HC Deb 19 May 1989 vol 153 cc652-8

Motion made, and Question proposed, That this House do now adjourn.—[Mr. Chapman.]

2.30 pm
Mr. Harry Cohen (Leyton)

I have just come from the opening of a sheltered housing project in my constituency. It was opened by Frank Bruno and halfway through my speech big Frank boomed out, "Thank you Harry." I do not think that the Minister will be saying that at the end of the debate.

I welcome the debate because it gives me the opportunity to draw to the attention of the House the Government's neglect of the Data Protection Act 1984. The Government are riding roughshod over that Act and in many cases using the loopholes in it to undermine individual privacy. As my hon. Friend the Member for Manchester, Blackley (Mr. Eastham) has said, it is not only the Government who do that. Individual privacy is also seriously damaged by organisations such as the Economic League, which keeps a blacklist of names and details of thousands of people who may be active, perfectly legally, in the trade union movement, in CND, the anti-apartheid movement and in many other lawful organisations.

I shall start by dealing with the Government's abuse of the Data Protection Act by reminding them of the words in the 1975 White Paper "Computers and Privacy", which stated what then seemed obvious: The time has come when those who use computers, however responsible they are, can no longer remain the sole judges of whether their own systems adequately safeguard privacy". What do those resounding words imply? They imply that the controller, owner or collector of data, even if they are the Government, cannot be the sole judge and jury with respect to the personal data that are collected, processed, used or disclosed. As I hope to demonstrate, the Government are currently active as both judge and jury on this personal information and they have a record of disregarding all eight of the data protection principles.

The first data protection principle is, in theory, supposed to let people know what happens to their personal data. To guide data users, the data protection registrar in his guideline No. 4 has advised them to Explain to the individual why information was required". He has also advised people to ensure that individuals are not misled as to why the information is required, or why it will be used or disclosed". That advice is ignored by the Government, who daily mislead people with respect to the poll tax and the electoral register. According to the Scottish Office, none of the departmental propaganda distributed by the Government informs Scottish poll tax payers how their personal data will be collected and compiled from hitherto confidential sources to form the poll tax register. That information is contained in Hansard of 5 May 1988 at column 534. The same is true of the "Ridleyspeak" poll tax publication from the Department of the Environment.

I do not wish to cover a lot of ground unnecessarily, so I refer the Minister to the explanatory memorandum of my Poll Tax (Restoration of Individual Privacy) Bill, which attempts to give poll tax data the same legal protection as data for the national census. Aptly introduced on St. Valentine's day, it also commemorates the Government's massacre of individual privacy. I refer the Minister to Hansard of 5 March 1987, which shows that the Government have continually refused my request that voters he told when their details are sold on to third parties. The Government have also refused to redesign electoral registration forms to give voters the option of saying whether they want their names and addresses to be sold.

The second data protection principle relates to the need to register all the specified purposes for which information on individuals is kept with the data protection registrar. It comes as no surprise that the second largest Government Department, the Ministry of Defence, has one of the smallest numbers of registrations—only 16. The reason given is national security. In exploring this subject, it is important to repeat what the report of the Lindop committee on data protection said about public trust. In section 23.21, Lindop said that, with independent supervision, the security services would be open to the healthy—and often constructive—criticism and debate which assures for many public servants that they will not stray beyond their allotted functions. Instead, the opposite occurs, and section 27 of the Data Protection Act is designed to give the national security apparatus a free hand. Thus, many personal data details are kept from the registrar's minimal supervisory powers, and the Government act as judge and jury on how this applies for national security purposes. That undermines the status of the second data protection principle.

The third data protection principle deals with disclosures of personal data. The legal position with regard to disclosing personal data is positively dangerous. In many cases, a "non-disclosure" exemption applies. This awful piece of jargon means that the disclosure is not subject to the requirements of the third data protection principle, that it need not be registered with the data protection registrar and that because of section 26(3)(b) of the Data Protection Act, it is not subject to the enforcement powers of the registrar in relation to all eight data protection principles. In short, the registrar does not know when these disclosures take place, and if he did know, he would have no powers in relation to them.

