(7 years, 2 months ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, I am delighted to be moving the Second Reading today and look forward gratefully to the help of my right honourable friend the Minister of State at the Home Office and my noble friends Lady Chisholm and Lady Vere.
New technologies have started innumerable economic revolutions, and the pace of change continues to accelerate. It is 20 years since we passed the last Data Protection Act, and since then we have seen the explosive growth of the world wide web, the rise of social media and faster and faster connectivity, powering new devices like the smartphone. The nature of developing technologies such as artificial intelligence and machine learning suggests that continuing transformation and change is the norm.
This has not escaped the notice of your Lordships’ House. Earlier this year we debated many of these issues in the new Digital Economy Act. We have a new Select Committee to examine artificial intelligence, chaired by the noble Lord, Lord Clement-Jones, who is not able to be in his place today as the committee is hearing evidence this afternoon. In March, the Communications Committee published a timely report on growing up with the internet, and just before the Summer Recess the EU Select Committee gave us a very helpful report on data protection. Just yesterday I moved the Second Reading of the Telecommunications Infrastructure (Relief from Non-Domestic Rates) Bill, which will help pave the way for a full-fibre future and 5G. Personal data is the fuel of all these developments. Data is not just a resource for better marketing, better service and delivery. Data is used to build products themselves. It has become a cliché that data is the new oil.
Twenty years ago data protection rights were used to obtain a copy of your credit record or to find out what information about you a public authority had collected. Today we worry daily about cyberattacks, identity theft and online crime. But we are fortunate that our existing laws have protected us well. For all the technological change I have described, we have successfully preserved our rights and freedoms, and we have strong oversight in the shape of an internationally respected Information Commissioner.
Looking ahead, we have three objectives. First, with all this change we need to maintain trust. Data must be secure, with transparency over how they are used and a proportionate but rigorous enforcement regime in place. Secondly, we must support future trading relationships. The free flow of data across international boundaries, subject to safeguards, must be allowed to continue. Thirdly, we must ensure that we can continue to tackle crime in all its guises and protect national security, making sure that our law enforcement agencies can work in partnership domestically as well as internationally.
The Data Protection Bill meets these objectives. It will empower people to take control of their data, support UK businesses and organisations through the change, ensure that the UK is prepared for the future after we have left the EU, and, most importantly, it will make our data protection laws fit for the digital age in which an ever increasing amount of data is being processed. The Bill meets and exceeds international standards, and, with its complete and comprehensive data protection system, will keep the UK at the front of the pack of modern digital economies.
The Bill makes bespoke provision for data processing in three very different situations: general data processing, which accounts for the vast majority of data processing across all sectors of the economy and the public sector; law enforcement data processing, which allows the effective investigation of crime and operation of the criminal justice system while ensuring that the rights of victims, witnesses and suspects are protected; and intelligence services data processing, which makes bespoke provision for data processed by the three intelligence agencies to protect our national security.
The reform of protections for the processing of general personal data will be of greatest interest to individuals and organisations. We are setting new standards for protecting this data in accordance with the general data protection regulation, known as the GDPR. Individuals will have greater control over and easier access to their data. They will be given new rights and those who control data will be more accountable.
In our manifesto at the general election we committed to provide people with the ability to require major social media platforms to delete information held about them, especially when that information related to their childhood. The new right to be forgotten will allow children to enjoy their childhood without having every personal event, achievement, failure, antic or prank that they posted online to be digitally recorded for ever more. Of course, as new rights like this are created, the Bill will ensure that they cannot be taken too far. It will ensure that libraries can continue to archive material, that journalists can continue to enjoy the freedoms that we cherish in this country, and that the criminal justice system can continue to keep us safe.
The new right to data portability—also a manifesto commitment—should bring significant economic benefits. This will allow individuals to transfer data from one place to another. When a consumer wants to move to a new energy supplier, they should be able to take their usage history with them rather than guess and pay over the odds. When we do the weekly supermarket shop online, we should be able to move our shopping list electronically. In the digital world that we are building, these are not just nice-to-haves; they are the changes that will drive innovation and quality, and keep our economy competitive.
The Bill will amend our law to bring us these new rights and will support businesses and others through the changes. We want businesses to ensure that their customers and future customers have consented to having their personal data processed, but we also need to ensure that the enormous potential for new data rights and freedoms does not open us up to new threats. Banks must still be allowed to process data to prevent fraud; regulators must still be allowed to process data to investigate malpractice and corruption; sports governing bodies must be allowed to process data to keep the cheats out; and journalists must still be able to investigate scandal and malpractice. The Bill, borrowing heavily from the Data Protection Act that has served us so well, will ensure that essential data processing can continue.
Having modernised our protections for general data, in Part 3 the Bill then updates our data protection laws governing the processing of personal data by the police, prosecutors and other criminal justice agencies. The Bill will strengthen the rights of data subjects while ensuring that criminal justice agencies can continue to use and share data to investigate crime, bring offenders to justice and keep communities safe. The Bill does not just implement the recent directive on law enforcement data protection; it ensures that there is a single domestic and transnational regime for the processing of personal data for law enforcement purposes across the whole of the law enforcement sector.
People will have the right to access information held about them, although there are carefully constructed exemptions to ensure that investigations, prosecutions and public safety are not compromised. People will always have the right to ensure that the data held about them is fair and accurate, and consistent with the data protection principles.
Part 4 protects personal data processed by our intelligence agencies. We live in a time of heightened and unprecedented terrorist threat. We are all grateful for the work done to protect us, especially by those whom we see every day protecting us in this House. The intelligence services already comply with robust data-handling obligations and, under the new Investigatory Powers Act, are subject to careful oversight. My noble friend Lady Williams signed the latest commencement order in August to bring into force provisions relating to the oversight of investigatory powers by the Investigatory Powers Commissioner and the other judicial commissioners.
Data processing by the intelligence agencies requires its own bespoke data protection regime, not least because the GDPR standards were not designed for this kind of processing and data processing for national security purposes is outside the scope of EU law. That is why this part of the Bill will instead be aligned with the internationally recognised data protection standards found in the draft modernised Council of Europe Convention for the Protection of Individuals with Regard to the Processing of Personal Data.
Noble Lords will be familiar with the role of the Information Commissioner, whose role is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Bill provides for her to continue to provide independent oversight, supervising our systems of data protection, but we are also significantly enhancing her powers. Where the Information Commissioner gives notices to data controllers, she can now secure compliance, with the power to issue substantial administrative penalties of up to 4% of global turnover. Where she finds criminality, she can prosecute.
The Bill modernises many of the offences currently contained in the Data Protection Act, as well as creating two new offences. First, as recommended by Dame Fiona Caldicott, the National Data Guardian for Health and Care, the Bill creates a new offence of the unlawful re-identification of de-identified personal data. To elaborate, huge datasets are used by researchers, as well as by those developing new methods of machine learning, and these are often pseudonymised to protect individual privacy. We need to ensure that those who seek to gain through re-identification are clear that we will not tolerate assaults on individual privacy, nor on the valuable data assets that are fuelling our innovative industries.
Secondly, the Bill creates a new offence of altering or destroying personal data to prevent individuals accessing it. Such an offence is already in place in relation to public authorities, but now it will apply to data controllers more generally. We are equipping the commissioner with the powers to deal with a wider range of offending behaviour.
Cybersecurity is not just a priority for the Government but a deep running concern of this House. Effective data protection relies on organisations adequately protecting their IT systems from malicious interference. Our new data protection law will require organisations that handle personal data to evaluate the risks of processing such data and implement appropriate measures to mitigate those risks. Generally, that means better cybersecurity controls.
Under the new data protection framework, if a data breach risks the rights and freedoms of an individual, data controllers—both for general data and law enforcement purposes—are required to notify the Information Commissioner within 72 hours of the breach taking place. In cases where there is a high risk, businesses must notify the individuals concerned. This landmark change in the law will put the need for serious cybersecurity at the top of every business priority list and ensure that we are safer as a nation.
As we move into the digital world of the future, the Data Protection Bill will both support innovation and provide assurance that our data is safe. It will upgrade our legislation, allowing the UK to maintain the gold standard in this important field. Of critical importance, strong protections of personal data are the key to allowing free flows of data to continue between the EU and UK as we build a new partnership. I look forward to hearing noble Lords’ comments on the Bill. I beg to move.
(7 years, 2 months ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, this has been a lengthy but excellent debate. I very much welcome the broad support from across the House for the Bill’s objectives; namely, that we have a data protection framework that is fit for the digital age, supports the needs of businesses, law enforcement agencies and other public sector bodies, and—as the noble Lord, Lord Kennedy, said—safeguards the rights of individuals in the use of their personal data.
In bringing the Bill before your Lordships’ House at this time, it is fortunate that we have the benefit of two recent and very pertinent reports from the Communications Committee and the European Union Committee. Today’s debate is all the better for the insightful contributions we have heard from a number of members of those committees, namely the noble Lord, Lord Jay, the noble Viscount, Lord Colville, the noble Baroness, Lady Kidron, the right reverend Prelate the Bishop of Chelmsford and my noble friend Lady Neville-Rolfe.
In its report Growing Up with the Internet, the Communications Committee noted with approval the enhanced rights that the GDPR would confer on children, including the right to be forgotten, and asked for those rights to be enshrined in UK law as a minimum standard. I am pleased to say the Bill does just that. The European Union Committee supported the Government’s objective to maintain the unhindered and uninterrupted flow of data with other member states following the UK’s exit from the EU. Understandably, the committee pressed the Government to provide further details of how that outcome will be achieved.
With the provisions in the Bill, the UK starts from an unprecedented point of alignment with the EU in terms of the legal framework underpinning the exchange and protection of personal data. In August, the Government set out options for the model for protecting and exchanging personal data. That model would allow free flows of data to continue between the EU and the UK and provide for ongoing regulatory co-operation and certainty for businesses, public authorities and individuals. Such an approach is made possible by the strong foundations laid by the provisions in the Bill.
In other contributions to this debate, we have had the benefit of a wide range of experiences, including from noble Lords who are able to draw on distinguished careers in business, education, policing or the Security Service. In doing so, noble Lords raised a number of issues. I will try to respond to as many of those as I can in the time available, but if there are specific points, as I am sure there will be, that I cannot do justice to now, both my noble friend Lord Ashton and I will of course follow up this debate with a letter.
A number of noble Lords, including the noble Lord, Lord Kennedy, the noble Baroness, Lady Lane-Fox, and my noble friend Lady Neville-Rolfe, asked whether the Bill was too complex. It was suggested that data controllers would struggle to understand the obligations placed on them and data subjects to understand and access their rights. As the noble Lord, Lord Paddick, said, the Bill is necessarily so, because it provides a complete data protection framework for all personal data. Most data controllers will need to understand only the scheme for general data, allowing them to focus just on Part 2. As now, the Information Commissioner will continue to provide guidance tailored to data controllers and data subjects to help them understand the obligations placed on them and exercise their rights respectively. Indeed, she has already published a number of relevant guidance documents, including—the noble Lord, Lord Kennedy, will be interested to know this—a guide called Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now. It sounds like my type of publication.
Other noble Lords rightly questioned what they saw as unnecessary costs on businesses. My noble friends Lord Arbuthnot and Lady Neville-Rolfe and the noble Lord, Lord Kennedy, expressed concern that the Bill would impose a new layer of unnecessary regulation on businesses—for example, in requiring them to respond to subject access requests. Businesses are currently required to adhere to the Data Protection Act, which makes similar provision. The step up to the new standards should not be a disproportionate burden. Indeed, embracing good cybersecurity and data protection practices will help businesses to win new customers both in the UK and abroad.
A number of noble Lords, including the noble Lord, Lord Jay, asked how the Government would ensure that businesses and criminal justice agencies could continue, uninterrupted, to share data with other member states following the UK’s exit from the EU. The Government published a “future partnership” paper on data protection in August setting out the UK’s position on how to ensure the continued protection and exchange of personal data between the UK and the EU. That drew on the recommendations of the very helpful and timely report of the European Union Committee, to which the noble Lord referred. For example, as set out in the position paper, the Government believe that it would be in our shared interest to agree early to recognise each other’s data protection frameworks as the basis for continued flow of data between the EU and the UK from the point of exit until such time as new and more permanent arrangements came into force. While the final arrangements governing data flows are a matter for the negotiations—I regret that I cannot give a fuller update at this time—I hope that the paper goes some way towards assuring noble Lords of the importance that the Government attach to this issue.
The noble Baroness, Lady Kidron, queried the status of Article 8 of the European Charter of Fundamental Rights, which states:
“Everyone has the right to the protection of personal data concerning him or her”.
The Bill will ensure that the UK continues to provide a world-class standard of data protection both before and after we leave the European Union.
Several noble Lords, including the noble Lord, Lord Paddick, in welcoming the Bill asked whether the Information Commissioner would have the resource she needs to help businesses and others prepare for the GDPR and LED and to ensure that the new legislation is properly enforced, especially once compulsory notification has ended. The Government are committed to ensuring that the Information Commissioner is adequately resourced to fulfil both her current functions under the Data Protection Act 1998 and her new ones. Noble Lords will note that the Bill replicates relevant provisions of the Digital Economy Act 2017, which ensures that the Information Commissioner’s functions in relation to data protection continue to be funded through charges on data controllers. An initial proposal on what those changes might look like is currently being consulted upon. The resulting regulations will rightly be subject to parliamentary scrutiny in due course.
Almost every noble Lord spoke in one way or another about protecting children online, particularly the noble Baroness, Lady Kidron, and the right reverend Prelate the Bishop of Chelmsford, who referred to the Select Committee on Communications report Growing Up with the Internet. The focus of that report was on addressing concerns about the risk to children from the internet. The Government believe that Britain should be the safest place in the world to go online and we are determined to make that a reality. I am happy to confirm that the Government will publish an internet safety strategy Green Paper imminently. This will be an important step forward in tackling this crucial issue. Among other things, the Green Paper will set out plans for an online code of practice that we want to see all social media companies sign up to, and a plan to ensure that every child is taught the skills they need to be safe online.
The other point that was brought up widely, including by the noble Lord, Lord Kennedy, was whether it was appropriate for 13 year-olds to be able to hand over their personal data to social media companies without parental consent. We heard alternative perspectives from my noble friend Lord Arbuthnot and the noble Baroness, Lady Lane-Fox. Addressing the same clause, the right reverend Prelate the Bishop of Chelmsford questioned the extent to which the Government had consulted on this important issue. The noble Baroness, Lady Howe, and the noble Lord, Lord Kennedy, made a similar point. In answer to their specific questions, 170 organisations and numerous individuals responded to the Government’s call for views, published in April, which addressed this issue directly. The Government’s position reflects the responses received. Importantly, it recognises the fundamental role that the internet already plays in the lives of teenagers. While we need to educate children on the risks and to work with internet companies to keep them safe, online platforms and communities provide children and young people with an enormous educational and social resource, as the noble Baroness, Lady Lane-Fox, pointed out. It is not an easy balance to strike, but I am convinced that, in selecting 13, the Government has made the right choice and one fully compatible with the UN Convention on the Rights of the Child, to which the noble Lord, Lord Stevenson, referred.
