlier this year. They pointed out that the Data Protection Act 1998 applies to private organisations and individuals and they can be held criminally liable if data are lost. But it does not currently apply to Government Departments. On 3 January, the Information Commissioner, Sir Richard Thomas, said in response to this that losing data should be a criminal offence. New clause 7 does not introduce that: that presumably will come when the reviews by the chairman of PricewaterhouseCoopers and the Information Commissioner, set up by the Prime Minister, are published.

What this new clause does do—and I think it is an important clause and the sort of clause that should apply to all public bills which grant Government Departments more access to private individuals’ information—is require the Department and other bodies it sets up to think very clearly how that data should be handled. I think that is a fair and reasonable point.

To quote from the Chairman of the Justice Committee, my right hon. Friend the Member for Berwick-upon-Tweed (Mr. Beith), about the scale of the problem at the moment:

“The scale of the data loss by Government bodies and contractors is truly shocking. But the evidence we have had points to further hidden problems. It is frankly incredible, for example, that the measures Revenue and Customs has put in place were not already standard procedure.”

This particular new clause has a requirement that there is a set of standard procedures for handling data loss relating to personal accounts before the pensions authorities actually begin to collect that data. So we are saying very clearly at the beginning that we regard this as vital and so important that we have sought to include the clause in the Bill. I do not see why the Minister cannot support that.

I hope that the review will introduce criminal charges for Departments that lose data, but we are proposing setting a standard and saying that, in future, when the DWP is collecting data—in this case about pensions—there will be clear guidance. People, including the Information Commissioner, will be involved in setting out that guidance, and it will follow from the review that there will be consequences if that personal data is not adequately protected. By having a code of practice, following up the review that the Prime Minister has commissioned and having legislation that makes data loss a criminal offence for Departments, we can provide people with a level of security for their personal data which they are not getting at the moment, and to which I believe they are entitled.

I have no problem with the broad thrust of the hon. Gentleman’s proposal: that the Information Commissioner should be able to cover this, and that the Freedom of Information Act 2000 and data protection  provisions will apply in the normal way. They already do. We do not need this. That is the problem. The Government already have the necessary provisions in place. Indeed, section 44 of the Bill strengthens the sanctions for unlawful disclosure of personal data by staff of the Pensions Regulator. These sanctions will extend to the delivery authority in the event that it is required to handle personal data on the regulator’s behalf. Our view is that the measures in the hon. Gentleman’s amendment will generally replicate safeguards already in place. The Information Commissioner already has powers to oversee the data handling of all present and future data controllers including the regulator, the scheme, and also the delivery authority if it becomes responsible for any personal data.

Under section 51 of the2000 Act, it is the duty of the Information Commissioner to

“promote the following of good practice by data controllers and in particular so to perform his functions under the Act as to promote the observance of the requirements of this Act by data controllers.”

The commissioner has a legal duty which involves promoting the use of codes of practice for data protection, and is keen to be involved in further developing and amending them. It is in fact the commissioner who will do a lot of work to develop those codes.

I was listening with interest to what the Minister said. Is he aware of clause 71 of the Serious Crime Act 2007? It is relevant because my new clause is modelled on it. In other words, in a Bill that has just gone through the House, the Government have put in place very clear and explicit arrangements—in this case the code of practice for disclosures of information to prevent fraud. The Home Office has said very clearly that it will draw up a clear code of practice in conjunction with the Information Commissioner. It is not just relying on existing legislation, it is actually making a clear statement. If that is Government policy in the Home Office, does the Minister not accept that there is a very clear case for doing it here, which is what our amendment seeks to do?

The problem is that in respect of the area we are now covering—the pensions legislation and the bodies it is setting up—the Pensions Regulator and the DWP already have documents which are effective codes of practice. We work closely with the Information Commissioner in ensuring that they give full coverage. I say very clearly to the hon. Gentleman that we are satisfied, and the advice I have been given is, that PADA, the Personal Accounts Board that we are setting up, the Pensions Regulator and the Department are already covered. We do not need the new clause. Further, we have consulted the Information Commissioner; he has indicated that he is not seeking a statutory code of practice on the matter in addition to what he already has.

In effect, the Liberal Democrats are offering something that is not only covered by existing legislation but is not particularly wanted by the Information Commissioner. On that basis, I hope that the hon. Gentleman is duly reassured that what he is seeking to do is not in dispute—in the broad thrust at  least, although I might quarrel with some of the detail. The broad thrust is not in dispute and is already covered. If the hon. Gentleman looks at the detail, he will find that what he seeks is already, generally, going to happen.

I listened carefully to the Minister and cannot say that I am reassured, because the DWP’s record in the area is hardly exemplary.

What record is the hon. Gentleman referring to? HMRC is not part of the DWP, but of a different Department. I am not sure what his “record” of the DWP specifically is. There have been one or two issues, but they have not been on the scale that he seems to be alluding to.

The Minister is aware of the data found on the roundabout in Torbay. I regard any loss of data, whether on 1 million people or on 10, as a serious issue. My view is that, yes, there are codes of practice across Government as a whole that are not operating to the level of security that they should be. Accepting that, I am more reassured by what the Information Commissioner said and I am sure that when we get the Prime Minister’s review we will have a further opportunity to pursue the matter. Therefore, I beg to ask leave to withdraw the motion.

Motion and clause, by leave, withdrawn.