A small list of "non-disclosure" exemptions shows the full extent of the registrar's impotence in law to control disclosures. These are the exemptions. The first relates to any disclosure of personal data held by any organisation if it is required by law for the poll tax register. Even the Minister of Social Security can breach a previous duty of confidentiality. Second is any disclosure from any Government Department to the police for the purpose of prevention and detection of crime. That is almost open-ended. Third is any disclosure from any Government Department to the Inland Revenue or to VAT officers for the purpose of assessment of any tax or any duty. Forth is any disclosure from any Government Department for the purpose of national security. Fifth is any disclosure to or from any Government Department to or from any other organisation if there is a legal power authorising the disclosure. I shall not dwell on this small list of illustrative disclosures that the registrar cannot oversee, as their breadth and scope speak for themselves.

The fourth data protection principle deals with the adequacy and relevance of personal data to the specified purpose for keeping it. In the debate on the new housing benefit regulations, my hon. Friend the Member for Livingston (Mr. Cook) and the hon. Member for Southwark and Bermondsey (Mr. Hughes) both pointed out that, due to the lateness of the DSS regulations, local authorities would not have the complete software to administer the regulations, and staireciuld not be properly trained. In the same debate, my hon. Friend the Member for Newham, North-West (Mr. Banks) said that the tardy performance of the DSS meant that Newham council software could not accept manual corrections.

These problems have repeated themselves with the social fund and poll tax rebates in Scotland. According to the lead story in Computer Weekly on 3 November last year, claimants are being left in the dark about their repayments because the software producing their figures is unreliable and faulty. A reply to my hon. Friend the Member for Bradford. West (Mr. Madden) on 5 December 1988 shows that the Government had to wait until version six of the software before there were significant reductions in software difficulties. In other words, the Government admit that they have inflicted the unreliable versions one to five on the public, in the knowledge that inaccuracies would result. They have also tolerated contraventions of the fifth data protection principle by casting considerable doubt on the accuracy of data held for benefit purposes. In their indecent haste to short-change the poor, the Government have a track record of ensuring that personal data required to administer their new regulations are inadequate or inaccurate for the purpose of providing benefit. So much for the fourth and fifth principles.

Another example of the Government's disregard for the spirit of the fourth data protection principle arises in the Scottish poll tax regulations, under which everyone must provide his date of birth for the reason of identification. There may be two John Smiths living at the same address in Edinburgh, but the Government do not say that it is only if there is more than one person with the same name that dates of birth should be provided. Instead, they prefer the authoritarian solution of making everybody supply a date of birth. In the vast majority of cases, therefore, the poll tax officials have information that is excessive for the purpose of collecting the poll tax. That has sinister implications as the information could be used to compile a data network covering everyone.

The sixth data protection principle calls for personal data to be deleted if it is no longer required, but that, too, is being disregarded. I refer the Minister to my Adjournment debate on 20 February 1987. The police still keep all criminal records for at least 20 years. Many of those records are on line and available to all police officers in all circumstances when they tap into the police national computer. That is a breach of the spirit of the sixth data protection principle and undermines it because the data is hardly ever deleted. That practice certainly undermines the Rehabilitation of Offenders Act 1979. Some of those old records are inconsequential, but are now being regurgitated in job-vetting procedures which are being increasingly adopted by the Government, local authorities and health authorities.

The seventh principle allows for subject access, but there is a perverse aspect in that third parties are obliging people to use their right of access to police records before those third parties confer employment or benefit to them. The Minister knows full well that some English local authorities are vetting taxi drivers before they apply for licences. That sort of vetting should not arise through the back door of an Act that is supposed to extend liberties, not deny them.

Access itself is far too costly, as was shown by the answers to my parliamentary questions in October 1987. It costs a data subject a maximum of about £900 to have access to all the register entries from the Department of Employment; £720 for those from the Scottish Office; and from the Minister's Department it is a snip—real value for money—at a maximum of £700. That is to be compared with the registrar's suggested fee in his third annual report of between £3 and £5 for access to all files on an individual held by a data user. That figure was based on a comprehensive survey of members of the public, but it has been ignored by the Government.

Recent surveys at the end of last year by the National Consumer Council, the consumer magazine Which? and the Freedom of Information Campaign have all shown that the cost of subject access is seriously deterring data subjects from exercising their rights under the law. With only millionaires eligible to regard subject access to Government files as an option, it is not surprising that ordinary members of the public are not springing into action to exercise their rights. In March last year, I was told that the Home Office had received 16 requests when it had expected between 5,000 and 50,000. Such is the scale of the Government's undermining of one of the basic rights of the Data Protection Act.