The noble Baronesses, Lady Jay and Lady Hamwee, stressed the importance of adequate understanding of digital issues, particularly among children. Improving digital skills is a priority of the Government’s digital strategy, published earlier this year. As noble Lords will be aware, the Digital Economy Act created a new statutory entitlement to digitals skills training, which is certainly an important piece of the puzzle. As I have already said, the Government will publish a comprehensive Green Paper on internet safety imminently which will explore further how to develop children’s digital literacy and provide support for parents and carers.
The noble Baroness, Lady Ludford, and the noble Lord, Lord Paddick, I think it was, asked about the Government choosing not to exercise the derogation in article 80 of the GDPR to allow not-for-profit organisations to take action on behalf of data subjects without their consent. This is a very important point. It is important to note that not-for-profit organisations will be able to take action on behalf of data subjects where the individuals concerned have mandated them to do so. This is an important new right for data subjects and should not be underestimated.
The noble Baroness, Lady Manningham-Buller, the noble Lords, Lord Kennedy and Lord Patel, and my noble friend Lady Neville-Jones all expressed concern about the effect that safeguards provided in the Bill might have on certain types of long-term medical research, such as clinical trials and interventional research. My noble friend pointed out that such research can lead to measures or decisions being taken about individuals but it might not be possible to seek their consent in every case. The noble Lord, Lord Patel, raised a number of related issues, including the extent of Clause 7. I assure noble Lords that the Government recognise the importance of these issues. I would be very happy to meet noble Lords and noble Baronesses to discuss them further.
The noble Baroness, Lady Ludford, and the noble Lord, Lord Patel, noted that the Bill is not going to be used to place the National Data Guardian for Health and Social Care on a statutory footing. I assure them that the Government are committed to giving the National Data Guardian statutory force. A Bill to this end was introduced in the House of Commons on 5 September by my honourable friend Peter Bone MP, and the Government look forward to working with him and parliamentary colleagues over the coming months.
My noble friend Lord Arbuthnot and others questioned the breadth of delegated powers provided for in Clause 15, which allows the Secretary of State to use regulations to permit organisations to process personal data in a wider range of circumstances where needed to comply with a legal obligation, to perform a task in the public interest or in the exercise of official authority. Given how quickly technology evolves and the use of data can change, there may be occasions when it is necessary to act relatively quickly to provide organisations with a legal basis for a particular processing operation. The Government believe that the use of regulations, rightly subject to the affirmative procedure, is entirely appropriate to achieve that. But we will of course consider very carefully any recommendations made on this or any other regulation-making power in the Bill by the Delegated Powers and Regulatory Reform Committee, and I look forward to seeing its report in due course.
The noble Viscount, Lord Colville, queried the role of the Information Commissioner in relation to special purposes processing, including in relation to journalism. In keeping with the approach taken in the 1998 Act, the Bill provides for broad exemptions when data is being processed for journalism, where the controller reasonably believes that publication is in the public interest. I reassure noble Lords that the Information Commissioner’s powers, as set out in Clause 164, are tightly focused on compliance with these requirements and not on media conduct more generally. There is a right of appeal to ensure that the commissioner’s determination can be challenged. This is an established process which the Bill simply builds upon.
The noble Lord, Lord Black, questioned the power given to the Information Commissioner to assist a party or prospective party in special purposes proceedings. In this sense, “special purposes” refers to journalistic, literary, artistic or academic purposes. The clause in question, Clause 165, replicates the existing provision in Section 53 of the 1998 Act. It simply reflects the potential public importance of a misuse of the otherwise vital exemptions granted to those processing personal data for special purposes. In practice, I am not aware of the commissioner having provided such assistance but the safeguard is rightly there.
The noble Lord, Lord Janvrin, spoke eloquently about the potential impact of the Bill on museums and archives. The Government agree about the importance of this public function. It is important to note that the Data Protection Act 1998 made no express provision relating to the processing of personal data for archiving purposes. In contrast, the Bill recognises that archives may need to process sensitive personal data, and there is a specific condition to allow for this. The Bill also provides archives with specific exemptions from certain rights of data subjects, such as rights to access and rectify data, where this would prevent them fulfilling their purposes.
The noble Lord, Lord Knight, queried the safeguards in place to prevent the mining of corporate databases for other, perhaps quite distinct, purposes, and the noble Lord, Lord Mitchell, made a similar point. I can reassure them that any use of personal data must comply with the relevant legal requirements. This would include compliance with the necessary data protection principles, including purpose limitation. These principles will be backed by tough new rules on transparency and consent that will ensure that once personal data is obtained for one purpose it cannot generally be used for other purposes without the data subject’s consent.
My noble friend Lord Marlesford raised the desirability of a central system of unique identifying numbers. The Bill will ensure that personal data is collected only for a specific purpose, that it is processed only where there is a legal basis for so doing and that it is always used proportionately. It is not clear to me that setting out to identify everybody in the same way in every context, with all records held centrally, is compatible with these principles. Rather, this Government believe that identity policy is context-specific, that people should be asked to provide only what is necessary, and that only those with a specific need to access data should be able to do so. The Bill is consistent with that vision.
I look forward to exploring all the issues that we have discussed as we move to the next stage. As the Information Commissioner said in her briefing paper, it is vital that the Bill reaches the statute book, and I look forward to working with noble Lords to achieve that as expeditiously as possible. Noble Lords will rightly want to probe the detailed provisions in the Bill and subject them to proper scrutiny, as noble Lords always do, but I am pleased that we can approach this task on the basis of a shared vision; namely, that of a world-leading Data Protection Bill that is good for business, good for the law enforcement community and good for the citizen. I commend the Bill to the House.
(7 years, 1 month ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, when I came into the Chamber, I had not the faintest intention of speaking in this debate. I do so, above all, for one reason: not because I am opposed to the amendment, although I am, very substantially, for the reasons given by the noble Lord, Lord Pannick. I do so because, in my experience, it is very unusual nowadays to vote at the outset of Committee stage on so fundamental a question as that raised by the amendment. It is surely yet more unusual—spectacularly so—to do so on a manuscript amendment filed this morning, which none of us has had sufficient time to deal with, on a very tricky area of the law, which so fundamentally alters the original amendment. As we have heard, that amendment was completely hopeless. The noble Lord, Lord Lester, described it as “constitutionally illiterate”. At least this one tries to introduce the concept of a balanced right which previously was missing.
It is true that I come from a different tradition where you do not vote on anything or decide anything unless you have heard the arguments. I rather gather that there may be a whipped vote on the other side, so the amendment is going to be voted on by noble Lords who have not heard the arguments of the noble Lords, Lord Pannick, Lord Faulks and Lord Lester, and who do not recognise the difficulties and the fundamental importance of this amendment. I seriously urge that it is not pressed to a Division today.
My Lords, I am grateful to all noble Lords who have spoken, many of whom do not appear to support these amendments. I particularly thank the lawyers in the House, who have instructed us on the legal position. I feel slightly like the lay person who was talked about, which I am, I hasten to add.
On a political view, it is important to remember that only three weeks ago at Second Reading it was clear that the Bill was widely supported across the House. Many noble Lords highlighted areas where further scrutiny and perhaps improvement were desired, but the House was unanimous in the view that data protection laws needed updating, that the general data protection regulation standards were the right standards, and that we must do everything to maintain future free flows of data. We shared those conclusions because we understand the role and value of data in our digital world and how it is the basis of delivering education, social mobility and economic advantage. That is why it is so sad that in this first group of amendments, on the first of seven days of Committee, for a Lords starter Bill, the opposition parties have threatened to suspend the usual business arrangements whereby we can debate in Committee, meet subsequently outside the Chamber and often come to agreement before the Bill leaves our House—an arrangement which does not prevent votes when they are needed, but which has worked well in the past. I urge noble Lords not to put this at risk. The Data Protection Act has stood the test of time because it was not a partisan piece of legislation, and we must not allow this Bill to become one.
Many noble Lords have said that these amendments are made in good faith to ensure that the UK is given a data protection adequacy agreement by our largest trading partner. This is the right ultimate objective, but it is the wrong route to get there. Contrary to the charge of the noble Lord, Lord Stevenson, we have not forgotten the importance of a free flow of data. In fact, ensuring we maintain a free flow of data is our number one priority, and we want to achieve that from the moment of Brexit, not wait to become a third country and then start the application process for adequacy. I direct those remarks especially to the noble Lord, Lord Clement-Jones. That is why last year we committed to ensuring that the UK adopts GDPR standards. That is why in August we published our plans and ambitions for the free flow of data once we leave the EU. That is why we have presented this House with this Bill: a Bill which builds a comprehensive regulatory system for personal data that covers everything that could be scrutinised in future adequacy negotiations, including areas which are not currently subject to EU jurisdiction. That answers the question of the noble Baroness, Lady Hamwee, on adequacy and the point made by the noble Lord, Lord Clement-Jones.
In the past, 12 countries have negotiated adequacy agreements with the EU Commission, including Canada, Israel, New Zealand and the USA. None of these was forced by the EU Commission to put the charter into their law in order to obtain adequacy. It is not a requirement and it is peculiar to suggest that it will be. It is a myth that we need this amendment to secure a future agreement. Why is that? The GDPR itself, which will become part of our law, says in Recital 4:
“This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data”.
Recital 173 says:
“This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data”.
The noble Lord, Lord Stevenson, was reported over the weekend to be claiming that the Government were scaremongering. We were not. We were deadly serious about the risks, so I am delighted that the noble Lord has now recognised that Amendment 4 needs further thought. What a pity, therefore, that he was unable to discuss it with the Government.
I listened to the noble Baroness, Lady Ludford, who addressed the original Amendment 4. The problem, which I think has been alluded to, is that subsection (3) of the proposed new clause creates an absolute unqualified right to data protection. As attractive as that sounds, it is fatal, for two reasons. First, data protection is not an absolute right, as many noble Lords have said, and the GDPR says it explicitly, too:
“The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality”.
Secondly, both the GDPR and the Bill create a number of exemptions from data rights, which we will debate over the next few weeks. However, while we may disagree on some exemptions, I think that we all agree on the important ones. Terrorists must not be given unrestrained access to information held about them by the security services. Scientists must not usually be prevented from advancing research and furthering understanding. Therefore, the original Amendment 4 creates a risk at precisely the time we need reassurance.
However, Amendment 4A is a welcome improvement. We received this amendment just before noon today. Data protection is not the simplest area of our law, and at Second Reading many noble Lords commented on the complexity of the subject. It would be irresponsible of the Government to accept an amendment of this sort with just a few hours to consider it. What does it mean for future data flows and trade? How does it interlock with the rest of our legislation on information rights? What will the courts make of it?
At best, Amendment 4A is unnecessary or may not achieve what it seeks to achieve. Two particular problems with it were mentioned by the noble Lord, Lord Pannick. First, it has no value, and it only creates legal confusion. Secondly, subsection (4) of the proposed new clause is unwise. Rights often conflict; the Bill and the Human Rights Act manage those conflicts, while subsection (4) does not. At worst, as my noble friend Lord Faulks, outlined, it may have unintended consequences which nobody has been able to consider. Our initial analysis is similar to that given by the noble Lord, Lord Pannick, that Amendment 4A probably does very little. It does little other than summarise what the Bill does. The Bill protects personal data rights, and Amendment 4A reminds us of this. None the less, with so much at stake, we must give this amendment full and careful legal analysis.
The noble Lord, Lord Stevenson, has been placed in a difficult position. Labour is in a muddle over this. But that is exactly why we do not usually vote in Committee. This stage is for resolving muddles and for understanding the issues. It is not the stage for tabling amendments on the day and voting on them hours later, without even discussing it with the Government. I cannot see how this is a service to the House, which prides itself on careful reflection.
The noble Lord, Lord Stevenson, reminded us at Second Reading about the number of Bills that he and I have worked on together. He said that this was the sixth. I pay tribute to the careful, detailed—and sometimes even enjoyable—scrutiny he has given. We have had many useful meetings. Today is the first day in Committee and the first group of amendments on the Bill. We should continue with the positive spirit that we have built together, setting out our arguments and concerns. We can continue to meet outside the Chamber, and I and the Bill team are always happy to listen to and meet other interested noble Lords. On Report, we can reflect and, where we disagree, we can divide.
Therefore, I hope that noble Lords will see that now is not the time and these are not the amendments on which we should divide at this stage. They are unnecessary and they may be deficient. This Bill is essential for our social and economic future, and we risk wrecking it at the first hurdle. I therefore ask the noble Lord to withdraw the amendment.
(7 years, 1 month ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
It might have been. The noble Lord has exposed a much greater issue than we thought we were grappling with. The case has now been well made that there are four pillars rather than the three that I adumbrated before. We seem to have a case for special treatment. I am sure that the noble Lord, Lord Patel, with his assiduous workload and high work rate will have made this point several times to officials and Ministers. However, if he is not getting the answers he needs, we have a bit of a problem here, so I hope that the Minister will be able to help us on that.
This goes back to an earlier debate about the public interest. It again worries me—I think the noble Lord, Lord Clement-Jones, touched on this—that “public interest” is becoming an overworked term for rather too many issues. In other words, the argument here is not about the public interest at all; it is about the public good that would come from a differential approach, safeguarded by the ethics approach—I said that was new to me and I am grateful to hear about it—and about reinforcing the contribution that would make to an industrial strategy covering a much broader range of understanding about what we are doing, thus making this country a world centre for all that. So there is a power behind this that I had not appreciated and I am grateful to the noble Lord for explaining it. It is easy to analyse it in this way and come up with the answer that he might want, but is it the right way forward on this?
The noble Lord was wise to point out that there are constraints within the GDPR and limits on what the Government can do, but it must be possible to think more creatively about the problem that has come forward. If, as the noble Lord said, the GDPR opens up the question of not requiring consent in that very formal sense, and we are looking for an evidence-led policy initiative which addresses the public good, it behoves Ministers to think very carefully about how one might take it forward.
This may or may not be the only issue that requires this sort of approach, but the case has been made on its merits that more needs to be done. Listing existing bodies that are not included, to put it in the positive, in a list of issues—for example, the administration of justice is a function of the Houses of Parliament—is not the way into this issue. I appeal to the Minister to think creatively about this because it seems to me that we need a new approach here. I am very convinced by that and look forward to hearing what the Minister says.
My Lords, first, I thank the noble Lord, Lord Patel, for his insightful remarks and for providing us with evidence of his knowledge of this subject, and of the Bill’s potential implications for pioneering medical research. I am grateful to him for sharing his expertise on these issues. I am also grateful to the noble Baroness, Lady Manningham-Buller, who speaks on behalf of the Wellcome Trust. Other reputable medical research organisations and universities have also expressed concern about this issue. I understand about the issue of consent and whether it is GDPR-compliant.
On the concerns the noble Lord raised in relation to Clause 7, I mentioned at Second Reading, and on a previous group of amendments, that the list of tasks in Clause 7 is deliberately designed to be indicative and non-exhaustive. When I wrote to noble Lords after that debate, I committed to make this clearer in the Explanatory Notes and the Government will honour that commitment.
The noble Lord, Lord Stevenson, mentioned that we might have to have a new approach to this problem. We are happy to think about these issues. At the moment we find that it is difficult to expand Clause 7 to cover every scenario where personal data has been processed in the public interest. Each addition to the list, however justified on its own merits, would cast greater uncertainty on the public interest tasks that continue to be omitted. However, I can reassure universities and research groups carrying out legitimate medical research, that, in the Government’s view, such tasks are in the public interest for these purposes. I will come later to how we take this forward.
