Amendment moved [this day]: No. 178, in clause 65, page 36, line 6, leave out ‘two’ and insert ‘four’.—[James Brokenshire.]

James Brokenshire (Hornchurch) (Con): When we adjourned, I was halfway through explaining that amendment No. 178 was tabled on the assumption that we will ultimately reach a resolution on the matters that we were discussing. The amendment is reasonably straightforward and sets out the Committee’s clear intention on how data protection issues will be addressed and the seriousness with which they are treated. I need say no more.

The Parliamentary Under-Secretary of State for the Home Department (Mr. Vernon Coaker): Good afternoon, Mr. Benton. It is good to see you chairing our Committee again.

I ask the Committee to resist the amendment, which would increase the penalties in clause 65 for the clause 64 offence of making

The existing maximum penalty of a two-year custodial sentence would be increased to four years.

Clauses 64 and 65 were included in the Bill in recognition of the fact that a specific additional safeguard is needed to protect against improper onward disclosure of Her Majesty’s Revenue and Customs information. That is to conform with the safeguards attached to HMRC information in other circumstances. Clause 64 allows for the same additional safeguards to be applied by order to public authorities’ information. I hope that it is evident that the penalty in clause 65 applies in a very narrow set of circumstances relating to wrongful onward disclosure of information shared by public authorities through a specified anti-fraud organisation. Currently, that applies only to HMRC information.

The maximum penalty of two years’ imprisonment is consistent with the maximum penalty for all other comparable data-sharing offences—for example, under section 19 of the Commissioners for Revenue and Customs Act 2005 and section 10 of the Official Secrets Act 1989. In addition, the Government have proposed an amendment to the Data Protection Act 1998 to include a maximum custodial penalty of two years for the offence of unlawfully obtaining personal data under section 55 of that Act; the measure is in the recently published Criminal Justice and Immigration Bill. The Government do not accept the case for doubling the penalty in the limited circumstances of clause 64.

James Brokenshire: I hear what the Minister says. The amendment is in some ways different from the measures that he has highlighted. We tabled the amendment to make clear our view that the offence must be treated seriously, and to provide confidence in the way in which the system will operate. I do not intend to press the amendment to a Division; the point of tabling it was to set out for the Committee that breaches of data protection rules and the rules in clause 64 will be treated seriously and punished accordingly.

Mr. Coaker: I agree absolutely with the point that the hon. Gentleman makes.

James Brokenshire: I welcome that assurance from the Minister because it is important that that message is sent out. I know that the Information Commissioner has made representations to the Home Office and other parts of the Government to emphasise that, and that responses have recently been given in relation to the issue, as the Minister mentioned.

In the light of what the Minister has said, and the changes that have taken place, I beg to ask leave to withdraw the amendment.

Amendment, by leave withdrawn.

Clause 65 ordered to stand part of the Bill.

Question proposed, That the clause stand part of the Bill.

James Brokenshire: The clause would insert additional wording in schedule 3 to the Data Protection Act 1998. The disclosure of sensitive information will be permitted if it is processed for the purpose of disclosure to an anti-fraud organisation of the kind that we debated this morning, or is processed by that person after being so disclosed—in other words, if it is then processed thereon. The question is: why is the clause needed? The list of sensitive personal data that are covered is broad in ambit, and it goes much further than might be perceived necessary for a simple anti-fraud purpose. It has provoked some concerns among various groups. Liberty’s briefing note says:

It adds:

The Minister may say that the provision is required, and that it is an essential element in the fight against crime. However, it is wide ranging, and he must provide a justification for it, an assurance that it is not based on the administrative convenience that Liberty has highlighted, and a clearer understanding of the provision’s necessity, so that we might consider it accordingly.

Mr. Coaker: The clause inserts a new paragraph in schedule 3 to the Data Protection Act 1998 to facilitate the sharing of sensitive personal data, as the hon. Member for Hornchurch says, for the purpose of preventing fraud. The first data protection principle prohibits the processing of sensitive personal data, unless one of the conditions in schedule 3 to the Act is met. For example, paragraphs 7(1)(b) and 7(1)(c) of schedule 3 state that processing is necessary

The Secretary of State may by order add further conditions under schedule 3.

Although many public bodies will be able to rely on one of the current conditions in or applied under schedule 3, it is unlikely that the existing conditions would cover all cases of data sharing to prevent fraud. Therefore, the clause provides an additional condition that is tailored to anti-fraud data sharing and will facilitate such data sharing. It does not decrease the threshold of data protection which applies under the Data Protection Act.

I must stress that the provision is not a move to overturn the Data Protection Act or the principles that form its basis. The clause will not remove the need for data controllers either to comply with the data protection principles or to satisfy the conditions for an exemption from them, such as the exemption for crime prevention. The clause simply helps data controllers to comply with the additional requirement of the Act which relates to sensitive personal data when information is shared to prevent fraud. Although many bodies would already be able to comply with one of the existing conditions for sharing such information, the clause provides consistency throughout the full range of bodies that will share the information.

