That is exactly the purpose of all our amendments to clause 37: to ensure that any independent person, as described in the Bill—whether the assurer,
the certification officer’s staff, or an investigator that might be appointed by the certification officer—is covered by existing data protection law and the European convention on human rights. That was a timely intervention, as it is important to run through the schedules to the Data Protection Act and relate them directly to our amendments, and the overlaying of clause 37 and other clauses in part 3.
Schedule 1 of the Data Protection Act lists the data protection principles in the following terms. I realise this is slightly technical, but it is worth running through them to ensure that we have got it absolutely right.
“Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—
(a) at least one of the conditions in Schedule 2 is met…”—
I will come back to that a little later, and, crucially, that—
“(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.”
It is a condition of schedule 2 that, because trade union membership is classed as sensitive personal data it has to have a category in schedule 3 too. Sensitive data includes trade union membership, so we have to take that category into account overriding schedule 2.
Interestingly, section 4 of schedule 1 to the Act states clearly that
“Personal data shall be accurate and, where necessary, kept up to date.”
This is a strong requirement of the Act and in this context trade unions must abide by that condition as a data controller. There is already a strong obligation on trade unions under the current legislation, the Trade Union and Labour Relations (Consolidation) Act 1992—I wish there was a shorter way of saying that—to keep membership lists up to date. We have discussed that at length this afternoon in terms of legislation already in place to deal with many of the issues that the Minister deems to be a problem that have to be dealt with in the Bill.
Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data, and against accidental loss, destruction of, or damage to, personal data. That accidental loss could be a significant hurdle when being processed by independent assurers or independent investigators appointed by the certification officer, is a key concern for many stakeholders. The responsibility for the data under the Data Protection Act lies with the data controller at the trade union. They will be responsible for the actions of independent bodies looking at that trade union’s membership list.
5.30 pm
That is a genuine concern, of which the Political and Constitutional Reform Committee stated in its recommendations:
“The Government must address these concerns during the course of proceedings on the Bill.”
I do not think they have, which is the reason for some of our amendments in this grouping. As we have said, trade union membership falls under “sensitive personal data”, which means personal data consisting of information about many aspects of a person, including—these are the important aspects for this Bill—their political opinions and whether they are a member of a trade union, within
the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992. The presumption is that because information about such matters could be used in a discriminatory fashion and is likely to be of a private nature, it needs to be treated with greater care than other personal data. The nature of those data is also a factor in deciding what security is appropriate in securing them. That is the purpose of amendments 116 and 117.