Simon Hughes – 2015 Speech to the Data Protection Practitioner Conference

The speech made by Simon Hughes, the then Minister of State for Justice and Civil Liberties, in Manchester on 2 March 2015.

Thank you for your introduction and for inviting me to join you at today’s conference.

The issues around access to information matter hugely to people, and increasingly so.

When private and personal data goes missing it is a matter of real concern to those affected.

When data is misused, for example to make nuisance calls, it can cause real distress.

When information is not managed effectively, for example in connection with the need to check the backgrounds of those working with children, it can lead to serious lapses of safety and security.

When the public and the media cannot access legitimate information, for example about decisions made by the government, they are rightly frustrated.

I am clear. And the Coalition government is clear. The issues you are discussing today, but deal with every day, matter to the public and can have a real impact on people’s lives.

I want, therefore, to first thank you for all that you do in the fields where you work.

The UK’s information rights regime is one of which we should be proud – and you can be proud of the advances which have been made.

I want to take this opportunity to commend the Information Commissioner for his work, and all who work in the Office of the Information Commissioner for their work, particularly to make sure that individuals understand their right to information.

The Information Rights Balance of Competences review which we recently conducted – and which some of you may have contributed to – confirmed that the Data Protection Act strikes a good balance between the interests of data controllers and data subjects.

I am equally clear that there can be no room for complacency.

As the Minister with responsibility for these issues for just over a year, I have been determined that there is no complacency in government.

Every year, if not every month, brings a new technological advance.

Last week I celebrated the 32nd anniversary of my election as an MP in 1983. In that time I have seen a transformation in how I communicate with my constituents and the way their information – often hugely personal and highly sensitive – is managed. Those changes have brought huge benefits and helped me to improve, I hope, the way I can serve my constituents as their MP. I am now an email or a tweet away, rather than a letter or a surgery appointment away – although of course these methods of engagement continue. I can direct constituents to sources of government information on the internet which previously would have been available only by post or on the end of an agency’s helpline, often with a lengthy wait. Our systems are now cloud-based.

The Internet of Things will transform our lives in ways we cannot imagine.

And each of these advances brings with it new and ever more difficult issues of privacy and data protection.

It is our job to meet the challenge of safeguarding personal data, whilst also facilitating its use and flow.

Let me give you just four brief examples which I imagine you are all aware of which show how we are meeting that challenge.

First, just last month, we have taken a really important step to widen the protection of data by passing legislation that will extend the Information Commissioner’s powers of compulsory audit to public authority NHS bodies.

This now allows the Information Commissioner to undertake mandatory ‘spot-checks’ on specified NHS data controllers.

In practical terms, this means that the ICO can now work with data controllers in the NHS to rectify problems at an earlier stage. He can now carry out inspections when he deems it necessary.

The reforms should encourage NHS bodies to improve their compliance with the data protection framework. These changes should also go some way towards improving public confidence in the ability of NHS bodies to protect sensitive personal data.

This is just one example of how government has worked with the ICO and stakeholders to improve data protection legislation.

The second example is one that I am particularly pleased about, as it fulfils a promise I made at this conference last year.

I said then that the government intended to end the practice of enforced subject access.

I am pleased to say that legislation to make this a criminal offence will come into force on 10 March. From this date, it will be a criminal offence for any employer to ask a prospective employee to submit a personal data request and then disclose the results to them in order to obtain employment or secure services.

Of course, appropriate safeguards are in place which make it possible to access an individual’s criminal records where it is legitimate to do so. The relevant sections of the Police Act 1997 now provide an appropriate statutory regime for employers and others to obtain criminal records across the UK without the need to resort to the practice of enforced subject access requests.

This is a really important reform which I know will be welcomed by employees.

A third example is the government’s efforts to protect individuals’ rights in the work we are doing in conjunction with industry bodies, consumer groups and regulators to tackle the menace of nuisance calls.

Nuisance calls can be an annoyance to all of us, but for the vulnerable and elderly they can be genuinely distressing. The government takes this issue seriously. We have made some progress in this area and we are working hard to target those companies which operate outside the boundaries of the law.

I am pleased to say that legislation will now come into force on 6 April that will make it easier for the ICO to take enforcement action against rogue businesses which breach the Privacy and Electronic Communications Regulations.

