I move: "That the Bill be now read a Second Time."
The object of the Bill is to give effect to the 1981 Council of Europe Data Protection Convention or — to give it its full title — the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. For that reason, it will be useful, by way of introduction, to describe briefly the developments which gave rise to the need for such a convention and also to refer to the legislative provision made in some other European countries to protect the privacy of individuals in respect of automated personal data kept about them.
In the early seventies large information systems had become computerised to such an extent that fears began to be expressed on an increasing scale about the threat to privacy that they could pose. The fears were not based primarily on the amount of the information stored in the systems. The real basis for the concern was the ease and speed with which computerised information could be collected, re-arranged, transferred and retrieved, and the fact that this information could include sensitive personal information and could be used for all kinds of purposes without the knowledge of the individuals to whom it related. Moreover, the ability to link computerised information systems gave rise to apprehension that the State would be in a position to have virtually instant access to all the information it held separately on each individual and, through file matching, to build up a comprehensive profile on every member of society. There were fears, too, that computerised personal information could more easily be stolen or copied or otherwise obtained improperly by those to whom it should not be disclosed.
The recognition that automated personal data was a potential threat led to the introduction of data protection legislation in a number of European countries. Sweden was the pioneer in 1973, followed since then by Austria, Denmark, France, the Federal Republic of Germany, Iceland, Luxembourg, Norway and the UK.
On the international plane, the OECD in 1980 published guidelines on the protection of privacy and transborder flows of personal data. The Council of Europe Data Protection Convention was opened for signature in 1981. Unlike the OECD guidelines, the Convention is a legally binding instrument. So far most member states of the Council of Europe have signed the Convention. Six have ratified it: Norway, Sweden, France, Spain, the Federal Republic of Germany and the UK. The guidelines were accepted, and the Convention signed, on behalf of this country in December 1986. We shall be in a position to ratify the Convention as soon as the Bill has been enacted and is in full operation. A number of other countries are also proceeding with legislation to enable them to do so.
As might be expected, all the legislative measures enacted by the countries which have ratified the Convention have certain features in common. They all give effect to the basic data protection principles set out in Chapter II of the Convention. These principles require that personal data shall be collected fairly and lawfully, be accurate, up to date and so on; that appropriate safeguards be provided for particularly sensitive personal data concerning racial origin, political opinions, religious or other beliefs, health or sexual life and criminal convictions; that appropriate security measures be taken for protecting the data; that the individual concerned should be able to establish the existence of personal data systems, to find out what data are kept about him or her, and to have the data rectified or erased if they have been processed in contravention of the principles.
However, the Convention allows exceptions to be included in the domestic law if they constitute a necessary measure in a democratic society in the interests of protecting State security, public safety, the monetary interests of the State or the suppression of criminal offences; or of protecting the data subject or the rights and freedoms of others. It allows restrictions on the rights of access, rectification and erasure with respect to personal data used for statistics or for scientific research purposes when there is obviously no risk of an infringement of the privacy of the data subjects concerned. It also provides that national laws must provide a remedy and appropriate sanctions if there is any contravention of the data protection provisions.
The provisions to give effect to the Convention can take different forms, depending on the legal and constitutional system of the country concerned; and the laws or regulations adopted may be supplemented by voluntary codes of practice or codes of conduct. By and large there is a substantial correspondence between the main provisions of the legislation in force in each of the countries which have so far ratified the Convention.
In the present Bill, the "common core" or basic principles of data protection of the Convention are given effect to in sections 2 to 8 under the general heading of "Protection of Privacy of Individuals with regard to Personal Data." They include provisions relating to collection, processing, storage, access and dissemination of personal data.
Side-by-side with the basic principles, which guarantee to data subjects in all countries where the Convention is in force a certain minimum protection, the Convention contains special rules on transborder data flows. Particular importance is attached by the Convention to the free flow of information because the right to impart information and ideas without interference by public authority and regardless of frontiers is already guaranteed by article 10 of the Convention on Human Rights. Indeed, in those cases where the Data Protection Convention provides for the possibility of imposing restrictions on transborder data flows, it does so only to the minimum extent required for the protection of the rights of others, in particular, the right to respect for individual privacy.
The maintenance of unrestricted data flows is particularly important for our economy, especially in view of the establishment of the international financial services centre on the Custom House Docks site. This is because several European countries have legislation restricting the export of data for processing to countries which have less strict data protection laws or perhaps none at all. The absence of data protection legislation here could thus be a factor that international companies would take into account when deciding whether or not to establish a business here, particularly in the area of data processing. For this reason it is desirable that the Bill should be enacted and the Convention ratified as soon as possible.
