As the noble Lord is aware, Concentrix was not the only incident in which there were data breaches. They have happened not only in the context of parties operating with government but also entirely in the private sector. So far as I am aware, no one has made a claim for infallibility where data protection is concerned. Albeit that we aspire to the highest standards in data protection, we are not making claims of infallibility.
The noble Lord, Lord Collins, also referred in the present context to the GDPR, which will come into effect as a European regulation in May 2018. I reiterate that the provisions in Part 5 of the Bill are compatible with the GDPR. The noble Lord appeared to take some issue with that term, but let me be clear: the provisions of Part 5 are drafted in such a way as to be compatible with the regulation. When the regulation comes into direct force, we will look at the provisions of the Act and the codes of practice to ensure that they are consistent with it. That is the way in which these things are done. The regulation is not yet in force and will be applied to the existing statutory structure from May 2018. I reassure him that it has always been intended that Part 5 of the Bill should be compatible with the regulation, for very obvious reasons.
Then there is the matter of the draft codes of practice. At this stage they are, of course, a draft. Those drafts have incorporated comments and advice from practitioners right across the public sector, from the Information Commissioner and from the devolved Administrations, so they have brought in that body of knowledge at this stage.
4.30 pm
We are of course aware that the Delegated Powers Committee has made a series of observations on these matters. As the noble Lord so ably anticipated, we are considering its recommendations. With regard to timescale, we fully intend to respond to those recommendations before we reach the Report stage of the Bill. I cannot be more precise at this stage but clearly it is in everyone’s interest that we should be able to respond within such a timescale. That certainly is our present intention.
Perhaps I may move on just a little. Amendment 80 requires that additional approval be obtained where information received under the powers is to be used for purposes other than the specified objective. Again, one is reading this against the background of the DPA. While we appreciate the need for limitations on these powers, this amendment would undermine the policy rationale behind including these exceptions. Information-sharing could highlight problems or issues where public authorities would be expected to act. Exceptions included in our powers include investigating criminal activities, safeguarding vulnerable adults or children, and protection of national security. These exceptions are included to enable action to be taken in respect of matters of pressing public interest.
As I mentioned earlier, the second data protection principle of the Data Protection Act requires that data shall be obtained only for a specified purpose and shall not be further processed in a manner incompatible with that purpose. If a data controller wishes to make use of information for a purpose other than the one for which it was originally gathered, fairness will be a key consideration in deciding whether the additional purpose is compatible with the original purpose. The restrictions on use of personal information in these clauses are therefore intended to be consistent with this approach, and all processing of data under the powers must, I repeat, be compliant with the DPA. The combination of the restrictions in our gateways and the existing rules under the DPA mean that, in our view, this additional approval requirement, as set out in the proposed amendment, is not required.
I turn to Amendment 80A, which seeks to remove the provision from the public service delivery power which enables persons providing services to a public authority, such as charities and private companies, to be listed as “specified persons” permitted to make use of the power to share information. This in effect would mean that only public authorities can be “specified persons” as defined by the Bill.
We posed the question of whether such bodies should be included within the definition of specified persons within our public consultation on these powers. The majority of respondents supported their inclusion. After all, effective public service delivery depends on multi-agency co-operation, and increasingly this involves charities and private and third-sector organisations. Bodies outside the public sector provide public services in a way that often leaves them holding valuable information about public services. It is important that public authorities can access this information to improve public service delivery. These powers provide for a consistent and transparent framework for sharing information. Removing the ability of public authorities
to share with charities and private sector organisations in this way would significantly restrict the effectiveness of the public service delivery provisions.
I turn to Amendment 85, tabled by my noble friend Lady Byford. This amendment intends to restrict the exceptional purposes for which personal information may be used or disclosed for purposes other than the specified objective by limiting the existing exceptions to circumstances where the information has already been made lawfully available to the public or the data subject consents. I remind noble Lords that public authorities would need to apply the DPA, and specifically its third principle of data minimisation, to the processing of personal information under these powers. As such, only personal information that is necessary to fulfil the specified purpose will be shared.
The noble Baroness, Lady Byford, raised the question of power suppliers having certain powers. Those powers are circumscribed by the principles enunciated in the Data Protection Act. It is in that context that these powers have to be considered. That includes the reference to anti-social behaviour, a point taken up by the noble Baroness, Lady Hamwee. As she perhaps anticipated, I was going to quote the fact that Article 8 of the convention refers not just to “crime” but to “disorder or crime”. One has to remember that there is a need for respect for private life, but that need for respect for private life works in two directions. Those who are victims of anti-social behaviour also have a right to a private life. It is in that context that we have to consider these provisions.
The noble Baroness, Lady Hamwee, then embraced all the remaining amendments in the group, and I shall respond to them shortly. Amendments 94 to 98, 122 to 127, 142 to 146 and 164 to 168 relate to the public service delivery, debt, fraud and research powers and seek to impose tighter controls restricting the onward disclosure of personal information disclosed under these powers. Clauses 34, 43, 51 and 59 prohibit the onward disclosure of personal information disclosed under the powers. Anyone who knowingly or recklessly breaches that prohibition will commit an offence. The limited exceptions to this general prohibition are set out in subsection (2) of each clause and have been drafted with input from other government departments to ensure that the Government comply with their obligations—for example, in terms of disclosing documents following court orders—and that our unlawful disclosure provisions do not have unintended consequences for operational arrangements, such as those supporting the police and other emergency services.
Amendments 94, 122, 142 and 164 propose limiting some of these exceptions to what is “required by” rather than “permitted by” existing legislation. The remaining amendments restrict further disclosure of such personal information to where its disclosure is necessary in certain circumstances, such as for the purposes of a criminal investigation or national security. I respectfully suggest that these amendments are not necessary. The principle of data minimisation, which I have already alluded to, applies to the processing of personal information under these powers, and so only that which is necessary to fulfil that purpose will be shared. Preventing the use of these powers for the
onward disclosure of information where it is already permitted under existing legislation would simply introduce unnecessary complexity and could inhibit the disclosure of information for legitimate purposes.
On that basis, I invite the noble Lord to withdraw the amendment. I say very fully that these are well-intentioned amendments because we understand what lies behind them and why the probing amendments in this group have been tabled.