Coroners and Justice Bill: Crime and Data Protection Research paper 09/06, 22.1.2009 Clause 152 only.
B. Information sharing
At least in so far as data protection is concerned, clause 152 contains the most
controversial measures of the Bill. While some reports have suggested that the clause
would remove the barriers to the bulk sharing of personal data across government
departments, it would be more accurate to say the barriers would be lowered (albeit
significantly) – and with some in-built safeguards.
The Government has, for some years,272 been developing a strategy on data-sharing
across government departments – motivated as a means of providing more efficient and
accessible public sector services. Data sharing represents a significant arm of the
“Transformational Government” strategy published by the Cabinet Office in November
2005 (Cm 6683) which comments: “Modern government – both in policy making and in
service delivery – relies on accurate and timely information about citizens, businesses,
animals and assets. Information sharing, management of identity and of geographical
information, and information assurance are therefore crucial.” It further observes: “data
sharing is integral to transforming services and reducing administrative burdens on
citizens and businesses. But privacy rights and public trust must be retained. There will
be a new Ministerial focus on finding and communicating a balance between maintaining
the privacy of the individual and delivering more efficient, higher quality services with
minimal bureaucracy.”273 A Transformational Government Implementation Plan was
subsequently published in March 2006.274 In July 2008 the Cabinet Office published its
second annual progress report on Transformational Government.275 One obvious
impediment to increased data sharing is the second data protection principle, repeated
below:
Personal data shall be obtained only for one or more specified and lawful
purposes, and shall not be further processed in any manner incompatible with
that purpose or those purposes.276
Although the Data Protection Act 1998 (DPA) provides for a number of exemptions and
exceptions to this, few of which are blanket in nature,277 greater comfort to would-be
information sharers can be provided by legislation. Recent examples of data sharing
powers can be found in, among others, the following:
• Digital Switchover (Disclosure of Information) Act 2007
271 Coroners and Justice Bill: A commentary from the Information Commissioner’s Office – Second Reading
26 January 2009, Information Commissioner’s Office, 22 January 2009
272 Privacy and Data Sharing, Performance and Innovation Unit, April 2002
273 Transformational Government, Cabinet Office, Cm 6683, November 2005
274 Transformational Government – Implementation plan, Cabinet Office, March 2006
275 Transformational Government Annual Report 2007, Cabinet Office, 16 July 2008
276 Data Protection Act 1998, Schedule 1, Part I
277 Not even national security: see Tolley’s Data Protection Handbook, 4th Edition, 2006, chapter 20.
107
• Serious Crime Act 2007
• Education and Skills Bill 2007-08
• Pensions Bill 2007-08
• Counter-Terrorism Bill 2007-08
Clause 152 of the Coroners and Justice Bill would obviate the need for primary
legislation to enable personal data sharing, providing instead a secondary legislation
route. It inserts a new Part (5A) on information sharing in the DPA. In particular, a new
section (50A) would enable Ministers to make “information-sharing orders” enabling “any
person” to share information which consists of or includes personal data. Quite what
constitutes personal data is the subject of ongoing debate,278 but it is defined in section 1
of the DPA as follows:
“personal data” means data which relate to a living individual who can be
identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is
likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of
the intentions of the data controller or any other person in respect of the individual
New section 50A includes a definition of sharing that explicitly overrides the second data
protection principle:
For the purposes of this Part a person shares information if the person […]
consults or uses the information for a purpose other than the purpose for which
the information was obtained.279
However, among the conditions attaching to the contents of an information-sharing order
is one that requires specification of the purposes for which the information is to be
shared.280 Constraints are also placed on when a particular Minister can make an
information-sharing order281 and this “designated authority”282 – in general the
appropriate Minister in Whitehall or one of the devolved administrations – must further be satisfied that the following conditions are met:
(a) that the sharing of information enabled by the order is necessary to secure a
relevant policy objective,
278 Some assistance comes from Opinion 4/2007 on the concept of personal data, adopted on 20 June 2007
by the Article 29 Data Protection Working Party (an independent European advisory body on data
protection and privacy).
279 New section 50A(3), DPA
280 New section 50A(5)
281 New section 50C, DPA
282 A definition of “designated authority”, taking into account devolution arrangements, appears in New
section 50A, DPA
108
(b) that the effect of the provision made by the order is proportionate to that policy
objective, and
(c) that the provision made by the order strikes a fair balance between the public
interest and the interests of any person affected by it.283
The orders would be able to, among other things, impose conditions on informationsharing,
“provide for a person to exercise a discretion in dealing with any matter” and
“modify any enactment”.284 An information-sharing order could also provide for the
creation of offences; obvious possibilities would include serious breaches of the
conditions imposed by any such order on information-sharing.
New section 50D requires the designated authority to consult affected persons in
advance of making an information-sharing order. A draft of such an order would also
have to be submitted to the Information Commissioner. The latter would have 21 days to
submit, should he so choose, a report to the designated authority. Any such report
would state whether or not the Information Commissioner was satisfied that the draft
order was proportionate and had achieved a fair balance between the public interest and
the interests of affected persons. The draft order, with any report by the Information
Commissioner, would then be laid before Parliament or, as appropriate, the Scottish
Parliament, National Assembly for Wales or the Northern Ireland Assembly. In all cases,
it would be subjected to the relevant affirmative resolution procedure.
