The Joint Committee on Human Rights said that a spate of recent
losses of personal data by the Government or its agencies is
"symptomatic of the Government's persistent failure to take data
protection safeguards sufficiently seriously … the rapid increase
in the amount of data sharing has not been accompanied by a
sufficiently strong commitment to the need for safeguards."
"The fundamental problem is a cultural one: there is
insufficient respect for the right to respect for personal data in
the public sector," the Committee said.
The Committee was reporting on a series of data protection
breaches by public authorities, the most serious of which was the
loss of personal and banking details of 25 million people by HM
Revenue and Customs last November.
The Committee said that the Government failed to take data
protection issues seriously enough and should put data protection
principles directly into new laws rather than always rely on the
Data Protection Act.
"Bills should include specific data protection safeguards," said
the Committee. "In our view, appropriate safeguards include clearly
defining who should be allowed to access information; to whom
information may be disclosed; and the purposes for which
information may be shared."
The Committee also said that the powers of the minister
responsible for data protection were too weak to force the
Government to protect data properly. Michael Wills, a minister of
state at the Department of Justice, has responsibility for data
protection along with 12 other areas.
"We are concerned that the role of data protection minister is
far too limited, being related exclusively to the maintenance of
the legislative framework for data protection," said the
Committee.
"We recommend that the role of data protection minister should
be enhanced. In addition to overseeing the data protection
legislation, the data protection minister should have a
high-profile role within Government, championing best practice in
data protection and ensuring that lessons are learnt from breaches
of data protection," it said.
The Committee said that it had consistently warned the
Government that it should put data protection into a number of
laws. It said it had singled out recent laws including the
Anti-Terrorism, Crime and Security Act, the Enterprise Act, the
Community Care (Delayed Discharges etc) Act, the Criminal Justice
Act, the Children Act, the Serious and Organised Crime Act, the
Identity Cards Act and others as laws which require specific data
protections.
"The Government's response has generally been to resist our
recommendations," said the Committee. "We fundamentally disagree
with the Government's approach to data sharing legislation, which
is to include very broad enabling provisions in primary legislation
and to leave the data protection safeguards to be set out later in
secondary legislation."
"Where there is a demonstrable need to legislate to permit data
sharing between public sector bodies, or between public and private
sector bodies, the Government's intentions should be set out
clearly in primary legislation," it said. "This would enable
Parliament to scrutinise the Government's proposals more
effectively and, bearing in mind that secondary legislation cannot
usually be amended, would increase the opportunity for Parliament
to hold the executive to account."
The Committee said that data protection has long been a serious
issue that was only now getting the Government attention it
deserved. "We regret that it has taken the loss of personal data
affecting 25 million people – a 'train crash', in the words of the
Information Commissioner – for the Government to take data
protection seriously," it said.
"Data protection is a human rights issue and should not be
treated as a fringe concern, a matter for rarely-consulted policy
documents and procedures which are all too easily ignored. The
recent data protection breaches have revealed the complacency of
the Government's repeated refusal to accept our recommendations
that more detailed limits and safeguards be included in Government
bills which authorise the sharing of personal data," it said.
Training: Pinsent Masons, the law firm behind
OUT-LAW.COM, is running a series of data
protection update sessions in April 2008 at which this report
and other topics will be discussed.