Serious Crime Bill [HL]

The noble Baroness is right that under Section 22 of the Data Protection Act the Secretary of State can make an order designating a type of data processing as assessable processing, if it appears to him that it is likely—this is the important point—to cause substantial damage or distress or otherwise significantly prejudice the rights and freedoms of the data subjects. That is the benchmark. An order under Section 22 of the Data Protection Act would add an extra stage to the notification regime already in place under that Act. Data controllers, such as the Audit Commission, are required to notify the Information Commissioner on how they intend to process personal data and they are required to be included on a register kept by the Information Commissioner. The noble Baroness has outlined in part how this system works. If an order were made under Section 22, the Information Commissioner would have to decide whether the intended processing would be assessable processing and, if so, whether or not it would comply with the Data Protection Act. The Information Commissioner would have a period of28 days in which to make his assessment, which he could extend by a further 14 days, and the data controller would not be able to begin any assessable processing during that period. The process is tough. The noble Baroness is right that the Secretaryof State has not, to date, made an order underSection 22, so the Information Commissioner is not currently required to consider the question of assessable processing. If the Secretary of State considers that any data sharing or matching under the powers in the Bill are likely to cause substantial damage or significant prejudice, he already has the power to make an order under Section 22 requiring a prior assessment by the Information Commissioner. That could happen without the amendment. We already have what the noble Baroness seeks. The Government do not consider the proposed data sharing particularly likely, "““to cause substantial damage or substantial distress to data subjects””," or otherwise significantly prejudice their rights and freedoms. The processing is a necessary measure for the prevention of fraud. As the noble Baroness identifies, however, if it were to cross the threshold of Section 22, we would have the power to use that process. The possible delay of 28 days or longer while the preliminary assessment took place could seriously hinder the fraud prevention purposes of the new powers. Finally, this provision could also distract the Information Commissioner’s Office from focusing on those activities likely to cause the greatest harm to individuals, since it would be required in all cases to consider whether a notification for a data controller included any assessable processing. I know that the noble Baroness would not seek that and, as I said, the powers created by this clause are, and will continue to be, subject to the Data Protection Act. The Information Commissioner’s Office will continue to investigate whether data sharing and matching comply with the Act in the same way as it regulates all other data processing. There is therefore no need to include an express reference to Section 22 of the Data Protection Act in the Bill.