It absolutely would. Given the evidence of blacklisting that has emerged over the past few years, particularly in relation to the inquiry by the Scottish Affairs Select Committee, it would be perfectly reasonable to assume either that someone might not wish to join a trade union, or that an existing member might wish to leave, on the ground that their membership could affect their employment prospects. That matter has not been dealt with in the Bill, as a result of the slapdash way in which it has been put together and placed before the House.
The Data Protection Act imposes strict conditions for processing sensitive personal data. Anyone processing such data must satisfy one of more of the conditions for processing that apply specifically to such sensitive data, as well as one of the general conditions that apply in every case relating to non-sensitive data. It is arguable that the Bill does not satisfy those conditions, which merely emphasises how incompatible it is with the Data Protection Act.
The conditions in schedule 3 of the Act for processing sensitive personal data are as follows. First, it is necessary for the data subject to have
“given his explicit consent to the processing of the personal data.”
The members would therefore have to consent explicitly, meaning that the assurer would have to contact all the members on the membership list, should they require the data. That would surely be impractical and, as my hon. Friend the Member for Aberdeen North (Mr Doran) said earlier, a requirement that the assurer contact everyone to obtain their explicit consent would impose an onerous burden of cost and bureaucracy on the trade unions.
The second condition in the Act states that the processing should be
“necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.”
Unless I am mistaken, however, the proposal in the Bill has nothing to do with employment law. The third condition states that the processing must be necessary
“(a) in order to protect the vital interests of the data subject or another person, in a case where—
(i) consent cannot be given by or on behalf of the data subject, or
(ii) the data controller cannot reasonably be expected to obtain the consent of the data subject”.
That should not apply in the case of a trade union member. The processing must also be necessary
“in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.”
I would imagine that, in relation to trade union membership, those conditions could be satisfied fairly easily. It is not clear that any of the proposed process is designed to protect the individual. It could therefore be argued that the Government have failed to tell us what problem they are trying to resolve, and what process they are trying to protect.
The fourth condition states that the processing must be carried out by a not-for-profit organisation and should not involve disclosing personal data to a third party unless the individual consents. Extra limitations apply to this condition, in that individual consents are required for disclosure to a third party. Will the Minister tell us whether the assurer or the certification officer are third parties? Would any investigator appointed by the certification officer be deemed to be a third party, given that they are deemed in the legislation to be independent? That would not be compatible with the responsibility of the data controller in the trade union.
In addition to those conditions in the Data Protection Act, regulations set out several other conditions for processing sensitive personal data. Their effect is to permit such processing for a range of other purposes—typically, those cases that are substantially in the public interest and that must necessarily be carried out without the explicit consent of the individual. The Government would have to put up a strong argument to convince us that checking a trade union’s membership list was substantially in the public interest, and I cannot see how the provisions in part 3 of the Bill can be deemed to be fulfil those conditions. It is difficult to construct a public interest test in relation to the annual membership list of a trade union. The nature of the consent required to satisfy the condition for processing sensitive data must be explicit. The Act particularly mentions the word “explicit”, yet it is not mentioned in the proposed new clause in the Bill.
We have tabled amendment 108 to ensure that the assurer is a person of suitable calibre. The Secretary of State should explicitly set out regulations to ensure that the assurer can demonstrate a strong knowledge of and previous compliance with the Data Protection Act and other regulations relating to data protection. Our amendment 109 provides for the removal of an assurer if they are in breach of any of the confidentiality conditions, or if the trade union has any reason to believe that it would be inappropriate for them to remain in post. Amendment 118 would raise the bar on confidentiality, requiring the assurer to take “all steps necessary”, instead of the present “all reasonable steps”, to secure obligations under the Data Protection Act and other legislation.