Ian Murray

- Hansard -

Copy Link

-

rose—

Ian Murray

- Hansard -

Copy Link

-

I know you thoroughly enjoyed the debate on the previous group of amendments, Mr Sheridan, so it is great to see you in the Chair in this debate. I thank the Minister for her apology on the impact assessment. We had a committee meeting during the Division and decided to accept her apology, even if the impact assessment arrived in the Vote Office at 1.53 pm—we understand that that is the official time recorded.

Amendments 107, 116, 117, 119 and 120 address the concerns of trade unions, the Political and Constitutional Reform Committee, lawyers, trade unionists and organisations such as Liberty, which believe that clause 37 could result in the improper use of sensitive material and accidental disclosure. It also raises questions, as my hon. Friend the Member for Wansbeck (Ian Lavery) mentioned in his contribution on the previous group of amendments, about international law, specifically articles 8 and 11 of the European convention on human rights.

Amendments 107 and 119 place a legal duty and obligation to provide total confidentiality and an express statutory duty of that confidentiality for the assurer, in addition to the oblique references already in proposed section 24ZF. The assurer should therefore have a statutory duty of confidentiality to the union and, more importantly, the union’s membership. The amendments also ensure that the assurer agrees not to engage in conduct likely to lead to a breach of a union’s obligations under the Data Protection Act 1998.

It should be noted that union membership is in the significant category of sensitive personal data. It is not known how far the Department for Business, Innovation and Skills has consulted the Information Commissioner’s office on the Bill. There is a significant risk that the union might be held accountable for breaches by the assurer. Will the Minister address what discussions she has had with the Information Commissioner’s office on the new assurer position, and what its thoughts were on the ability of trade unions both to comply with the Data Protection Act 1998 and be responsible as the data holder to an assurer who, by nature of the definition of the Bill, is independent from that data controller in terms of the trade union? The 1998 Act is clear and it may be worth considering this issue in detail, Mr Sheridan. When one overlays the Data Protection Act with the Trade Union and Labour Relations (Consolidation) Act 1992, we can see how unnecessary the proposed changes are.

Ian Murray

- Hansard -

Copy Link

-

That is exactly the purpose of all our amendments to clause 37: to ensure that any independent person, as described in the Bill—whether the assurer, the certification officer’s staff, or an investigator that might be appointed by the certification officer—is covered by existing data protection law and the European convention on human rights. That was a timely intervention, as it is important to run through the schedules to the Data Protection Act and relate them directly to our amendments, and the overlaying of clause 37 and other clauses in part 3.

Schedule 1 to the Data Protection Act lists the data protection principles in the following terms. I realise this is slightly technical, but it is worth running through them to ensure that we have got it absolutely right.

“Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—

(a) at least one of the conditions in Schedule 2 is met…”—

I will come back to that a little later, and, crucially, that—

“(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.”

It is a condition of schedule 2 that, because trade union membership is classed as sensitive personal data it has to have a category in schedule 3 too. Sensitive data includes trade union membership, so we have to take that category into account overriding schedule 2.

Interestingly, section 4 of schedule 1 to the Act states clearly that

“Personal data shall be accurate and, where necessary, kept up to date.”

This is a strong requirement of the Act and in this context trade unions must abide by that condition as a data controller. There is already a strong obligation on trade unions under the current legislation, the Trade Union and Labour Relations (Consolidation) Act 1992—I wish there was a shorter way of saying that—to keep membership lists up to date. We have discussed that at length this afternoon in terms of legislation already in place to deal with many of the issues that the Minister deems to be a problem that have to be dealt with in the Bill.

Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data, and against accidental loss, destruction of, or damage to, personal data. Accidental loss could be a significant hurdle when being processed by independent assurers or independent investigators appointed by the certification officer, and that is a key concern for many stakeholders. The responsibility for the data under the Data Protection Act lies with the data controller at the trade union. They will be responsible for the actions of independent bodies looking at that trade union’s membership list.