All data protection legislation to date provides for a person or body to supervise the operation of the legislation and to enforce its provisions. The Convention does not specifically require the establishment of such an authority but, as a practical matter, it is difficult to see how any legislation can be fully effective unless there is some form of supervisory authority with power to see that its provisions are complied with and, where they are not, to take remedial action. In most of the countries concerned the supervising authority is independent of both the public and the private sector.
Section 9 of the Bill provides for appointment of a Data Protection Commissioner. He will be appointed by the Government and will be independent in the exercise of his functions. He will have power to enforce compliance with the provisions of the Act, either on his own initiative or on receipt of complaints from data subjects. To achieve this, he can issue "information notices", requiring persons to furnish him with information to enable him to perform his functions; "enforcement notices", requiring data controllers or processors to comply with specified provisions of the Act, and "prohibition notices", prohibiting the transfer of personal data abroad in certain circumstances. These notices, of course, are measures of last resort to be employed only if the persons concerned either refuse to behave properly or genuinely believe that the commissioner is wrong and that the matter should be determined by the Circuit Court on appeal. I see the commissioner more as a mediator and as someone who can play a useful role in helping those who keep personal data to bring their operating procedures into line with the Act. Because it is not possible to legislate for the specific data protection requirements of all the different areas concerned, he will also have the duty of encouraging the preparation and dissemination of codes of practice in those areas.
I have referred to the international dimension of the Bill and its importance in relation to transborder flows of personal data. The commissioner will have an important role in this area. Section 11 contains special provisions regarding transborder flows and for mutual assistance between contracting States. The commissioner, when considering whether to prohibit a proposed transfer to a place bound by the Convention, must have regard to article 12, which severely limits the powers of a contracting State to prohibit or restrict data flows to the territory of another contracting State. So far as a transfer to a non-contracting State is concerned, he must allow it unless he is of opinion that the transfer would be likely to lead to a contravention of the data protection principles set out in the Convention. In either case he must also consider whether the transfer would cause damage or distress to any person and have regard to the desirability of facilitating international transfers of data.
The commissioner will be the designated authority for the purposes of Chapter IV of the Convention which provides that contracting States will render each other mutual assistance in implementing the Convention. That chapter also sets out the obligations undertaken by parties towards one another, such as the rendering of assistance to data subjects abroad and the safeguards necessary as regards confidentiality in such circumstances.
Data protection laws differ in the type of the control exercised over those who keep automated personal data. In the earliest of these, for example, in Sweden and Norway, a licence from the controlling authority was necessary before anyone could establish a personal data register or file. That imposed a heavy burden on the data protection authority. In other countries universal registration was the norm and the problem of undue "bureaucracy" was met by having simplified forms of registration for small businesses or other activities which did not constitute any serious danger to individual privacy.
More recently, a less rigid approach has emerged. The trend is now towards a two-tier system, characterised by a requirement of registration for the large-scale controllers and processors — those whose activities are more likely to give rise to concern — and a simpler system of a self-regulatory kind for those whose keeping and use of personal data is limited in scope and poses no threat. We have sought to learn from the experience of other countries and to provide a system which would avoid unnecessary burdens on industry and small businesses and ensure that the commissioner would have adequate powers to see to it that the provisions of the law are complied with fully. Accordingly, the Bill proposes that, initially, only certain categories of data controllers will be required to register. These will be persons or organisations keeping the specially sensitive data I have referred to — data about racial origin, political opinion, health, sexual life, and so on — as well as organisations operating in the public sector and financial institutions and agencies concerned with credit references, debt collecting, direct mailing and direct marketing. All data processors, that is, those who provide computer bureau services, must also be registered. The requirement to register will therefore cover a wide area of activity, an area in relation to which the public can expect to have particular concerns in the matter of the protection of their privacy.
All other persons and bodies who keep automated personal data, while not required to register, will be equally bound by the general data protection provisions of the Bill. Complaints about contraventions by them of these provisions can be investigated by the commissioner in the same way as he can investigate smaller complaints about data controllers who have to register. His powers to enforce compliance with these provisions will also apply in the same way. The heavy administrative burdens involved in universal registration will thus be avoided and resources can be devoted to supervision and enforcement of data protection.
On the other hand, the Bill does not exclude the possibility of extending substantially the categories of data controllers who are required to register or, indeed, even the possibility of having universal registration if in some future situation it should appear to be desirable to do so. For the present and for the foreseeable future, however, it seems to me that the resources involved in universal registration would be more effectively employed in seeing that the data protection provisions are properly implemented. In particular, I see no reason for the registration of all those small businesses that to an ever increasing extent are making use of microcomputers for payroll and customer applications and that constitute no danger to individual privacy.
The commissioner will have power to refuse applications for registration, for example, where he is of opinion that the person applying for registration is likely to contravene any of the provisions of the Act. Where data controllers keep the specially sensitive kind of data I have mentioned, he must refuse registration unless he considers that they are providing, and will continue to provide, appropriate safeguards for protecting the privacy of the individuals concerned.