Section 2 of the Data Protection Act defines sensitive personal data; the definition includes information about political opinions, religious beliefs and racial origins of the data subject. It also includes information about the commission or alleged commission by the data subject of any offence. That part of the definition is relevant in this context. The definition also includes criminal proceedings for any offence committed or alleged to have been committed by the data subject. Again, that part of the definition is of obvious relevance in the context of the disclosure of information for the prevention of fraud. However, it is also possible that in disclosing information relating to offences or suspected offences, other sensitive personal data are necessarily disclosed. For example, information that a person was suspected of claiming sickness benefit for longer than he was entitled has the effect of disclosing information about his physical health, namely that he was initially entitled to such benefit. Physical or mental health or condition is also included in the definition of sensitive personal data.

Although many of the disclosures to an anti-fraud organisation will be covered by one or another of the existing conditions, not all will. That is why we are bringing forward the additional conditions. Under clause 66, all the information that is disclosed would have to be necessary for the prevention of fraud. In addition, the body sharing the information would have to do so either as a member of an anti-fraud organisation or in accordance with the arrangements made by such an organisation, so that data sharing will be subject to the rules of the anti-fraud organisation.

Furthermore, individuals will be informed that their data may be shared for the purpose of fraud prevention at the point that they provide the data. Individuals will be able to require the Information Commissioner to assess whether their data are being processed in compliance with the Data Protection Act. The commissioner may also investigate whether the data controller is complying with the Act on his own initiative. He will also be able to investigate using his normal powers and, where appropriate, he will be able to use an enforcement notice to require the data controller to take steps to comply with the Data Protection Act. With that explanation, I hope that the Committee will allow clause 66 to stand part of the Bill.

James Brokenshire: I am grateful to the Minister for that detailed explanation of the need for clause 66. What he said has been helpful in setting out the context, and the reasons and rationale of why this measure would be needed practically, and he has also addressed the concerns that have been highlighted elsewhere. I am grateful to the Minister for that explanation.

Question put and agreed to.

Clause 66 ordered to stand part of the Bill.

Clause 67 ordered to stand part of the Bill.

Amendment made: No. 148, in schedule 7, page 73, line 32, leave out from beginning to end of line 34 and insert—

Mr. Jeremy Browne (Taunton) (LD): I beg to move amendment No. 14, in schedule 7, page 75, line 11, leave out ‘keep under’.

The Chairman: With this it will be convenient to discuss the following amendments: No. 15, in schedule 7, page 75, line 11, after ‘review’, insert ‘on an annual basis’.

No. 13, in schedule 7, page 75, line 24, at end insert—

No. 241, in schedule 7, page 75, line 24, at end insert—

Mr. Browne: I am grateful to you, Mr. Benton, for giving me an opportunity to speak briefly about these amendments Nos. 14, 15 and 13, which stand in my name. During our proceedings this morning, we had a detailed conversation about clause 63; there is a lot of overlap and cross-over into the schedule, so I do not intend to repeat the points that I and others raised previously. However, I shall explain, for the benefit of members of the Committee the purpose of the amendments and the thinking behind them.

Amendments Nos. 14 and 15 would provide for an annual review of the code for data matching. My concern is that the time scales are too flexible and are insufficiently specific. The amendments, which amend the same sentence but reorder the wording, are designed to provide for an annual review. Amendment No. 13 relates to the point that I was discussing, along with others, with the right hon. and learned Member for Sleaford and North Hykeham, this morning. The amendment would require the code on data matching to be published before any information could be disclosed. I take the point that the right hon. and learned Gentleman made that, although that requirement would be more onerous than what is currently in the Bill, it would be better still to accept amendment No. 241 because that would provide for approval by Parliament.

My intention, subject to other contributions during the discussion on the schedule, is to press amendments Nos. 14 and 15 to a vote, because they address a specific different point about time scales, but not to press amendment No. 13 to a vote. I would be minded to support amendment No. 241 if that were pressed to a vote by other hon. Members.

Mr. Geoffrey Cox (Torridge and West Devon) (Con): I wonder if the hon. Gentleman might think about the expression “on an annual basis.” As I understand it, that means that the Commission might to do it only every 12 months, whereas it might want to look at the matter sooner if some event crops up. Should not the wording be “at least annually”?

Mr. Browne: That is a good point. My thinking may have been insufficiently demanding when I tabled the amendments and we may table further amendments at a later stage. I share the hon. and learned Gentleman’s view that requirements should be in place to ensure that the mechanisms are reviewed periodically in a way that is likely to provide greater safeguards. I accept that he may not regard “annually in all circumstances” as sufficient, but the clause as drafted does not specify a time scale, so it could stretch indefinitely into the future, which would be unsatisfactory.

James Brokenshire: The schedule deals with data matching. I welcome the additional changes in schedule 7, especially the insertion of new section 32A(5) of the Audit Commission Act 1998, which states:

The Minister referred to that this morning. That is a welcome improvement as it defines the contrast between data matching and data mining, which was referred to at the start of our previous debate, which is very helpful.

However, concern remains about whether we are being taken down another track. It is important to keep the code of practice on data matching under review. I say to the hon. Member for Taunton that the ambit of language in proposed new section 32G(1) is already fairly broad; my interpretation is that the code will be under constant review that may be wider than the hon. Gentleman’s amendments propose.