Ian Murray

- Hansard -

Copy Link

-

My hon. Friend makes an incredibly good point. One of the key aspects of the Trade Union and Labour Relations (Consolidation) Act is to ensure that trade unions’ membership lists are up to date. The current categories are set out in sections 24(1) and (2) of the 1992 Act—my hon. Friend the Member for Wansbeck (Ian Lavery) spoke about them a few hours ago—which contain provisions to ensure that anyone unhappy with their personal data being held by the trade union can apply to the certification officer for a ruling on whether those data should be held. There are therefore already strict rules about the data, which is right, given, say, blacklisting and whether data on trade union membership become an issue.

The purpose of amendments 116 and 117 is to restrict data collection in a trade union to collection from the data controller only. The data controller can subsequently obtain the required information from individual branches or sections, as mentioned in the Bill, but the responsibility for that must come from the data controller of the union, who has the legal obligations both under the Data Protection Act and their responsibilities to the Information Commissioner. Inquiries to other centres makes the job of the data controller near impossible. Trade unions manage their membership data carefully; that should be explicitly maintained in the Bill.

Such considerations have given rise to a fear that part 3, and clause 37 in particular, could result in a new scandal of people being blacklisted for being members of a trade union. That is the reasoning behind amendment 120, which would restrict disclosure of a member’s data to where the member had consented—that is, given explicit consent under the Data Protection Act—and the investigation of criminal proceedings. The list of other such circumstances set out in clause 37 is unhelpful in dealing with people’s data protection concerns and the blacklisting issues that might arise. Proposed new section 24ZG(3) of the 1992 Act, as set out in clause 37, is too widely drafted and creates other legal responsibilities that the data controller might not be able to meet.

In the last couple of years we have seen the increasing exposure of blacklisting activities in some sectors, in which individuals have concerns about joining a trade union for fear of victimisation at work and loss of employment. Increasing powers for state officials to access union membership records and addresses can only increase the deterrent against such activities. May I respectfully suggest to the Minister that, rather than increasing the regulation of trade unions through this Bill—which might increase the risk of blacklisting—the Government should take active steps to abide by the decision taken by this House back in February, after the Opposition day debate on blacklisting, to instigate an inquiry, release the information held by the Information Commissioner’s Office about the victims of blacklisting and look at a compensation package for those on the blacklists?

Ian Murray

- Hansard -

Copy Link

-

It absolutely would. Given the evidence of blacklisting that has emerged over the past few years, particularly in relation to the inquiry by the Scottish Affairs Select Committee, it would be perfectly reasonable to assume either that someone might not wish to join a trade union, or that an existing member might wish to leave, on the ground that their membership could affect their employment prospects. That matter has not been dealt with in the Bill, as a result of the slapdash way in which it has been put together and placed before the House.

The Data Protection Act imposes strict conditions for processing sensitive personal data. Anyone processing such data must satisfy one of more of the conditions for processing that apply specifically to such sensitive data, as well as one of the general conditions that apply in every case relating to non-sensitive data. It is arguable that the Bill does not satisfy those conditions, which merely emphasises how incompatible it is with the Data Protection Act.

The conditions in schedule 3 of the Act for processing sensitive personal data are as follows. First, it is necessary for the data subject to have

“given his explicit consent to the processing of the personal data.”

The members would therefore have to consent explicitly, meaning that the assurer would have to contact all the members on the membership list, should they require the data. That would surely be impractical and, as my hon. Friend the Member for Aberdeen North (Mr Doran) said earlier, a requirement that the assurer contact everyone to obtain their explicit consent would impose an onerous burden of cost and bureaucracy on the trade unions.

The second condition in the Act states that the processing should be

“necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.”

Unless I am mistaken, however, the proposal in the Bill has nothing to do with employment law. The third condition states that the processing must be necessary

“(a) in order to protect the vital interests of the data subject or another person, in a case where—

(i) consent cannot be given by or on behalf of the data subject, or

(ii) the data controller cannot reasonably be expected to obtain the consent of the data subject”.

That should not apply in the case of a trade union member. The processing must also be necessary

“in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.”

I would imagine that, in relation to trade union membership, those conditions could be satisfied fairly easily. It is not clear that any of the proposed process is designed to protect the individual. It could therefore be argued that the Government have failed to tell us what problem they are trying to resolve, and what process they are trying to protect.