My Lords, the Minister gave the impression that medical research of the type described by the noble Lord, Lord Patel, was encompassed, or allowable, by the GDPR. Can he give chapter and verse on where in the mixture of article 6 and article 9 that occurs? That would be extremely helpful. I understand that obviously the Minister was also agreeing to look further in case those articles did not cover the situation, but it would be good to know which articles he is referring to.
I re-emphasise to the noble Lord that we think these tasks are in the public interest. However, I understand his desire for even more clarity than that. It would be sensible if I wrote to him and to other noble Lords taking part in the debate. I want to make sure that I get the legal basis right rather than just doing it on the hoof, so I agree to write to him and to all noble Lords who have spoken tonight. Again, as I say, we will work towards what I hope will be a more acceptable solution for everyone. Fundamentally, we do not want to impede medical research that is for the public good.
May I correct an impression that medical research does not seek consent? It seeks consent whenever possible, and extensively. However, there are categories where something else is needed. I would not want to leave the House with the impression that there is a substitute for that. In some circumstances we need an additional safeguard.
I believe also that even when consent is obtained, the worry is that it may not be subject to GDPR compliance, even if consent was acceptable before.
I think we have already made the point and we do not need to come back to it. What I took from the noble Lord’s earlier contribution was that one way in which medical research is developed and carried out involves a consent process, and we would not want to change anything in that sense. However, for lots of reasons—the noble Lord gave three or four—you cannot always use consent. You may not want to go to the patient, or perhaps you cannot go to or find the patient. Alternatively, the noble Lord made the more general point that you often collect data without any real sense of where it might go in the future. We are not saying that any of that is good, bad or indifferent—one is no better than the other—but they all need to be considered in a broader understanding of the public good being best served by having the least restrictive system concomitant with appropriate procedures being in place. That is the line, with the ethics committee sitting at the top, that gets you to the point where that would be a fruitful conversation to have with Ministers.
My Lords, I associate myself with the amendment in the name of the noble Baroness, Lady Howe. We are in Committee and it is a probing amendment. When we discussed it with colleagues the feeling was that 13 might be the right age but, as the noble Baroness indicated, it needs probing and some thinking about.
There is a danger, particularly in a House with our age group, that we assume these technologies are understood by the young—even the very young. We all hear anecdotes of parents or grandparents who have to consult their eight year-olds on how to make various gadgets work, but that misses the point. A frightening amount of information is being freely given. I mentioned at Second Reading that my generation and my parents’ generation had thoughts of personal privacy that my daughter and her contemporaries seem to have no thought of. They are very happy to exchange information about themselves, what they do and where they are with gay abandon.
When we get to the very young it is very important to make sure—we will discuss this in later amendments, if not tonight—that there is sufficient understanding and information to make informed choices, otherwise we get into very dangerous territory indeed. Therefore we are, not for the first time, in the noble Baroness’s debt for raising these questions. Late as it is, it is right that we put on record that these things, along with the amendments that will follow in the next couple of groupings, need to be taken as a whole before we make a final judgment as to the right age.
My Lords, I echo the comments of the noble Lord, Lord McNally, to say we are grateful to the noble Baroness, Lady Howe. I acknowledge, particularly after her Second Reading speech, that she has not immediately demanded that the age be put back up to 16, which I thought she might. She has produced an interesting amendment.
Amendment 16 would give the Information Commissioner the power to determine the age threshold at which children can consent to their data being processed by online information services. This would be based on consultation and evidence. While it is certainly a preferable proposal to a blanket increase to 16, I am afraid I still cannot agree.
First, the Information Commissioner’s role as an independent regulatory authority is to administer and enforce the application of data protection legislation. As part of that role the Commissioner provides advice to businesses, organisations and individuals on the proper implementation of the legislation and on their rights under that legislation, and provides redress for breaches of individuals’ personal data. It also has an advisory function in relation to Parliament, the Government and other institutions. By contrast, the question of affixing the age below which parental consent is required has much broader-ranging considerations and implications, including an important moral dimension. Requiring the Information Commissioner to be the one to answer it would place on the officeholder an extra demand for which the office is neither designed nor resourced.
Secondly, the GDPR specifies that it is member states that should make this important decision. It does not give the power for states to delegate this choice to another regulatory body. Therefore, this amendment would make the Bill as a whole non-compliant with the GDPR. It is for those reasons that the Government consider that the question should be decided by this House and the other place rather than by a regulatory body. I realise that, in saying that, we leave ourselves open to further discussions on this matter.
(7 years, 1 month ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, this has been a terrific debate on an important subject. We probably all agree that of all the issues that will come up on the Bill, we care about this one the most and would like to see it settled in a way that balances, as has been said, the wish for people to enjoy the use of the internet—which brings so much in so many different ways—with an appropriate regulatory structure that means that harm is prevented where it is appropriate to do so.
I was struck by what the noble Baroness, Lady Harding, said. Obviously, she is in a difficult position, speaking against her Government on a matter about which she has so much expertise and knowledge. However, she made the case so well that it is worth paying tribute to her for that. If we find a situation in any aspect of our public life where those responsible for an issue are unwilling or unable to deal with it appropriately, the public authorities have to take that step. We are in that situation—she made that clear so well.
Other arguments have been used today that were knocked back by the noble Baroness, Lady Kidron, when she spoke, but it is important to bear this in mind. There is no question here about us affecting our adequacy issues. This is definitely left to the government agencies in the countries involved to act on, and there is no issue here with regard to what we would say to the European Union should that be required in terms of adequacy, so we should not be dissuaded by that. As the recitals attached to the GDPR say, it is still a question of needing to balance the lower age of consent with the appropriate safeguards required. Age is one of those—it is important, but not the only one; capacity has also been raised before. However, we have the issue here about age, and there is a need for guidance around that.
The Government will not address the issue in any future sense. The internet strategy, which was referred to, is a bit of a red herring here, and, as we have heard, self-regulation, on which it is largely based, does not work. Therefore, action is probably required. As I said, if the industry will not do it, the public authorities should. We want this country to be the best place in the world to be online, and we want it to be safe to do so. If it is possible to design an age-appropriate environment, we should look very hard at that. The case that has been made today is incredibly important. The Government have a good sense of that from all around the Committee, as was said, and I hope they will be able to respond positively to it.
I will speak briefly to Amendment 20A, which picks up points made by the noble Baroness, Lady Howe. One issue that affects all those who wish to work in this area is the lack of information about what is happening on the ground: who is using what and how, with regard to time, effort and use of the internet? Amendment 20A, in my name, suggests to the Government that there is need at some point for a proper review which will require the companies to divest the information they currently have but which they do not share on information society services. Only then will the evidence of which the noble Baroness, Lady Howe, spoke, which will inform us as we go forward, be available. However, it should not stand in the way of the need to act in this way in this amendment, which I fully support.
My Lords, the noble Lord, Lord Stevenson, said that he hoped I had a sense of where the Committee is coming from. I very much have a sense of that. I know that child online safety is an issue that is taken seriously by all noble Lords in the House, and it has been the subject of much debate apart from today. I am therefore grateful to the noble Baroness and to all who contributed for introducing this important subject. I assure all noble Lords that we have an open mind. However, I will pour a bit of cold water because some issues, to which we may well come back, need to be thought about. I apologise to the noble Baroness, Lady Kidron, for the fact that we have not met. I thought that we were arranging a meeting. I have certainly talked to my noble friend Lady Harding about these amendments. However, I repeat not only to her but to every noble Lord that I am very happy to talk to anyone about these matters before Report, and I have no doubt that I will be talking to the noble Baroness before too long.
At Second Reading we heard a good deal about the need to improve online safety and concerns about the role that social media companies play in young people’s lives. The Government are fully committed to this cause. Our approach has been laid out in the Internet Safety Strategy Green Paper, published earlier this month. In that strategy, the Government detailed a number of commitments to improve online safety for all users and issued a consultation on further work, including the social media code of practice, the social media levy and transparency reporting. Although the Government are currently promoting a voluntary approach to work with industry, we have clearly stated in the strategy—and I repeat it now—that legislation will be introduced if necessary, and this will be taken forward in the digital charter.
The Government’s clear intention is to educate all users on the safe use of online sites such as social media sites. Again, this is set out in the strategy. This includes efforts targeted at children, comprising working with civil society groups to support peer-to-peer programmes and revised national curriculums. We believe that education is fundamental to safe use of the internet because it enables users to build the skills and resilience needed to navigate the online world and to be capable of adapting to the continuous changes and innovations that we see in this space.
The aim of these amendments is to allow information society services to make use of the derogation in the GDPR to set the age threshold at 13 only if sites comply with guidance on the minimum standards of age-appropriate design as set out by the Information Commissioner. Although the Government are sympathetic to their goal to raise the level of safety online, we have some questions about how it would work in practice and some fundamental concerns about its possible unintended consequences.
The noble Lord, Lord Storey, said that we should not rest our case on EU law. That is an enticing argument, especially from a Liberal Democrat, but I think that there is a sense of frustration there and I would not hold him to that. However, the fact is that, as we discussed last week, we are determined to ensure that we preserve the free flow of data once the UK leaves the EU.
I have to raise the issue of compliance with the GDPR, because we have a very real concern that these amendments are not compatible with it. The GDPR was designed as a regulation to ensure harmonisation of data protection laws across the EU. The nature of the internet and the transnational flow of data that it entails mean that effective regulations need international agreement. However, these amendments would create additional burdens for data controllers. Article 8 of the GDPR says that member states may provide by law for a lower age but it does not indicate that exercising this derogation should be conditional on other requirements. These amendments go further than permitted, creating a risk for our future trading relationships.
The noble Baroness mentioned that she had advice from a prominent QC. If she would care to share that with us, I would be happy to discuss it with her, and we will put that in front of our lawyers as well. I have an open mind on this but we think that there is an issue as far as the GDPR’s compatibility is concerned.
Amendment 155 would require the Information Commissioner to produce guidance on standards and design. The Information Commissioner will already be providing guidance on minimum standards to comply with the requirement not to offer services to under-13s without parental consent. Indeed, it will be the role of the commissioner to enforce the new law on consent. Although the guidance will not include details on age-appropriate design, this is not something that should be overlooked by government. However, tackling the problem of age-appropriate design is not just a data protection issue, and we should be very cautious about using this age threshold as a tool to keep children off certain sites. This is about their data and not the more fundamental question of the age at which children should be able to use these sites.
We need to educate children and work with internet companies to keep them safe and allow them to benefit from being online. Where there is clearly harmful material, such as online pornography, we have acted to protect children through a requirement for age verification in the Digital Economy Act 2017. The Government’s Internet Safety Strategy addresses a wide range of ways to protect the public online. While online safety, particularly for children, is very important, we should not be confusing this with the age at which parental consent is no longer required for the processing of personal data by online services. The Government have a clear plan of action.
I apologise to the Minister for interrupting. I am just interested in that confusion that he talks about. Perhaps I am incorrect, but I understand that images, for example, are data. There is a lot of concern about sexting and about platforms such as Snapchat and the sharing of data. Where is the confusion? Is it in the Government, or in the Chamber?
I do not think I mentioned confusion. What we are talking about in the Bill is purely data protection. We are talking about the age at which children can consent to information society services handling their data. What I think the noble Baroness, and a lot of Peers in the House, are talking about is keeping children safe online, which is more than just protection of their personal data.
I also apologise for interrupting but I have to support the noble Lord, Lord Knight. When I read out the list, I said that Instagram takes information such as your phone number, your birthday and who you are chatting with. That is data, so I come at this from a very clear position on children’s rights. I am very keen for children to be online. I agree with the noble Lord, Lord Knight, that we are beyond an age of consent, as he said on Second Reading. Consent is meaningless if you do not change the service on the other side of that consent. It is not simply about the bad things that happen. It is about abusing the entire data of a child when they are online. I hope that is helpful to put it back into scope of the Bill.
There may be some confusion now. I am not saying that children’s data is not important or that data protection for children is not important: clearly they are. However, the internet safety strategy addresses an overall, comprehensive range of measures that is about more than just data protection. We want to have a comprehensive strategy, which I am going to come to, to talk about safety. Nobody in their right mind is saying that we should not protect children, not only on the domestic front but internationally, as the noble Baroness, Lady Jay, said. Let me continue and I am sure all will become clear. If it does not, I am sure that the noble Baroness and others will cross-question me. If I have misunderstood what the noble Lord, Lord Knight, is getting at, I will look at Hansard and get back to him. I am sure we will come to this again.
We have a clear plan of action to raise the level of safety online for all users, as set out in the internet safety strategy. We are consulting on a new code of practice for the providers of online social media platforms, as required by the Digital Economy Act. That will set best practice for platform providers in offering adequate online protection policies, including minimum standards. Approaching the problem in this way as a safety matter, rather than a data protection matter, ensures we can tackle the problem while avoiding a debate over whether we are compliant with the GDPR. The internet safety strategy also outlines the Government’s promotion of “Think safety first” for online services. This will aim to educate and encourage new start-ups and developers to ensure that safety and privacy are built into their products from the design phase. Examples of this type of approach include having robust reporting mechanisms for users. We are looking at whether extra considerations should be in place on devices that are registered as being used by a child.
It is essential that we take a careful and considered approach to affecting the design standard of online services. Making overly complex or demanding requirements may result in negative consequences. Let me explain why. Amendments 18 and 19 essentially offer website operators a stark choice. Websites will need to either invest in upgrading standards and design or withdraw their services for use by under-16s. This is dangerous for the following reasons.
First, it could cause a displacement effect where children move to less popular platforms that would potentially not comply with such requirements—the noble Baroness, Lady Jay, talked about foreign sites. It is often more difficult to monitor these services and to ensure they have the basic protections that we expect from more legitimate sites. Platforms comply either because they are responsible or because they believe that the regulator will take enforcement action against them. Platforms hosted overseas may not always comply, because to do so would reduce the volume of users and potential monetisation, and the risk of enforcement action may be low.
Secondly, it is likely that young people, particularly those who already use these sites, may lie about their age to circumvent restrictions. This could have negative consequences for the prosecution of online grooming and underage sex: teenagers would be vulnerable to the assumption that they are over 16; adults could use this as a defence for their conduct; and sites may not be as accountable for the content that children are exposed to. This is not an imaginary problem. There have been cases of acquittal at trial, where men have had sexual relations with underage girls after meeting them on sites for over-18s only, using their presence on the site as a defence for believing them to be adults.
Thirdly, circumvention may be sought through the use of mechanisms to anonymise—I am having a problem with my pronunciation too—the use of the internet. Young people may adopt anonymising tools such as VPNs to access non-UK versions of the sites. This would make it more difficult for law enforcement to investigate, should they be exploited or subject to crime.
Fourthly, there is already in place a variety of legislation to safeguard children. Any change brought in through this Bill would have potential ramifications for other statutes. Altering how children make use of online service providers would need to be carefully worked through with law enforcement agencies to ensure that it did not damage the effectiveness of safeguarding vulnerable people.
Fifthly, these amendments do not just apply to social media services. A broad range of online services would be affected by this proposal, from media players to commerce sites. The kinds of services that would be caught by this amendment include many that develop content specifically for young people, including educational materials, not to mention the wider impact on digital skills if children are forced offline.
