Clause 151

Public Bill Committees, 26 February 2009

Assessment notices

9:00 am

David Howarth (Cambridge, Liberal Democrat)

I beg to move amendment 105, in clause 151, page 96, line 40, leave out ‘within subsection (2)’.

Frank Cook (Stockton North, Labour)

With this it will be convenient to discuss the following: amendment 373, in clause 151, page 97, line 2, at end insert—

‘(1A) If a data controller has failed to comply with an assessment notice as requires steps to be taken, the Information Commissioner may certify in writing to the court that the government department or public authority has failed to comply with that notice.

(1B) For the purposes of this section, a data controller which, in purported compliance with an information notice—

(a) makes a statement which it knows to be false in a material respect, or

(b) recklessly makes a statement which is false in a material respect,

is to be taken to have failed to comply with the notice.

(1C) Where a failure to comply is certified under subsection (13)(a), the court may inquire into the matter and, after hearing any witness who may be produced against or on behalf of the public authority, and after hearing any statement that may be offered in defence, deal with the authority as if it had committed a contempt of court.

(1D) In subsections (1A) to (1C), “the court” means the High Court or, in Scotland, the Court of Session.’.

Amendment 106, in clause 151, page 97, leave out lines 3 to 7.

Amendment 355, in clause 151, page 97, line 42, at end insert—

‘(6A) Non-compliance with any assessment notice will be treated as a contempt of court.’.

Amendment 107, in clause 151, page 98, line 24, at end insert—

‘( ) A County Court may make a compliance order against a data controller if satisfied on application by the Commissioner that—

(a) an assessment notice has been properly made against the data controller,

(b) the data controller has failed without reasonable excuse to comply with the assessment notice.

( ) A person who fails to comply with a compliance order may be proceeded against for contempt of court.’.

Amendment 364, in schedule 18, page 175, line 23, leave out sub-paragraph (2) and insert—

‘(2) In subsection (1) for “he may serve” to the end substitute “he may serve the data controller, or a data processor, with a notice (in this Act referred to as an ‘information notice’) requiring the data controller, or data processor, to furnish the Commissioner with specified information relating to the request or to compliance with the principles.”’.

Amendment 365, in schedule 18, page 175, line 27, after ‘(1)’, insert

‘“data processor” refers to a third party handling data on behalf of—

(a) a government department, or

(b) a public authority designated for the purpose of this section by an order made by the Secretary of State, other than an excluded body, as set out in section 41A(12);’.

New clause 20—Data controller to comply with assessment notice—

‘If a data controller fails to meet the requirements of the Information Commissioner as set out in an assessment notice, the Commissioner may apply to the county court for an order requiring the data controller to comply with the notice either in its original form or in such amended form as the court may require.’.

New clause 21—Data controller to comply with assessment notice (No. 2)—

‘If a data controller fails to meet the requirements of the Information Commissioner as set out in an assessment notice, the Commissioner may apply to the Information Tribunal for an order requiring the data controller to comply with the notice either in its original form or in such amended form as the court may require.’.

New clause 32—Removing immunity of government departments from prosecution—

‘(1) Section 63 of the Data Protection Act 1998 (application to Crown) is amended as follows.

(2) In subsection (5) for “a government department” substitute “the Crown Estate Commissioners”.’.

David Howarth (Cambridge, Liberal Democrat)

The Committee now turns to the data-sharing provisions of the Bill. Later we shall discuss the highly controversial clause 152, which grants extraordinarily broad powers to Ministers to allow data sharing. Before that, however, there is an issue of great importance to the Information Commissioner that has not received as much publicity: the extent of the powers of the Information Commissioner to regulate the holders of data. It is often said that information is power. That starts with data; data are, to some extent, potential power. The regulation and proper use of data and upholding the safeguards in the Data Protection Act 1998 and the eight principles of data protection are important functions of the Information Commissioner.

Clause 151 helps the Information Commissioner by introducing assessment notices. An assessment notice is a method whereby the commissioner can require information from holders of data to ensure that they are complying with the principles of data protection. There are, however, two problems with the clause—problems that the Information Commissioner has pointed out. First, the power to issue an assessment notice covers only the public sector. Secondly, there appears to be a gap in the clause, in that it does not provide for any enforcement power.

Amendment 105 would remove the restriction whereby assessment notices apply only to Government Departments and public authorities. It should be removed because the power that holding vast amounts of data gives is not restricted to the public sector. We have only to think about Google, Tesco or the banks to realise that private organisations hold vast amounts of data, which could be misused, either deliberately or, as is more likely, accidentally. People who are locked out of their own bank accounts and unable to purchase utilities from privatised utility companies are in as bad a position as people whose data are interfered with in a way that removes them from, say, benefits lists.

The powers granted to the commissioner should apply to those vast private sector organisations as well. Over the past generation, we have seen a lot of privatisation of public services or at least contracting out of public services to either the private or voluntary sector. Under the clause, those organisations would not be covered because they are not public authorities or Government Departments.

The Information Commissioner points out that the majority of complaints about violations of the principles of data protection are not directly against Departments or public authorities, but the rest of the economy in the private or voluntary sector. Amendments 105 and 106 would deal with that problem.

David Kidney (Stafford, Labour)

I am acting in the spirit of finding out information rather than putting across a point of view. I usually expect the Opposition to be against interferences with private businesses, except on a warrant—as under existing law—and against imposing new burdens on businesses, yet the provision would put a new burden on them. Given that we have all received an e-mail from the CBI saying that it is strongly opposed to the amendment, why do the Opposition want to go down that road?

David Howarth (Cambridge, Liberal Democrat)

I thought that I explained precisely why we should go down that road. In fact, I have always supported extending the scope of the Human Rights Act 1998 to organisations that run contracted-out public services. They should count as public authorities. I do not understand why the Government have constantly opposed attempts to extend the scope of the Human Rights Act, as put forward by the hon. Member for Hendon (Mr. Dismore).

As for the other part of the question of the hon. Member for Stafford, that is probably better directed at the Conservative party rather than the Liberal Democrats.

