Serious Crime Bill [HL]

We regret that the noble Lord, Lord Lucas, was not in a position to move the amendment himself, but the noble Baroness has done so with such elegance that I am sure he will be very happy that she was here to act in his stead. Under the amendment, the anti-fraud organisation and the Audit Commission would have to notify the Information Commissioner each time they received information from a public authority, unless the Information Commissioner directed otherwise. Such notifications must include the name of the notifying body, the name of the person disclosing the information, the nature and quantity of the information and the reason for disclosure. Although I know that this is a probing amendment, it would also place further duties on notifying bodies to comply with any direction that the Information Commissioner made, and on the Information Commissioner to maintain a register of all notifications received. The data that the anti-fraud organisations will share and the Audit Commission will use for its national fraud initiative will, as I said, be ““personal data”” for the purposes of the Data Protection Act 1998. Part 3 of that Act already prescribes a comprehensive registration regime for those bodies that process personal data and specifically prohibits them from undertaking this activity unless they comply with those obligations. It is perhaps important that we remember that ““processing”” in a Data Protection Act sense encompasses both receiving data and providing it, so that it will capture anti-fraud organisations, the Audit Commission and any other body that provides them with information—in other words, the bodies that are contemplated by this amendment. The data controllers who are processing personal data must notify the Information Commissioner of their particulars including, among other things, their names and addresses, a description of the personal data to be processed, the purposes of the processing and a description of the recipients to whom suchdata may be disclosed. I understand what the noble Baroness is seeking in her amendment, but I respectfully suggest that it is difficult to see how it would add anything of value to the registration system that is already in place. Further, the Information Commissioner already has a comprehensive suite of powers in relation tothe bodies that will be sharing or matching data and the work that they do. He can assess whether they are complying with any of the duties under the Data Protection Act. He can issue notices requiring these bodies to furnish him with such information as he may specify for his purpose. He also has enforcement powers to rectify instances of non-compliance and is able to prosecute individuals for offences under the Act. The very nature of fraud means that the bodies that are trying to tackle it need to be able to move quickly. This process could be hampered by an amendment such as this. The noble Baroness herself made it clear that she did not want to overlay unnecessary bureaucracy or anything of that sort. There would also be significant resource implications for the Information Commissioner in so far as how he would be expected to manage and process an influx of notifications. The noble Lord, Lord Lucas, suggests in his Amendment No. 111 that the Audit Commission should be placed under a duty to produce a detailed and prescriptive report before it undertakes each data-matching exercise. This amendment is not only unnecessary but bureaucratic and unworkable. Under it, the Audit Commission’s report would first have to state the reasons for conducting the data-matching exercise. That is unnecessary as the reasons for data matching are already set out in Section 32A. At that stage, data matching would be carried out to assist in the prevention and detection of crime. The amendment would then require the report to detail any assumptions to be made in the data-matching exercise, the audit to which those assumptions would be subject, and the outcome of the data matching which the Audit Commission would consider as successful. It is unclear what the noble Lord means by ““assumptions””, but in any event the Audit Commission makes no assumptions about whether any person whose data is shown to match may or may not be guilty of fraud. It will simply match data provided to it and forward any anomalous matches thrown up to the relevant bodies and their auditors for further investigation. The amendment proposes that the Audit Commission’s report would also have to detail why it considered that the data-matching exercise would be a proportionate use of its powers and the steps that it would take to ensure that data subjects are protected. Those, too, are unnecessary requirements. First, the Audit Commission is obliged to comply with the Data Protection Act and the European Convention on Human Rights regardless of the circumstances; secondly, the code of practice, which the Audit Commission is required to promulgate, is the more appropriate place for addressing issues of this nature. It may reassure the Committee to know that the Audit Commission undertakes pilot exercises to ensure that any wholly new data matches that are incorporated into the national fraud initiative will be likely to yield a high incidence of anomalies, or anomalies which, if found to be fraudulent, could involve large sums of money. It also has detailed security standards which apply to its data-matching exercises and to participating bodies. All these issues are already provided for in the Audit Commission’s existing code of data-matching practice. For those reasons, I must resist the amendments. The noble Baroness asked what the triggers were to justify data sharing—for example, from CIFAS rather than the Audit Commission. Although we cannot give a definite answer without reference to a specified anti-fraud organisation, CIFAS insists that, before filing a report for other members to check against, members must have enough evidence of fraud to make a report to the police. We think that that practice has proved sound and successful. The noble Baroness also asked how the commission chooses the data sets and whether those data sets would be published. I hope that I have covered that in the answer that I gave. There is clarity in how that is done. It has worked well, and we believe that it is a sound premise on which to go forward. I hope that, with that explanation, the noble Baroness will feel able to withdraw the amendment.