Friday, 23 January 2009

Coroners and Justice Bill: Crime and Data Protection Research paper 09/06, 22.1.2009 Clause 152 only.

B. Information sharing

At least in so far as data protection is concerned, clause 152 contains the most

controversial measures of the Bill. While some reports have suggested that the clause

would remove the barriers to the bulk sharing of personal data across government

departments, it would be more accurate to say the barriers would be lowered (albeit

significantly) – and with some in-built safeguards.

 

The Government has, for some years,272 been developing a strategy on data-sharing

across government departments – motivated as a means of providing more efficient and

accessible public sector services. Data sharing represents a significant arm of the

“Transformational Government” strategy published by the Cabinet Office in November

2005 (Cm 6683) which comments: “Modern government – both in policy making and in

service delivery – relies on accurate and timely information about citizens, businesses,

animals and assets. Information sharing, management of identity and of geographical

information, and information assurance are therefore crucial.” It further observes: “data

sharing is integral to transforming services and reducing administrative burdens on

citizens and businesses. But privacy rights and public trust must be retained. There will

be a new Ministerial focus on finding and communicating a balance between maintaining

the privacy of the individual and delivering more efficient, higher quality services with

minimal bureaucracy.”273 A Transformational Government Implementation Plan was

subsequently published in March 2006.274 In July 2008 the Cabinet Office published its

second annual progress report on Transformational Government.275 One obvious

impediment to increased data sharing is the second data protection principle, repeated

below:

 

Personal data shall be obtained only for one or more specified and lawful

purposes, and shall not be further processed in any manner incompatible with

that purpose or those purposes.276

 

Although the Data Protection Act 1998 (DPA) provides for a number of exemptions and

exceptions to this, few of which are blanket in nature,277 greater comfort to would-be

information sharers can be provided by legislation. Recent examples of data sharing

powers can be found in, among others, the following:

 

Digital Switchover (Disclosure of Information) Act 2007

271 Coroners and Justice Bill: A commentary from the Information Commissioner’s Office – Second Reading

26 January 2009, Information Commissioner’s Office, 22 January 2009

272 Privacy and Data Sharing, Performance and Innovation Unit, April 2002

273 Transformational Government, Cabinet Office, Cm 6683, November 2005

274 Transformational Government – Implementation plan, Cabinet Office, March 2006

275 Transformational Government Annual Report 2007, Cabinet Office, 16 July 2008

276 Data Protection Act 1998, Schedule 1, Part I

277 Not even national security: see Tolley’s Data Protection Handbook, 4th Edition, 2006, chapter 20.

 

 

 

 

 

 

107

Serious Crime Act 2007

Education and Skills Bill 2007-08

Pensions Bill 2007-08

Counter-Terrorism Bill 2007-08

 

Clause 152 of the Coroners and Justice Bill would obviate the need for primary

legislation to enable personal data sharing, providing instead a secondary legislation

route. It inserts a new Part (5A) on information sharing in the DPA. In particular, a new

section (50A) would enable Ministers to make “information-sharing orders” enabling “any

person” to share information which consists of or includes personal data. Quite what

constitutes personal data is the subject of ongoing debate,278 but it is defined in section 1

of the DPA as follows:

 

“personal data” means data which relate to a living individual who can be

identified—

(a) from those data, or

(b) from those data and other information which is in the possession of, or is

likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of

the intentions of the data controller or any other person in respect of the individual

 

New section 50A includes a definition of sharing that explicitly overrides the second data

protection principle:

 

For the purposes of this Part a person shares information if the person […]

consults or uses the information for a purpose other than the purpose for which

the information was obtained.279

 

However, among the conditions attaching to the contents of an information-sharing order

is one that requires specification of the purposes for which the information is to be

shared.280 Constraints are also placed on when a particular Minister can make an

information-sharing order281 and this “designated authority”282 – in general the

appropriate Minister in Whitehall or one of the devolved administrations – must further be satisfied that the following conditions are met:

 

(a) that the sharing of information enabled by the order is necessary to secure a

relevant policy objective,

278 Some assistance comes from Opinion 4/2007 on the concept of personal data, adopted on 20 June 2007

by the Article 29 Data Protection Working Party (an independent European advisory body on data

protection and privacy).