I move on now to more practical considerations. I am concerned that the amendments as drafted, while an elegant proposal, could serve to create confusion about what sites have to do. We know that the GDPR will apply from 25 May, and I am not convinced that this will allow enough time for the commissioner to consult on the guidance, prepare it, agree it and lay it before Parliament, and for companies to be compliant with it. Online service providers will need to adhere to the new requirements from May 2018, and may have existing customers that the new provisions will apply to. They will need some time to make any necessary changes in advance. Even with the transition period available in the amendment, this would lead to considerable uncertainty and confusion from online services about the rules they will have to follow come May. This could result in the problems that I have already laid out.
Finally, the Information Commissioner has raised a technical point. These amendments would apply only where consent is the lawful basis for processing data. Children also have access to online services where the data controller relies on a contractual basis or vital interests to offer services, rather than reliance on consent. Therefore, the amendments may have less reach than seems to be envisaged and are likely to lead to confusion as to which services the requirements apply to.
In summary, in spite of our appreciation of the aims of these amendments, we have concerns. They may prove dangerous to the online safety of children and young people. Creating unnecessary and isolated requirements runs the risk of being counterproductive to other work in this space. There needs to be some serious and detailed discussion on this before any changes are made. Furthermore, the technical and legal drafting of the amendments remains in question.
There is no doubt that further work needs to be done in the online safety space to ensure the robust and sustainable protection of our children and young people online. We have demonstrated commitment to this through the work on the internet safety strategy and the Digital Economy Act. We are working on these issues as a matter of priority, but strongly believe that it is better to address them as a whole rather than pursue them through the narrow lens of data protection. We need to work collaboratively with a wide range of stakeholders to ensure that we get the right approach. The noble Baroness, Lady Kidron, for example, was among those who attended the parliamentarians’ round table on the internet safety strategy, which she mentioned, hosted by the Secretary of State last week. We are engaged on this issue and are not pursuing the work behind locked doors. These specific amendments, however, are not the right course of action to take at this time.
My Lords, the Minister has just referred to the round table. He will recall that I mentioned in my remarks the issue of definitions and suicide sites that were raised during that round table last week. Can he tell the House any more about that?
I was not at the round table, and I am afraid that I would require some notice to answer that question. I am certainly happy to write to the Committee about that. I had not forgotten; I just do not have an answer.
Given the arguments that I have laid out, I would like to reassure the House that this issue remains high priority. The noble Lord, Lord Knight, asked whether GOV.UK’s Verify site could be used for age verification. Verify confirms identity against records held by mobile phone companies, HM Passport Office, the DVLA and credit agencies, so it is not designed for use by children. We will continue to work with interested parties to improve internet safety, but in a coherent and systematic way. For the moment, and in anticipation of further discussions, I ask the noble Baroness to withdraw her amendment.
I now move to Amendment 20A from the noble Lords, Lord Stevenson and Lord Kennedy, on the requirement for a review of Clause 8. Again, the Government agree with the spirit of this amendment in ensuring that the legislation we are creating offers the protections that we desire. However, there are a few issues that we would like to address.
First, it is government practice to review and report in cases of new legislation like this. Bringing about a mandatory report in this case is therefore unnecessary. Furthermore, prescribing the specific content of such a report at this stage is counterproductive. This is especially true given the complex and wide-ranging nature of child online safety and the work being conducted by the Government in this space.
Secondly, on timings, as noble Lords are aware, we must comply with the GDPR from 25 May next year, by which time the Bill must be passed. I am concerned, therefore, that to require a review to be published within 12 months of the Bill passing would not leave sufficient time to produce a meaningful report. Companies need the time to bring in new mechanisms to be compliant with the regulation. For data to be created and collected, time must be given for the sites to be tested and used following the new regulations. This will allow for the comparison of robust data and that which will reflect other work around online safety, which is still being developed. For those reasons, I ask the noble Lords not to press their amendments.
I do not think that the Minister answered the point made by my noble friend Lady Jay on extraterritoriality—a word that I know he will want to use. Also, before the noble Baroness, Lady Kidron, replies, the main thrust of the Minister’s points was that government action on a code and on the digital charter would take most of the issues away. He relied on that in terms of his main argument. But am I right in saying that the code that has been consulted on is voluntary and that there will be no statutory basis for the digital charter? I would be grateful if he could help us on those two points.
I am happy to confirm those two points. On extraterritoriality, I agree with the noble Baroness that it is difficult to control. Commercial sites are easier—an example of which is gambling. We can control the payments, so if they are commercial and cannot pay people, they may well lose their attractiveness. Of course, the only way to solve this is through international agreement, and the Government are working on that. Part of my point is that, if you drive children away to sites located abroad, there is a risk in that. The big, well-known sites are by and large responsible. They may not do what we want, but they will work with the Government. That is the thrust of our argument. We are working with the well-known companies and, by and large, they act responsibly, even if they do not do exactly what we want. As I say, however, we are working on that. The noble Baroness is right to say that, if we drive children on to less responsible sites based in jurisdictions with less sensible and acceptable regimes, that is a problem.
Could the Minister help me with any information he might have about when the GDPR was drawn up? It must have been envisaged when Article 8 was put together that some member states would go with something different—be it 13, 16, or whatever. The issue of foreign powers must have been thought about, as well as verifying age, parental consent, or the verification of parental identity to verify age. Article 8 just talks about having to have parental sign-off. These issues of verification and going off to foreign powers must have been thought about when the article was being put together in Europe. Does he have any advice on what they thought would be done about this problem?
I cannot give the noble Lord chapter and verse on what the European bureaucrats were thinking when they produced the article, but age verification is not really the issue on this one, because it is extremely difficult to verify ages below 18 anyway. Although one can get a driving licence at 17, it is at the age of 18 when you can have a credit card. As I say, the issue here is not age verification—rather, it is about how, when we make things too onerous, that has the potential to drive people away on to other sites which take their responsibilities less seriously. That was the point I was trying to make.
My Lords, the Minister was kind enough to respond to the point I sought to make about the extraterritorial nature of all this, which of course goes way beyond individual sites to corporate ownership, the issue that I am most concerned about. I am glad that the Government are having conversations with, or at least dealing with, what he describes as the most responsible players in this market. None the less, we are dealing with a global environment in which most countries, not just a few rogue countries, have a very different environment and understanding of the culture and nature of the regulation of broadcasting than we do in this country. We have had a very particular and sophisticated way of dealing with terrestrial broadcasting for several generations. The real problem lies in addressing how we can translate some of those values and regulatory formats into the global internet age.
I take that point completely. So that I get it right, it would be best if I write to the noble Baroness about what we are doing. I am afraid that I cannot recall whether it is the G8, the G20 or whatever. Ownership is obviously a key point as well, so I will write to the noble Baroness on those points.
My Lords, I am very sorry for interrupting the noble Lord, Lord McNally, as what he had to say was very apposite and appropriate. I thought at one stage that he was going to say that he had been around for the passing of the first reform Act as well as everything else he was talking about, but I must have misheard him.
This has been a good debate, which has tended to range rather widely, mainly because it is so important we get this right. I confidently expect the Minister to respond by saying that this is a very good idea but he lacks the power to be able to give any response one way or another because it lies in the hands of one of his noble friends. That of course is the problem here, that we have another linked issue. Whitehall is useless at trying to take a broader issue that arises in one area and apply it in another. Education seems to be one of the worst departments in that respect. I mean that, as it has come up time and again: good ideas about how we need to radicalise our curriculum never get implemented because there seems to be an innate inability in the department to go along with it. It may well be that the changes to the structure of education in recent years have something to do with that. It is good to see in the second line of this amendment that this would apply to “all children” irrespective of the type of school or type of organisational structure that school is in, so that it applies to everyone. We support that.
However, two worries remain that still need to be looked at very hard, and the noble Lord who just spoke was on the point here. Do we have the skills in the schools to teach to the level of understanding that we are talking about? I suspect that we do not. If so, what are we going to do about that? Thirdly, I suspect that our kids are way ahead of us on this. They have already moved across into a knowledge and understanding of this technology that we cannot possibly match. Teaching them to go back to basics, as has been the case in previous restructuring of the curriculum, is not the right way. We need a radical rethink of the overall curriculum, something which is urgent and pressing. It is raised, interestingly enough, in a number of publications that are now appearing around the industrial strategy. If we do not get this right, we will never have a strategy for our industries that will resolve all the issues we have with improving productivity. I hope the Minister will take this away.
My Lords, I am grateful to the noble Lord, Lord Storey, whose long experience in education I acknowledge, and to all noble Lords who have contributed. I could not agree more about the importance of children and young people fully understanding how their data is collected, stored and used. That is why the Government have already taken steps to ensure that key aspects of data protection are taught in maintained schools. In 2014 we established a new and more rigorous national computing curriculum covering ages five to 16. It is compulsory in maintained schools in England and sets an ambitious benchmark that autonomous academies and free schools can use and improve on.
The new computing curriculum was developed by industry experts and includes safety, which helps to give children the tools that they need to make sensible choices online. I say to the noble Lord, Lord Puttnam, and my noble friend Lord Lucas that they were a bit pessimistic about what we are doing; we are certainly not doing nothing, as my noble friend implied. Children are taught how to use technology safely, respectfully and responsibly; how to recognise unacceptable behaviour; and how to report concerns about content and contact. Importantly, the curriculum also includes keeping personal information private and protecting their online identity and privacy, both of which are important parts of data protection. All schools can choose to teach children about data collection, storage and usage as part of these topics.
I also say to the noble Lord, Lord Puttnam, that the digital economy is actually not doing too badly; it is growing at twice the rate of the rest of the economy. The Government are spending to improve skills at all levels, including at PhD level, to prevent social exclusion. So we get the issues that he is talking about, and in my answer to the debate of the noble Baroness, Lady Lane-Fox, I outlined some of the things that we are doing.
I accept entirely that the economic drivers for the digital economy are being handled quite well. I am suggesting that the societal end of that debate is not keeping pace with the commercial and that, if we allow too great a disconnect to occur between societal impacts and commercial success, we will reap a very unfortunate harvest. The Minister was good enough to see me last week, together with an official from the Department for Education. I am not pretending for a moment that nothing is being done, but I am suggesting that there is nothing like enough urgency in trying to correct the societal aspects of this issue.
I take that point. I also understand the difference that the noble Baroness, Lady Lane-Fox, highlighted between digital skills and digital understanding, and we need to address that. One of the issues that the data ethics body is going to look at is how society deals with these technical problems, albeit that they are changing incredibly fast.
I have talked about younger pupils. Older pupils are also taught citizenship as part of the national curriculum. That equips pupils to take their place in society as active and responsible citizens, including providing them with the knowledge and skills that they need to think critically and to research and interrogate evidence. These vital skills help our children understand how their data can be used and why data protection is important.
Amendment 20 would require the Secretary of State for Education to make changes to the current maintained schools national curriculum, and would create new requirements for independent schools and academies. In our view, now is not the time to make further changes to these subjects. We need to allow schools to fully embed the new curriculum in order to provide a period of stability for schools so that they can focus on ensuring that pupils are taught this new curriculum well, including the new aspects on data protection.
Having said that, we are not complacent. We realise that companies’ use of data in the online world is increasingly complex and that we need to support children to understand that. The changes introduced in the Children and Social Work Act 2017 represent a step change in education on online safety. For the first time it will be compulsory for all primary-aged children at school in England to be taught relationships education, and all secondary-school children will be taught relationships and sex education. In addition, we will carefully consider whether also to make personal, social, health and economic education compulsory in all schools.
The noble Lord, Lord Knight, took my lines to a certain extent. I was going to confirm that the Department for Education confirmed today that it has begun its engagement with stakeholders. This is a point that has come up before: that will help it reach evidence-based decisions on the content. I can tell the noble Lord that the head teacher who is running it will advise the Department for Education on what will be included in relationships and sex education and PSHE, whether it should be compulsory and, if so, what content may be included. It will be live to online issues and include what children need to know to be safe online, beyond what is already in the computing curriculum.
The Government will ensure that these new compulsory subjects in England address the challenges experienced by young people online and are seeking views to work out exactly what this should cover and how best to do so. The Department for Education will support schools to ensure that content is pitched at the right level for each school year and builds knowledge as children grow up. Engagement and consultation will help us to get the detail right.
My department, DCMS, and the Department for Education are working together on the online safety aspects of these subjects. We will work with partners, including social media and technology companies, subject experts, law enforcement—
I thank the Minister for giving way. Is he suggesting that the aim should be to adapt children to the realities of the online world and the internet service providers, rather than to adapt the providers to the needs of children?
I am not an expert on education, but I do not think that “adapting” children is a recognised educational aspiration. We are trying to make children aware of the issues involved in the online world. We all accept that they are technically skilful, but they may not have the maturity to make the right decisions at certain times in their lives. As I said, we are trying to pitch it so that, as children develop, they are introduced to different things along the way. I hope that that answers the noble Baroness.
We are working with social media and technology companies, subject experts, law enforcement, English schools and teaching bodies to ensure these subjects are up to date with how children and young people access content online and the risks they face. We will also consider how best to support schools in the delivery of these new subjects. It is important to note that education on data processing does not exist in a vacuum but is viewed as a part of a wider programme of digital learning being promoted to improve user awareness of online safety and build digital capability. As such, we think that legislation focusing solely on data processing would risk detracting from the broader issues being tackled.
I am grateful to noble Lords for their amendment: it has prompted an interesting debate and raised issues which have gone beyond data protection, on which of course we are concentrating in the Bill. I hope that I have reassured the noble Lord that the Government take the issue of educating young people seriously, particularly in data protection matters. Not only do they already feature in the curriculum but we are considering how we might strengthen this teaching as a key part of our wider online safety work. With that reassurance, I hope that the noble Lord will feel able to withdraw the amendment.
I am very grateful for the Minister’s helpful reply and to noble Lords who have contributed to this debate. I do not particularly like the phrase “digital literacy”: I much prefer “digital understanding”. I always understood that the fourth “r” was religion, so perhaps, with a small “r”, this is a religion for some of these large tech companies.
I can accept everything the Minister said, with the exception of two points. He said that these things are happening in the maintained sector. However, over 70% of our secondary schools are no longer in the maintained sector and they can choose whether or not to follow the programmes that he has suggested. Free schools are also increasing in number and, again, they do not have to take any part in this activity if they do not want to.
I agree with the Minister that this is not a discrete package where you tick the box when you have done it. It has to be part of a wider programme which goes through all aspects of learning. I also agree with the noble Lord, Lord Stevenson, who raised the question of whether we have the skills in our schools. It is not just digital issues: we do not have teachers for A-level maths or physics but we do not stop doing maths or physics. This might ensure that we actually started training teachers to work in this area.
I am grateful for the Minister’s helpful reply and look forward to considering this again on Report. I beg leave to withdraw the amendment.
(7 years, 1 month ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
With great respect, we are concerned with the permanence of arrangements set up and put into primary legislation. The chairman of IPSO is not there for ever, and the code can be rewritten whenever the committee decides to do so.
My Lords, of course, we appreciate the contributions from all sides of the Committee on this issue, but let us be clear: this Bill is about data protection—it is not about press regulation. It is not about distinguishing between journalists, nor between the regulators they may or may not belong to.
The Government are committed to defending not only hard-won liberties but the operation of a free press. That is a fundamental principle of any liberal democracy. This Bill seeks to preserve the balance found in the 1998 Act, where journalists can process personal and special categories of personal data, but only when their processing is in the public interest and the substantial public interest respectively. The Bill also seeks to ensure that journalists are exempt from compliance with certain data protection requirements where to do so would undermine the operation of a free press, a key part of a strong and effective democracy where Governments are held to account and corruption and criminal behaviour can be challenged. No one seeks to condone the past misbehaviour of individual media organisations, nor to legitimise it.
