Coroners and Justice Bill

I am speaking a little sooner than I expected, but there we are. I begin with Government amendment 25, which is at the heart of this grouping on data sharing and data protection, and the associated consequential amendment 153. They will remove from the Bill the power to establish new information-sharing gateways by secondary legislation. The proposal in clause 154 for information-sharing orders stemmed from a recommendation of the independent data-sharing review, conducted by the commissioner, Richard Thomas, and Sir Mark Walport, the director of the Wellcome Trust. They recommended changes to the legal framework for data sharing, in part to support better public service provision. To counterbalance that power, the review recommended that there should be a transparent and consistent mechanism ensuring greater scrutiny while reducing the scope for confusion. Following the spirit of those recommendations, clause 154 included a raft of safeguards to ensure an appropriate level of public and parliamentary scrutiny. However, in Committee and elsewhere, we heard and understood the concerns that hon. Members and others expressed about the information-sharing gateway proposal, including that the power was open to misuse. It is important to make it clear that it was never the Government's intention to allow indiscriminate information sharing, regardless of any protections set up by the Data Protection Act. After a thorough consideration of the views expressed by Members of this House and by such outside organisations as the British Medical Association, which I met to discuss this very point, we have concluded that a more in-depth analysis of the features of an information-sharing power was needed. It is therefore right that we withdraw clause 154 from the Bill while we undertake that further work. That is a good example of how scrutiny in this place works, and although those who spoke for the Opposition parties had a small go at gloating, they did not go overboard. I appreciate that and I am grateful to them. We accept the humble pie that they proffered to us. The Government are clear that there are many benefits to sharing data, as I said in Committee. To deliver high-quality public services, Departments need to share personal information in a secure and appropriate fashion. Through such data sharing we can improve opportunities for the most disadvantaged, provide customer-focused public services, reduce the burden on businesses, implement policies effectively and detect fraud. We do not underestimate the risks attached to information sharing, nor will we let them blind us to the potential benefits. I assure the House that in taking the matter forward we will consider carefully the views expressed by all interested parties. The other Government amendment in this group, amendment 152, requires a brief explanation. New section 41A of the Data Protection Act 1998, inserted by clause 153 of the Bill, provides the Secretary of State with the power to designate, by order, those public authorities subject to the assessment notice regime. As our published delegated powers memorandum makes clear, we intended that that order-making power be subject to the negative resolution procedure. However, owing to an oversight we omitted to amend section 67 of the Data Protection Act, which determines the level of parliamentary scrutiny for all delegated powers in that Act. The amendment makes good that omission. Let me now move on to the other amendments that relate to assessment notices. They deal with three issues: the scope of the assessment notice regime, the sanctions for non-compliance and their relationship with civil penalties under section 55A of the Data Protection Act. Amendments 23 and 24, in the name of the hon. Member for Cambridge (David Howarth), and amendment 133, tabled by my hon. Friend the Member for Hendon (Mr. Dismore), deal with scope. Assessment notices constitute an important step towards improving public trust and confidence in the handling of personal information by public sector data controllers. They will create a formal system based upon the current arrangement of spot checks undertaken on Government Departments by the Information Commissioner, which aim to raise the awareness and compliance of public bodies with data protection principles. Clause 153 represents the statutory base for the commitment made by the Prime Minister in November 2007, after the loss of the data from Her Majesty's Revenue and Customs to which the hon. Member for North-West Norfolk (Mr. Bellingham) referred, to provide the Information Commissioner with the power to spot check Departments. That power is therefore a specific answer to a specific issue. As the clause stands, it is already possible to include certain private or third sector data controllers within the scope of assessment notices. That would be in cases where those data controllers appear to the Secretary of State to exercise functions of a public nature, or are providing, under a contract made with a public authority, any service whose provision is a function of that authority. There are sound arguments for applying a higher level of scrutiny to public sector bodies. Data controllers in the public sector handle a variety of sensitive personal information that is necessary to fulfil their responsibilities, such as providing health and social services, fighting crime, and detecting fraud. Most of the information handled by public sector data controllers, or those working on their behalf, is vital to determine entitlements, responsibilities, and obligations. That citizens must provide their personal information to access essential services is, in this context, a defining feature of the relationship between the citizen and the public authority. For the private sector, the ability of the public to choose to go somewhere else is a powerful driver, encouraging businesses to look after personal information. Extending assessment notices to the private sector could, as a result, act as a significant additional regulatory burden. While I remain to be persuaded of the case for applying the assessment notice regime to all data controllers, we will continue to consider the points made by the Information Commissioner and by some Members of this House in support of those amendments. However, any move to include all data controllers within the scope of assessment notices would need to be carefully considered. We consider that clause 153 strikes a fair balance between the need to enhance the Information Commissioner's powers and the potential impact of those changes in view of the wider regulatory framework. Amendments 78 and 79 and new clause 38 deal with the issue of non-compliance. Specifically they seek to deal with non-compliance with an assessment notice as if it were a contempt of court. Again, I remain to be persuaded that a bespoke sanction for non-compliance with an assessment notice is needed. In practice, it is difficult to envisage a public sector body refusing to comply with an assessment notice, considering the bad publicity that would ensue from such a notice. That said, the Information