The new legislation will make sure that the ICO will only need to prove a company has breached the rules, rather than as is the case now, having to find evidence of significant harm and distress from unsolicited communications.

This is a welcome step in a raft of measures aimed at tackling nuisance calls. The Claims Management Regulator is also working hard, in partnership with others such as the ICO and Ofcom, to address the challenges posed by rogue claims companies.

We have given the Claims Management Regulator new powers to impose financial penalties on claims companies which break the rules. That includes using information gathered by unlawful unsolicited marketing. We have also introduced tough new rules, requiring claims companies to make sure that when they contact consumers to offer claims services, they do so within the legal boundaries. These changes show that we are committed to strengthening individuals’ data protection and privacy rights.

My fourth and final example demonstrates the other side of the coin – our determination to open up access to information to which the public has an absolute right.

I know that Tony Blair has described the Freedom of Information Act as his biggest regret and, in his autobiography, called himself an imbecile and a nincompoop for introducing it, but I don’t agree.

I think it has been a hugely significant reform that has helped throw open the curtains and let in much needed light on government and public bodies, the decisions of which affect all aspects of people’s lives. Those should be open to full and proper scrutiny – and I will always be a strong promoter of FOI.

I am therefore particularly pleased last month to have been able to take through an Order in Parliament to extend the FOI Act to Network Rail.

This measure will give the public an enforceable right to access a wide range of information about the operation, maintenance and development of the rail infrastructure. It brings more than £3.5 billion of public spending every year into the light. Not only does this include Network Rail’s work to maintain and develop the rail network, but it also includes its operation of key railway stations, provision of light maintenance depots, and allowing train-operating companies to use its tracks and stations. It also covers information about corporate issues which relate to the discharge of these functions, such as pay and rail safety.

Network Rail joins 100 other bodies that have been brought within the scope of FOI by the coalition government.

I believe there is further to go. I want to see all public service delivered by the private sector put on an equal footing and subject to FOI – they are, after all, being paid for by the taxpayer. There is not coalition agreement on that as of today, but I will continue to press for it until there is.

Those are my four examples.

Extending the Information Commissioner’s powers of compulsory audit to public authority NHS bodies.

Ending the practice of enforced subject access.

New powers to tackle the menace of nuisance calls.

Extending Freedom of Information.

I could go on with many others, but I think those four alone are evidence of our determination to strike that balance between facilitating the use and flow of data yet safeguarding personal information.

So let me conclude by looking ahead.

I am clear, and the government is clear, that the absolute priority for 2015 is to reach an EU-wide agreement on a new a new data protection framework.

We must have an updated data protection act that meets the needs of the 21st century.

We have to strengthen the information rights framework.

We have to do so in a way that both protects personal data and facilitates economic growth.

And that means doing so in a way that respects individuals’ rights to privacy without being too prescriptive or costly for business.

We have already made progress in those negotiations and there have been many changes made to the European Commission’s original proposals, published in January 2012.

New elements of the data protection regulation which have been revisited include: ‘the right to be forgotten’, 24 hours breach notifications, a cross- EU regulatory one-stop shop and mandatory data protection impact assessments.

We have made good progress in negotiating these and other parts of the Regulation.

In particular, we have worked hard to ensure that the original text, which was too prescriptive and process driven, is now more balanced so that data protection obligations on business are proportionate to the degree of harm of the processing activity.

Many of you here today have helped us with our negotiations.

You may have met with my officials to engage in the details of the new proposals; or you may have raised your concerns by writing to my office and meeting with MEPs.

With your help we will continue to negotiate for a sensible and proportionate data protection framework which protects civil liberties while allowing for economic growth and innovation in the digital economy. These can and should be achieved in tandem, rather than at the expense of one another.

With your help, I will continue to do all I can to make sure that the UK plays a full part in the negotiations ahead so we can meet that commitment we have made to secure agreement on the new package by the end of 2015.

Thank you again for all that you do.

These are exciting and challenging times for everyone involved in this area of work.

Our shared goal is an information rights framework that is easy to understand, easy to apply and is effectively regulated

To achieve that, let us all continue to support the good work that is being done by the ICO and others in this area.

Thank you for inviting me to join you today.