Coroners and Justice Bill

This group of amendments deals with the new assessment notices provided for in Clause 156, and I thank all noble Lords who have gone some way to praise the Government for moving in some direction towards assessment notices. Assessment notices are an important step towards building public confidence in the handling of personal data by public-sector data controllers. They go beyond the scope of the current "spot checks" arrangement. They extend the power of the Information Commissioner to assess not only government departments but other designated public authorities. One of the main features of this new power is that it is precautionary in the sense that the Information Commissioner may issue an assessment notice without the need for any suspicion of non-compliance with the data protection principles by the data controller, subject of course to the implicit requirements for the Information Commissioner to act reasonably and comply with the public law duties of that office. During the debates in the other place, we listened to the arguments about the blurred distinction between the public and private sectors and the need to extend assessment notices to all data collectors, and we are grateful for the conversations that have been had since then. In response, we explained that, as the Bill stands, it is possible in certain circumstances to include some private or third-sector data controllers within the scope of assessment notices. This designation would be by order made by the Secretary of State when a person exercises public functions or provides, under a contract with a public authority, a service the provision of which is a function of the public authority. However, we have listened to the arguments made in favour of further extending the scope of assessment notices to the private sector. We recognise that there are genuine concerns about the private sector’s handling of personal data—indeed, the noble Baroness, Lady Miller, referred to them—and that there are certain categories of private-sector data controller whose circumstances merit the application of assessment notices. Government Amendments 198A, 199A and 199C address those scenarios. We remain unpersuaded that the assessment notice regime should apply automatically to all data controllers. Such an approach would be a little excessive and impose disproportionate burdens on business. Instead, our amendments enable the Secretary of State to designate by order certain descriptions of private-sector data controller as liable for assessment notices. The amendments provide the Secretary of State with the power to make an order following a recommendation from the Information Commissioner. Where the Secretary of State was minded to accept such a recommendation, we would be able to proceed to make an order, which would be subject to the affirmative procedure, only following consultation with the affected sectors. Such consultations would be accompanied by a full impact assessment. The Secretary of State and the Information Commissioner will have to be satisfied that designation is necessary, taking into account the nature and quantity of data under the control of such persons and the damage or distress that may be caused by a contravention by such persons of the data protection principles. This amendment does not provide for the designation of a particular data controller but for a description of a data controller. This means that the designation would not single out or list individual data controllers but would provide a description of a class of data controller—for example, credit reference agencies, which have been referred to in the debate—as liable to assessment notices. In addition, we are introducing a requirement for the Secretary of State to review, at least every five years, whether it continues to be appropriate for a public authority and necessary for a description of a private-sector data controller to be subject to the assessment notice regime. Amendment 199D in the name of the noble Lord, Lord Henley, would amend government Amendment 199C and would require the Information Commissioner and the Secretary of State, before making an order under new Section 41A(2)(c) of the Data Protection Act, to consider the public function of the data under the control of those private-sector data controllers to be designated in such an order. We are not persuaded that this amendment is necessary. Data controllers exercising public functions may already be brought within the assessment notice regime by virtue of an order under new Section 41A(2)(b). That is the context in which this class of data controllers should be considered, not the context of the new order-making power introduced by the government amendments. We are confident that our amendments to Clause 156 provide for an extension that is in tune with the need for enhancing the current supervisory powers of the Information Commissioner without creating a disproportionate regulatory burden. Amendments 194, 196, 198 and 199 in the name of the noble Baroness, Lady Miller, similarly seek to extend the categories of data controllers who are liable to an assessment notice. Amendment 199, for example, would make assessment notices directly applicable to public authorities without the need for an order. However, we do not consider such an extension across the whole public sector to be justified. The definition of "public authority" in the Bill relies on an order being made. Without an