§ Lord Lester of Herne Hill
asked Her Majesty's Government:
Whether the legislation governing data protection principles applies to prevent the disclosure of personal data gathered by Transport for London for the purposes of the congestion charge to other public authorities for purposes unrelated to the congestion charge. [HL1821]
§ The Parliamentary Secretary, Lord Chancellor's Department (Baroness Scotland of Asthal)
The data protection principles—a form of statutory code of good information handling practice—are set out in the Data Protection Act 1998. Among other things, the principles require personal data to be processed fairly and lawfully; and to be obtained only for specified and lawful purposes and not further processed incompatibly with those purposes. The term "processing" covers disclosure.
The Act provides exemptions from its nondisclosure provisions in circumstances where it recognises that the public interest requires disclosures of personal data which might otherwise be in breach of its requirements. In particular, Section 29 of the Act provides an exemption from the non-disclosure provisions in cases where their application would be likely to prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax, duty or similar imposition.170WA
Section 35 provides an exemption from the non-disclosure provisions where the disclosure is required by law or is necessary for the purposes of legal proceedings, obtaining legal advice or establishing, exercising or defending legal rights.
Additionally, Section 28 provides a wide exemption from the Act's provisions, including the data protection principles, to the extent required for the purpose of safeguarding national security.
It is for Transport for London to ensure that its processing of personal data complies with the data protection principles or meets the terms of a relevant exemption. The Data Protection Act is administered independently of the Government by the Information Commissioner. Any directly affected person may request the commissioner to make an assessment as to whether it is likely that any processing of personal data has been or is being carried out in compliance with the Act.