279 New section 50A(3), DPA

280 New section 50A(5)

281 New section 50C, DPA

282 A definition of “designated authority”, taking into account devolution arrangements, appears in New

section 50A, DPA

 

 

 

 

 

 

 

108

 

 

(b) that the effect of the provision made by the order is proportionate to that policy

objective, and

(c) that the provision made by the order strikes a fair balance between the public

interest and the interests of any person affected by it.283

 

The orders would be able to, among other things, impose conditions on informationsharing,

“provide for a person to exercise a discretion in dealing with any matter” and

“modify any enactment”.284 An information-sharing order could also provide for the

creation of offences; obvious possibilities would include serious breaches of the

conditions imposed by any such order on information-sharing.

 

New section 50D requires the designated authority to consult affected persons in

advance of making an information-sharing order. A draft of such an order would also

have to be submitted to the Information Commissioner. The latter would have 21 days to

submit, should he so choose, a report to the designated authority. Any such report

would state whether or not the Information Commissioner was satisfied that the draft

order was proportionate and had achieved a fair balance between the public interest and

the interests of affected persons. The draft order, with any report by the Information

Commissioner, would then be laid before Parliament or, as appropriate, the Scottish

Parliament, National Assembly for Wales or the Northern Ireland Assembly. In all cases,

it would be subjected to the relevant affirmative resolution procedure.

 

In the light of an adverse report by the Information Commissioner, a Minister might

choose not to lay the draft order (or the report) before Parliament:

If the Commissioner submits a report under subsection (4) and the designated

authority proceeds to lay the draft order before Parliament, the designated

authority must at the same time lay a copy of the report before Parliament.285

New section 50E provides an additional hurdle in relation to the making of information sharing orders in that it provides for oversight by the Secretary of State having primary

responsibility for government policy on data protection – the Secretary of State for

Justice. His consent is necessary when an appropriate (Whitehall) Minister wishes to

make an order; in the case of the devolved administrations he must be consulted. An

appropriate Minister wishing to make an order which would impact on either information

sharing or legislation in Scotland, Wales or Northern Ireland would have to obtain the

consent of the appropriate devolved government.

 

Liberty “strongly opposes” these proposed amendments to the DPA, commenting

adversely on “such broad and sweeping powers to make secondary legislation.”286 Its

second reading briefing on the Bill cites in support the Joint Committee on Human

Rights.287  

 

On the other hand, the Information Commissioner’s Office believes the Data

283 New section 50A(4), DPA

284 “modify” includes amend, add to, revoke or repeal – new section 50F, DPA

285 New section 50D(6), DPA

286 Liberty’s Second Reading Briefing on the Coroners and Justice Bill in the House of Commons, January

2009

287 Joint Committee on Human Rights, Data Protection and Human Rights, HL 72/HC 132, 2007-08 para 20

 

 

 

109

Protection Act 1998 as it stands, and the introduction in the present Bill of

Commissioner’s reports on draft information-sharing orders, provide appropriate

safeguards for personal privacy.288

 

 

 

Clause 153 would insert five new sections (52A-52E) into the Data Protection Act 1998.

These deal with the preparation, approval, publication and effect of a data-sharing code

and any subsequent modifications to it. This clause represents the Government’s

response to the following recommendation in the Data Sharing Review Report of Richard Thomas (Information Commissioner) and Mark Walport (Director of the Wellcome Trust) published on 11 July 2008:

 

Recommendation 7(a): We recommend that new primary legislation should place

a statutory duty on the Information Commissioner to publish (after consultation)

and periodically update a data-sharing code of practice. This should set the

benchmark for guidance standards.289

 

Such a code would contain practical guidance on the sharing of personal data, both to

meet the requirements of the DPA and to promote good practice having regard to the

interests of data subjects and others. Provision is made for the Information

Commissioner to consult both data controller and data subject interests.

