A series of amendments to the Data Protection Bill were drafted by the Campaign for Freedom of Information and tabled by Richard Shepherd MP at the bill’s report stage in the House of Commons on 2 July 1998. The amendments (which appeared as numbers 15-17 on the order paper) were all debated, but none of them was passed. This briefing explains their purpose.
The amendments reflect concern about a new prohibition on the release of information in clause 59 of the Bill. This will make it an offence for the Data Protection Commissioner (as the present Data Protection Registrar will be known) or her staff to disclose information about any identifiable business or individual, other than in very limited circumstances. The offence would be committed even if the disclosure caused no harm, for example, to commercial confidentiality. No such offence exists under the current Data Protection Act.
The clause is likely to prevent the Commissioner from publicly identifying business which have been found to be misusing personal data about individuals, for example, by obtaining data through deception or selling private information for commercial purposes. The Commissioner may be unable to reveal that:
she has received large numbers of complaints about a particular company
a company has failed to respond to requests to improve its practices
an enforcement notice has been served against a firm
Equally, it may be an offence to reveal that:
a business has agreed to correct a problem without formal action
a complaint had proved unfounded.
The Registrar has herself expressed concern at this new provision, which she says may “require her and her staff to be unnecessarily guarded in future“.1 The result may be both to deny the public information which it ought to have, and to undermine public confidence in the Commissioner’s work by preventing her for explaining what action she has taken to deal with complaints relating to matters of public concern.
The offence is not limited to disclosures likely to cause actual harm, but will be caused by any disclosure of any information about an identifiable business. This :
* contradicts the policy established by the last government. Its 1993 Open Government white paper provided that in any new offences involving the disclosure of information “the presumption will be in favour of the inclusion of a harm test“.2
* is also inconsistent with the present government’s proposals for a Freedom of Information (FOI) Act. The FOI white paper proposes that information should only be withheld where disclosure would cause either “harm” or “substantial harm” to specified interests. Existing statutory restrictions on disclosure are being reviewed with a view to repealing or amending those which do not reflect the proposed harm tests.3
During the Data Protection Bill’s Committee stage in the House of Commons, an amendment was tabled by Mr John Greenway to restrict the offence to information which “is potentially damaging”. This was not accepted by the Government.4
The Government says that the new offence is required by the European Data Protection Directive, which states that national supervisory authorities must be subject to “a duty of professional secrecy”. However:
* the Registrar’s view, as expressed this January, is that this obligation can be met without a new criminal offence.
* The Directive itself contains a number of pro-disclosure provisions would permit a far more balanced approach. These include Recital 72, which states: “this Directive allows the principle of public access to official documents to be taken into account when implementing the principles set out in this Directive” and Recital 63 which states that supervisory authorities “must help to ensure transparency of processing“.
The Government maintains that the restriction is not as serious as it appears because the Commissioner has a discretion to release information under Clause 51(2). This states:
“The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of such information as it may appear to him expedient to give to the public about the operation of this Act, about good practice, and about other matters within the scope of his functions under this Act…”
However, precedent under similar provisions suggests that this may be of limited value. For example, the Health and Safety Commission and Executive are prohibited from disclosing information unless it is for the purpose of their functions 5 but are also required to ensure that people concerned with matters relevant to the purposes of the Health and Safety at Work Act are “kept informed of, and adequately advised on” those matters.6 It interprets these two requirements restrictively, and says that it is prohibited from revealing information about individual premises unless to do so “would directly prevent risk…[or] is necessary to protect health and safety“.7 Requests for information about identifiable premises from people who are not themselves in danger – including Members of Parliament, researchers and journalists – are usually refused.
The explicit prohibition on releasing information about identifiable businesses is therefore likely to override the Commissioner’s general discretion to release information, unless under clause 59(2)(c), disclosure is “for the purposes of, and is necessary for, the discharge of…any functions under this Act“. It will be extremely difficult to demonstrate that a particular disclosure is necessary for any function under the Act. If the function can be discharged without the disclosure, the disclosure will not be necessary – and would be illegal.
Clause 59(2) also permits disclosure in certain other limited circumstances, for example, where the information is publicly available already; the individual or business concerned consents to the disclosure; or where disclosure is made in connection with legal proceedings. It also provides a limited, and highly restrictive, public interest defence.
The proposed amendments
The amendments would:
1. require the Commissioner to maintain a public register of enforcement notices. The disclosure of these notices might otherwise be an offence
2. permit (but not require) the Commissioner to reveal the results of an assessment of whether a particular business is complying with the Act. At present, this information can only be revealed to the person asking for the assessment. Its disclosure to an MP or journalist could be an offence
3. strengthen the public interest defence available to the Commissioner or her staff
Page 24, line 28, [Clause 40] at end insert:
‘(7A) The Commissioner shall maintain a register containing:
(a) a copy of every enforcement notice issued under this section;
(b) such other particulars relating to such notices as the Secretary of State may by order prescribe.
(7B) The provisions of sections 19(6) and (7) shall apply in relation to the register maintained under this section as they do in relation to the register maintained under section 19(1).’
Under clause 40(1) the Commissioner may serve an enforcement notice where it appears to her that a data controller is contravening any of the data protection principles.8 The notice may require the controller to take specified action or stop processing data.