In the light of an adverse report by the Information Commissioner, a Minister might
choose not to lay the draft order (or the report) before Parliament:
If the Commissioner submits a report under subsection (4) and the designated
authority proceeds to lay the draft order before Parliament, the designated
authority must at the same time lay a copy of the report before Parliament.285
New section 50E provides an additional hurdle in relation to the making of information sharing orders in that it provides for oversight by the Secretary of State having primary
responsibility for government policy on data protection – the Secretary of State for
Justice. His consent is necessary when an appropriate (Whitehall) Minister wishes to
make an order; in the case of the devolved administrations he must be consulted. An
appropriate Minister wishing to make an order which would impact on either information
sharing or legislation in Scotland, Wales or Northern Ireland would have to obtain the
consent of the appropriate devolved government.
Liberty “strongly opposes” these proposed amendments to the DPA, commenting
adversely on “such broad and sweeping powers to make secondary legislation.”286 Its
second reading briefing on the Bill cites in support the Joint Committee on Human
Rights.287
On the other hand, the Information Commissioner’s Office believes the Data
283 New section 50A(4), DPA
284 “modify” includes amend, add to, revoke or repeal – new section 50F, DPA
285 New section 50D(6), DPA
286 Liberty’s Second Reading Briefing on the Coroners and Justice Bill in the House of Commons, January
2009
287 Joint Committee on Human Rights, Data Protection and Human Rights, HL 72/HC 132, 2007-08 para 20
109
Protection Act 1998 as it stands, and the introduction in the present Bill of
Commissioner’s reports on draft information-sharing orders, provide appropriate
safeguards for personal privacy.288
Clause 153 would insert five new sections (52A-52E) into the Data Protection Act 1998.
These deal with the preparation, approval, publication and effect of a data-sharing code
and any subsequent modifications to it. This clause represents the Government’s
response to the following recommendation in the Data Sharing Review Report of Richard Thomas (Information Commissioner) and Mark Walport (Director of the Wellcome Trust) published on 11 July 2008:
Recommendation 7(a): We recommend that new primary legislation should place
a statutory duty on the Information Commissioner to publish (after consultation)
and periodically update a data-sharing code of practice. This should set the
benchmark for guidance standards.289
Such a code would contain practical guidance on the sharing of personal data, both to
meet the requirements of the DPA and to promote good practice having regard to the
interests of data subjects and others. Provision is made for the Information
Commissioner to consult both data controller and data subject interests.
New section 52B requires that the data-sharing code be submitted to the Secretary of
State for approval – though this could only be withheld on grounds relating to the United
Kingdom’s international obligations. The Secretary of State would have to publish his
reasons for withholding approval. Alternatively, if approval were granted, the Secretary
of State would have to lay the code before Parliament. Its subsequent issue by the
Information Commissioner would be dependant on neither House of Parliament passing
a resolution, within 40 days, refusing approval – akin to the “negative resolution
procedure” for statutory instruments.290
If the Information Commissioner’s code is refused approval, either by the Secretary of
State or Parliament, he would have to prepare another one. New section 52C requires
the Information Commissioner to keep the data-sharing code under review and allows
him to prepare an alteration or a replacement. An altered or replacement code would be
subject to the same ministerial and Parliamentary approval procedures as set out in new
section 52B taking into account that an accepted code would already be in place were
approvals to the proposed alterations or replacement withheld.291
Under new section 52E, the data-sharing code would be admissible in evidence in any
legal proceedings but would not of itself render a person liable to such proceedings. The
explanatory notes to the Coroners and Justice Bill 2008-09 provide examples of what
this could mean in practice:
288 Coroners and Justice Bill: A commentary from the Information Commissioner’s Office – Second Reading
26 January 2009, Information Commissioner’s Office, 22 January 2009
289 Richard Thomas and Mark Walport, Data Sharing Review Report, 11 July 2008
290 House of Commons Information Office Factsheet L7, Statutory Instruments, May 2008
291 New section 52C(4)
110
New section 52E(1) to (5) provides that although the code is not legally binding, a
person’s breach or compliance with the Code is to be taken into account by the
courts, the Information Tribunal and the Commissioner whenever it is relevant to
a question arising in legal proceedings or in connection with the exercise of the
Commissioner’s functions. So, for example, the Information Commissioner is
entitled to consider levels of compliance with the Data-sharing Code when
evaluating whether to instigate enforcement action in relation to an instance of
data-sharing. Equally a court would be entitled to have regard to levels of
compliance with the code where it was attempting to resolve an issue relating to
whether or not a particular person had fulfilled their legal obligations by complying
with good practice and not acting negligently.292
As noted above, the Government believes that data sharing has an important role in
improving public services while, at the same time, acknowledging the privacy rights of
individuals. A leading article in the Independent provided one of the more hostile
responses to the information-sharing proposals in the Bill:
The Coroners and Justice Bill , published yesterday, proposes to give ministers
the right to allow public bodies to exchange sensitive data about each of us
between themselves. The effect would be to free organisations such as the Inland
Revenue and the National Health Service from the present data protection laws
which state that such information can only be used for the purpose for which we
originally handed it over. Ministers would even be able, in theory, to transfer
public records to private companies. If this Bill is passed by Parliament, it will
represent yet another encroachment by the state into areas in which it has no
business.