 

New section 52B requires that the data-sharing code be submitted to the Secretary of

State for approval – though this could only be withheld on grounds relating to the United

Kingdom’s international obligations. The Secretary of State would have to publish his

reasons for withholding approval. Alternatively, if approval were granted, the Secretary

of State would have to lay the code before Parliament. Its subsequent issue by the

Information Commissioner would be dependant on neither House of Parliament passing

a resolution, within 40 days, refusing approval – akin to the “negative resolution

procedure” for statutory instruments.290

 

 

If the Information Commissioner’s code is refused approval, either by the Secretary of

State or Parliament, he would have to prepare another one. New section 52C requires

the Information Commissioner to keep the data-sharing code under review and allows

him to prepare an alteration or a replacement. An altered or replacement code would be

subject to the same ministerial and Parliamentary approval procedures as set out in new

section 52B taking into account that an accepted code would already be in place were

approvals to the proposed alterations or replacement withheld.291

 

Under new section 52E, the data-sharing code would be admissible in evidence in any

legal proceedings but would not of itself render a person liable to such proceedings. The

explanatory notes to the Coroners and Justice Bill 2008-09 provide examples of what

this could mean in practice:

 

288 Coroners and Justice Bill: A commentary from the Information Commissioner’s Office – Second Reading

26 January 2009, Information Commissioner’s Office, 22 January 2009

289 Richard Thomas and Mark Walport, Data Sharing Review Report, 11 July 2008

290 House of Commons Information Office Factsheet L7, Statutory Instruments, May 2008

291 New section 52C(4)

 

 

110

 

New section 52E(1) to (5) provides that although the code is not legally binding, a

person’s breach or compliance with the Code is to be taken into account by the

courts, the Information Tribunal and the Commissioner whenever it is relevant to

a question arising in legal proceedings or in connection with the exercise of the

Commissioner’s functions. So, for example, the Information Commissioner is

entitled to consider levels of compliance with the Data-sharing Code when

evaluating whether to instigate enforcement action in relation to an instance of

data-sharing. Equally a court would be entitled to have regard to levels of

compliance with the code where it was attempting to resolve an issue relating to

whether or not a particular person had fulfilled their legal obligations by complying

with good practice and not acting negligently.292

 

As noted above, the Government believes that data sharing has an important role in

improving public services while, at the same time, acknowledging the privacy rights of

individuals. A leading article in the Independent provided one of the more hostile

responses to the information-sharing proposals in the Bill:

 

The Coroners and Justice Bill , published yesterday, proposes to give ministers

the right to allow public bodies to exchange sensitive data about each of us

between themselves. The effect would be to free organisations such as the Inland

Revenue and the National Health Service from the present data protection laws

which state that such information can only be used for the purpose for which we

originally handed it over. Ministers would even be able, in theory, to transfer

public records to private companies. If this Bill is passed by Parliament, it will

represent yet another encroachment by the state into areas in which it has no

business.

[…]

There is a good reason why government agencies have hitherto not been allowed

to pass around our personal data at will. And that is because it belongs to us, not

the state. We provide this information to receive certain specified benefits and

services, on the understanding that it will be kept strictly confidential. If ministers

are unable to recognise why it is inappropriate for them to undermine our privacy

in this way, they simply reveal themselves to be unfit to govern.293

 

 

C. Further data protection measures

 

Clause 154 introduces Schedule 18 which details further amendments to the Data

Protection Act 1998. Some of these are related to and enhance the wider audit and

inspection powers the Information Commissioner’s Office is to be given by the Bill. The

effective application of these is likely to require an increase in resources: according to a

talk given by the Deputy Information Commissioner on 17 September 2008, the

Information Commissioner’s Office had four people in its audit team.294

 

Part 1 of Schedule 18 contains the potential for increased funding.