Amendment 42 is moved by the noble Lord, Lord Stevenson. As we discussed last week in reference to Part 2 of Schedule 1, there is an exhaustive list of the types of processing which could be in the substantial public interest. When the Government consider that processing of a particular type will not always be in the substantial public interest, the Bill makes it a requirement that the data controller satisfies himself that any particular instance of processing is in the substantial public interest. Amendment 42 concerns the condition allowing journalists to process data in connection with unlawful acts and dishonesty, as dealt with in paragraph 10. The Bill, however, needs to balance freedom of expression with privacy and it may be that in some cases an act of dishonesty is not important enough and does not engage the substantial public interest to the extent that it justifies the processing of sensitive data by journalists. That is why the distinction is made.
To pick up on a point made by the noble Lord, Lord Stevenson, about continuity of arrangements in the 1998 Act, this processing condition is the same as that which currently appears under the existing Data Protection Act. It would appear that journalists have been dealing with that effectively and making the appropriate judgments for the last 20 years. I hope that that goes some way to explaining why we resist Amendment 42.
On Amendment 87B, I reassure the noble Lord that the specific inclusion of “photographic material” in paragraph 24(2)(a) of the schedule is unnecessary. This is because photographic material is likely to fall within one or more of the categories listed in that paragraph—for example, journalistic material or artistic material. We suggest that there is no requirement for express reference to photographic material. As for the point that was raised with the noble Lord by the NUJ, I think, about the use, the test is,
“with a view to publication”.
As long as that test is met, it does not necessarily follow that there must have been publication in order to legitimise the material in question. The position would, of course, be radically different if one had regard to one of the amendments moved by the noble Baroness, Lady Hollins.
Amendment 87E would remove the list of codes and guidelines in paragraph 24 of Schedule 2 that help controllers assess whether a publication would be in the public interest for data protection purposes and would replace it, as I understand it, with the term “appropriate codes”. I confess that I am a lawyer, to respond to a point made by the noble Lord, Lord McNally, or at least it is alleged that I am. That would certainly make it more difficult, as a matter for interpretation, for both publishers and the Information Commissioner to evaluate whether the publication of an individual’s personal data was in the public interest. Indeed, rather than the clarity of a list, one could instead be faced with years of potential litigation before an adequate body of case law was in place to establish what was appropriate. That is why we suggest it is appropriate that there should be a specific list, as reflected in the current legislation, the 1998 Act.
Amendments 88 and 89A concern the specific industry codes listed in the Bill. I start by saying that the codes currently listed in the Bill reflect those that are listed in the existing legislation. The editors’ code listed in the Bill—now enforced by IPSO rather than the Press Complaints Commission, I acknowledge —is one of these, and the Information Commissioner has already reflected this change in her current guidance on Section 32 of the existing Act. That follows from the Data Protection (Designated Codes of Practice) (No. 2) Order 2000, which set out the various codes of practice and included the editors’ code of practice. While there is a suggestion that the editors’ code of practice might change, in the light of any such change the Information Commissioner’s view and guidance as to the applicability of that code may also change. So it is not as if it is entirely without control.
The Minister said that it could change, but the word IPSO is actually in the Bill, so I do not quite understand the point that the Minister has just made.
Let me elaborate on the point for a moment to make it clear. IPSO did not exist in 1998; the editors’ code did and therefore the editors’ code was incorporated as such by reference to the 1998 Act and the 2000 order. The relevant editors’ code is now known as the IPSO code. It is essentially the same code, as I understand it. I see that the noble Lord, Lord Stevenson, is shaking his head on this point, but it is essentially the editors’ code that is now incorporated within the IPSO code.
I could not resist jumping up. I think the nub of the argument is the four letters IPSO. It is an editors’ code. IPSO is a separate body. I think there would be less concern if it were just simply the editors’ code because we understand what that is. That would be the right reference, but I think we will return to this later.
The terms of the editors’ code are now referred to as the IPSO code, but I take the noble Lord’s point and I will take away and consider whether there is any material issue about using the designation of that code in the schedule. However, it is, with respect, essentially the editors’ code as it was originally recognised. As I understand it, that is reflected in the Information Commissioner’s current guidance under reference to Section 32, which is why it appears in the schedule in the form that it does.
I shall be corrected in due course if I am wrong, but I think the position is that the editors’ code was the code that was formulated under the PCC, and then when Sir Alan Moses became chair of IPSO the code was then amended to strengthen it—but I shall be corrected if that turns out to be mistaken.
The noble Lord is quite right that it had its origin as the editors’ code before the PCC, but I am reflecting the fact that the Information Commissioner, being aware of the genesis of that code and its approval, has, as I understand it, under current guidance under reference to Section 32 of the existing Act acknowledged it as a relevant code. It seems to me that we may be arguing around designation rather than content, and I will give further consideration to the question of designation.
Removing that code—I will call it “that code” for present purposes—as proposed in the amendments would be a quite extraordinary step. Whatever one might think of IPSO, we should recognise that it has more than 2,500 members, including most of the major tabloids and broadsheets. Removing the code from the Bill would therefore remove protections for the vast majority of our press industry and cause significant detriment to what is a free press.
No codes adopted by a Press Recognition Panel-approved regulator are listed—and of course there is only Impress in that context. Under current legislation the Information Commissioner’s guidance on Section 32 does not include that code. That does not mean that such a code cannot be included in the future. However, before amending the list of codes, the current and proposed legislation makes it clear that the Secretary of State must consult the Information Commissioner. The self-regulator Impress has applied for its standards code to be included in the schedule, and the Secretary of State is currently considering that application—but in due course, once she has considered the application, she will have to refer to the Information Commissioner and consult her about that application.
I should also emphasise that the current list of codes, allowing for the point about designation, does not represent an endorsement of any one press regulator over another. This is about ensuring that the codes listed are appropriate, having regard to the need for data protection.
It is also worth noting that the exemption the Bill provides to those processing data for special purposes will be available to all journalists where the criteria set out in paragraph 24(2) of Schedule 2 are met. Where a publication is subject to one of the listed codes of conduct, it must take that code into account when determining whether publication is in the public interest. However, although the commissioner’s current guidance emphasises that compliance with industry codes will help demonstrate compliance, those publications that are not subject to a code are not somehow excluded from qualifying under the relevant exemptions, if they meet the three-part test in paragraph 24.
I appreciate that the intention of Amendment 91 is to ensure that we interpret the notions relating to journalism broadly and, in doing so, protect the right to freedom of expression. However, there is no requirement for this amendment if one has regard to Clause 184, the relevant interpretation clause, which makes it clear and underlines that material need be available only to a section of the public, and that would include those who subscribe by way of a fee for particular access to material. So these exemptions will extend to the sort of body that was referred to by the noble Lord in relation to Amendment 91. If anything, there is duplication, because we have not only paragraph 24(9), which refers to the public and a “section of the public”, but Clause 184, which defines the public by reference to, and includes, a section of the public. I believe that there was an earlier proposal to take paragraph 24(9) out in order to avoid that duplication.
I turn to the amendment tabled by the noble Baroness, Lady Hollins, and supported by my noble friend Lord Attlee. Article 85 of the GDPR requires member states to reconcile the right of protection of personal data with the right to freedom of expression and information, which is of course embraced by the European Convention on Human Rights. Although like, clearly, other Members of the Committee, I have great sympathy for the noble Baroness’s own experience, I firmly believe that the Bill strikes the right balance in reconciling these interests and aligns with the requirements of the regulation.
By contrast, the proposed amendments seek to reset that balance, so that the right to personal information privacy trumps that of the right to freedom of expression and information. This would be inconsistent with Article 85, which recognises the special importance of freedom of expression and provides a wide power to derogate from the regulation for processing for the special purposes. That point was elaborated by the noble Lord, Lord Lester of Herne Hill, when he underlined the importance of the freedom of the press in this context.
Amendment 87A seeks to amend the journalistic data protection exemption to make it available only where the processing of data is necessary for publication, rather than simply being undertaken with a view to publication. I fear that this does not reflect the realities of how journalists work and how stories, including the most sensitive and important pieces of investigative journalism, are put together and published. A journalist will not know what is necessary until the data has been gathered, reviewed and assessed.
Amendments 87C and 87D relate to what factors the controller must take into account when considering whether publication of data would be in the public interest. The amendments would remove the requirement on the controller to take account of the special importance of the public interest in freedom of expression and information, and make the exemption available only where, objectively, the likely interference with privacy resulting from the processing of the data is outweighed by the public interest.
Controllers already have to consider issues of privacy when considering the public interest. But this amendment goes too far in saying that public interest can be trumped by privacy, weighting the test away from freedom of expression. This is again contrary to Article 85, which requires a reconciliation of these rights. I understand the noble Baroness’s intent here, and the harm that she seeks to prevent, but the rebalancing that she suggests goes too far.
Finally, Amendments 89B and 91A aim to narrow the exemptions for journalists who are not members of an approved regulator as defined by the Crime and Courts Act 2013. Fundamentally, these provisions are about protections that journalists should be able to legitimately rely on in going about their important work. We should view these clauses through that lens—as vital protections that give journalists the ability to inform us about the world in which we live and to effectively hold those in power to account.
The Government do not condone the past behaviour of individual media organisations, nor, as I noted earlier, do we seek to legitimise it. Equally, though, we do not think the problems that Sir Brian Leveson and others have identified can, or indeed should, be fixed through the medium of data protection law. Indeed, the Government feel strongly that these important protections for journalists should be maintained.
We must strike the right balance in reconciling the right to privacy with the right to freedom of expression and information. I hope I have gone some way towards explaining how the Bill seeks to do that. I hope I have addressed the concerns that have been expressed through the amendments, and I urge noble Lords to withdraw them.
(7 years, 1 month ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, I am grateful to all noble Lords who have spoken and for the opportunity to speak to Schedule 1 in relation to an industry in which I spent many years. I accept many of the things that the noble Earl, Lord Kinnoull, described and completely understand many of his points—and, indeed, many of the points that other noble Lords have made. As the noble Lord, Lord Clement-Jones, said, I have taken the noble Earl’s examples to heart, and I absolutely accept the importance of the insurance industry. The Government have worked with the Association of British Insurers and others to ensure that the Bill strikes the right balance between safeguarding the rights of data subjects and processing data without consent when necessary for carrying on insurance business—and a balance it must be. The noble Lord, Lord Stevenson, alluded to some of those issues when he took us away from the technical detail of his amendment to a higher plane, as always.
The noble Earl, Lord Kinnoull, and the noble Lords, Lord Clement-Jones and Lord Stevenson, have proposed Amendments 45B, 46A, 47, 47A, 48A and 50A, which would amend or replace paragraphs 14 and 15 of Schedule 1, relating to insurance. These amendments would have the effect of providing a broad basis for processing sensitive types of personal data for insurance-related purposes. Amendment 45B, in particular, would replace the current processing conditions for insurance business set out in paragraphs 14 and 15 with a broad condition covering the arrangement, underwriting, performance or administration of a contract of insurance or reinsurance, but the amendment does not provide any safeguards for the data subject.
Amendment 47 would amend the processing condition relating to processing for insurance purposes in paragraph 14. This processing condition was imported from paragraph 5 of the 2000 order made under the Data Protection Act 1998. Removal of the term might lessen the safeguards for data subjects, because insurers could potentially rely on the provisions even where it was reasonable to obtain consent. I shall come to the opinions of the noble Earl, Lord Erroll, on consent in a minute.
Amendments 46A, 47A, 48A and 50A are less sweeping, but would also remove safeguards and widen the range of data that insurers could process to far beyond what the current law allows. The Bill already contains specific exemptions permitting the processing of family health data to underwrite the insured’s policy and data required for insurance policies on the life of another or group contract. We debated last week a third amendment to address the challenges of automatic renewals.
These processing conditions are made under the substantial public interest derogation. When setting out the grounds for such a derogation, the Government are limited—this partly addresses the point made by the noble Lord, Lord Stevenson—by the need to meet the “substantial public interest test” in the GDPR and the need to provide appropriate safeguards for the data subject. A personal or private economic or commercial benefit is insufficient: the benefits for individuals or society need to significantly outweigh the need of the data subject to have their data protected. On this basis, the Government consider it difficult to justify a single broad exemption. Taken together, the Government remain of the view that the package of targeted exemptions in the Bill is sufficient and achieves the same effect.
Nevertheless, noble Lords have raised some important matters and the Government believe that the processing necessary for compulsory insurance products must be allowed to proceed without the barriers that have been so helpfully described. The common thread in these concerns is how consent is sought and given. The noble Earl, Lord Kinnoull, referred to that and gave several examples. The Information Commissioner has published draft guidance on consent and the Government have been in discussions with her office on how the impact on business can be better managed. We will ensure that we resolve the issues raised.
I say to the noble Earl, Lord Erroll, that consent is important and the position taken by the GDPR is valid. We do not have a choice in this: the GDPR is directly applicable and when you are dealing with data, it is obviously extremely important to get consent, if you can. The GDPR makes that a first line of defence, although it provides others when consent is not possible. As I say, consent is important and it has to be meaningful consent, because we all know that you can have a pre-tick box and that is not what most people nowadays regard as consent. Going back to the noble Earl, Lord Kinnoull—
My Lords, I am sorry to interrupt. The Minister mentioned the guidance from the Information Commissioner. From what he said, I assume he knows that the insurance industry does not believe that the guidance is sufficient; it is inadequate for its purposes. Is he saying that a discussion is taking place on how that guidance might be changed to meet the purposes of the insurance industry? If it cannot be changed, will he therefore consider amendments on Report?
Of course, it is not for us to tell the Information Commissioner what guidance to issue. The guidance that has been issued is not in all respects completely helpful to the insurance industry.
Following up the noble Lord’s point, I would like to say a couple of things. First, I sort of understand where the Information Commissioner’s Office is coming from. I have article 7 in my hands, which contains the definition of consent from the GDPR, and article 9(2)(a). My concern is that even if the Government are very nice to an Information Commissioner and persuade them to change the guidance, it could change at any time. It is important to ensure that the Bill will work for the ordinary man in the street. As for compulsory classes, it is not about looking after the insurers but every small business in Britain and every small person who wants to get motor insurance, especially those who have problems with either criminal convictions or their health.
I agree; I think I mentioned compulsory classes before. Going back to the guidance, we are having discussions. We have already had constructive discussions with the noble Earl, and we will have more discussions on this subject with the insurance industry, in which he has indicated that he would like to take part. I am grateful to him for coming to see me last week.
My Lords, I am sorry to interrupt the Minister again but he is dealing with important concepts. Right at the beginning of his speech he said he did not think this could be covered by the substantial public interest test. Surely the continuance of insurance in all those different areas, not just for small businesses but for the consumer, and right across the board in the retail market, is of substantial public interest. I do not quite understand why it does not meet that test.
I may have misled the noble Lord. I did not say that it does not meet the substantial test but that we had to balance the need to meet the substantial public interest test in the GDPR and the need to provide appropriate safeguards for the data subject. I am not saying that those circumstances do not exist. There is clearly substantial public interest that, as we discussed last week, compulsory classes of insurance should be able to automatically renew in certain circumstances. I am sorry if I misled the noble Lord.