[…]
There is a good reason why government agencies have hitherto not been allowed
to pass around our personal data at will. And that is because it belongs to us, not
the state. We provide this information to receive certain specified benefits and
services, on the understanding that it will be kept strictly confidential. If ministers
are unable to recognise why it is inappropriate for them to undermine our privacy
in this way, they simply reveal themselves to be unfit to govern.293
C. Further data protection measures
Clause 154 introduces Schedule 18 which details further amendments to the Data
Protection Act 1998. Some of these are related to and enhance the wider audit and
inspection powers the Information Commissioner’s Office is to be given by the Bill. The
effective application of these is likely to require an increase in resources: according to a
talk given by the Deputy Information Commissioner on 17 September 2008, the
Information Commissioner’s Office had four people in its audit team.294
Part 1 of Schedule 18 contains the potential for increased funding.
292 Explanatory Notes to the Coroners and Justice Bill, 15 January 2009, para 728
293 “Riding roughshod over our privacy”, Independent, 15 January 2009
294 Bird and Bird, Data Protection Update, 17 September 2008
111
Under section 17(1) of the Data Protection Act personal data must not be processed
(e.g. obtained, held or disclosed) unless the data controller has registered with the
Information Commissioner’s Office. A data controller who contravenes this section is
guilty of an offence. The process is called notification; an annual fee of £35 is payable;
and it applies to a wide range of both public and private bodies. It is intended295 that this
flat rate fee be replaced with a tiered fee system, the level being determined by
information provided by data controllers under notification regulations. This information
about data controllers would not be subject to the public disclosure provisions that apply
to other “registrable particulars”; this may be because such information might be
commercially sensitive.
Part 3 of the schedule would enhance existing information-gathering powers the
Information Commissioner has by virtue of section 43 (information notices) and section
44 (special information notices)296 of the DPA. Most particularly, sections 43 and 44
would be amended to allow the Information Commissioner to specify the time and place
at which specified information would have to be furnished.
Part 4 would place further restrictions on the use to which information gathered by the
Information Commissioner’s Office could be put. The intention is, taking into account the
expanded information-gathering powers, to preserve the level of protection from selfincrimination that data controllers currently have under the DPA. For example, in relation to information notices, section 43(8) of the DPA already provides:
A person shall not be required by virtue of this section to furnish the
Commissioner with any information if the furnishing of that information would, by
revealing evidence of the commission of any offence other than an offence under
this Act, expose him to proceedings for that offence.
The additional protection appears even to extend, in prescribed circumstances, to
offences under the DPA.297
Following a series of high-profile losses of personal data, both in the public and private
sectors, a late amendment to the Criminal Justice and Immigration Bill 2006-07
introduced section 55A into the DPA.298 On commencement this will allow the
Information Commissioner to issue a civil monetary penalty for serious breaches of the
data protection principles.
Part 5 of Schedule 18 of the current Bill would exempt data
controllers if such a breach came to light either as a result of one of the new assessment
notices or where a data controller has consented to an assessment under existing
provisions299 of the DPA. The rationale for this, at least in connection with the latter of
these exemptions, was given in a Ministry of Justice consultation response in November
2008:
295 Explanatory Notes to the Coroners and Justice Bill, 15 January 2009, para 732
296 Special information notices relate to the processing of data for journalistic, artistic and literary purposes
297 For information notices, see new sections 43(8B-C)
298 “Information Commissioner gets power to fine for privacy breaches”, OUT-LAW News, 12 May 2008
299 Section 51(7), DPA
112
Government proposes to legislate to exempt a data controller who has consented
to a GPA [Good Practice Assessment] from the new civil penalty should a breach
of the DPA be found in the course of that assessment. The ICO will, however,
retain the power to use existing powers to issue Enforcement and Information
Notices and powers to undertake prosecutions.
This measure is designed to promote good practice, allowing data controllers to
invite scrutiny, safe in the knowledge that no penalty would be imposed for
problems identified.300
Schedule 9 of the DPA provides for a circuit judge to grant a warrant to the Information
Commissioner; such a warrant provides the Commissioner or any of his officers to enter
and search premises where breaches of the data protection principles or an offence
under the DPA is reasonably suspected.
Part 6 of the Schedule would extend the powers such a warrant may authorise. The additions to the range of existing provisions primarily comprise the imposition of a requirement on any person on the premises to provide relevant explanations and information – essentially allowing interviews to be conducted. An offence would be committed in respect of responses that were either intentionally or recklessly false.
There are also qualified restrictions on self-incrimination.300
The Information Commissioner’s inspection powers and funding arrangements under the Data Protection
Act 1998 - Summary of responses,
Ministry of Justice, 24 November 2008
113 All 113 Pages on
114 http://www.parliament.uk/commons/lib/research/rp2009/rp09-006.pdf
115