COMMENTS OF THE DATA PROTECTION REGISTRAR ON

DATA PROTECTION: THE GOVERNMENT'S PROPOSALS (CM 3725)

1. We generally welcome and support the Government's proposals especially the way in which they are set in the context of fundamental rights and the Government's policy of bringing rights home. Clearly much work has still to be done on the important detail of the legislation and we look forward to working constructively with Home Office officials on those outstanding matters.

Chapter 1 - Introduction

2. We welcome the Government's decision to implement the EU Data Protection Directive ('the Directive') by primary legislation and to continue the present seamless data protection regime by establishing a 'single overall data protection framework, with appropriate provision for activities outside the scope of EC law' (para 1.13).

3. paras 1.4-1.6 Particularly pleasing is the clear recognition in the proposals of individuals' right to privacy in respect of personal data which is derived from individuals' right to respect for their private life as set out in Article 8 of the European Convention on Human Rights. In our view it would be helpful to controllers and data subjects alike if the Bill could include a direct reference to Article 1.1 of the Directive which requires Member States to 'protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data'. This would help draw attention to the context in which the new UK data protection legislation is placed and to the general approach which should be adopted when the legislation is implemented.

4. para 1.7 We are concerned that legislative proposals for introducing Freedom of Information should take full account of the points where freedom of information and data protection and privacy issues meet and where there is potential tension between the two regimes. We look forward to continuing to contribute to discussions with those working on these related issues.

5. para 1.9 Data protection legislation requires the balancing of different interests. The issue is how to strike the balance. We understand the Government's wish 'as far as it possibly can...to avoid placing additional burdens on business and other users of personal data'. We support this approach, provided that it is subject to respect for the privacy of individuals' personal information and the proper handling of that information.

6. para 1.10 We wish to simplify the present administrative arrangements where possible, provided this can be achieved without diminishing the protection afforded by the existing legislation or undermining the effective enforcement of the new law. Indeed to the extent that it is possible within the present law, we have already begun simplifying the registration system.

Chapter 2 - Definitions, Scope and Extent

7. paras 2.8-2.14 Personal data filing system: The proposals relating to manual (ie non-automated) records are indeed 'complex' (para 2.14). We hope that the detailed drafting in the Bill will produce a formula of sufficient clarity for data users as they seek to determine whether their manual records come within the scope of the legislation.

8. para 2.21 National security: We recognise that the new law should make provision corresponding to section 27 of the 1984 Act. But we repeat the concern expressed in 'Our Answers' (para 10.30): 'The extension of the role of the Security Service into areas of traditional policing should not carry with it an extension of the exemptions provided by section 27'.

9. para 2.23 Geographical Extent: We acknowledge that further work has to be done on the application of Article 4 of the Directive to our law.

Chapter 3 - The Main Rules Governing Processing

10. paras 3.1-3.2 Safeguards: The Government proposals for possible safeguards would provide a useful starting point for drawing up a list from which appropriate safeguards could be drawn. In our view this should be a dynamic list with additional safeguards being added as required by, for example, changing circumstances, new processing operations or the use of new technologies. At this point we suggest the addition of two safeguards to the Government list. The first is that a privacy impact assessment be undertaken by the controller of the proposed processing operation at the design stage to establish what risks the particular processing operation poses to individuals' privacy and to identify what safeguards are required. The second is that as part of the design process formal consideration be given to identifying how the system design could incorporate the Privacy Enhancing Technologies' design philosophy.

11. paras 3.3-3.8 The Data Protection Principles: We believe the retention of the eight data protection principles and statutory interpretation provisions, amended to reflect the requirements of the Directive, will helpfully emphasise the continuity between the present and new laws. That retention should assist data users and help to preserve flexible enforcement.

12. para 3.14 Enforced Subject Access: The practice of enforced subject access has been of concern to us for a considerable period of time. It is our firmly held view that the most effective mechanism to address the problem is to make enforced subject access a criminal offence. This deals with the mischief whilst protecting the right of subject access. We hope that consideration of the responses to the recent consultation will soon be concluded and we look to see a speedy resolution of this long-running and difficult problem.

Chapter 4 - Special Cases

13. paras 4.6-4.7 Medical research: We note the suggestion that the obligation to obtain the prior approval of a research ethics committee for the processing of personal data for medical research might satisfy the requirements of Article 8.4 by providing a suitable safeguard. We are anxious that there should be no confusion here in the light of the requirement of Article 6.1(a) for personal data to be processed fairly and lawfully. Satisfying an exemption provided by Article 8.4 for reasons of substantial public interest would not provide a legitimate basis for processing personal data in breach of a duty of confidence. The public interest in the confidentiality of personal data held for medical purposes will not be overridden simply because a research ethics committee judges that it is in the public interest for particular research to be carried out.