George Howarth (Knowsley North & Sefton East, Labour)

It is not the party of Gladstone.

David Howarth (Cambridge, Liberal Democrat)

In reference to the painting that hangs on the wall behind the Chair, the right hon. Gentleman points out from a sedentary position that perhaps the Liberal Democrats are not the party of Gladstone, but they are certainly the party of Lloyd George and Asquith.

The second issue is the power of the Information Commissioner to enforce his or her will on assessment notices. There is a gap in the clause in respect of enforcement. Oddly, there is a power to appeal, but why should anyone appeal when nothing will happen to them if they do not bother to comply with an assessment notice? The commissioner does not intend heavy-handed interference with organisations under the provisions. Therefore, the best approach to inserting a sanction for non-compliance would be to go down the freedom of information route and that proposed by the Government with regard to the powers of the Electoral Commission under the Political Parties and Elections Bill.

If an assessment notice is made and its subject does not comply, there is no immediate sanction. The commissioner goes to the court. We believe that it should be the county court, but are open to other suggestions on the type of court. The court then decides whether the assessment notice was properly issued and whether there was a reasonable excuse for not complying with the assessment notice. If the court decides for the commissioner on both issues, it orders the subject of the assessment notice to comply with it. If there is no compliance, it will become contempt of court. That is a fair and balanced way in which to enforce the assessment notices. I am open to other suggestions on how to introduce sanctions, but it is pointless to introduce assessment notices with no sanctions for non-compliance.

Alun Michael (Cardiff South & Penarth, Labour)

I am a member of the Justice Committee, which has recently considered data protection in some detail, although I have taken an interest in data protection over many years. One problem is that we end up with complexity upon complexity when we try to achieve what we need—a balanced arrangement, in which people make a judgment. The problem is that when something goes wrong with data sharing, people either say, “We shouldn’t share anything. We should have greater restrictions,” or, as was the case in Soham, that everything should be shared without delay. In that case, there was a technical problem of systems talking to systems, rather than a problem of data sharing, but the issue is the way in which things were perceived.

Such swings in general public debate are a real problem in dealing with the issues before us. We should try to avoid over-complicating the legislation. At the end of the day, a judgment must be made about sharing data: what is in the public interest, what is against the individual interest and how do we balance the two? We will run into great problems if we lurch from saying that not sharing is the safer option to saying that sharing is the safer option.

In my amendments, I want to tease out a number of points about Ministers’ intentions. I hope that we will get some clarity about those intentions and perhaps get an undertaking to clear up some of the drafting and remove one or two of the anomalies.

Amendment 106, which has a number of signatures to it, is intended to tease out why the assessment notice process should apply only to public bodies. The hon. Member for Cambridge has expressed concerns about that, and I share them primarily for one reason. The line between public and private bodies—and, indeed, charities—is no longer as clear as it was. Many private companies do an enormous amount of work, control an enormous amount of data and serve the public sector. I would require a bit of convincing that the burden of compliance, which is set out in the present clauses, should apply only to the public sector.

My response to the intervention by my hon. Friend the Member for Stafford is that we should try to avoid adding to the burdens on both public and private bodies, as well as charities and non-governmental organisations. However, where a burden is needed in the public interest—to protect the public or individuals—it should apply fairly across the sectors. We should not imply that we can return to the old situation, in which it was clear that the public sector could be regulated and that there was no overlap with other sectors.

David Kidney (Stafford, Labour)

Does my right hon. Friend foresee there being a label saying “public interest contract” and, therefore, that the assessment notice process would apply, or does he expect there to be a blanket imposition on all public and private bodies?

Alun Michael (Cardiff South & Penarth, Labour)

There are two points there. First, I am sure that the Minister will tell us what mechanism will ensure that there is no way in which information can go outside the ambit of the legislation if a private body or charity is handling it on behalf of a public body. I would want some reassurance that that will be dealt with equitably.

The other point is that a vast amount of information that affects the public and individuals is now handled and owned by the private sector, including financial information and information about the way in which people take personal, commercial and purchasing decisions. At one time, an enormous amount of information would have been only in the public sector because it was gathered by or on behalf of authorities, or because the public sector undertook surveys and research, but that information is now very much part of the private sector’s day-to-day activities.

To put the other side of the argument back to my hon. Friend, if we feel that there is a burden on businesses—that we are imposing a bureaucratic burden that is not productive or proportionate—we should ask whether it is right to put such a burden on the public sector, too. There is a question of proportionality.

9:15 am

Jennifer Willott (Cardiff Central, Liberal Democrat)

Does the right hon. Gentleman agree that the main burden is compliance with the Data Protection Act 1998? Nobody is querying whether private sector organisations should comply with the Act when they hold the data to which he referred. A company or voluntary sector body that complies will not have to deal with the bureaucracy about which the hon. Member for Stafford is concerned—it would not be an issue if they were complying with enforcement notices.

Alun Michael (Cardiff South & Penarth, Labour)

The hon. Lady makes a good point. That is why I am increasingly concerned about the complexity of the requirement. I dealt with data protection and criminal justice when local authorities and the police were not sharing information about, for instance, disruptive and difficult tenants and people who needed to be relocated, and their housing requirements. The law was that it was acceptable to share the information to prevent or reduce crime, but data protection officers, and local authority and police lawyers, would say, “If in doubt, don’t share.” That is not acceptable. It is a simple principle. People have to make a judgment and balance the requirements. The problem with increasing the complexity of the requirements is that it gets people away from the necessity of making such judgments. If there is a need to have specific requirements, it ought to be equitable and as simple as possible, and to apply in all circumstances. We should not pretend that there is a clear line between public and private bodies.

The Government commissioned work that the Justice Committee looked at with interest. I want to examine specifically the work by Sir Mark Walport and Richard Thomas—the hon. Member for Cambridge has already talked about the views of the Information Commissioner. In his submission to the Committee, Sir Mark made some telling points. He said:

“There is no doubt the Information Commissioner’s powers need strengthening—as we concluded in the Report, ‘there is strong evidence that his bite needs sharpening’...but I am concerned that this is not yet achieved in the draft legislation.”