Section 19 spells out the effects of registration. First, it will be an offence for data processors and registrable data controllers to keep or process personal data without being registered. It will also be an offence for such data controllers to act contrary to the intentions expressed by them when applying for registration. For example, they may not keep personal data of a description other than that specified in the entry in the register, or keep or use such data for a purpose other than the purpose or purposes described in the entry. If the source from which the data is obtained is described in the entry, they may not obtain the data from any other source. Finally, they may not transfer data to a place outside the State, other than a place named or described in the entry.
I should like now to turn to some of the other provisions of the Bill, starting with the definitions in section 1. Some of the definitions, particularly of such key expressions as "personal data" and "processing" are of critical importance because it is essential to try to express them in terms which will still be valid even if technological change continues at its present rate. Otherwise the scope of the Bill would be broadened or restricted by the continuous developments in the field of data equipment. For this reason it has not been possible to avoid a fair degree of technicality in the definitions.
An example will indicate why. I think we all appreciate that the kind of automated personal data the Convention contemplates are data that are machine-readable and not readable in the ordinary sense. In other words, we are talking here of information that is recorded in a computer memory or floppy disc or magnetic tape and that can be made intelligible only by displaying it on the computer screen or on a printout. On this view, a definition of personal data as information in machine-readable form would seem to be adequate. But nowadays data equipment can record typed pages so that all typewritten information is now potentially machine-readable and under such a definition would come within the scope of the Bill. The Bill should apply only if and when typewritten information has been inputted into an automated system and that is the effect of the definitions of "data" and "processing" in section 1.
There is also an express exclusion in the definition of "processing" for an operation performed solely for the purpose of preparing the text of documents. The intention is to exclude the operation of word processors when being used simply for that purpose. A common example would be the despatch of a standard letter to many people where the names and addresses are kept on a word processor. Word processors are not excluded as such. Much word processing is done on personal computers which are capable of automatically processing the personal data concerned. Once they are used for purposes other than the preparation of documents, their operation comes within the scope of the Bill.
It is clear from the definitions of "data" and "personal data" that the Bill's provisions do not extend to manual files or to companies or partnerships.
The main reason for excluding manual files is that automated personal information systems present problems of a particular kind for the protection of individual privacy. There is also the major administrative problem that including manual files in this legislation would involve, not least of which would be the substantial additional costs. As against this, it is sometimes argued that the easiest way to circumvent the Convention is to delete the automated data concerned and put it on a manual file. However, the Convention is concerned with the potential misuse of computerised data and the computer's inherent power to transmit and correlate huge quantities of information at very high speeds. Such considerations do not arise where data are collected or stored manually. Also, more and more data are being transferred to computers and it would not be an economic proposition for a business to reverse the trend towards automated information systems.
As regards the question of extending possible protection to legal persons or non-personal data, it seems to me that there is an essential difference between the privacy interests of natural persons and those of an artificial entity such as a corporation, though I appreciate that corporations too have trade secrecy and confidentiality interests that can be damaged. The exclusion of companies or other bodies is not to be taken as exempting them from the provisions relating to data controllers or processors if they qualify as such.
Section 1, apart from containing the definitions, also authorises Ministers to delegate responsibility for compliance with the provisions of the Bill to those civil servants in the various Departments who are primarily concerned with the personal data covered by the Bill. Additionally, the Minister for Defence can designate an officer of the Permanent Defence Force to be responsible for automated personal data relating to members of the Defence Force.
Finally, section 1 provides for the exclusion of certain personal data from the scope of the Bill. As allowed for by article 9 of the Convention, this exclusion covers personal data that in the opinion of the Minister for Justice or the Minister for Defence are, or at any time were, kept for the purpose of safeguarding the security of the State. The section also excludes personal data concerned only with the management of an individual's personal, family or household affairs or kept by him or her only for recreational purposes.
Sections 2 to 6 of the Bill are devoted specifically to the protection of the privacy of individuals with regard to personal data. Section 2 imposes on data controllers obligations relating to the collection, accuracy, adequacy, relevance, storage and security of personal data kept by them and prohibits the use or disclosure of the data in any manner incompatible with the purposes for which they are kept. The obligation relating to security is the only one applicable to data processors.
Sections 3 to 6 entitle individuals to establish the existence of automated personal data concerning them, to have access to such data and to have the data rectified or erased, where appropriate. These provisions correspond to the principles contained in article 8 of the convention and give individuals new rights in relation to personal data kept about them. The right of access is one of the most important safeguards of the rights of the individual data subject that is provided for in the Bill. It will prevail over any enactment or rule of law prohibiting or restricting disclosure of information or authorising the withholding of it, but power is given to the Minister for Justice to make regulations continuing any such prohibition, restriction or authorisation if he thinks that that should be done in the interests of the individuals concerned or any other individuals. An example that comes to mind is the provision in the Adoption Acts prohibiting the disclosure of information from the index kept for tracing the connection between the entries in the Adopted Children's Register and the corresponding entries in the register of births.