14. para 4.8 Criminal records: The Government proposes to allow the processing of personal data relating to offences, criminal convictions and security measures not only under the control of official authority but also in 'other circumstances' subject to suitable specific safeguards being complied with. It is not yet clear what those 'other circumstances' might cover. The Police Act 1997 provides for the Secretary of State to issue individuals with a Criminal Conviction Certificate. There are no regulations governing the use that is made of these certificates, nor of information extracted from them. However, 'registered persons' obtaining information by virtue of Criminal Record Certificates and Enhanced Criminal Records Certificates from the Secretary of State will be required to comply with a code of practice. It is possible that the 'other circumstances' might permit those such as employers, to whom Criminal Conviction Certificates could be offered, to process information extracted from the certificates. If this were to be so, we suggest that a suitable safeguard would be to require all those processing such data to comply with a code of practice analogous to that applying to 'registered persons'.

15. paras 4.10-4.12 Journalistic and artistic or literary expression: There are no specific exemptions from the current data protection legislation for journalistic purposes or for the purpose of artistic or literary expression. Use of highly sophisticated automated information processing systems, when used for the processing of personal data, clearly brings journalists, editors and others working in the media within the scope of the current law. The need to implement the Directive provides a timely opportunity to reassess the situation.

16. The Government's paper speaks of striking the right balance between 'the individual's legitimate expectations of privacy against the public's right to know'. We take this as referring, in other words, to the requirement of the Directive that exemptions from the substantive elements of data protection legislation should be provided 'for journalistic purposes or for the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression' (Article 9). We agree with the Government that the balance is far from easy to strike. Further, the new law will have to reflect the European Convention on Human Rights which the Government plans to incorporate into UK law. If the right balance between respect for private life and the right to freedom of expression is not achieved, the courts will be able to comment adversely on the new law either because there is too much privacy or because there is not enough.

17. Perhaps the core of a suitably balanced exemption in the new law might be expressed as a general formula granting exemptions to the extent necessary to preserve the right to freedom of expression. In the past, we have sought to encourage a balanced discussion of the issues. We remain ready to contribute to discussion of these issues in the future.

Chapter 5 - Notification/Registration

18. In its paper the Government proposes that the supervisory authority should draw up the new notification scheme, based on the one we are currently developing, and that the scheme should be submitted for approval by the Secretary of State. A scheme-making power could be a valuable and flexible system. That depends on the level of detail intended for inclusion in the scheme. It is important that these arrangements should not prejudice the independence and operational flexibility of the supervisory authority. We wish to explore further with officials the detail of the Government's proposals.

Chapter 6 - Enforcement

19. paras 6.14-6.15 The Supervisory Authority: We are pleased that the Government has recognised the experience of this office in overseeing the operation of the present data protection regime and therefore proposes that the Data Protection Registrar should become the national supervisory authority for the new legislation. We believe the new title 'Data Protection Commissioner' will be more helpful for controllers and data subjects alike than the existing one.

20. In 'Our Answers' we asked for an audit power. The Government proposes that 'the Commissioner will be enabled to carry out quality assessments of controllers' data protection systems (but without the power to compel controllers' involvement)'. This does not go as far as we proposed and does not address the issues of Europol and similar cases. Nevertheless we welcome the proposal as a valuable step in the right direction.

21. We are pleased that the Bill will make clear that the Commissioner has a general duty to promote good data protection practice. Seeking to encourage the adoption by controllers of a positive approach to information handling is our preferred way to encourage compliance with data protection requirements as we move into the twenty-first century with its challenge of an increasingly sophisticated electronic environment.

22. para 6.10 Prior checking: We recognise the importance to the controller of prior checks being undertaken quickly. However, fifteen working days creates a very tight timetable to carry out the kind of checks that might be required.

Chapter 7 - Transfer of Personal Data to Third Countries

23. We await the outcome of continuing discussions at European and international levels on ways of achieving compliance with the requirements of Article 25.

Chapter 8 - Transitional Arrangements

24. We are concerned to see as smooth a transition to the new regime as is possible.

25. para 8.3 We repeat our concern expressed in 'Our Answers' (para 14.9) that it is not clear to us on what legal basis the Government will be proposing a reserve power in the new law to deal with any problems which may arise after the end of the extended transitional period for existing manual records.

29 August 1997