We realised that there are potentially some issues surrounding consent, particularly in the British way of handling insurance where you have many intermediaries, which creates a problem. That may also take place in other countries, so the Information Commissioner will also look at how they address these issues, because there is meant to be a harmonious regime across Europe. The noble Earl has agreed to come and talk to us, and I hope that on the basis of further discussions, he will withdraw his amendment.
I followed the Minister quite well until the last exchange, where I got a bit confused. Is he saying in some sense that there may be a case for two types of derogation: that that which applies to compulsory insurance—there are strong public interest reasons why it should be continued—might be done under one derogation and the rest raised as more specific items, as suggested by the noble Earl?
We can break it down simply between compulsory and non-compulsory classes. Some classes may more easily fulfil the substantial public interest test than others. In balancing the needs, it goes too far to give a broad exemption for all insurance, so we are trying to create a balance. However, we accept that compulsory classes are important.
I am sure that the noble Earl, Lord Kinnoull, will come back at greater length on this. The issue that the Minister has outlined is difficult, partly because the Information Commissioner plays and will play such an important role in the interpretation of the Bill. When the Government consider the next steps and whether to table their own amendments or accept other amendments on Report, will they bring the Information Commissioner or her representative into the room? It seems that the guidance and the interaction of the guidance with the Bill—and, eventually, with the Act—will be of extreme importance.
I agree, which is why I mentioned the guidance that the Information Commissioner has already given. I am certainly willing to talk to her but it is not our place to order her into the room. However, we are constantly talking to her, and there is absolutely no reason why we would not do so on this important matter.
I thank all noble Lords who have taken part in this short but interesting debate. Of course, the Information Commissioner reports to Parliament, so if we held a meeting here, we probably could ask her, quite properly, to come. That might be quite helpful in this complex area. As I said, when you mess around in these areas, the person who suffers is the man in the street, not the insurance companies. The noble Lord, Lord Stevenson of Balmacara, in particular made a number of interesting points in speaking to his amendment, which need to go into the mix as regards how we sort through this difficult area.
I am very grateful to the Minister for confirming that we will continue discussions in this area. I do not think for a moment that I necessarily have all the right answers, but we have started on the journey and will continue. We will certainly be talking about the same issues again in different formats on Report and I look forward to that very much. On that basis, I beg leave to withdraw the amendment.
My Lords, the noble Lord referred to the rules as a bit grey and asked for clarity for the volunteer army. I should declare an interest as a foot soldier in that volunteer army.
The noble Lord’s request that party officials should be involved in this process is a good one—I would have thought they would have been. The Minister should be aware of my first question as I emailed him about this, over the weekend I am afraid. Has the Electoral Commission been involved in these provisions?
The noble Lord mentioned the electoral register provided by a local authority. My specific question is about the provision, acquisition and use of a marked electoral register. For those who are not foot soldiers, that document is marked up by the local authority, which administers elections, to show which electors have voted. As noble Lords will understand, this is valuable information for campaigning parties and can identify whether an individual is likely to turn out and vote and so worth concentrating a lot of effort on. I can see that this exercise could be regarded as “campaigning” under paragraph 17(4) of Schedule 1. However, it is necessary, although I do not suppose that every local party in every constituency makes use of the access it has. It is obvious to me that this information does not reveal political opinions, which is also mentioned in the provisions. I would be grateful to hear the Minister’s comments. I am happy to wait until a wider meeting takes place, but that needs to be before Report.
I want to raise a question on a paragraph that is in close geographical proximity in the Bill—I cannot see another place to raise the issue and it occurred to me only yesterday. Why are Members of the House of Lords not within the definition of “elected representatives”? We do not have the casework that MPs do, but we are often approached about individual cases and some Peers pursue those with considerable vigour. This omission—I can see a typo in the email that I sent to the Minister about this; I have typed “mission” but I meant “omission”—is obviously deliberate on the part of the Government.
My Lords, I begin by repeating, almost word-for-word, the noble Lord, Lord Kennedy: engaging voters is important in a healthy democracy. In order to do that, political parties, referendum campaigners and candidates will campaign using a variety of communication methods. However, they must comply with the law when doing so, and this includes the proper handling of the personal data they collect and hold.
Noble Lords will be aware that the Information Commissioner recently announced that she was conducting an assessment of the data protection risks arising from the use of data analytics, including for political purposes. She recognises that this is a complex and rapidly evolving area where organisations use a person’s internet or public profile to target communications or messaging. The level of awareness among the public about how data and analytics work and how their personal data is collected, shared and used through such tools is low. What is clear is that these tools have a significant potential impact on an individual’s privacy, and the Government welcome the commissioner’s focus on this issue. It is against this backdrop that we considered the amendments of the noble Lord.
The amendments seek to amend a processing condition relating to political parties in paragraph 17. The current clause permits political parties to process data revealing political opinions, provided that it does not cause substantial damage or substantial distress. This replicates the existing wording in the Data Protection Act 1998. I have said that political campaigning is a vital democratic activity but it can also generate heated debated. Removal of the word “substantial” could mean that data processing for political purposes which caused even mild offence or irritation becomes unlawful. I am sure noble Lords would agree that it is vital that the Bill, while recognising the importance of adequate data protection standards, does not unduly chill such an important aspect of the UK’s democracy. For that reason I ask the noble Lord to withdraw the amendments.
I thank the noble Lord for allowing me to reply later to his list of questions. I found it difficult to copy them down, let alone answer them all, but I take the point. In many instances we are all in the same boat on this, as far as political parties are concerned. I shall of course be happy to meet with him, and I take the point about who should attend. I am not sure it will be next week, when we have two days in Committee, but we will arrange it as soon as possible. I will have to get a big room because my office is too small for all the people who will be coming. I take the points the noble Lord made in his questions and will address them in the meeting.
The noble Baroness, Lady Hamwee, asked whether the Electoral Commission had been consulted. It did not respond to the Government’s call for views which was published earlier this year, and we have not solicited any views explicitly from it beyond that.
The noble Baroness also asked about the provision, acquisition and use of a marked electoral register within paragraph 17 of Schedule 1. As she explained, the marked register shows who has voted at an election but does not show how they voted. As such, it does not record political views and does not contain sensitive data—called special categories of data in the GDPR —and, as the protections for sensitive data in article 9 of the GDPR are not relevant, Schedule 1 does not apply.
Lastly, the noble Baroness asked why Members of the House of Lords are not within the definition of elected representatives. Speaking as an elected Member of the House of Lords—albeit with a fairly small electorate—I am obviously interested in this. I have discovered that none of us, I am afraid, are within the definition of elected representatives in the Bill. We recognise that noble Lords may raise issues on an individual’s behalf. Most issues will not concern sensitive data but, where they do, in most cases we would expect noble Lords to rely on the explicit consent of the person concerned. This arrangement has operated for the past 20 years under the current law, and that is the position at the moment.
I hope I have tackled the specific items relating to the amendments. I accept the points made by the noble Lord, Lord Kennedy, about the electoral issues that need to be raised in general.
I fully support my noble friend’s assertions and the Minister’s response. It is very important that registered political parties can operate effectively. I wonder whether, in the discussions he is proposing to undertake, the Minister will also address the issue of other organisations and political parties attempting to influence the political process. I do not think I need to spell it out, in view of recent news, but the use of social media by organisations that are not covered by our electoral law or by registration as a political party must not have the same provisions that registered political parties would have under the Bill or my noble friend’s amendments. I wonder if that could be addressed directly in these discussions.
My Lords, I want to pick up on the last point of the noble Lord, Lord McNally. We are getting into a situation where political parties are addressing personal messages to individual voters and saying different things to different voters. This is not apparent; there must be ways to control it. We will have to give some considerable thought to it, so I see the virtue of the amendments.
Quickly, because I will not remember all the questions and points, I want to emphasise that they are all very good points and I will reflect on them. My main mission is to get the GDPR and law enforcement directive in place by May 2018. I absolutely accept the point made by the noble Lord, Lord McNally—that this is the tip of iceberg—but we must bear in mind that this is about data protection, both today and on Report, so I will focus on that. We have already had other avenues to raise a lot of the points the noble Lord made, but I agree that it is a huge issue. He asked when the report from the Information Commissioner will be available. I would expect it before Christmas, so it will be before the Bill becomes law.
I certainly undertake to reflect on what the noble Baroness, Lady Jay, said about the Electoral Commission. I believe that our call for views was after the election; nevertheless, I take her point. I am very sorry but I cannot remember what the point from the noble Lord, Lord Whitty, was, but I accept these things have to be taken into account. When we have our meeting—it is becoming a big meeting—it will be for people concerned specifically with the Data Protection Act, not some of the issues that lie outside that narrow area, important though they are.
I ask noble Lords not to press their amendments.
My Lords, picking up on the last point from the noble Baroness, Lady Hamwee, is this the first time the privileges of Members of this House have been reduced in relation to Members of the other House? If so, will the Government consult the Speaker of this House on whether he considers that desirable?
My Lords, they have not been reduced. This is the position that exists today.
My Lords, privileges are being given to Members of another place—and indeed to Members of the Parliaments of Scotland and other places—that are being denied to us. Is this the first time that has been done?
No, it is not the first time because this is the position that exists under the Data Protection Act 1998.
My Lords, I thank all noble Lords for speaking in this debate. As I think the noble Lord, Lord McNally, said, these amendments would delete just two words, but we have had a very important debate. We tabled the amendments to probe these issues, which are very important.
I am pleased that the noble Lord, Lord Ashton of Hyde, has agreed to meet us because we need to discuss this. It would be much better if we could get interested Peers from this House and officials from various parties together to sort this matter out, rather than leave it and let it go to the other place. We have a much better record of sitting down and sorting such issues out. I hope, if we need to amend the Bill, we do so on Report. Before we have our meeting—I accept it will be quite a big meeting—it would be useful if the noble Lord wrote to me, if he can, and to other interested Lords so we can have the Government’s position on paper before we sit down. That would help our discussions and move them on. There is a community of interest among noble Lords.
I certainly agree with the points made by the noble Lord, Lord McNally, and by my noble friends Lord Whitty and Lady Jay, but we need to focus on these issues, get them right and get proper amendments in place to protect parties and campaigners as they do their proper and lawful work. At this stage, I am happy to withdraw the amendment.
(7 years, 1 month ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, I support Amendment 79. I offer as an example the national pupil database, which the Department for Education makes available. It is very widely used, principally to help improve education. In my case, I use it to provide information to parents via the Good Schools Guide; in many other cases it is used as part of understanding what is going on in schools, suggesting where the roots of problems might lie, and how to make education in this country better. That does not fall under “scientific or historical” and is a good example of why that phrase needs widening.
My Lords, as a non-lawyer, I am delighted to find myself in the same company as the noble and learned Lord, Lord Hope of Craighead, as this has also introduced me to an area of trust law which I am not familiar with. I thank noble Lords for their amendments, which concern the exemptions from data rights in the GDPR that the Bill creates. Two weeks ago we debated amendments that sought to create an absolute right to data protection. Today we will further debate why, in some circumstances, it is essential to place limitations on those rights.
The exemptions from data rights in the GDPR are found in Schedules 2 to 4 to the Bill. Part 6 of Schedule 2 deals with exemptions for scientific or historical research and archiving. Without these exemptions, scientific research which involves working on large datasets would be crippled by the administration of dealing with requests from individuals for their data and the need to give notice and service other data rights. This data provides the fuel for scientific breakthroughs, which the noble Lord, Lord Patel, and others have told us so much about in recent debates.
Amendment 79 seeks to remove “scientific or historical” processing from the signposting provision in Clause 14. Article 89 of the GDPR is clear that we may derogate only in relation to specifically historical or scientific research. We believe that Clause 14 needs to correctly describe the available exemption, although I reassure noble Lords that, as we have discussed previously, these terms are to be interpreted broadly, as outlined in the recitals.
Part 1 of Schedule 2 deals with exemptions relating to crime, tax and immigration. For example, where the tax authorities assess whether tax has been correctly paid or criminally evaded, that assessment must not be undermined by individuals accessing the data being processed by the authority. Amendments 79A and 79B, spoken to by the noble Lord, Lord Griffiths of Burry Port, would limit the available exemptions by removing from the list of GDPR rights that can be disapplied the right to restrict processing and the right to object to processing. In my example, persons subject to a tax investigation would be able to restrict and object to the processing by a tax authority. Clearly that is not desirable.
Amendments 80A and 83A seek to widen the exemption in paragraph 5(3) of Schedule 2 which exempts data controllers from complying with certain data rights where that data is to be disclosed for the purposes of legal proceedings. Without this provision, which mirrors the 1998 Act, individuals may be able to unfairly disrupt legal proceedings by blocking the processing of data. We are aware that the Bar Council has suggested that the exemption be widened as the amendments propose. This would enable data controllers to be wholly exempt from the relevant data rights. We believe that this is too wide and that the exemption should apply only where the data is, or will be, subject to a disclosure exercise, which is a process managed through court procedure rules. At paragraph 17 of Schedule 2, the Bill makes separate provision for exemptions to protect legal professional privilege. We think that the Bill continues to strike the right balance between the rights of data subjects and controllers processing personal data for the purposes of exercising their legal rights.
Amendment 83B seeks to remove paragraph 7 of Schedule 2 from the Bill. This paragraph sets out the conditions for restricting data subjects’ rights in respect of personal data processed for the purposes of protecting the public. Those carrying out functions to protect the public would include bodies and watchdogs concerned with protecting the public from incompetence, malpractice, dishonesty or seriously improper conduct, securing the health and safety of persons at work and protecting charities and fair competition in business. Paragraph 7, which is based on the current Section 31 of the 1998 Act, ensures that important investigations can continue without interference. Without this paragraph, persons would have to be given notice that they were being investigated and, on receipt of notice, they could require their data to be deleted, frustrating the investigation.
Paragraph 14 of Schedule 2 allows a data controller to refuse to disclose information to the data subject where doing so would involve disclosing information relating to a third party. Amendment 86A would remove the circumstances set out in sub-paragraph (3) to which a data controller must have regard when determining whether it is reasonable to disclose information relating to a third party without their consent. These considerations mirror those in the 1998 Act and we think that they remain important matters to be considered when determining reasonableness. They also allow for any duty of confidentiality to be respected.
Paragraph 15 of Schedule 2 ensures that an individual’s health, education or social work records cannot be withheld simply because they make reference to the health, education and social work professionals who contributed to them. Amendment 86B would allow a controller to refuse to disclose an individual’s health records to that individual on the grounds that they would identify the relevant health professionals who authored them. We believe that individuals should be able to access their health records in these circumstances.
This was included in the letter I was sent today. I am afraid the noble Lord has not got it. The noble Lord, Lord Kennedy, helpfully withdrew his amendment before I was able to say anything the other night but the EU withdrawal Bill will convert the full text of direct EU instruments into UK law. This includes recitals, which will retain their status as an interpretive aid.
My Lords, we will see if the EU withdrawal Bill gets passed, but that is a matter for another day.
I thank the Minister for his remarks. There are many aspects of his reply which Members around the House will wish to unpick.
Perhaps I may pursue this for a second. It is late in the evening and I am not moving fast enough in my brain, but the recitals have been discussed time and again and it is great that we are now getting a narrow understanding of where they go. I thought we were transposing the GDPR, after 20 May and after Brexit, through Schedule 6. However, Schedule 6 does not mention the recitals, so if the Minister can explain how this magic translation will happen I will be very grateful.