The fourth condition states that the processing must be carried out by a not-for-profit organisation and should not involve disclosing personal data to a third party unless the individual consents. Extra limitations apply to this condition, in that individual consents are required for disclosure to a third party. Will the Minister tell us whether the assurer or the certification officer are third parties? Would any investigator appointed by the certification officer be deemed to be a third party, given that they are deemed in the legislation to be independent? That would not be compatible with the responsibility of the data controller in the trade union.

In addition to those conditions in the Data Protection Act, regulations set out several other conditions for processing sensitive personal data. Their effect is to permit such processing for a range of other purposes—typically, those cases that are substantially in the public interest and that must necessarily be carried out without the explicit consent of the individual. The Government would have to put up a strong argument to convince us that checking a trade union’s membership list was substantially in the public interest, and I cannot see how the provisions in part 3 of the Bill can be deemed to be fulfil those conditions. It is difficult to construct a public interest test in relation to the annual membership list of a trade union. The nature of the consent required to satisfy the condition for processing sensitive data must be explicit. The Act particularly mentions the word “explicit”, yet it is not mentioned in the proposed new clause.

We have tabled amendment 108 to ensure that the assurer is a person of suitable calibre. The Secretary of State should explicitly set out regulations to ensure that the assurer can demonstrate a strong knowledge of and previous compliance with the Data Protection Act and other regulations relating to data protection. Our amendment 109 provides for the removal of an assurer if they are in breach of any of the confidentiality conditions, or if the trade union has any reason to believe that it would be inappropriate for them to remain in post. Amendment 118 would raise the bar on confidentiality, requiring the assurer to take “all steps necessary”, instead of the present “all reasonable steps”, to secure obligations under the Data Protection Act and other legislation.

Ian Murray

- Hansard -

Copy Link

-

Under the Bill as it stands, the assurer can be removed, but owing to the weakness of the provisions relating to data protection, it is not clear whether he can be automatically removed if he does not abide by the Data Protection Act. Perhaps the Minister will be able to answer that question. Our amendments are intended to give trade unions the power to remove an independent assurer if they feel that he is causing a trade union data controller to be in breach of his duties.

Let me now deal with the question of whether clause 37 is compliant with article 11. The first issues that emerged from the Sunday Times v. United Kingdom case were “legitimate aim” and “pressing social need”. The Government’s discussion paper states:

“at present complaints to the Certification Officer (CO) about the register can only be made by trade union members and no-one else. In addition, members only have a right to see whether and how their own details are recorded. This means it is difficult for members to make a complaint in relation to the accuracy of the membership register as a whole.”

Liberty rightly argues that that is not a legitimate aim, as the position is already adequately covered by current legislation, and

“the independent scrutineer”

—for whom the Bill also provides—

“is required to examine the entirety of register of their own volition and report any issues to the union.”

That brings us back to the arguments relating to clause 36. Again, these provisions already exist in the Trade Union and Labour Relations (Consolidation) Act. The same reasoning lies behind amendment 110, which aligns clause 37 and provision for the appointment and removal of assurers—which was mentioned by my hon. Friend the Member for Birmingham, Selly Oak (Steve McCabe)—with the obligations conferred on scrutineers by section 49(1) of the Act. Any individual challenge to the regulator must involve investigation of the accuracy of the register as a whole, not just the member’s own incorrect entry. The current framework in section 24 of the Act allows for that.

Ian Murray

- Hansard -

Copy Link

-

That is a legitimate point. I do not know whether my hon. Friend was present during the last debate, but I can tell him that the certification officer figures are pretty stark. There have been 10 determinations since 1987, none in the last eight years and six between 2000 and 2004, of which five were dismissed and the sixth did not even constitute a formal determination. A new, erroneous part of the Bill could easily cause a certification officer to be dragged into a position that affected his neutrality—which, incidentally, trade unions and their members respect. Unions and certification officers work closely together, and certification officers are always keen to make the point that they are not opposed to each other, but share the aim of ensuring that unions operate correctly and within the law.

