Clause 6 - Disclosure of information
Civil Contingencies Bill
4:15 pm

Mr Richard Allan (Shadow Spokesperson for the Cabinet Office, Cabinet Office; Sheffield, Hallam, Liberal Democrat)
Clause 6 is important but horribly technical. It is of interest to those who are interested in data protection legislation and the like, and I can see that the Minister is glad that someone is speaking to it for that reason. The clause is potentially of interest to the business community, because it will allow category 1 responders to insist that they are provided with information. Regulations 29 to 34 of the draft regulations govern that provision of information, and it is worth examining how that will work in practice.
As we have already discussed, the nightmare scenario for a telecommunications provider would be if a local authority insisted on being provided with reams of information to plan for the failure of the telecommunications network, the provision of which was so onerous as to be potentially damaging to the provider's business interests. The question of what information has to be provided could be one of the crunch areas between the category 1 responders and commercial sector responders.
I have specific questions about the draft regulations that correspond to the clause under debate. Regulations 30 and 31 define the circumstances under which the provision of data under clause 6 can be refused. Certain circumstances are set out under which "the responder must not comply with the request". It is interesting that it does not say that a responder can choose not to supply data, but that they "must not" provide the data.
The provisions outlined in regulations 32 and 34 for the safeguarding of data that has been provided under clause 6 are welcome and should be in place. In particular, regulation 34 relates specifically to security. However, when we discuss these matters–the issue of data and information comes up in so many legislative contexts–the regulations often lack teeth because no penalties or sanctions are imposed if someone does not comply with them.
Under the Data Protection Act 1998, measures could be taken to deal with a breach of sensitive personal data. Therefore, if a category 1 responder requests data of a sensitive personal nature under clause 6 and discloses it inappropriately, Data Protection Act provisions would apply and action could be taken. However, a lot of other data, especially of a commercially sensitive nature, would not be covered under the Data Protection Act. Local authorities could ask a telecommunications provider for all of its data and could, either by accident or design, disclose one company's sensitive commercial data to a competitor company. That could cause all kinds of damage, yet there are no sanctions. They are mandated in the regulations not to do that kind of thing, but there is no sanction regime were they to do so. Someone who used the clause 6 powers inappropriately would not face action unless they had breached the sensitive personal data provisions of the Data Protection Act 1998.