I hope that the Minister can reassure us about the intentions of the measure. Of course, there is still time to improve the drafting of the Bill as it continues its passage. The debate was going on right up to the publication of the legislation, so I would be grateful if the Minister could reassure me that the drafting can still be improved.

One of Sir Mark Walport’s points is in relation to the draft provisions on assessments. He said:

“As we stated in the report, distinguishing between public, private and voluntary sectors makes little sense, especially as more information is shared across sectors whose boundary lines are forever shifting.”

In other words, delineating the lines is not only more difficult now, but it will become more difficult in future. He also said:

“I would argue that the provisions relating to the Assessment Notice should be extended to include organisations outside the public sector...There are also no meaningful sanctions for failure to comply with the requirements of an Assessment Notice: this needs strengthening in order for it to be taken seriously.”

His final point is particularly telling—it relates to the dangers and the simple principle of balancing the public interest and the interests of private individuals when it comes to data protection. He said:

“Data sharing is shrouded in confusion, and public confidence is evaporating. I hope that, as a Committee, you will be able to ensure that there is a legislative mechanism that ensures greater scrutiny and allows beneficial data sharing with appropriate safeguards in a transparent, consistent and proportionate manner. In particular, I encourage you to ensure that the Information Commissioner’s powers are fully strengthened.”

The work of the Information Commissioner has improved immeasurably during Richard Thomas’s time in office, which still has a few months to run. He has introduced a degree of balance and clarity. Much of the lack of confidence in the public domain is due to the confusion in media coverage rather than being a genuine concern. There have been improvements in data handling. It is clear that improvement is still needed in the culture within many Departments, as well as an understanding from the top to the bottom of how things apply. I suspect that it is not a high priority for permanent secretaries and director generals within Departments to understand that their leadership is important in setting the culture for the whole Department.

My new clauses, in a way similar to the amendments tabled by the right hon. Member for Knowsley, North and Sefton, East, aim to probe the question of how the provision should be enforced; I am sure that the Minister would agree that it should. I have suggested that an application could be made to the county court or, alternatively, to the Information Tribunal, which would mean that non-compliance would become contempt of court, a suggestion that appears in one of the other Opposition amendments.

I believe that the Minister should be in a position to deal with such genuine and reasonable concerns during the Bill’s passage, and that we should be able to get back to the principles of keeping it simple and making clear the necessity for a balanced judgment. The Information Commissioner, Mr. Richard Thomas, said in his comments on the Bill:

“We would prefer it...if the legislation made it clear that organisations benefiting from an information-sharing order must take the code of practice into account. As it stands, there is no direct link between the order and the code of practice.”

That is my final point of great concern. It should not be the situation that an information-sharing order can lead an organisation to disregard the terms and requirements of the code of practice. The code of practice might be deeply embedded in some organisations’ work, and they might observe it in pursuing the information-sharing order, but I suspect that that might not always be the case. It would be of great benefit to everybody if information-sharing orders also included a requirement to observe the good practice with which the guidance will concern itself. Making that link in legislation would greatly strengthen the Bill.

In discussing the question of applying the measures beyond the public sector, I quote the Information Commissioner:

“We need to be able to serve notices on anyone who may hold relevant information, sometimes to identify who the responsible data controller is and sometimes to collect evidence of breaches.”

In other words, there is a need for greater transparency across the boundaries between the public, private and voluntary sectors. In his comments, the Information Commissioner also referred to the danger of too clear a delineation:

“Private and third sector bodies frequently carry out work for public sector ones. It is common for charities, for example, to carry out functions on behalf of local government. As it stands, we could inspect the local authority, but not the charity.”

I am more concerned that he should be able to inspect the private companies that often hold major contracts. Those are of as much concern as the data held by public departments. Therefore, I hope that that power of the Information Commissioner will be extended.

I do not believe that we can ever turn back the clock and avoid the complex issues of data retention and data sharing. They are with us for the future, and they will get ever more complex. We need to keep clear the principle that the balance must always be between the public interest and the interest of those individuals whose data might be shared. It is important that that clear principle is not hidden in a lot of complexity. People holding data have the responsibility to make those judgments, and they cannot escape it.

Henry Bellingham (Shadow Minister, Justice; North West Norfolk, Conservative)

As the hon. Member for Cambridge has pointed out, the key to the clause is to give the commissioner more power over data controllers to enter premises, to view data and to talk to key people, all of which will be brought about by assessment notices.

The Bill relates only to public bodies, and private, charitable or voluntary bodies are excluded, which is an omission because private and voluntary bodies collect a great deal of data. In fact, looking forward to the next clause, which we shall discuss later today, designated authorities will have the power to share data with other private bodies and the public sector, and vice versa.

I take on board the point made by the right hon. Member for Cardiff, South and Penarth about the ever-greater involvement of the private sector with Departments, public agencies and Government bodies. I shall give two examples of Departments that use the private sector on a significant scale. First, the Crown Prosecution Service and the Solicitor-General have a large contract with what was LogicaCMG, covering the provision, support and maintenance of hardware and software applications used by the CPS, including management of a number of large databases—for example, the witness management system and the graduated fee scheme for counsel. However, Logica is a private sector company, which obviously handles a great deal of data in that Department—I have mentioned that example because it is relevant to the Ministry of Justice. Secondly, the Department for Business, Enterprise and Regulatory Reform owned 165 databases on 1 June last year, 75 of which were maintained by departmental staff and 90 of which were maintained by external companies.

Those examples give us some idea of Her Majesty’s Government’s view on the private sector, which means that more and more private sector organisations and businesses are storing our data. The data belong to taxpayers—our constituents—which is why the commissioners should have the power to issue assessment notices on private organisations. In fact, the right hon. Gentleman might have pointed out that the recent House of Lords Constitutional Affairs Committee report made that recommendation in paragraph 238. He has put forward a strong argument for amendments 105 and 107—amendment 106 is consequential. Our amendments achieve almost exactly the same outcome as those tabled by the Liberal Democrats.