I note that the hon. Gentleman will not press amendment No. 13 to a Division. My clear impression is that the clause refers to the data matching code rather than to the data sharing code: the two need to be kept separate as they are assessing different things. However, our argument that the code needs parliamentary approval is still relevant for the purposes of data sharing, which we debated this morning. We therefore tabled amendment No. 241, which provides that the code on data matching

We may have rehearsed some of the arguments earlier, but I look forward to the Minister’s response to the amendments. It is important that there is some assurance that not only has there been consultation with the relevant persons, such as the Information Commissioner, but that there will be external and parliamentary scrutiny of the code.

As parliamentarians, we want to be able to say that we are satisfied that the code of practice provides the intended protections, so that the concern we have highlighted about the ambit of data matching in respect of the code of practice is adequately addressed. I will listen with interest to the Minister’s response to the amendment before deciding whether to press it to a Division.

Jeremy Wright (Rugby and Kenilworth) (Con): I rise briefly to support what my hon. Friend said about the amendment. I share his reservations about the amendments tabled by the hon. Member for Taunton as it is vital to have a code that can be amended as flexibly as possibly to deal with what may be a fast-changing situation. I attended a presentation by the National Fraud Initiative, which the Minister kindly arranged.—

Sitting suspended for a Division in the House.

On resuming—

Mr. Coaker: I thank the hon. Member for Hornchurch for the point that he made about proposed new section 32A(5) of the Audit Commission Act 1998. We want to ensure that our approach is conciliatory. I also thank the hon. and learned Member for Torridge and West Devon, who rightly pointed out to the hon. Member for Taunton that it is the flexibility to review the code that is important. That might be done more than once a year.

The hon. Member for Taunton has tabled two amendments that would have the cumulative effect of requiring the Audit Commission to review its code of data matching practice every year. To date, the national fraud initiative has been carried out only every other year. The new provisions already place a duty on the Audit Commission and other audit bodies using the powers to keep the code of data matching under review. In practice, that means that the code will be reviewed and updated before each round of data matching occurs, in order to take account of developments that have taken place over the previous two years.

Sitting suspended for a Division in the House.

On resuming—

Mr. Coaker: It is a bit like Wimbledon here—it is difficult to maintain one’s train of thought. We should have some sympathy for the competitors there.

On the amendments tabled by the hon. Member for Taunton, it does not follow that the code should automatically be reviewed every two years; it might be appropriate for it to be done more or less frequently. I think that that point has also been made by other members of the Committee.

The amendment tabled by the hon. Member for Arundel and South Downs (Nick Herbert), which was moved by the hon. Member for Hornchurch, would prevent the code of data matching from having effect until it was approved by both Houses of Parliament. We debated some of those issues this morning, and my contention is still the same in respect of the code of practice and the data sharing principles. My objection to this amendment is the same as my objection to the earlier one requiring the data sharing code to be approved by both Houses of Parliament before it is published. The Information Commissioner was specifically appointed to be the independent regulator responsible for monitoring compliance with the Data Protection Act. The Audit Commission will be required to consult him when preparing or revising the code, and to send a copy of the code to the Secretary of State, who will be under a duty to lay it before Parliament.

Given the arrangements that Parliament is in the process of putting in place, I wonder whether it is necessary, or right, for it to involve itself in approving the code. As I indicated earlier, such a step would duplicate the functions entrusted to the Information Commissioner by Parliament and encroach on his supervisory and regulatory remits. The Information Commissioner answers to Parliament and can, if he wishes to do so, report to the House if he is unhappy with the way in which powers are being used.

As I said earlier, if we ask Parliament to approve the code of practice, where will that leave all the existing codes, which have not been approved? The question follows, should Parliament be asked to approve all codes of practice as they come up for renewal? I am not sure that that would be an economic use of Parliament’s valuable time. I hope that my explanation has reassured the hon. Gentleman and that he will be willing to withdraw the amendment.

James Brokenshire: We will reflect on the Minister’s comments on the ability of the Information Commissioner to report back to Parliament on the code of practice, and on whether that gives this place sufficient oversight to ensure that the protections that we would like to have in the code are properly maintained.

On the basis of what the Minister has said, I do not wish to press amendment No. 241 to the vote. The work of the Audit Commission on the national fraud initiative has been very effective, and I recognise that the powers are intended to bring that within a statutory framework. We shall reflect on the Minister’s reassurances, including those about the Information Commissioner, and consider whether the issue needs to be revisited on Report.

Mr. Browne: In light of the comments from both sides of the Committee room, I am not minded to press a vote on the amendment—not least because of the Minister’s reassurances. Although I am not averse to heroic one-man charges, I have, like the right hon. and learned Member for Sleaford and North Hykeham, no taste for—

Mr. Cox: Futile gestures.

Mr. Browne: Indeed. So I shall bow out. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Amendments made: No. 149, in schedule 7, page 78, line 38, leave out from beginning to end of line 40 and insert—

No. 150, in schedule 7, page 84, line 25, leave out from beginning to end of line 27 and insert—

Schedule 7, as amended, agreed to.