order, there would be uncertainty as to exactly which persons are covered. I hope that, having had an opportunity to consider our amendments and to hear what I briefly had to say about them, the noble Baroness may be persuaded that they offer a more balanced and proportionate approach and that she will not press her amendments to a vote today. Government Amendments 199B, 200A and 200B in large measure simply re-order existing provisions in Clause 156, but there is one notable change in that judges are added to the list of persons excluded from the assessment notice regime. The Committee will of course appreciate the very special constitutional position of the judiciary that has led to us tabling this amendment. Currently, the only inspection regime involving the judiciary is provided for in Section 59 of the Courts Act 2003. That is limited to the inspection of the system that supports the carrying on of the business of the courts and the services provided for those courts. It expressly does not permit scrutiny of anyone exercising judicial discretion or making judicial decisions. For judicial office-holders to be subject to the assessment notice procedure while exercising their professional judicial functions would compromise the constitutional principle of judicial independence, which this and every Government rightly have a statutory duty to uphold. There can be no disagreement that judicial impartiality and freedom from improper influence are at the heart of the fair administration of justice in this country. The Information Commissioner agrees with our making this special exception. Government Amendments 205B and 205C are consequential to the proposed changes to Clause 156. I turn now to sanctions for non-compliance with an assessment notice. Again, we have listened to the representations in the other place on this issue. The case for some express sanction in the event of non-compliance is reinforced now that private-sector data controllers can be brought within the scope of assessment notices. Our Amendments 206ZA to 206ZD would introduce changes to Schedule 18 to provide the Information Commissioner with the power to apply for a warrant under Schedule 9 to the Data Protection Act where a data controller had failed to comply with a requirement imposed by an assessment notice. As now, the Information Commissioner’s office would need to satisfy the judge that there were sufficient grounds for the issue of a warrant to search the data controller’s premises. We have taken a different approach to enforcement from that taken in Amendments 195, 200, 201, 203, and 204, tabled by my noble friend Lord Dubs and the noble Baroness, Lady Miller. The key difficulty with treating the failure to comply with an assessment notice as a contempt of court or as an offence is that ultimately it does not provide the Information Commissioner with access to the premises in question, which is exactly what a warrant does; it provides the Information Commissioner with access. The former Information Commissioner agreed with us that this would not provide him with the access he believed was required. Amendment 202, in the name of the noble Baroness, Lady Miller, would provide for an enforcement mechanism through the issuing of a warrant under Schedule 9 to the Data Protection Act to allow the Information Commissioner access to the data controller’s premises. I hope that noble Lords will agree that our amendments are intended in the same spirit and achieve a similar end. Part 5 of Schedule 18 amends Section 55A of the Data Protection Act to prevent the imposition of a civil monetary penalty based on information obtained from either a good practice assessment or an assessment notice. Amendment 206 would remove this exemption, which we believe will provide a strong incentive for data controllers to consent to a good practice assessment. This exemption will not—I emphasise, not—provide immunity to data controllers from all enforcement action in relation to breaches that might be discovered during a good practice assessment or an assessment notice. The commissioner will still be able to issue an enforcement notice under Section 40 of the Data Protection Act to compel the data controller to comply with their data protection obligations if he discovers a breach of the data protection principles during any of these assessments. As the noble Lord, Lord Henley, reminded us, these government amendments follow consultations that my ministerial colleague, Michael Wills, had with the Information Commissioner and the opposition spokespersons in the other place. I hope that the House will agree that this package of government amendments provides a workable scheme to bring those data controllers who need to be subject to additional scrutiny within the assessment notice regime and to provide the Information Commissioner with sufficient remedies where a data controller fails to comply with an assessment notice. In due course, I shall move the government amendments. The noble Baroness asked me, harking back to last year and the Criminal Justice and Immigration Act, why the increased penalties in those Acts are not yet commenced. This answer may not totally satisfy her, but we are, together with the Information Commissioner’s Office, monitoring the illegal trade closely. Should the position get worse, we will not hesitate to bring forward an order to increase the maximum penalty for this offence, but for the present we have no immediate intention to do so.