I know what the CBI note says, and I have read the letter by Matthew Fell and the head of knowledge economy at the CBI, Sarah Draper. They say that they are concerned about giving extra powers to the commissioner to search the private sector without a warrant—to enter premises where there is no suspicion or evidence of wrongdoing without any need to justify such intrusive measures. That is going a bit too far, and I think that they are unnecessarily concerned. They have to trust the commissioner and his team to use common sense.

David Kidney (Stafford, Labour)

Will the hon. Gentleman explain why he, as a Conservative, is not concerned that the notice would permit entry of premises without a warrant? I have been on many Bills when Conservative Members have argued that it is important that there should not be entry without a warrant. In fact, I even saw a Conservative amendment to part 1 of the Bill about senior coroners having to get a warrant before entering premises.

Henry Bellingham (Shadow Minister, Justice; North West Norfolk, Conservative)

The hon. Gentleman makes a perfectly good point. I am an arch-deregulator, and I could name a number of Bills on which I have championed the cause of the CBI. However, when one is close to an organisation, such as the CBI, which I have been in the past, that gives one the right from time to time to disagree with it.

David Howarth (Cambridge, Liberal Democrat)

It is worth pointing out that there is no such suggestion of entry being forced in any way. The assessment notice process does not allow entry to be made by the commissioner’s agents; all it does is ask for that entry. We suggest that, if entry is refused, the commissioner should be able to get a court order, which is the precise procedure that the Government suggested for the electoral commissioner when dealing with similar notices under the Political Parties and Elections Bill. The Government and I think that that system is more protective of the rights of the individual than the warrant procedure.

9:30 am

Henry Bellingham (Shadow Minister, Justice; North West Norfolk, Conservative)

In theory, entry could be made without a warrant, but in practice it would be on a voluntary basis, if the firm agrees. However, if it did not agree, and insisted on the commissioner’s personnel not entering, the chances are that the matter would go to court, as the hon. Gentleman pointed out. I think, therefore, that safeguards are in place. On this occasion, I must disagree with the CBI.

David Kidney (Stafford, Labour)

We have talked a lot about voluntary entry, but proposed new section 41A(3) reads:

“An assessment notice is a notice which requires the data controller to...permit the Commissioner to enter any specified premises”.

That is not voluntary. I understand the argument that there is no sanction, but the provision is not voluntary.

Henry Bellingham (Shadow Minister, Justice; North West Norfolk, Conservative)

In practice, the Information Commissioner will not send his personnel into firms in the hon. Gentleman’s, my or any other constituency, having not held lengthy discussions and gone through the correct protocol. We must trust the organisation to behave in a way that is proportional, sensitive and appropriate in the circumstances, bearing in mind the Government’s commitment to lessen the burdens on business.

I shall move on to the next part of the amendment group. The clause needs proper teeth and sanctions. Amendment 107, tabled by the hon. Member for Cambridge, which is very similar to our amendment 355, would establish in the Bill that deliberate non-compliance with any assessment notice, and refusal to co-operate under any circumstances, will be treated as “contempt of court”. The Bill needs teeth, and although his amendment goes slightly further than ours, amendment 355 would do roughly the same. Will the Minister comment on that? What is the point of the clause handing the commissioner extra powers if no sanctions are in place? Under our amendment 373, when, or if, a data controller knowingly, or recklessly, makes a false statement, it would be deemed a failure to comply. That is fair enough. At the moment, the Bill is not clear on that point. We would put that clarity in the Bill.

Surprisingly, our amendments 364 and 365, relating to schedule 18 and the power to require information, are in this group, so I shall quickly deal with them. Obviously, that relates to section 43 of the Data Protection Act 1998. Amendment 364 would leave out paragraph 6(2) of schedule 18 and insert

“In subsection (1)...he may serve the data controller, or a data processor, with a notice...requiring the data controller, or data processor, to furnish the Commissioner with specified information relating to the request or to compliance with the principles.”

Amendment 365 reads:

“‘data processor’ refers to a third party handling data on behalf of...government...or...a public authority designated for the purpose of this section”.

That would make it crystal clear that information notices can be served on anyone storing relevant data, and obviously it would cover third parties handling data on behalf of Government Departments and public authorities. I hope that the Minister agrees that those two modest amendments are sensible. Perhaps she will consider accepting them.

New clause 32, which we tabled, is important, because it would remove the immunity from prosecution enjoyed by Government Departments. The Bill is not sending the right message. The Government do not have a good record on handling, storing and dealing with confidential data. I will not go into a huge amount of detail because I do not want to embarrass the Government, but there is a long list of examples of different Government Departments that have lost relevant data. We have had appalling losses of data from the Home Office, the Ministry of Defence, and not so much from the Ministry of Justice but certainly from the Department for Communities and Local Government and the Department for Culture, Media and Sport. Subsequent inquiries often reveal lax security procedures and a lack of proper chains of command. Those matters are often dealt with by quite junior civil servants. There is a lack of any proper sanction in place. The protection of our data should be taken a lot more seriously. There is a need for proper accountability. We need to include in the Bill a very strong signal that cavalier attitudes towards personal privacy will not be tolerated.

There is a recent precedent in the Corporate Manslaughter and Corporate Homicide Act 2007, which states that Crown bodies can be prosecuted for offences of corporate manslaughter. I will not make too direct a parallel, but that removed Government immunity in one particular area. There is a need for immunity to be removed in the data protection area as well. It will send a strong signal.

I am aware that I might be making a rod for the back of some of my colleagues as we prepare for government, but I do not mind because we must send a strong signal. I hope that the Minister agrees that the Government’s record needs to improve. She can go among her ministerial colleagues and be a champion of constituents who want their privacy and data properly looked after. She can say to her colleagues that if there is a lax situation and cavalier attitudes leading to loss of data in their Departments, those Departments will have to be properly accountable.

Edward Garnier (Shadow Minister, Justice; Harborough, Conservative)

My hon. Friend will remember that during the deliberations on the Criminal Justice and Immigration Bill—the last Criminal Justice Bill that the Government brought forward out of a total of about 64 or 65 that we have had to deal with over the past 10 years—a new clause or amendment was tabled that attempted to provide a similar sanction for the reckless loss of private data by Government agents. Unfortunately the Government did not think that that was an attractive idea. I suspect that my hon. Friend will disagree with that.