Let me now deal with the proportionality issue that arose from the case relating to article 11 of the European convention on human rights. Liberty states that the current regime satisfies the requirement that scrutiny be undertaken to ensure public confidence in the status of any register, and that the current measures to undertake that scrutiny are proportionate.

The increased powers of the certification officer are also disproportionate. First, it may invoke its increased powers if it thinks there is good reason to do so. That is very broadly drawn, and what constitutes a good reason in any case? Might it be a vexatious claim from a national newspaper to the certification officer to have a look at a particular membership list? That was the driver behind our amendment 103 to the previous clause, which the Government have just rejected.

Secondly, the certification officer can view not only the register, but any other document that may be relevant to determining whether there is a breach of section 24(1) of the 1992 Act and it can require people to give explanations.

Thirdly and ultimately, under clause 37 as currently written, the certification officer does not owe a duty of confidentiality to the union. The addition of a third-party inspector would be particularly intrusive and that inspector owes a duty of confidentiality only to the certification officer, not the union.

Liberty rightly concluded:

“These measures clearly go beyond what is necessary and proportionate to achieve any legitimate aim behind the proposals, if indeed there is one at all, and as such constitute a breach of Article 11 of the Convention.”

There is, indeed, a compelling argument to be made that clause 37 breaches article 11. The justification for that claim arises from the fact that there is already legislation in place to deal with many of these issues.

Amendments 111, 112, 166 and 115 are intended to clarify the need for a trade union to take “all reasonable steps” to ensure membership lists are accurate. We discussed some of that language in our debate on the amendments to clause 36. This is completely consistent with obligations under the 1992 Act to take all reasonable steps. That language and responsibility should be reflected in clause 37. There will be an inconsistency of language if we remove the reference to taking reasonable steps in the 1992 Act and replace it with language that is more stringent on the trade unions.

The primary responsibility for the alterations to any membership list lies with the individual. That is already set out in section 24(1) of the Act. However, all too often a union member may move house, change jobs or even pass away and those details will not be passed on to the union membership officer for recording in a timely fashion. In some circumstances, it cannot be reasonable for a trade union to be held wholly responsible for every part of a membership list. People can take a complaint to the certification officer resulting in an in-depth investigation at great cost to both the public purse and the trade unions, when the 1992 Act clearly states that the responsibility for ensuring the accuracy of an individual’s data on a trade union membership list lies with the individual, not the union. If the union has taken “all reasonable steps” to make sure that list is accurate, such a matter should not fall within the remit of this Bill.

It should be the case that the assurer can make a determination that the union has, in so far as is reasonably practicable, ensured the entries in the membership register are accurate. That is what amendments 111 and 112 would achieve. They would give the assurer the power to qualify the membership audit certificate to say that information from employers or members has not come forward in a timely fashion and the union has taken all steps to ensure the information is accurate.

The issuing of any membership certificate will be based on information for just a snapshot in time of that particular moment and day. We have learned from the—late—impact assessment that about 9% or 10% of trade union membership flows in or out of a trade union at any given period. For a major trade union, that amounts to an awful lot of people to keep track of. If a union has taken “all reasonable steps” to ensure their membership list is accurate, it should be taken into account that the list will only be a snapshot of a particular moment in time. It should be possible to clearly state on the audit certificate that any inaccuracies are not the fault of the trade union and therefore the audit certificate is issued with that qualification. The clause as currently drafted would not allow for that.

Importantly, for that process to operate correctly the employers also have a duty of responsibility to the trade union membership audit certification process. Amendment 115 would give the assurer the right to access reasonable information from employers if it was determined that that information would be necessary for the performance of the assurer in determining the accuracy of a membership list. It would also allow for access to data that may satisfy the assurer that the trade union has taken all reasonable steps in compiling the membership register. Many unions have indicated that a lack of information from employers provided in an efficient manner is the main cause of the vast majority of inaccuracies in their membership lists. Giving the assurer the powers to make reasonable requests to employers for information means that there can be confidence that membership registers are indeed accurate. If anything comes out of this process and this bad part of the Bill, it might be that the assurer, as an independent person, could help the trade unions with some of those relationships with the employers, to ensure that the data coming from the employers make the lists that trade unions have far more accurate.