We are not transposing the GDPR. It takes direct effect on 25 May.
I knew I was slow. We are moving to applied GDPR; that is correct. The applied GDPR, as I read it in the book—that great wonderful dossier that I have forgotten to table; I am sure the box can supply it when we need it—does not contain the recitals.
My Lords, just to heap Pelion on Ossa, I assume that until 29 March the recitals are not part of UK law.
They will be part of UK law, because the withdrawal Bill will convert the full text into UK law. There will of course be a difference between the recitals and the articles; it will be like a statutory instrument, where the Explanatory Memorandum is part of the text of the instrument.
May I add to this fascinating debate? Does this not illustrate one of the problems of the withdrawal Bill—that in many areas, of which this is one, there will be two potentially conflicting sources of English law? There will be this Act, on data protection, and the direct implementation through the EU withdrawal Bill on the same subject. The two may conflict because this Act will not contain the recitals.
My Lords, all I can say is that I do not know how the legal profession will cope in the circumstances.
One thing we can all be certain of is that the legal profession will cope.
My Lords, I thank all noble Lords who have taken part in the debate. There is clearly a lot of interest, as is evident from what has been said. I am also glad to be back opposite the noble Lord, Lord Kennedy of Southwark, as we have been on so many occasions, and I am sure we will be in the future. It is probably worth addressing some of the evident misunderstandings that have arisen around the purpose and the scope of this provision, and I hope to be able to persuade the Committee that this is a necessary and proportionate measure to protect the integrity of our immigration system.
The Government welcome the enhanced rights and protections for data subjects afforded by the GDPR and in negotiating, it was accepted by all parties that at times these rights needed to be qualified in the general public interest, whether that is to prevent and detect crime, safeguard legal professional privilege or journalists’ sources, or in this case maintain an effective system of immigration control. A number of articles of the GDPR therefore make express provision for such derogations, including article 23, which enables restrictions to be placed on certain rights of data subjects. Given the extension of data subjects’ rights under the GDPR, it is necessary that we include in the Bill an express targeted exemption in the immigration context. The exemption would apply to the processing of personal data by immigration officers and the Secretary of State for the purposes of maintaining effective immigration control or the detection and investigation of activities which would undermine the system of immigration control. It would also apply to other public authorities required or authorised to share information with the Secretary of State for either of those purposes.
It is important that it is clear to the Committee what paragraph 4 of Schedule 2 does not do. It emphatically does not set aside the whole of the GDPR for all processing of personal data for all immigration purposes. The opening words of paragraph 4 make it clear that only “the listed GDPR provisions” may be set aside. The listed GDPR provisions are those set out in paragraph 1 of Schedule 2. The provisions in question relate to various rights of data subjects as provided for in chapter 3 of the GDPR, such as the rights to information and to access to personal data, and to two of the data protection principles: those relating to fair and transparent processing and the purpose limitation. Except to that extent, all the data protection principles, including those relating to the lawfulness of processing, data minimisation, accuracy, storage limitation, and integrity and confidentiality will continue to apply. So too will all the obligations on data controllers and processors, all the safeguards around cross-border transfers and all the oversight and enforcement powers of the Information Commissioner. The latter is particularly relevant here as it is open to any data subject affected by the provisions in paragraph 4 of Schedule 2 to lodge a complaint with the Information Commissioner, which the commissioner is then obliged to investigate.
Moreover, paragraph 4 does not give the Home Office carte blanche to invoke the permitted exceptions as a matter of routine. The Bill is clear: the exceptions may be applied only to the extent that the application of the rights of data subjects or the two relevant data protection principles,
“would be likely to prejudice … the maintenance of effective immigration control, or … the investigation or detection of activities that would undermine the maintenance of effective immigration control”.
This is a significant and important qualification. The noble Lord, Lord Clement-Jones, asked why we have not listed exactly what we mean by,
“the maintenance of effective immigration control”.
The maintenance of that control does not merely encompass physical immigration controls at points of entry but, more generally, the arrangements made in connection with a person’s entry into and stay within the United Kingdom. A system of effective immigration control depends on our ability to control the entry and stay of those who wish to come to our country; to identify those who should not be admitted; and to pursue enforcement action against those who are liable to removal for failure to comply with restrictions and conditions on their stay, or otherwise in the public interest.
To use the example of the right conferred by article 15 of the GDPR, each subject access request would need to be considered on its own merits. We could not, for example, and would not want to limit the information given to visa applicants as to how their personal data will be processed as part of that application. Rather, the restrictions would bite only where there is a real likelihood of prejudice to immigration controls in disclosing the information concerned. It is equally important to dispel one other myth. Some of the briefing I have seen on this provision suggests that it creates new information-sharing gateways. This is simply not the case. As I have indicated, Schedule 2 sets out certain exceptions from the GDPR; it does not in and of itself create new powers to share data between data controllers. However, where personal data is shared between controllers for the limited immigration purposes specified in paragraph 4, it does mean that the data subject does not need to be notified if to do so would be prejudicial to the maintenance of effective immigration control.
It may assist the Committee if I explain the kind of information that it might be necessary to withhold from data subjects, and offer a couple of examples of the circumstances requested by the noble Baroness, Lady Hamwee, where to do so would be necessary to maintain the effectiveness of our immigration controls. The classes of information which the Home Office may need to withhold include a description of the data held, our data sources, the purposes for which the data was held, and details of the recipients to whom the data has been disclosed. There will be circumstances where the disclosure to data subjects of such information could afford them the opportunity to circumvent our immigration controls. Two examples will, I hope, help to illustrate where the disclosure of such information may have precisely the adverse effect.
First, in the case of a suspected overstayer, if we had to disclose in response to a subject access request what we are doing to track their whereabouts with a view to effecting administrative removal, it is clearly possible that they might then be able to evade enforcement action. A second example relates to circumstances where we seek to establish the legitimacy of a particular claim, such as an extension of leave to remain in the UK, and suspect that the claimant has provided false information to support that claim. In such a case, we may contact third parties to evidence the claim. If we are then obliged to inform the claimant that we are accessing records held by third parties, they may abscond and evade detection. Such procedures may then become common knowledge and further undermine our ability to maintain effective controls.
Immigration is, naturally, a very sensitive subject area and a topic of huge importance to the public, to the economic well-being of this country and to the social cohesion of our society. Being able to effectively control immigration is, therefore, in the words of the GDPR,
“an important objective of general public interest”.
As I have indicated, having a new data protection regime which seeks to give broader rights to data subjects is to be welcomed. But in an area as sensitive as the immigration system, we need to make appropriate use of the limited exemptions available to us so that we can continue to maintain effective control of that system in the wider public interest.
I hope that I have been able to satisfy noble Lords that this provision is necessary and proportionate. It is not the wholesale carve-out of subject access rights that some have suggested but a targeted provision wholly in line with the discretion afforded to member states by the GDPR, and it is vital to maintaining the integrity of the immigration system.
Having given this provision a good airing, I hope the noble Lord, Lord Clement-Jones, will feel happy to withdraw his amendment.
My Lords, there is a lot that demands careful reading and careful thought. I have three questions which I can raise now. First, in the examples which the Minister gave it struck us on these Benches that she was talking about things which are, in fact, criminal offences being dealt with under Part 3, which is the law enforcement part of the Bill.
Secondly, how is all this applied in practice? How does the controller know about the purposes? I am finding it quite difficult to envisage how this might work in real life. Thirdly, the Minister referred to the lawfulness of processing. I wonder whether this is not circular because paragraph 4, in disapplying listed provisions—by the way, I think those listed provisions include many which are very important indeed—makes it lawful, so I have a bit of a problem around that. Of course, I and others will carefully read what the Minister said, but I am sure we will want to return to this at the next stage.
My Lords, I felt entirely comfortable with my noble friend’s examples, but they do not fit with what the Home Office has been doing. What it has done with the national pupil database is not to ask targeted questions when it has a problem with an individual but to collect the whole lot so that it has the ability to trawl, look at, match and use the whole of the dataset. That is a much more dangerous thing because of the consequences it has for the integrity of the data and for the way in which the lawfulness of gathering it is questioned. It is that sort of practice that troubles me. I had not read this clause in the narrow way in which my noble friend described it. I will obviously go away and read it again carefully, but if she would add a letter to her noble friend’s letter enlarging on why this is a narrow provision and giving us comfort, that would be worth while for me.
I thank my noble friend for that. In the meantime, I think my words should be reread, particularly my point about it not being a wholesale carve-out but quite a narrow exemption. I will write to noble Lords. I thought I might home in on one question that the noble Baroness, Lady Hamwee, asked about relying on this in the investigation, detection and prevention of crime. Of course, that is not always the correct and proportionate response to persons who are in the UK without lawful authority and may not be the correct remedy. I will write to noble Lords, and I hope that the noble Lord will feel happy to withdraw the amendment.
My Lords, I thank the Minister. For a Home Office Minister she has a wonderful ability to create a sense of reassurance, which is quite dangerous. I am afraid that for all her well-chosen words, these Benches are not convinced. In particular, I noticed that she started off by saying, “This is only a very limited measure; it does not set aside everything”. But paragraph 1 sets aside nine particular aspects, all of which are pretty important. This provision is not a pussycat; it is very important.
I thank all those who spoke, including the noble Baroness, Lady Jones, and the noble Lord, Lord Lucas. I thought the support from the noble Lord, Lord Kennedy, for this amendment—I called him the right name this time—was rather more equivocal, and I hope he has not been persuaded by the noble Baroness’s siren song this evening. This is a classic example of the Home Office dusting off and taking off the shelf a provision which it has been dying to put on the statute book for years. The other rather telling point is that the noble Baroness said there is express provision for such derogation in the GDPR. But that is no reason to adopt it—just because it is possible, it is not necessarily desirable. But no, they say, let us adopt a nice derogation of this kind when it is actually not necessary.
As my noble friend pointed out, the Minister has not actually adduced any example which was not covered by existing exemptions, for instance, criminal offences. We will read with great care what the Minister has said, but I do not think that the “Why now?” question has really been answered this evening. In the meantime, I beg leave to withdraw the amendment.
(7 years, 1 month ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, I am thrilled that the day of the noble Lord, Lord Stevenson, has got better, and I hope that at the end of my speech it will get better still. Things are definitely looking up for the noble Lord, I hope.
I will be reasonably brief on this because we have debated other delegated powers before and much of what my noble friend Lady Chisholm said on day two of Committee holds here.
On Amendment 108B, I agree with much of what my noble friend Lord Arbuthnot said. I shall answer the noble Lord, Lord Paddick, in a different way which will address his point. The amendment would prevent the Secretary of State using the delegated power contained in Clause 15 to,
“amend, repeal or revoke the GDPR”.
I am happy to reassure the noble Lord not only that the Government do not intend to use the power in Clause 15 to amend, repeal or revoke the GDPR but that they actively cannot. As the opening line of Clause 15 describes, the power contained in it permits the Secretary of State only to,
“make provision altering the application of the GDPR”.
The noble Lord’s amendment is therefore unnecessary.
Clause 17(1)(a) would allow the Secretary of State to specify in regulations circumstances in which a transfer of personal data to a third country is necessary for an important reason of public interest not already recognised in law. Public interest is one of a number legal bases on which a controller can rely when justifying such a transfer. This is very much a backstop power. In many cases, reasons of public interest will already be recognised in law, so the power is likely to be needed only when there is a pressing need to recognise a particular but novel reason for transferring personal data as being one of public interest. We are wary of any change such as that proposed in Amendment 110B, which may hamper its exercise in emergency situations such as financial crises.
Amendment 180B seeks to amend Part 7 of the Bill to ensure that the power contained in Clause 21 cannot be exercised without consulting the Information Commissioner. The clause is a backstop power which allows the Secretary of State to amend Part 2 of Chapter 3 of the Bill—that is, the applied GDPR and associated provisions—to mirror changes made using Section 2(2) of the European Communities Act 1972 in relation to the GDPR. As I am sure we are all aware, a Bill is being considered in another place that would repeal the European Communities Act, so this power is already specific and time-limited. We are not sure what consulting the Information Commissioner before exercising it would add. However, these points notwithstanding, we are happy to consider the role of Clause 21 and Amendments 110B and 180B in the context of the Government’s response to the Delegated Powers and Regulatory Reform Committee’s recent report on the Bill.
The Government have previously committed to considering amendments substantively similar to Amendment 180A and I am happy to consider that amendment as well. However, I echo what my noble friend Lady Chisholm said about the importance of the law being able to keep up with a fast-moving field.
With those reassurances, I hope the noble Lord will feel able to withdraw the amendment.
It certainly is turning out to be my day. I am grateful to the Minister for his comments. We are perhaps anticipating a further debate that we may have to have on the basis of what the Government intend to take back to the DPRRC, but it is good to have a sense of where the thinking is going, which I am sure we will look at in a sympathetic light. Where he ended up will be an appropriate way of progressing on this point.
On the Minister’s first point in relation to Clause 15, I hesitate to ask because I know he is already burdened, but it would be helpful if he can write to me about subsection (1) because our reading of the line:
“The following powers to make provision altering the application of the GDPR”,
could not, according to what he has said, change the GDPR itself, only the way that it is applied. We may be talking only about nuances of language. Interpretations from the far north, where the noble Lord resides, down to the metropolitan south may well not survive the discussion, so I would be grateful to have something in writing. With that, I beg leave to withdraw the amendment.
My Lords, in moving Amendment 113A I will speak to Amendments 114A, 118A, 119A and 121A. Schedule 6 changes references to “the Union” to “the United Kingdom” and deals with the transposition between the GDPR and the applied GDPR as and when we move beyond Brexit.
The paragraphs to which these amendments relate may be a bit confusing unless we understand the timescale under which they operate. We think that the GDPR, as originally drafted, aims to say that there should be a free flow of information between member states, creating a single market for data flows across the whole of the EU, applied irrespective of the concerns of the various national regimes. Once we leave the EU it hardly seems necessary to have such a provision because it would seem to imply we need to provide powers for data to flow within the United Kingdom. Therefore, the heart of the amendment and of part of this group is the suggestion that this is otiose. Will the Government explain what they are trying to do if it is not about the flow of data within the United Kingdom? If it is, it surely is not needed because we should not have that situation arising.
The concern is not really about whether the Bill refers to Union or domestic law, but which space we are talking about. Are we talking about the United Kingdom or parts of the United Kingdom? Will different rules apply in Jersey, Guernsey and the Isle of Man? These are all the issues that regularly come up about the United Kingdom. By focusing too narrowly on this we raise a danger that we might be overcomplicating what should be a relatively straightforward issue. I beg to move.
My Lords, it is a great pleasure to speak on these amendments, which cover the applied GDPR. Before I address them directly, it is worth recalling that the purpose of the applied GDPR is to extend GDPR standards to those additional areas of processing that are outside the scope of EU law and not covered separately in Parts 3 and 4 of the Bill. The benefit of taking this approach is that it avoids relevant controllers and processors needing to adapt their systems to two different sets of standards, or even needing to know which set of standards they should be applying. However, if the need for such analysis arises, it is crucial that the data subjects and controllers and processors are clear about their respective rights and obligations.