Henry Bellingham (Shadow Minister, Justice; North West Norfolk, Conservative)

I am grateful to my hon. and learned Friend—he is absolutely right. At the eleventh hour, in the House of Lords, the Government agreed with some changes to that Bill. My hon. and learned Friend pushed it very hard in Committee. Their lordships introduced amendments to the Data Protection Act 1998 that gave the Information Commissioner the power to issue monetary penalties for deliberate and reckless loss of data. That is an important tool in data security, but the provisions have not yet come into force. Before they come into force, the Information Commissioner needs to issue guidance on how to use the power. There also needs to be secondary legislation detailing the maximum fines and the issues about procedure.

Will the Minister tell us when those orders will be laid before Parliament? The House of Lords changed the Data Protection Act 1998 in response to widespread public concern and yet little has happened. Will the Minister update us on what is happening? It may be that the combination of our new clause, plus the implementation of those changes, will lead to the culture change that we are keen to bring about. Will the Minister also tell us what discussions she has had with the Information Commissioner to amend section 60(3) by order to increase the penalties for section 55, which refers to the unlawful obtaining of data? In the past, she has pledged that she would make those changes. Will she give an update on exactly what is happening?

As I pointed out—I do not want to delay the Committee any longer—we feel that the Government have a serious, cultural problem. In the new technological age, much more data are being stored by Departments and the private sector, and much more technology is being used to translate data into different types, and to store, pass around and share data. Bearing in mind the huge powers contained in clause 152, which we will discuss later, we need proper sanctions in place. We also need proper procedures to ensure that clause 151 is tightened up, so that the commissioner will get the powers that he has asked for. If we combined the powers in the clause with the extra powers that we suggest in new clause 32, the Bill would be improved. I hope that the Minister will indicate that the Government have listened to us.

Bridget Prentice (Parliamentary Under-Secretary, Ministry of Justice; Lewisham East, Labour)

The Government are strongly committed to improving public trust and confidence in the handling of personal information by public sector data controllers. The hon. Member for North-West Norfolk highlighted a number of previous examples, but the assessment notices are an important step towards regaining that confidence, and they represent a fair balance between the need for the Information Commissioner to have more effective powers and the burden on data controllers; I will come to the private sector in a moment.

The assessment notices will create a formal system based on the current arrangement of spot checks undertaken on central Government Departments by the commissioner. Additionally, the scope of the assessments will be expanded to cover other public bodies. We are already expanding the powers in a way that previously had not been available.

Amendments 105 and 106 would represent an unwarranted extension of the scheme, which is designated for public sector data controllers only. Those controllers handle personal information that is necessary to fulfil their responsibilities, such as providing health and social services, fighting crime, and detecting fraud. Those who provide information to a data controller normally cannot refuse to do so, if they want to access a public service or have entitlement to a benefit. The public generally have no choice in that relationship, which is not exactly the same as that with the private sector. If people are unhappy with how their bank or supermarket is handling their personal information—I suspect that Sainsbury’s knows more about me than anybody else does—they have the choice of switching, although they do not have a choice of switching to another Department for Work and Pensions.

David Howarth (Cambridge, Liberal Democrat)

If that is the Minister’s defence, there are two points that she must deal with. First, how does that defence apply to the private sector or voluntary organisations that fulfil public authority functions that have been contracted out? That seems to be exactly the same situation as that of a public authority. Secondly, with regard to what might be called fully private organisations, how do we know that our data are being used properly? If there is no proper enforcement mechanism in the Information Commissioner’s Office—the assessment notice is a crucial part of that—how will we know, in the first place, that what is being done is proper? If we do not know, and have no information, the market cannot work.

Bridget Prentice (Parliamentary Under-Secretary, Ministry of Justice; Lewisham East, Labour)

On the hon. Gentleman’s first point, in the examples that I have given, it is important to recognise that there is a qualitative difference regarding the level of scrutiny that public sector bodies should have for matters of data protection. The fact that citizens must provide personal information to access essential services is a defining feature in the relationship between the citizen and the public authority. In the private sector, the ability for someone to choose to go elsewhere should be a powerful driver that encourages businesses to look after personal information.

9:45 am

Alun Michael (Cardiff South & Penarth, Labour)

I understand the distinction that my hon. Friend makes in cases where people can exercise choice. In the commercial sector, however, it is difficult to exercise choice if someone does not know how things are undertaken. That is where the role of the Information Commissioner, acting on behalf of the public, is crucial. That should be a balanced role, not one that is important only on one side. I am not sure that I accept my hon. Friend’s argument that everybody can make the sort of choices that she suggests. I understand her point in relation to large organisations or specific services, but not in general terms. That brings us back to the point about private companies and others which act on behalf of public bodies and which are, in a sense, within the ambit of public service, even though they are not public bodies per se.

Bridget Prentice (Parliamentary Under-Secretary, Ministry of Justice; Lewisham East, Labour)

One of the reasons why we are resistant to extending the measure further into the private sector is because we believe that the additional burdens would be in conflict with the Hampton principles, which play a central role in ensuring that risks are adequately assessed and redressed. I will not go into the details of what the CBI has said, as that has been expressed in the Committee already. It feels—there is some merit in this argument—that extending assessment notices would distract companies from taking the right approach to data handling. It feels that a co-operative approach between businesses and the Information Commissioner is more desirable. That is the CBI’s view. It is not one that would necessarily run the full length in Committee, but it is a generally held view.

Alun Michael (Cardiff South & Penarth, Labour)

I am sorry to disagree with my hon. Friend, but if a co-operative approach would work with those organisations, why would it not work with public bodies? Private sector organisations are often as large or larger, and as bureaucratic, as public sector bodies. Some are lean and efficient, but not all.

