Freedom of Information : This page has been downloaded from the Campaign for Freedom of Information "http://www.cfoi.org.uk/howarthltr020698.html"
The Campaign for Freedom of Information

Letter to George Howarth MP, Home Office minister, about confidentiality clauses in the Data Protection Bill.

 

June 2, 1998

 

Dear Mr Howarth,

I am writing to express our concern about the confidentiality clause in the Data Protection Bill, which we believe is likely to lead to considerable unnecessary secrecy about the operation of the data protection legislation.

Under clause 56 of the Bill it will be an offence for the Data Protection Commissioner (as the Data Protection Registrar will be known) or her staff to disclose information about an identifiable business or individual except in limited circumstances. The offence will be committed even where the disclosure causes no harm to the commercial interests of the business, or the privacy of the individual. There is no provision for any such offence under the present Data Protection Act.

Equivalent offences already exist under other legislation, and their damaging impact is well documented. They prevent statutory bodies from explaining the basis of their regulatory decisions. Authorities may not be able to say whether a complaint has been found to be justified, or explain why no action has been taken when, to an outside observer, legal requirements appear to have been breached. The result is both to deny the public information about problems and create suspicion about the diligence of the authority, whose inability to offer a proper explanation for apparent inaction is likely to damage its public reputation.

This new secrecy provision appears to contradict the policy established by the last government in its 1993 Open Government white paper. This provided that in any new offences relating to the disclosure of information "the presumption will be in favour of the inclusion of a harm test" [Open Government, Cm 2290, para 8.40]. This implies that such offences should apply only to disclosures likely to damage the commercial interests of a business (for example by revealing commercially valuable information which a competitor could exploit) or the privacy of an individual. It should not apply, as clause 56 does, to any and every disclosure relating to identifiable businesses and individuals including those that have no harmful effects.

More importantly, clause 56 undermines the approach of the freedom of information (FOI) white paper (Cm 3818, para 3.20). Under the FOI Act, information held by public authorities will have to be publicly available unless its disclosure would cause "substantial harm" to specified interests such as commercial confidentiality or personal privacy. Information whose disclosure is prohibited by law will not be accessible, but existing statutory restrictions are now being reviewed with a view to repealing them or amending them to reflect the proposed substantial harm test. Clause 56 goes against this trend, not only by establishing a new secrecy provision while government policy is to remove them, but by applying its scope so widely and indiscriminately. The effect will be to exclude from access under the FOI Act information about the Commissioner's work, although similar information would have to be disclosed by other authorities.

Under the Bill, the Commissioner's staff will commit an offence by disclosing information about an identifiable business or individual unless (i) the information is publicly available already (ii) the individual or business consents to the disclosure (iii) the disclosure is made in connection with legal proceedings or (iv) the disclosure is "for the purposes of, and is necessary for the discharge of....any functions under this Act" [clause 56(2)(c)(i)]. There is also a limited public interest defence.

Although the Commissioner will have certain duties relating to the dissemination of information, under clause 50(2), these appear to be too limited to permit the release of information whose disclosure is expressly prohibited by clause 56.

The provision could prevent the Commissioner from explaining what action has been taken against a business which has been the subject of publicly reported complaints that it has misused personal data. Although the complainant could, under clause 41, presumably be told what action the Commissioner was taking, it is questionable whether even this limited disclosure could be made to anyone else, for example to a journalist or MP.

The Commissioner would therefore be prohibited from revealing:

  • the details of any misuse of data that had been discovered

  • the fact that a particular company had been the source of a large number of complaints

  • that the Commissioner had asked a company to improve its handling of personal data but that it had failed to do so

  • that an enforcement notice had been served against a particular business

  • that a business had agreed to correct a problem without formal action

  • that a complaint had proved unfounded.

Although it could be argued that such disclosures were "for the purposes of" a statutory function, it would be difficult to establish that they were "necessary" for that purpose. If they are not "necessary" they will be illegal. The prospect of committing an offence is likely to prevent the Commissioner disclosing any information about such matters. This is the view of the Data Protection Registrar, who in January stated:

"...where a journalist queries the lawfulness of a company's processing activities, a member of the Commissioner's staff could commit a criminal offence simply by confirming that the company had discussed the processing in question with the Registrar because this disclosure is clearly not absolutely necessary for the discharge of the Commissioner's functions under the Act. The Registrar has always sought to be as open as possible with the Press. She is aware of no evidence that this has caused any individual or company significant harm. She is therefore concerned that this clause could require her and her staff to be unnecessarily guarded in future." [Data Protection Bill: Criminal Disclosures by the Commissioners Staff, 29.1.98]

Although some modifications to clause 56 have been made since the Registrar made this statement, I understand from recent discussions with her office that she remains unhappy about it.

One of the changes made in the House of Lords was to limit the offence to disclosures "knowingly or recklessly" made in contravention of this requirement. This may, for example, protect an "office temp" who through oversight has not been made aware of the legal situation, but it is unlikely to be relevant in the case of the Commissioner and her staff who will be well aware of this restriction.

If prosecuted, the Commissioner would have a form of public interest defence, under clause 56(2)(e), but this is drafted in extremely restrictive terms. The Commissioner would be required to show that:

"having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary for reasons of substantial public interest"

This means that it would have to be established that:

  • the disclosure was "necessary", not just desirable, in the public interest;

  • the public interest related to the "rights and freedoms or legitimate interests" of others - a term which does not on the face of it acknowledge the public interest in the accountability of the Commissioner's work; and

  • the public interest itself would have to be "substantial".

It is hard to see why this public interest test should be set out so strictly, particularly as most of the Bill's other public interest tests are less demanding. There is no requirement that the public interest be "substantial" before:

  • a newspaper can publish personal data, under the public interest test in clause 31(1)(b).

  • a person can defend himself, on public interest grounds, against a charge that he obtained, disclosed or sold personal data without the data controller's consent [clause 54(2)(d)]

  • individuals can be refused access to information about themselves in order to avoid prejudice to a function "exercised in the public interest" [clause 30(3)(c)]

  • personal data can be processed without the data subject's consent in connection with functions of a public nature exercised "in the public interest" [Schedule 2, paragraph 5(d)]

We appreciate that clause 56 is an attempt to implement Article 28(7) of the Data Protection Directive, which requires that national supervisory authorities be subject to "a duty of professional secrecy". However, compliance with this Article does not require such an absolute prohibition on disclosure, particularly in light of the following provisions of the Directive:

  • Recital 63, which states that supervisory authorities "must help to ensure transparency of processing"

  • Recital 72 which states "this Directive allows the principle of public access to official documents to be taken into account when implementing the principles set out in this Directive"

  • Article 21(1) which provides for the publicising of processing operations, and which clearly goes beyond the requirement (separately set out in 21(2)) to establish a register.

The Registrar's view as set out in January was that the obligation of professional secrecy could be imposed without creating a criminal offence, and we would of course prefer this option. If an offence is felt to be unavoidable, it should apply solely to disclosures causing "substantial harm", thus bringing it in line with the government's freedom of information proposals. This approach would in our view still be compatible with Article 28(7).

We hope it will also be possible to extend the Commissioner's functions in relation to the dissemination of information to permit her to publicise the findings and outcome of investigations into complaints involving identifiable organisations. Finally, a less onerous form of public interest defence to charges under clause 56 would be desirable.

I am copying this letter to the Chancellor of the Duchy of Lancaster, and may also make it public.

Yours sincerely,

 

Maurice Frankel
Director


 