The right of access is restricted in the kind of circumstances that are envisaged by article 9 of the Convention. For example, the right of access may not be exercised in relation to personal data kept for the purpose of preventing, detecting or investigating crime if that purpose would thereby be prejudiced.
Section 7 is an important provision. It imposes on data controllers and data processors a duty of care to individuals in respect of whom they collect, process, keep, use or disclose personal data, that is, to the extent that the law of torts does not already impose such a duty. Under the present law, any damage resulting from a breach of the relevant provisions of the Bill could make the controller or processor liable in negligence, breach of confidence, defamation or breach of contract. This section provides a specific right to compensation to the extent that the law of torts does not already do so, for example, where it may not be possible to establish a sufficient relationship between a data processor and the individual concerned so as to give rise to a duty of care.
The final group of sections, entitled "Miscellaneous", includes a provision — section 21 — making it an offence for "hackers" and other persons to obtain personal data without authority and then to disclose the data. "Hacking" — the unauthorised accessing of a system — is not being made an offence per se. That would be outside the scope of this Bill and if the creation of such a specific offence were necessary it would be appropriate to a Bill dealing with computer crime.
The offence under section 21 will arise only where two conditions are satisfied — obtaining personal data without authority and its subsequent disclosure. The inclusion of such an offence in the present Bill is appropriate because of the other provisions it contains which are directed against unauthorised disclosure of personal information.
Section 22 deals with personal data kept or processed outside the State. Normally the Bill will have no application to such data but it will apply if the data, although processed abroad, are used or intended for use in the State.
Provision is made in section 23 for officers authorised by the commissioner to visit premises of data controllers and processors in certain circumstances and obtain any information necessary for the performance of the commissioner's functions.
Section 25 provides a right of appeal to the Circuit Court against decisions of the commissioner. An appeal may be brought to the High Court against a decision of the Circuit Court only on a point of law.
The commissioner is being given power by section 30 to prosecute offences under the Bill summarily. Here I should say that, in general, a failure or refusal by a data controller or data processor to comply with the data protection provisions will not be an offence. However, if the commissioner requests a data controller or a data processor to comply with an obligation under the Bill and he issues a notice requiring compliance, then any failure or refusal, without reasonable excuse, to comply with the requirement will be an offence. Of course, if an appeal is taken to the Circuit Court against such a requirement, the requirement need not be complied with while the appeal is being determined unless in circumstances of urgency for which special provision is made.
Section 34 provides that different provisions of the Bill may commence at different times. The idea is to bring into operation those provisions necessary to enable the Convention to be ratified as soon as possible after the Bill's enactment, while allowing sufficient time for persons and organisations to adapt to the data protection requirements and, if required to do so, to register. Some of the provisions need not be brought into operation until the people affected have had an opportunity to accommodate fully to the legislation. An example would be subsection (2) of section 6, which requires a person who rectifies or erases personal data pursuant to the Act to notify the rectification or erasure to anyone to whom the data were disclosed in the 12 months prior to the request for rectification. It would be unreasonable to expect this provision to apply until some time had elapsed after the commencement of the main provisions of the Act, so as to give controllers who do not keep records of disclosures an opportunity to arrange to do so.
As regards commencement, it is anticipated that a period of six months at least would be required between the passing of the legislation into law and the date when its main provisions would become operative. During that period, steps can be taken to ratify the Convention since it will not come into force for the State until three months after the instrument of ratification has been deposited on our behalf. The intention is that that date and the date of the commencement of the main provisions of the Bill should be the same.
To sum up then: the Bill is designed to provide adequate safeguards to individuals against any abuse of their privacy arising from the automatic processing of personal data concerning them. It does this without imposing any undue burdens on industry or the taxpayer and without unnecessarily restricting transborder flows of data, including flows of data to this country for processing from countries which have ratified the Convention.
There are other positive benefits. The Bill will encourage Government Departments and agencies and private sector companies to adopt better practices in the handling of personal data, such as keeping data up to date and not keeping data for longer than necessary. That should lead to greater efficiency in the use of information technology in both the public and private sectors.
The general principles of the Bill will commend themselves to all sides of the House but it is a technical Bill and there may be aspects which Deputies may wish to have clarified. If so, I shall endeavour to do so when replying or during Committee Stage. In any event, I shall give careful consideration before that Stage to any suggestions for amendment that may be made in the course of this debate.