Bridget Prentice (Parliamentary Under-Secretary, Ministry of Justice; Lewisham East, Labour)

My right hon. Friend makes a good point. I reiterate that the Government feel that the public sector has a higher level of responsibility, because there is no choice as far as this is concerned. We can discuss the matter further and discussions are continuing.

Edward Garnier (Shadow Minister, Justice; Harborough, Conservative)

The right hon. Member for Cardiff, South and Penarth made a point about the distinction between the private and the public sector. That distinction is being blurred by the public sector’s use of the private sector to carry out public functions. Should we not concentrate on the function rather than on the description of the body carrying out that function?

Under the Identity Cards Act 2006—another terrible piece of legislation introduced by this Government—and the Government business case that was published alongside the legislation, 40,000 private companies or agents were said to be part of the process of data recovery through the national identity register. The public had no access to that; it was not possible for a member of the public to audit the trail of information in the national identity register, which is a large Government bucket of private information. Some of that information would be in the hands of public bodies, and some in the hands of private companies. It is essential that we understand the principle and similarity of function, rather than getting tied up with whether something is a private or public sector body.

Bridget Prentice (Parliamentary Under-Secretary, Ministry of Justice; Lewisham East, Labour)

The hon. and learned Gentleman makes a very good point. It is appropriate, therefore, for me to consider in detail at this point who could be given an assessment notice. Obviously, that includes Government Departments, publicly owned companies under the Freedom of Information Act 2000 and so on. Any person exercising a function of a public nature could be included in an order under section 5 of the Act. I think that that covers the examples from DBERR given by the hon. Member for North-West Norfolk.

A person providing, under a contract with a public authority, a service whose provision is a function of the public authority—that would include the private sector and the voluntary and third sector—could also be included under section 5. The powers can cover bodies that the definition of public authority covers where a person is providing, under a contract with a public authority, a service whose provision is a function of the public authority. That covers any contracting out of public services, because proposed new section 41A(12) of the Data Protection Act 1998 provides that a body can be designated under new section 41A(2)(b), if it could be included in an order under section 5 of the Freedom of Information Act or its equivalent in Scotland. I hope that that provides some reassurance with regard to those valid concerns about cases in which the private sector is working within the public sector, which can be covered under assessment notices.

David Howarth (Cambridge, Liberal Democrat)

I cannot remember the details of those sections offhand, but I seem to remember that they are about powers to include, not obligations to include, and they would not necessarily lead to the Information Commissioner being able to issue an assessment notice, if the organisation had not been designated as included in the Act.

Bridget Prentice (Parliamentary Under-Secretary, Ministry of Justice; Lewisham East, Labour)

My understanding is that the hon. Gentleman is right: they are powers to include; they are not obligatory. However, I will come back to him on whether there will be further discussions on that.

Amendments 105 and 106 would strike out the exemptions in proposed new section 41A(12), but included in those exemptions are such people as the security services and special forces, who handle sensitive security information. The provision also covers Ofsted, because of the sensitive personal data that it holds on children and young people. I am resisting the amendments, given the sensitive nature of that information, and striking out the provision entirely would be inappropriate. We must balance the need to enhance the Information Commissioner’s powers with the potential impact of the changes in the wider context of the regulatory framework. If I may, I shall now deal with the amendments on non-compliance.

David Kidney (Stafford, Labour)

The Hampton principles were about proportionate burdens that are assessed according to the level of risk involved. As my right hon. Friend the Member for Cardiff, South and Penarth has said, why should the public sector not have the same benefit of the Hampton approach as the private sector when we come to imposing new burdens? In his memorandum to us, the Information Commissioner states:

“We have no desire to undertake heavy handed or widespread inspections.”

So is it not possible to mirror the Hampton principles more closely in this power? Then the code of practice could amplify that when it is produced later.

Bridget Prentice (Parliamentary Under-Secretary, Ministry of Justice; Lewisham East, Labour)

That is a very good point, and I certainly want to carry it forward. My hon. Friend has made a constructive contribution, because the Hampton principles provide an important structure for us to work to. Perhaps we can consider that in more detail and ensure that that aspect of the Bill complies with the principles, as he has outlined.

We propose to introduce assessment notices to raise the awareness and compliance of public bodies in respect of data protection principles. They are a complementary measure to support the existing investigatory and enforcement powers of the Information Commissioner. It is difficult to envisage a public sector body refusing to comply with an assessment notice, given the bad publicity that would ensue. That said, the Information Commissioner has told the Committee that he would like some kind of penalty or sanction for refusal to comply.

Let me outline the extensive enforcement powers that are already available to the commissioner, if a public sector body fails to comply with the Data Protection Act. Where there is a refusal to comply with an assessment notice, the Information Commissioner would, where appropriate, still be able to use his existing investigatory powers, including powers of entry and inspection under schedule 9 to the Act. If the commissioner then discovers a breach of the data protection principles during an assessment, he can issue an enforcement notice to compel the controller to comply with their data protection obligations.

Amendments 364 and 365 relate to information notices. Section 43 of the Data Protection Act provides the Information Commissioner with the power to issue a data controller with an information notice. That notice can require the controller to provide the commissioner with specified information in a specified form to assess compliance with data protection principles. The commissioner can also issue a notice to any data controller, as long as he reasonably requires information to determine their compliance. Failure to comply with an information notice is a criminal offence, so the commissioner already has a pretty powerful tool.

The amendments would extend the commissioner’s power to issue a notice served under section 43 to data processors as well as controllers. I am resistant to the amendments because the structure of the Data Protection Act places the responsibility for personal information on the data controller, not the data processor. Introducing a power to serve an information notice on a processor shifts the regulatory balance in the Act.

All data being processed by, or on behalf of, an organisation must be covered by the data controller’s registration. It is the data controller’s responsibility to obtain the information that the commissioner requires. It is the data controller who controls the personal data that would be the subject of an information notice, so it should be the controller who has to comply with a notice. A data processor does not control the personal data, so it would be inappropriate to make them responsible for it—it is for the data controller to take that responsibility.

Henry Bellingham (Shadow Minister, Justice; North West Norfolk, Conservative)

Will the Minister clarify that? Is she saying that third parties that handle the data on behalf of the data controller do not really need to be covered by the information notice? Is the nub of what she is saying that there is no need for amendment 365 to extend the powers in the Bill to such third parties?