 

 

292 Explanatory Notes to the Coroners and Justice Bill, 15 January 2009, para 728

293 “Riding roughshod over our privacy”, Independent, 15 January 2009

294 Bird and Bird, Data Protection Update, 17 September 2008

 

 

 

 

111

Under section 17(1) of the Data Protection Act personal data must not be processed

(e.g. obtained, held or disclosed) unless the data controller has registered with the

Information Commissioner’s Office. A data controller who contravenes this section is

guilty of an offence. The process is called notification; an annual fee of £35 is payable;

and it applies to a wide range of both public and private bodies. It is intended295 that this

flat rate fee be replaced with a tiered fee system, the level being determined by

information provided by data controllers under notification regulations. This information

about data controllers would not be subject to the public disclosure provisions that apply

to other “registrable particulars”; this may be because such information might be

commercially sensitive.

 

 

Part 3 of the schedule would enhance existing information-gathering powers the

Information Commissioner has by virtue of section 43 (information notices) and section

44 (special information notices)296 of the DPA. Most particularly, sections 43 and 44

would be amended to allow the Information Commissioner to specify the time and place

at which specified information would have to be furnished.

 

 

Part 4 would place further restrictions on the use to which information gathered by the

Information Commissioner’s Office could be put. The intention is, taking into account the

expanded information-gathering powers, to preserve the level of protection from selfincrimination that data controllers currently have under the DPA. For example, in relation to information notices, section 43(8) of the DPA already provides:

 

A person shall not be required by virtue of this section to furnish the

Commissioner with any information if the furnishing of that information would, by

revealing evidence of the commission of any offence other than an offence under

this Act, expose him to proceedings for that offence.

 

The additional protection appears even to extend, in prescribed circumstances, to

offences under the DPA.297

 

Following a series of high-profile losses of personal data, both in the public and private

sectors, a late amendment to the Criminal Justice and Immigration Bill 2006-07

introduced section 55A into the DPA.298 On commencement this will allow the

Information Commissioner to issue a civil monetary penalty for serious breaches of the

data protection principles.

 

Part 5 of Schedule 18 of the current Bill would exempt data

controllers if such a breach came to light either as a result of one of the new assessment

notices or where a data controller has consented to an assessment under existing

provisions299 of the DPA. The rationale for this, at least in connection with the latter of

these exemptions, was given in a Ministry of Justice consultation response in November

2008:

295 Explanatory Notes to the Coroners and Justice Bill, 15 January 2009, para 732

296 Special information notices relate to the processing of data for journalistic, artistic and literary purposes

297 For information notices, see new sections 43(8B-C)

298 “Information Commissioner gets power to fine for privacy breaches”, OUT-LAW News, 12 May 2008

299 Section 51(7), DPA

 

 

112

Government proposes to legislate to exempt a data controller who has consented

to a GPA [Good Practice Assessment] from the new civil penalty should a breach

of the DPA be found in the course of that assessment. The ICO will, however,

retain the power to use existing powers to issue Enforcement and Information

Notices and powers to undertake prosecutions.

 

This measure is designed to promote good practice, allowing data controllers to

invite scrutiny, safe in the knowledge that no penalty would be imposed for

problems identified.300

 

Schedule 9 of the DPA provides for a circuit judge to grant a warrant to the Information

Commissioner; such a warrant provides the Commissioner or any of his officers to enter

and search premises where breaches of the data protection principles or an offence

under the DPA is reasonably suspected.

 

Part 6 of the Schedule would extend the powers such a warrant may authorise. The additions to the range of existing provisions primarily comprise the imposition of a requirement on any person on the premises to provide relevant explanations and information – essentially allowing interviews to be conducted. An offence would be committed in respect of responses that were either intentionally or recklessly false.

 

There are also qualified restrictions on self-incrimination.300

 

 

 

 

The Information Commissioner’s inspection powers and funding arrangements under the Data Protection

Act 1998 - Summary of responses,

 Ministry of Justice, 24 November 2008

 

 

 

 

 

 

 

 

 

 

113    All 113 Pages on

114      http://www.parliament.uk/commons/lib/research/rp2009/rp09-006.pdf

115