Clause 66

Part of Serious Crime Bill [Lords] – in a Public Bill Committee at 2:00 pm on 5 July 2007.

Alert me about debates like this

Photo of Vernon Coaker Vernon Coaker Parliamentary Under-Secretary (Home Office) (Crime Reduction) 2:00, 5 July 2007

The clause inserts a new paragraph in schedule 3 to the Data Protection Act 1998 to facilitate the sharing of sensitive personal data, as the hon. Member for Hornchurch says, for the purpose of preventing fraud. The first data protection principle prohibits the processing of sensitive personal data, unless one of the conditions in schedule 3 to the Act is met. For example, paragraphs 7(1)(b) and 7(1)(c) of schedule 3 state that processing is necessary

“for the exercise of any functions conferred on any person by or under an enactment, or for the exercise of any functions of the Crown, a Minister of the Crown or a government department.”

The Secretary of State may by order add further conditions under schedule 3.

Although many public bodies will be able to rely on one of the current conditions in or applied under schedule 3, it is unlikely that the existing conditions would cover all cases of data sharing to prevent fraud. Therefore, the clause provides an additional condition that is tailored to anti-fraud data sharing and will facilitate such data sharing. It does not decrease the threshold of data protection which applies under the Data Protection Act.

I must stress that the provision is not a move to overturn the Data Protection Act or the principles that form its basis. The clause will not remove the need for data controllers either to comply with the data protection principles or to satisfy the conditions for an exemption from them, such as the exemption for crime prevention. The clause simply helps data controllers to comply with the additional requirement of the Act which relates to sensitive personal data when information is shared to prevent fraud. Although many bodies would already be able to comply with one of the existing conditions for sharing such information, the clause provides consistency throughout the full range of bodies that will share the information.

Section 2 of the Data Protection Act defines sensitive personal data; the definition includes information about political opinions, religious beliefs and racial origins of the data subject. It also includes information about the commission or alleged commission by the data subject of any offence. That part of the definition is relevant in this context. The definition also includes criminal proceedings for any offence committed or alleged to have been committed by the data subject. Again, that part of the definition is of obvious relevance in the context of the disclosure of information for the prevention of fraud. However, it is also possible that in disclosing information relating to offences or suspected offences, other sensitive personal data are necessarily disclosed. For example, information that a person was suspected of claiming sickness benefit for longer than he was entitled has the effect of disclosing information about his physical health, namely that he was initially entitled to such benefit. Physical or mental health or condition is also included in the definition of sensitive personal data.

Although many of the disclosures to an anti-fraud organisation will be covered by one or another of the existing conditions, not all will. That is why we are  bringing forward the additional conditions. Under clause 66, all the information that is disclosed would have to be necessary for the prevention of fraud. In addition, the body sharing the information would have to do so either as a member of an anti-fraud organisation or in accordance with the arrangements made by such an organisation, so that data sharing will be subject to the rules of the anti-fraud organisation.

Furthermore, individuals will be informed that their data may be shared for the purpose of fraud prevention at the point that they provide the data. Individuals will be able to require the Information Commissioner to assess whether their data are being processed in compliance with the Data Protection Act. The commissioner may also investigate whether the data controller is complying with the Act on his own initiative. He will also be able to investigate using his normal powers and, where appropriate, he will be able to use an enforcement notice to require the data controller to take steps to comply with the Data Protection Act. With that explanation, I hope that the Committee will allow clause 66 to stand part of the Bill.