Clause 6 is important but horribly technical. It is of interest to those who are interested in data protection legislation and the like, and I can see that the Minister is glad that someone is speaking to it for that reason. The clause is potentially of interest to the business community, because it will allow category 1 responders to insist that they are provided with information. Regulations 29 to 34 of the draft regulations govern that provision of information,
and it is worth examining how that will work in practice.
As we have already discussed, the nightmare scenario for a telecommunications provider would be if a local authority insisted on being provided with reams of information to plan for the failure of the telecommunications network, the provision of which was so onerous as to be potentially damaging to the provider's business interests. The question of what information has to be provided could be one of the crunch areas between the category 1 responders and commercial sector responders.
I have specific questions about the draft regulations that correspond to the clause under debate. Regulations 30 and 31 define the circumstances under which the provision of data under clause 6 can be refused. Certain circumstances are set out under which
''the responder must not comply with the request''.
It interesting that it does not say that a responder can choose not to supply data, but that they ''must not'' provide the data.
The provisions outlined in regulations 32 and 34 for the safeguarding of data that has been provided under clause 6 are welcome and should be in place. In particular, regulation 34 relates specifically to security. However, when we discuss these matters–the issue of data and information comes up in so many legislative contexts–the regulations often lack teeth because no penalties or sanctions are imposed if someone does not comply with them.
Under the Data Protection Act 1998, measures could be taken to deal with a breach of sensitive personal data. Therefore, if a category 1 responder requests data of a sensitive personal nature under clause 6 and discloses it inappropriately, Data Protection Act provisions would apply and action could be taken. However, a lot of other data, especially of a commercially sensitive nature, would not be covered under the Data Protection Act. Local authorities could ask a telecommunications provider for all of its data and could, either by accident or design, disclose one company's sensitive commercial data to a competitor company. That could cause all kinds of damage, yet there are no sanctions. They are mandated in the regulations not to do that kind of thing, but there is no sanction regime were they to do so. Someone who used the clause 6 powers inappropriately would not face action unless they had breached the sensitive personal data provisions of the Data Protection Act 1998.
May I draw to my hon. Friend's attention the provisions of clause 10 on enforcement, which would apply to orders made under clause 6(6).
I am grateful to my hon. Friend for bringing that to my attention, but the enforcement action that he refers to would be taken against those who refuse to comply with a request for data. I am talking about the person with the data using it inappropriately. So far as I can see, we cannot take action against them. Although people are being asked to do certain things, there are no sanctions.
I take an interest in data protection and the security of information. Quite sensibly, we have a growing awareness of the value of data. When talking about sensitive commercial data, especially in connection with the utilities, some kind of sanction is needed to back up the instruction to the local authority to keep that data secure. It is worth pointing out that there is a gap. I hope that the Minister will respond briefly, but I did not want let clause 6 disappear without having raised the subject.
I can be similarly brief. I share the general thrust of my hon. Friend's argument, although as I read it–the Minister may correct me–the clause is about the transfer of information between bodies who are category 1 respondents; essentially, they would be the public bodies listed in schedule 1. However, I am concerned about the structure of schedule 1.
Obviously, there is no power under this part of the Bill for a Scottish Minister to require either the British Transport police or the Secretary of State, as far as his functions relate to maritime and coastal matters, to be the recipient of information from bodies listed under part 2. That seems to be an obvious defect. If the power under clause 6 is necessary–on balance, it probably is–it ought to extend to information to be provided to those bodies. Given recent concerns about the operation of the Data Protection Act, and especially the difficulties experienced by police forces in England and Wales about sharing information in relation to the Soham murders, the power should be expressed in the Bill.
I shall first address the remarks of the hon. Member for Orkney and Shetland (Mr. Carmichael). One of my final acts before leaving the Department to come here was to sign a letter to the hon. Gentleman in relation to points that he raised on the construction of the schedules, and I extend my apologies if that letter has not yet reached him. Perhaps we could delay discussion of the merits or demerits of the structure of the schedules until he has received that correspondence. I will then be happy to address any remaining points that he wishes to raise.
The hon. Member for Sheffield, Hallam raised a number of points. As he suggests, the clause is worthy of a few moment's deliberation. First, I make it clear that each respondent will be subject to the same obligations as apply to the safeguarding of material under the regulations. In addition, the draft regulations provide that when a responder has been asked for sensitive information, and that responder has reasonable grounds to believe that disclosing the information would impair the confidentiality of the information, the responder must not comply with the request. That was the statutory construction that caused some concern and interest to the hon. Gentleman.
The importance that we attach to ensuring the confidentiality of personal or commercial information is reflected in the phraseology of the statute. It supports the seriousness of our concern. All the safeguards contained in the Data Protection Act about fair and lawful processing and the conditions
in which information is held will continue to apply. Possible sanctions were mentioned, and the unauthorised use and disclosure of the information will constitute breach of confidence and can give rise to legal action in the normal way, subject to the usual defence of just cause. Clause 10 will apply to those who breach regulations that restrict the disclosure of information.
I hope that that has covered all the points.
Question put and agreed to.
Clause 6 ordered to stand part of the Bill.