With regard to the last data protection principle, I am concerned that the Government seem to equate the eighth principle, which deals with the security of personal data, with individual privacy. For example, in the one debate on the Government's data network, the Government stated that privacy is related to "unauthorised access". Government Departments, it is said, will have to authorise disclosures which will be logged, scrutinised and audited to ensure privacy.

That is not good enough. The carefully abridged specification for the Government's data network, as placed in the House of Common's Library, anticipates new data interchanges between Departments of state. In relation to the Government's data network, I repeat my earlier point that those activities are not subject to the independent scrutiny of the data protection registrar. The registrar cannot see the detailed list to which I referred earlier. Until an element of independent scrutiny is introduced, the Government data network should not proceed another step. The current position is best described by a parody of the White Paper statement—the time has come for the Government to be sole judge as to how far the Government's data network can invade privacy.

My final comments relate to codes of practice. As the Minister is aware from his recently legalised readings of "Spycatcher", page 360 states: the main interest F Branch of MI5 had in the Computer Working Party was to establish widespread computer links, principally with the National Insurance computer in Newcastle. Concerned by that, I asked the Home Secretary on 9 March 1988 about a code of practice for national security purposes. I was told that there was no advantage in a code of practice in this area."—[Official Report, 9 March 1988; Vol. 129, c. 195.] I then asked whether some information, which would not compromise national security, could be given to the data protection registrar. I was told: Such arrangements are not required by the Data Protection Act".—[Official Report, 31 March 1988; Vol. 130, c. 679.] That completely undermines the concept of codes of practice. If MI5 holds much personal data about an individual's political activities—on 6 April last year The Guardian estimated that data was held on 1 million individuals—if MI5 can link to Government Departments such as the DHSS computer at Newcastle and we can only read about that in books which the Government want to ban, and if the Government data network will link the Home Office to other Departments when the Home Office is responsible for internal national security issues, I think that some code of practice is essential to restore public confidence.

Before I finish, I must state that my expectations are not high. The Government have a track record of invading the BBC, cajoling the IBA, promoting identity cards, legalising burglary, tightening official secrecy and introducing the poll tax. Systematically undermining the Data Protection Act is about par for the course.

2.48 pm
The Minister of State, Home Office (Mr. Tim Renton)

I congratulate the hon. Member for Leyton (Mr. Cohen) on securing this afternoon's debate and for the cogent manner in which he set out his concerns. At the risk of breaking with the practices of the House, I will echo the words of Frank Bruno and, with the exception of the hon. Gentleman's final few sentences say, "Thank you, Harry."

If I may say this without being patronising, the hon. Member for Leyton has built up a very good knowledge of the intricacies of the Data Protection Act 1984 which is not a subject on which many hon. Members are expert. He has also built up a great knowledge of its underlying principle of the protection of the privacy of individuals in respect of personal data which is processed automatically. I know that he has tabled a number of parliamentary questions on the question because it has fallen to me regularly over the past two years to answer them. He further demonstrated his concern when he introduced the Data Protection Act 1984 (Amendment) Bill 1987. There is no question of the Government neglecting the Data Protection Act 1984 or of breaking it in spirit or deed.

As to the community charge, the Local Government Finance Act 1988 is very restrictive on the sources from which data can be obtained and on the disclosures that can make use of that data. The Department of the Environment was mindful of the views of the data protection registrar and of others when that legislation was prepared, and the registrar issued guidelines that go beyond the Act's statutory requirements.

On the question of whether the same principles should apply to security or crime investigations, sections 27 and 28 of the Act set out limited exceptions to the normal operation of the legislation, and section 29, which deals with mental health, makes the point that the nondisclosure rule is in the interest of data subjects. Most right hon. and hon. Members, including, I hope, the hon. Member for Leyton recognise the prime importance attached to national security—not least in tackling crime —and that it is not feasible to apply exactly the same constraints to such activities as to the generality of data use.