Bridget Prentice (Parliamentary Under-Secretary, Ministry of Justice; Lewisham East, Labour)

That is the nub of what I am saying. It is the responsibility of the data controller, not the processor, to ensure compliance. For example, following the Hannigan data handling review, the Government introduced new standard contract clauses on information assurance. Those clauses mean that any contractors working with the Government will have processes in place to ensure acceptable standards for the protection and handling of personal data. The onus is on the data controller—in this case the Government—to ensure that such standards are in place. Amendments 364 and 365 represent a significant change to that regime, and the hon. Gentleman might consider it more appropriate for the issue to be considered by the review of the European directive, which is currently under way.

Finally, new clause 32 seeks to limit existing Crown immunity under the Data Protection Act so that Government Departments would be open to prosecution. Crown immunity means that emanations of the Crown are not ordinarily liable to prosecution for offences created by statute or the common law—the hon. Member for North-West Norfolk mentioned the Corporate Manslaughter and Corporate Homicide Act 2007, which is a notable exception. That immunity includes Departments. For that reason, the limitation on the prosecution of Departments is included in relation to the offences in the Data Protection Act.

However, that does not mean that Departments are not subject to adequate sanctions for breaches of data protection principles. They may still be subject to enforcement notices, claims for damages in the civil courts and civil monetary penalties. That final point is particularly important, because it means that financial penalties can still be imposed on Departments. It is also important to note that the immunity does not extend to those who work for Departments.

The hon. Member for North-West Norfolk asked when the penalties will come into force. A number of steps need to be taken before they can be introduced. The commissioner needs to prepare guidance on how he proposes to exercise his functions with regard to the penalties, and a number of pieces of secondary legislation will be needed, for example, to set out the levels of penalty. We will also have to build in a 12-week lead-in period before imposing such burdens on business, but we are working closely with the commissioner on that. My right hon. Friend the Member for Cardiff, South and Penarth asked for reassurance that further discussions are taking place. I can give him that reassurance. Discussions are ongoing. In light of that, I invite the hon. Member for Cambridge to withdraw the amendment.

10:00 am

David Howarth (Cambridge, Liberal Democrat)

If I may sum up the situation, I raised two issues—scope and enforcement. The issue of scope breaks down into two separate matters. One is whether assessment notices should apply to purely private organisations such as Tesco, and the other is whether they should apply to private organisations that are carrying out public functions. As I understand it, the Government’s position is that they are not willing to move on the former but are considering moving on the latter. At the moment, there appears to be a power to include private organisations carrying out public authority functions, but no obligation to do so, and the Government are thinking about the situation.

The situation is therefore more encouraging than it might be, but it is not fully there yet. Purely private organisations have immense power. We should treat them as organisations with that much power when thinking about how they ought to be regulated. The Government’s argument about the market sorting it out is precisely the sort of argument that we ought to be sceptical about, given the economic situation that we are in.

Even as a matter of economic theory, markets cannot work where people do not have the information to make choices. It seems to me that the Government have gone too far into a naive view of regulation and the market. In fact, in some cases—this is an example—regulation makes the market work better, because it produces more information for consumers, rather than closing the market down.

On the second issue, the Government’s position seems to be that the Information Commissioner has enough powers already and that, as they want to stick to a public sector view of assessment notices, there is no need for extra enforcement powers. I find that disappointing, but I ask the Government to consider the obvious point that if they extend the assessment notice process to private sector organisations carrying out a public function, their argument about enforcement no longer applies, because they will no longer be dealing purely with governmental organisations that they would expect to comply automatically. At that point, they should consider again the question of enforcement.

George Howarth (Knowsley North & Sefton East, Labour)

Is the hon. Gentleman not in danger of confusing data protection with the regulation of business? At times, they may be similar but, actually, they are distinct things.

David Howarth (Cambridge, Liberal Democrat)

I do not think so. I am trying to ensure that there is proper regulation of data protection, which sometimes involves the regulation of some businesses, because businesses hold data. That goes back to the point made by my hon. Friend the Member for Cardiff, Central: we are talking about the enforcement of existing obligations—they already apply—on the private sector, not about changing obligations.

Will the Government reconsider their position on enforcement as a consequence of reconsidering their position on scope? The two things are connected. I do not wish to detain the Committee further. I am sufficiently encouraged by the Government’s movement on private sector bodies carrying out public functions that I beg to ask leave to withdraw the amendment.

Henry Bellingham (Shadow Minister, Justice; North West Norfolk, Conservative)

I always listen carefully to the Minister. Obviously, there is a developing agreement between us on how the private sector should be controlled when it comes to assessment notices. She made a good point about section 41 of the Data Protection Act 1998.

Alun Michael (Cardiff South & Penarth, Labour)

On a point of order, Mr. Cook. I may have lost track, but I thought that the hon. Member for Cambridge had withdrawn his amendment. Did that not close the debate?

Frank Cook (Stockton North, Labour)

Let me clarify the situation for the Committee. I am yet to put the withdrawal to the Committee. At the moment, I am allowing the hon. Member for North-West Norfolk to make his points, which I hope he will do briefly.

Henry Bellingham (Shadow Minister, Justice; North West Norfolk, Conservative)

I will be brief, Mr. Cook, because the Minister has given us some encouragement. I hope that she will reply to me on the powers that will be included. Obviously, private sector organisations that are in contracts with various Departments and agencies are not necessarily included, but the powers to include them exist. I would be grateful if in due course we could have a discussion about that, perhaps in writing.

I take on board what the Minister said about new clause 32, but I urge her to push on with as much speed as possible to introduce the changes made by the other place to the Criminal Justice and Immigration Act 2008.

Amendment, by leave, withdrawn.

Henry Bellingham (Shadow Minister, Justice; North West Norfolk, Conservative)

I beg to move amendment 372, in clause 151, page 99, line 30, leave out ‘without the approval of the Secretary of State’ and insert

‘until the code has been approved by a resolution of each House of Parliament’.