Commissioner made it clear that he would like some kind of penalty or sanction for refusal to comply. Of course, the Information Commissioner already has a range of enforcement powers available to him for a failure to comply with the Data Protection Act. Information notices can be used alongside assessment notices if he reasonably requires information to assess compliance with data protection principles. If he discovers a breach of those principles during an assessment, he can issue an enforcement notice to compel the data controller to comply with data protection obligations. He also has powers to apply for a search warrant under schedule 9 to that Act. Arguably, any greater powers would be disproportionate and inconsistent with broader Government policy about the investigatory powers of regulators. Again, however, I am prepared to reflect carefully on the arguments that have been made as the Bill makes further progress. Amendment 88 would remove the proposed exemption from liability for a civil monetary penalty for serious breaches of the data protection principles in cases where information about such a breach comes to light following the issue of an assessment notice. Those monetary penalties, which are provided for in section 55A of the Data Protection Act, will apply in cases of deliberate breach and when a data controller is aware that there is a risk of serious breach but fails to take reasonable steps to prevent it. By contrast, as I have indicated, assessment notices are a valuable tool to raise compliance levels and to educate public bodies that are being assessed. That is why they do not require the existence of suspicion of non-compliance, or actual non-compliance, with the data protection principles. They are random spot checks. Given the nature of the assessment notice regime, we do not consider it appropriate for information gathered through that process to render a data controller liable to a civil monetary penalty. In any case, the commissioner can still employ his other enforcement tools as and when required throughout an assessment. For example, if he discovered a breach of the Data Protection Act during an assessment, he could still take enforcement action. As I have said, he could issue an enforcement notice under section 40 of that Act. New clause 19 would limit the existing Crown immunity under the Data Protection Act so that Government Departments would be open to prosecution under it. As the hon. Member for North-West Norfolk will know, Crown immunity means that emanations from the Crown are not ordinarily liable to prosecution for offences created either in statute or in common law. That includes Government Departments, and the limitation on the prosecution of Departments includes the offences in that Act. That is not to say, however, that Departments are not subject to adequate sanctions for breaches of data protection principles. They can still be subject to enforcement notices, claims for damages in a civil court or civil monetary penalties. That last point is particularly important because it means that financial penalties can be imposed on Government Departments. That range of other sanctions and penalties is sufficient for me to remain unconvinced that disapplying the normal rules on Crown immunity would make any material difference. Amendments 80 to 84 would make the Information Commissioner's codes of practice on assessment notices and data sharing subject to the affirmative resolution procedure. The assessment notice code of practice is not subject to any parliamentary procedure, whereas the data sharing code is subject to the negative resolution procedure. Given the scope of those codes, I believe that we have probably got the level of parliamentary scrutiny right. They are not on a par with, for example, the codes of practice issued under the Police and Criminal Evidence Act 1984. However, if we have misjudged the level of scrutiny for those two codes of practice, I am pretty confident that the Delegated Powers and Regulatory Reform Committee in the other place will be quick to tell us that. We will, of course, consider carefully any recommendations that it makes. Amendment 85 would require the Information Commissioner to conduct an annual review of the data sharing code of practice. The Bill already obliges the commissioner to keep the code under review, and he is required to update it if he becomes aware that its content could result in the UK being in breach of any of its community or international obligations. My concern is that the amendment could prevent the code from being revised quickly once a breach has been identified. It might be a little too rigid in calling specifically for an annual review. The Bill will give the Information Commissioner scope to reconsider and review the code as and when he sees fit. We believe that that is right, given that his role as the independent data protection regulator is to provide the most up-to-date guidance to facilitate data controllers' compliance with the Data Protection Act. Finally, amendments 86 and 87 deal with information notices. Section 43 of the Data Protection Act provides the Information Commissioner with the power to issue a data controller with an information notice. That can require a data controller to provide the commissioner with specified information in a specified form, to assess compliance with the data protection principles. The commissioner can issue a notice to any data controller as long as he reasonably requires information to determine their compliance. Failure to comply with an information notice is a criminal offence. The amendments would extend the commissioner's power to issue an information notice to data processors as well as data controllers. The meaning of a data processor is limited to those handling data on behalf of Government Departments and designated public authorities. The structure of the Data Protection Act places the responsibility for personal information on the data controller, not the data processor. Introducing a power to serve a notice on a data processor could shift the regulatory balance of the Act. All data being processed by or on behalf of an organisation must be covered by the data controller's registration. It is the responsibility of the data controller to obtain the information that the commissioner requires. I fear that the amendments would represent a significant change to the data protection regime, so the matter might be better suited to consideration in the review of the European directive that is under way. I therefore hope that the Opposition will not press those amendments. The hon. Member for Cambridge expressed concern about the Information Commissioner and Google Street View. I have to say that I could not find my street on it, but that might be because I am sometimes technologically illiterate when it comes to such things. I understand that the commissioner is keeping the situation under review, and of course anyone can request to have their image removed. I understand that Google is quite surprised by how few people have so far asked to have their image removed, but that is another matter.