I was surprised at the hon. Gentleman's assertion that only a millionaire can afford to exercise his access rights. That seems to be going too far. Up to £10 may be charged by a data user for granting subject access in an individual case.

Mr. Cohen

That charge can be imposed every time.

Mr. Renton

I know that it can be imposed for each right of access, but some data users charge nothing in certain circumstances. The hon. Gentleman said that only 16 requests for data access have been made to the Home Office. I suggest that that is not because of the £10 charge —even if the various Home Office departments do charge the maximum—but because there is a lack of interest on the part of data subjects in having access to their data files.

Of more general interest, which I am sure the hon. Gentleman shares, are the two reviews now being undertaken on the implementation of the Act. One is by the data protection registrar himself, for the purpose of monitoring and assessing the implementation of the legislation with whose enforcement he has been entrusted. In May 1988, the registrar circulated a registration document entitled "What are your views?" About 2,100 copies were distributed and responses on some or all the subjects covered were received from 149 persons, companies or associations. I understand that the hon. Gentleman himself was among them.

The registrar is analysing those responses and will compile his own views on the charges that might be appropriate in the light of experience. I understand that it is the registrar's intention to publish the analysis and his conclusions when his next annual report is published on 12 July. That will provide a helpful picture of the Act's effects and what respondents would like to see done for the future.

The registrar's analysis and conclusions will form part of the input to the interdepartmental review committee comprising officials of the Home Office, Department of Home and Industry and Department of Employment, with the data protection registrar serving as consultant and adviser, that was announced on 4 July 1988. Its terms of reference are: To review the Data Protection Act 1984 in the light of experience gained during its implementation, with particular reference to the impact on data users of the registration requirements; and to make recommendations. If we were serious about neglecting the Act, as the hon. Gentleman claims, we would not go so far as to encourage and help the registrar in producing his consultation document and to establish the interdepartmental committee. That is not the work of a Government who wish to neglect the Act.

The committee was set up to look at the representations about the burden of the registration arrangements which I know have been made to the Government and to the registrar by trade associations and individual companies, especially smaller companies—the data users—who in the early days said that the forms were excessively complicated. However, the work of the committee will go wider than that. It will examine all aspects of the Act's implementation and consider whether any changes are needed in the interests of data users, data subjects, or both.

As part of its work, the committee has also looked at the registrar's consultation document and its circulation to see whether, in its view, it adequately covered the field of interest or whether it needed to seek additional evidence. It has decided that the registrar's study, both in its scope and in its coverage of possible respondents, would render unnecessary any further consultation outside Government. Should the Government conclude, after completion of the review, that significant changes to the legislation were necessary, they would of course need to carry out their own consultation exercise on the basis of a set of specific proposals. The decision to rely on the registrar's very full consultation exercise will enable the review committee to make more rapid progress than would otherwise have been the case.

Mr. Cohen

I understand that the Government might want to do their own consultation after the registrar's. However, I hope that that will not be an excuse for a long delay in reforming and improving the Act. Will the Minister give a commitment that the registrar will be able to look in his review at sections 27 and 28 which I have described as inadequate and which, as I have said, run counter to the theme of the Lindop report?

Mr. Renton

The hon. Gentleman must not look for guile where there is none. The purpose of setting up the independent inter-departmental committee was, as I have said, to look specifically at the impact on data users of the registration requirements. The registrar is close to the end of his consultation exercise because the decisions are to be published on 12 July, which is just over two months away.

In order to make progress, the registrar—the adviser to the committee—has agreed that the committee may have sight of his preliminary conclusions. When those conclusions have been published, I am sure that the hon. Member for Leyton, with his expert knowledge of the issues, will avail himself of the opportunity, if he so wishes, to make further representations to the registrar.

I am not, of course, in a position today to foreshadow the contents of either the registrar's report or of the committee's conclusions. Equally, I am not in a position to say whether and when there would be amending legislation. But I can assure the hon. Gentleman that the points he has made today will be taken into account by the committee, and in turn by Ministers, before the Government announce their conclusions on the basis of experience to date of the operation of the Act.

I am grateful to hon. Gentleman for giving us a further opportunity to give this important subject an airing. I hope that what I have been able to say in this short debate may set at rest some of his doubts and suspicions.

Question put and agreed to.

Adjourned accordingly at two minutes to Three o'clock.