Out-Law News 2 min. read
18 Mar 2008, 12:42 pm
The Joint Committee on Human Rights said that a spate of recent losses of personal data by the Government or its agencies is "symptomatic of the Government's persistent failure to take data protection safeguards sufficiently seriously … the rapid increase in the amount of data sharing has not been accompanied by a sufficiently strong commitment to the need for safeguards."
"The fundamental problem is a cultural one: there is insufficient respect for the right to respect for personal data in the public sector," the Committee said.
The Committee was reporting on a series of data protection breaches by public authorities, the most serious of which was the loss of personal and banking details of 25 million people by HM Revenue and Customs last November.
The Committee said that the Government failed to take data protection issues seriously enough and should put data protection principles directly into new laws rather than always rely on the Data Protection Act.
"Bills should include specific data protection safeguards," said the Committee. "In our view, appropriate safeguards include clearly defining who should be allowed to access information; to whom information may be disclosed; and the purposes for which information may be shared."
The Committee also said that the powers of the minister responsible for data protection were too weak to force the Government to protect data properly. Michael Wills, a minister of state at the Department of Justice, has responsibility for data protection along with 12 other areas.
"We are concerned that the role of data protection minister is far too limited, being related exclusively to the maintenance of the legislative framework for data protection," said the Committee.
"We recommend that the role of data protection minister should be enhanced. In addition to overseeing the data protection legislation, the data protection minister should have a high-profile role within Government, championing best practice in data protection and ensuring that lessons are learnt from breaches of data protection," it said.
The Committee said that it had consistently warned the Government that it should put data protection into a number of laws. It said it has singled out recent laws including the Anti-Terrorism, Crime and Security Act, the Enterprise Act, the Community Care (Delayed Discharges etc) Act, the Criminal Justice Act, the Children Act, the Serious and Organised Crime Act, the Identity Cards Act and others as laws which require specific data protections.
"The Government's response has generally been to resist our recommendations," said the Committee. "We fundamentally disagree with the Government's approach to data sharing legislation, which is to include very broad enabling provisions in primary legislation and to leave the data protection safeguards to be set out later in secondary legislation."
"Where there is a demonstrable need to legislate to permit data sharing between public sector bodies, or between public and private sector bodies, the Government's intentions should be set out clearly in primary legislation," it said. "This would enable Parliament to scrutinise the Government's proposals more effectively and, bearing in mind that secondary legislation cannot usually be amended, would increase the opportunity for Parliament to hold the executive to account."
The Committee said that data protection has long been a serious issue that was only now getting the Government attention it deserved. "We regret that it has taken the loss of personal data affecting 25 million people – a 'train crash', in the words of the Information Commissioner – for the Government to take data protection seriously," it said.
"Data protection is a human rights issue and should not be treated as a fringe concern, a matter for rarely-consulted policy documents and procedures which are all too easily ignored. The recent data protection breaches have revealed the complacency of the Government's repeated refusal to accept our recommendations that more detailed limits and safeguards be included in Government bills which authorise the sharing of personal data," it said.
Training: Pinsent Masons, the law firm behind OUT-LAW.COM, is running a series of data protection update sessions in April 2008 at which this report and other topics will be discussed.