The amendment would require a register of such notices to be set up (new subclause 7A). The register would have to be available to the public free of charge at all reasonable times Certified copies of entries from the register could be obtained on payment of any prescribed fee. This is done by new subclause 7B, which applies the existing provisions of clause 19(6) and (7) which relate to the main Data Protection Register, to this new register. Those provisions are as follows:
19 (6) The Commissioner –
(a) shall provide facilities for making the information contained in tthe entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours and free of charge, and
(b) may provide such other facilities for making the information contained in those entries available to the public free of charge as he considers appropriate.
(7) The Commissioner shall, on payment of such fee, if any, as may be prescribed by fees regulations, supply any member of the public with a duly certified copy in writing of the particulars contained in any entry made in the register.
The amendment would bring the Data Protection Bill into line with existing legislation such as the Environment and Safety Information Act 1998 and the Environmental Protection Act 1990 9 which require the establishment of public registers of enforcement notices about environmental and safety hazards.
Subparagraph (b) of the amendment would allow the Secretary of State, by order, to require that other information relating to such notices be included on the register. This would allow the fact that a notice had been cancelled (under clause 41), or was the subject of an appeal (under clause 48) to also be recorded. It might also permit the person on whom the notice had been served to add a statement of explanation or mitigation to the register.
Page 41, line 4, [Clause 67], at end insert “section 40(7A)(b)”
The preceding amendment would create a new order making power. This will require a consequential amendment to clause 67, which deals with the procedures by which orders are to be introduced. The amendment indicates that this order would be made under the affirmative procedure.
Page 25, line 20 [clause 42] at end insert –
‘and may, if he considers it appropriate, inform any other person’
Under clause 42(1) a person who believes that he or she has been directly affected by any processing of personal data may ask the Commissioner for an assessment of whether the processing breaches the Act’s requirements. After carrying out the assessment the Commissioner must inform the applicant “to the extent that he considers appropriate…of any view formed or action taken as a result” [clause 42(4)(b)].
However, while the applicant must be informed of the outcome, the Commissioner may commit an offence under Clause 59 by revealing the same information to any other person. Thus, even though there may have been a well publicised complaint about a particular practice, the Commissioner may not tell anyone (including a journalist, MP or another potentially affected person) about her findings.
The amendment allows (but does not require) the Commissioner to make such disclosures. (However, a requirement may arise under the proposed Freedom of Information Act).
The discretion is appropriate in this case, since where a complaint relates purely to the circumstances of an individual applicant, wider disclosure may not be appropriate. However, where the issue is of general concern, and affects large numbers of people, disclosure may be justified – for example, if it reveals that a bank is failing to safeguard personal data about its customers.
(Note: There is no reason why the level of disclosure proposed in the amendment should be thought to contravene the “obligation of professional secrecy” required by the Directive, given that the Directive also provides that supervisory authorities “must help to ensure transparency of processing” [Recital 63])
Page 36, line 44 [Clause 59]
leave out “necessary for reasons of substantial” and insert “in the”
A public interest test is available, under clause 59(2)(e), should the Commissioner (or a member of her staff) be prosecuted for an offence relating to the disclosure of information. The test is particularly restrictive. Amendments 17 and 18 both seek to remove some of the restrictive features.
Clause 59(2)(e) provides that no offence is committed if:
“having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary for reasons of substantial public interest”
This means that it would have to be established that:
* the disclosure was “necessary”, not just desirable, in the public interest;
* the public interest related to the “rights and freedoms or legitimate interests” of others – a term which does not on the face of it acknowledge the public interest in the accountability of the Commissioner’s work; and
* the public interest itself would have to be “substantial”.
It is hard to see why this public interest test should be set out so strictly, particularly as most of the Bill’s other public interest tests are less demanding. For example, there is no requirement that the public interest be “substantial” before a newspaper can publish personal data, under the public interest test in clause 32(1)(b).
Amendment 17 would remove the requirement that the disclosure be “necessary” and that the public interest be “substantial”. The defence as amended would read:
“having regard to the rights and freedoms or legitimate interests of any person, the disclosure is in the public interest”
Page 36, line 44 [Clause 59]
leave out “substantial”
This is an alternative to Amendment 17. It would delete the word “substantial” but retain the word “necessary”. The amended provision would then read:
“having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary for reasons of public interest”
It is effectively identical to Amendment 46 tabled by the Home Secretary. Under the Home Secretary’s amendment the provision would read:
“having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”
The word “necessary” would remain a problem under both Amendments 18 and 46. A disclosure which was only “desirable” in the public interest, but not “necessary” would not be permitted, under these amendments.
Campaign for Freedom of Information, July 2, 1998
1. Data Protection Registrar, ‘Data Protection Bill: Criminal Disclosures by the Commissioner’s Staff’, 29.1.98
2. Open Government, July 1993, Cm2290, para 8.40
3. Your Right to Know, December 1997, Cm 3818, para 3.20
4. Data Protection Bill, Standing Committee D, 10th sitting, 2 June 1998 (morning) cols 266-270
5. Health and Safety at Work Act 1974, sections 28(3)(b) and 28(7)(a)
6. Health and Safety at Work Act 1974, section 11(2)(b)
7. Health & Safety Executive, General Administrative Procedures, No. 1, August 1995, para 1.B11
8. Eg if personal data is being obtained unfairly or unlawfully, in contravention of the First Data Protection Principle
9. See section s20(1), 64(1) and 122(1) of the 1990 Act which require registers containing enforcement notices relating to premises subject to Integrated Pollution Control, waste disposal and genetically modified organisms.