Frank Cook (Stockton North, Labour)

With this it will be convenient to discuss the following: amendment 367, in clause 153, page 107, leave out lines 37 and 38 and insert—

‘(4) The code must not be issued by the Commissioner until a statutory instrument containing the draft code has been approved by a resolution of each House of Parliament.’.

Amendment 368, in clause 153, page 107, line 40, after ‘must’, insert ‘not’.

Amendment 369, in clause 153, page 107, line 44, after ‘is’, insert ‘not’.

Amendment 370, in clause 153, page 108, leave out lines 8 to 14.

Amendment 371, in clause 153, page 108, line 17, after ‘under’, insert ‘annual’.

Henry Bellingham (Shadow Minister, Justice; North West Norfolk, Conservative)

The amendments ensure that a resolution of both Houses of Parliament is in place before the Information Commissioner issues the code of practice on enforcement notices. Clause 151 states that it is up to the Secretary of State to approve the code of practice, but why should there not be an affirmative resolution of both Houses? Why is Parliament being downgraded? Surely the affirmative resolution procedure should be in place.

We are talking about the code of practice on assessment notices, the importance of which we have already discussed. The code of practice is an important tool in the commissioner’s armoury in ensuring that we have better data protection in this country. Before the commissioner issues the code of practice, it should be subject to affirmative resolution. Why can that not happen? We are increasingly using the affirmative resolution procedure, which is good for Parliament, so I humbly suggest to the Minister that the amendments are positive. Why should the Secretary of State have the power, and why should Parliament not have more power?

We are discussing a very important part of what will be the interface between our constituents, their private data and lives and Her Majesty’s Government—a Government who are taking upon themselves more powers, and want to interfere more in, and look at more aspects of, our lives and to have more control over our data. Surely, Parliament, not the Secretary of State, should be the ultimate sanction.

Bridget Prentice (Parliamentary Under-Secretary, Ministry of Justice; Lewisham East, Labour)

Much as I would like to be positive towards the hon. Gentleman on this matter, given the relatively narrow scope of the code, I am not persuaded that it needs to be subject to the parliamentary procedure that he has outlined. Obviously, the other amendments would also make the data-sharing code of practice subject to the affirmative procedure.

The Bill states that a draft data-sharing code must be laid before Parliament within 40 days, unless either House resolves not to approve the draft. Of course, we recognise that the code is important, given the need to provide clear, authoritative guidance to practitioners, which is why we have provided for the equivalent of the negative resolution procedure. That is probably the appropriate level of parliamentary scrutiny for what is, after all, a code of practice, rather than a statutory order, regulations or rules. If we have misjudged the level of scrutiny for the two codes of practice, I shall look with interest and pay close attention to what the Delegated Powers and Regulatory Reform Committee says when it considers the matter. We will, of course, consider its recommendations very carefully.

Amendment 371 would oblige the Information Commissioner to keep the code of practice under “annual” review. Proposed new section 52C to the Data Protection Act, inserted by clause 153, obliges the commissioner to keep the code under review, and he is also required to update the code if he becomes aware that its content could result in the UK breaching any of its Community or international obligations. It is possible to read amendment 371 as preventing the code from being amended quickly, once a breach has been identified, whereas proposed new section 52C gives the Information Commissioner the scope to reconsider and review the code as and when he sees fit. Given his role as the independent data protection regulator, we think that that is right and that tying them to an annual review would be unnecessarily restrictive.

David Kidney (Stafford, Labour)

I am sorry to slow my hon. Friend’s progress through amendment 371, but I want to return to amendment 372. She has answered the point about parliamentary approval of the code, but the other part of the amendment raised the question why the Secretary of State should have to give permission for the code to be issued in the first place. The Information Commissioner warned us that that is a dangerous imposition and fetter on his independence from Government. What is the justification for the Secretary of State approving the issue of the code in the first place?

Bridget Prentice (Parliamentary Under-Secretary, Ministry of Justice; Lewisham East, Labour)

My hon. Friend makes a fair point. The reason is that it gives the opportunity to ensure consistency across Whitehall Departments in relation to data protection matters. It also ensures that the burden on public bodies is both proportionate and fair. That is why it is in the hands of the Secretary of State.

Edward Garnier (Shadow Minister, Justice; Harborough, Conservative)

That is not an answer to the hon. Gentleman’s question. Consistency can be policed or applied by the commissioner, who has a wider remit than the Secretary of State across Whitehall. The Secretary of State will be concerned primarily with his own Department. If he starts interfering with other people’s Departments, I dare say that jealous Ministers will complain. Surely the hon. Gentleman’s point needs to be considered rather more carefully than the Minister’s argument demonstrated.

10:15 am

Bridget Prentice (Parliamentary Under-Secretary, Ministry of Justice; Lewisham East, Labour)

I am terribly sorry if the hon. and learned Gentleman thinks that I did not consider my hon. Friend’s question seriously enough. It is the answer to the question, but whether it is the answer that either the hon. and learned Member for Harborough or my hon. Friend wanted to hear is another matter. However, if it is something about which members of the Committee feel strongly, I am happy to reflect on it and see whether the responsibility should be handed over to the Information Commissioner rather than the Secretary of State. It is not something on which I intend to go to the wall, but I will certainly have another look. The Delegated Powers and Regulatory Reform Committee in the other place still has to scrutinise that part of the Bill, and I shall pay close attention to what it says on the subject.

Edward Garnier (Shadow Minister, Justice; Harborough, Conservative)

May I say how grateful I am to the Minister?

Bridget Prentice (Parliamentary Under-Secretary, Ministry of Justice; Lewisham East, Labour)

I am deeply delighted that the hon. and learned Gentleman is grateful to me, at least until the end of today.

Henry Bellingham (Shadow Minister, Justice; North West Norfolk, Conservative)

On a dull Thursday morning, I regard the Minister’s commitment to look at the matter and to talk to the Delegated Powers and Regulatory Reform Committee as a minor triumph. I shall quit while I am ahead. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 151 ordered to stand part of the Bill.