In such circumstances, reference to text that contains concepts that have no meaning or practical application for processing out of scope of EU law will result in confusion and uncertainty. So, while the intention of the applied GDPR is to align as closely as possible with the GDPR, Schedule 6 adapts the GDPR’s wording where necessary so that it is clear and meaningful. It is important to remember that the GDPR does not apply to such processing, so the creation of equivalent standards under UK law is a voluntary measure we are making in the Bill.
In particular, paragraph 4 of Schedule 6—the subject of Amendment 113A—replaces references to such terms as “the Union” and “member state” with reference to the UK. This simply clarifies that, unlike the GDPR itself, the applied GDPR is a UK-only document and should be read in that context. References to “the Union” et cetera are at best confusing and at worst create uncertainty for the small number of controllers whose processing is captured by the applied GDPR. Paragraph 4 provides important legal clarity to them and, of course, to the Information Commissioner. The United Kingdom in this context refers to England, Wales, Scotland and Northern Ireland only, in accordance with Clause 193.
Paragraph 8, the subject of Amendment 114A, limits the territorial application of the applied GDPR so that it is consistent with that for Parts 3 and 4 of the Bill, as set out in Clause 186, without the EU-wide, and indeed extraterritorial, application of the GDPR itself. As we have touched on in a previous debate, the applied GDPR will apply almost exclusively to processing by UK public bodies relating to areas such as defence and the UK consular services. Controllers in these situations either are in the UK or, if overseas, are not offering goods and services to those in the UK. As such, there is simply no need for the applied GDPR to have the same EU-wide or extraterritorial application as the GDPR.
Article 9.2(j) of the GDPR provides for a derogation for processing of special categories of personal data for archiving and research purposes, and references the need to comply with the safeguards set out in Article 89 when conducting such processing. The Bill makes full use of this derogation, so paragraph 12(f) of Schedule 6, the subject of Amendment 118A, tidies up the drafting of Article 9.2(j) for the purposes of the applied GDPR so that, rather than setting out the need for derogation, it refers directly to the relevant provisions in the Bill.
Paragraph 27, the subject of Amendment 119A, removes certain requirements on the Information Commissioner relating to data protection impact assessments on the grounds that those provisions exist mainly or wholly to assist the European Data Protection Board in ensuring consistent application among member states. There is clearly no need for such consistency in respect of the applied GDPR—a document which exists only in UK law—and the Information Commissioner will in any case undertake very comparable activities in respect of the GDPR itself. Paragraph 46(d), the subject of Amendment 121A, simply makes further provision to the same end, both specifically in relation to data protection impact assessments and more broadly. I hope that, with those reassurances, the noble Lord will feel able to withdraw his amendment.
I am grateful to the Minister for that very full response. I shall read it in Hansard, because there is a lot of detail in it, but I want to make sure that I have got the essence of it to help in subsequent discussions.
On Amendment 113A, I think the Minister’s argument was that the provision was mainly a tidying-up and voluntary measure which was not required by the GDPR but was being done by the Government as a matter of good practice to make sure that data controllers in particular—I suppose it would apply also to data subjects—do not have to keep worrying about how the rules might change once we get to Brexit or later. I understand that point. I think he also clarified that this was a UK mainland rather than a total-UK situation —again, it is helpful to have that clarification.
Perhaps I may ask the Minister about extraterritoriality —our second favourite word. The implication from discussion on a previous set of amendments was that the requirements under the GDPR for extraterritorial application—so that when companies are not established in the EU, they need to have a representative here—will be dropped once we leave the EU. I worry that that would make it harder for data subjects in particular to gain access to data held by data controllers from extraterritorial companies—we have one or two in mind —if a representative is not required to be in the UK. I wonder whether the Minister might reflect on that.
On Amendment 119A, I think that the Minister said that the reason for the original requirement for data protection impact assessments was to satisfy any concern that the European Data Protection Board might have that the same standards were not being applied equally in all EU countries. That is fine, and if we leave the EU, it would not apply. Am I right in assuming that the ICO effectively takes the place of the European Data Protection Board in that respect and that to some extent the question of whether comparability is operating throughout the EU is also true of the United Kingdom? Would there not be a case for maintaining the board in that case? I do not know whether the Minister wants to respond in writing or today.
I think it would be sensible to reply in writing, just because I want to get it right. It would be more useful for noble Lords to get a letter.
I thank the Minister for that offer, I look forward to a letter and I beg leave to withdraw the amendment.
114: Page 157, line 28, at end insert— “(including paragraph 3(1)”
My Lords, from these Benches we also have some concerns about the national security and defence exemption. My noble friends Lord Clement-Jones and Lord Paddick have their names to a clutch of amendments to Clauses 24 and 26, and to a replacement for Clause 25—these are Amendment 124C and so on. These amendments essentially probe what Clause 24 means and question whether the requirements for national security certificates are adequate.
My first question is: what processing is outside the scope of EU law, and so would fall within Part 2 and not within Parts 3 and 4, the parts of the Bill on law enforcement and the intelligence services? Many of these amendments were suggested to us by Privacy International and one or two by Big Brother Watch. Those who know about these things say that they do not know what certificates exist under the current regime, so they do not know what entities may benefit from Clauses 24 to 26. However, Privacy International says that in their current form certificates are timeless in nature, lack transparency, are near impossible to challenge and offer overly broad exemptions from data protection principles, and all the rights of the data subject.
My second question is: what are “defence purposes”? That phrase does not feature in the interpretation clause of the Bill. The Explanatory Notes, in referring to the 1998 Act, refer to the section about national security. Is defence not a national security matter? There are very broad exemptions in Clause 24 and Privacy International even says that the clause has the potential to undermine an adequacy decision. For us, we are not convinced that the clause does not undermine the data protection principles—fairness, transparency, and so on—and the remedies, such as notification to the commissioner and penalties.
I note that under Clause 25(2)(a), a certificate may identify data,
“by means of a general description”.
A certificate from a Minister is conclusive evidence that the exemption is, or was, required for a purpose of safeguarding national security, so is “general description” adequate in this context?
Amendment 124L proposes a new Clause 25 and is put forward against the background that national security certificates have not been subject to immediate, direct oversight. When parliamentary committees consider them, they are possibly tangential and post hoc. Crucially, certificates are open-ended in time. There may be an appeal but the proposed new clause would allow for an application to a judicial commissioner, who must consider the Minister’s request as to necessity and proportionality—words that I am sure we will use quite a bit in the next few hours—applying these to each and every provision from which exemption is sought. The Committee may spot that this could owe something to the Investigatory Powers Act.
Amendment 137P takes us forward to Part 3, the law enforcement part of the Bill. Clause 77(5) gives individuals the right to appeal against a national security certificate, but individuals will not know that they have been subject to such a national security certificate if the certificate itself takes away the specific rights which would require a controller or a processor to inform individuals that there was such a restriction in effect against them. The whole point of a right to access personal information and, on the basis of that, the right to appeal against a restriction, does not seem to us to work. The amendment provides for informing the data subject that he is a subject to a certificate.
Amendment 148C is an amendment to Part 4, which is the intelligence services part of the Bill. Clause 108 refers to an exemption being “required” for the purposes of national security. Our amendment would substitute “necessary”, which is a more objective test. I might require something to be done, but it might not be necessary. It is more subjective. Amendment 148D would—I note the irony here—require a certificate because Clause 109 seems not to require it, although the certificate itself would be conclusive. Finally, Amendment 148H is our response to the Constitution Committee, which recommended that the Government clarify the grounds of appeal for proceedings relating to ministerial certificates under Clause 109, other than judicial review. We have set out some provisions which I hope will enable the Minister to respond to the committee’s recommendation.
My Lords, I thank all noble Lords who have spoken to these amendments on the scope of the national security and defence exemptions in Parts 2 and 4 and the provisions in respect of national security certificates.
Amendments 124A, 124M and 124N relate to the exemption in Clause 24 for defence purposes. Amendments 124A and 124N seek to reinstate wording used in the Data Protection Act 1998 which used the term “combat effectiveness”. While it may have been appropriate for the 1998 Act to refer to “combat effectiveness”, the term no longer adequately captures the wide range of vital activities that the Armed Forces now undertake in support of the longer-term security of the British islands and their interests abroad and the central role of personal data, sometimes special categories of personal data, in those activities. I think that is what the noble Lord was requiring me to explain.
Such a limitation would not cover wider defence activities which defence staff are engaged in, for example, defence diplomacy, intelligence handling or sensitive administration activities. Indeed, the purpose of many of these activities is precisely to avoid traditional forms of combat. Yet without adequate provision in the Bill, each of the activities I have listed could be compromised or obstructed by a sufficiently determined data subject, putting the security, capability and effectiveness of British service personnel and the civilian staff who support them at risk.
Let me be absolutely clear at this stage: these provisions do not give carte blanche to defence controllers. Rights and obligations must be considered on a case-by-case basis. Only where a specific right or obligation is found to be incompatible with a specific processing activity being undertaken for defence purposes can that right or obligation be set aside. In every other circumstance, personal data will be processed in accordance with GDPR standards.
Amendment 124M probes the necessity of the applied GDPR’s article 9 exemption for defence purposes. Article 9 provides for a prohibition on processing of special categories of personal data. If we did not modify the application of article 9 for defence purposes, we would be hampering the ability of the Armed Forces to process certain personal data, for example, biometric data. This could have a detrimental impact on operations and other activities carried out by the Armed Forces.
I firmly believe that it is in the UK’s national interest to recognise that there may sometimes be a conflict between the individual’s right to have their personal data protected and the defence of the realm, and to make appropriate provision in the Bill to this end. I think that the noble Baroness, Lady Hamwee, asked about the publication of security certificates. National security certificates are public in nature, given that they may be subject to legal challenge. They are not secret and in the past they have been supplied if requested. A number are already published online and we will explore how we can make information about national security certificates issued under the Bill more accessible in future. She also asked about the timelessness of these certificates. They are general and prospective in nature, and arguably no purpose would be served by a requirement that they be subject to a time limitation. For example, in so far as a ministerial certificate allows the intelligence services to apply a “neither confirm nor deny” response to a subject access request, any certificate will inevitably require such a provision.
Amendments 124C, 124D, 124E, 124F, 124P and 148E seek to restrict the scope of the national security exemption provided for in Parts 2 and 4 of the Bill. I remind the Committee that Section 28 of the Data Protection Act 1998 contains a broad exemption from the provisions of that Act if the exemption is required for the purpose of safeguarding national security. Indeed, Section 28 provides for an exemption on such grounds from, among other things, all the data protection principles, all the rights of data subjects and all the enforcement provisions. Although we have adopted a more nuanced approach in the Bill, it none the less broadly replicates the provisions in the 1998 Act, which have stood the test of time. Crucially, under the Bill—as under the 1998 Act—the exception can be relied upon only when it is necessary to do so to protect national security; it is not a blanket exception.
It may assist the Committee if I provide a couple of examples, first in the context of Part 4, of why the exemption needs to be drawn as widely as it is. Clause 108 includes an exemption from Clauses 137 to 147 relating to information, assessment and enforcement notices issued by the Information Commissioner. It may be necessary for an intelligence service to apply this exemption in cases of extreme sensitivity or where the commissioner requested sensitive data but was unable to provide sufficient assurances that it would be held securely enough to protect the information.
In relation to the offence of unlawfully obtaining personal data, much intelligence work involves obtaining and then disclosing personal data without the consent of the controller. For example, if GCHQ intercepts personal data held on a foreign terrorist group’s computer, the data controller is the terrorist group. Without the national security exemption, the operation, although authorised by law, would be unlawful as the data controller has not consented. Similarly, reidentification of deidentified personal data may be a valuable source of intelligence if it can be reidentified. For example, an intelligence service may obtain from a computer a copy of a list of members of a terrorist group who are identified using code names, and from other sources the service believes that it can tie the code names to real identities.
The need for a wide-ranging exemption applies equally under Part 2 of the Bill. Again, a couple of examples will serve to illustrate this. Amendment 124C would mean that a controller processing data under the applied GDPR scheme could not be exempted from the first data protection principle as it relates to transparency. This principle goes hand in hand with the rights of data subjects. It cannot be right that a data subject should be made aware of a controller providing information to, say, the Security Service where there are national security concerns, for example because the individual is the subject of a covert investigation.
To take another example which touches on Amendment 124D, it is wholly appropriate to be able to limit the obligation on controllers under article 33 of the applied GDPR to disclose information to the Information Commissioner where the disclosure would be damaging to national security because, say, it would reveal the identity of a covert human intelligence source. As is the case under Part 4, this exemption would be applied so as to restrict the information provided to the commissioner, not to remove entirely the obligation to report appropriate details of the breach.
I hope that this has given the Committee a flavour of why the national security exemption has been framed in the way that it has. As I have indicated, the Bill’s provisions clearly derive from a similar provision in the existing Data Protection Act and are subject to the same important qualification: namely, that an exemption may be applied in a given case only where it is required for the purpose of safeguarding national security.
My Lords, the noble Baroness’s clarification of these probing amendments is very helpful. As we have heard, a competent authority in this context of the Bill means a person as specified in Schedule 7, to the extent that the person has functions for law enforcement purposes.
Amendments 124Q and 124R would add useful clarifications that the persons listed in Schedule 7 come under the same classification as “any other person” referred to in Clause 28(1)(b) and the persons listed in Clause 28(3)(b). That would be a useful clarification in the Bill.
I do not support Amendment 124S in the name of the noble Baroness, Lady Hamwee, but support the three government amendments in the name of the noble Lord, Lord Ashton of Hyde. As I say, I do not support Amendment 124S, which makes the case for Amendments 124Q and 124R even more important.
I support the amendment that would add police and crime commissioners to the schedule, and the other amendments in the group which would widen the definitions, as that would be very useful. I look forward to the noble Baroness’s response to the points that have been raised.
The co-pilot is in charge of this leg of the legislative journey, so there may be some turbulence.
I am very grateful to the noble Baroness for her explanation of these amendments. I particularly welcome what she said at the beginning of her remarks—namely, that these were probing amendments designed to improve the style. We are all in favour of improving style. Having read previous Hansards, I know that there has been broad cross-party support for the Bill’s provisions, particularly this part of it. I know that the Liberal Democrat Benches are particular enthusiasts for enshrining in UK law the provisions of the EU law enforcement directive.
As the noble Baroness has indicated, this group of amendments relates to the definition of various terms used in Part 3, including that of a competent authority and the meaning of “profiling”. I also welcome the contribution of the noble Lord, Lord Kennedy, in support of some of the amendments.
The scope of the law enforcement processing regime is provided for in Part 3 of the Bill. Unlike Part 4, which applies to all processing of personal data by the intelligence services, the scheme in Part 3 is purpose-driven. The Part 3 scheme applies to processing by competent authorities, as defined in Clause 28, for any of the law enforcement purposes, as defined in Clause 29. This approach is clear from a reading of Part 3 as a whole. For example, each of the data protection principles in Clauses 33 to 38 refers to processing for any of the law enforcement purposes.
The definition of a competent authority needs to be viewed in that context. Competent authorities will process personal data under the scheme in Part 3 only where such processing is for one of the law enforcement purposes. If they process data for another purpose, as the noble Baroness indicated—for example, for HR management purposes—the processing would be undertaken under either the GDPR or applied GDPR scheme, as the case may be. That would be the default regime. I am not sure there is a case for yet another regime on top of the two we already have. As paragraph 167 of the Explanatory Notes to the Bill makes clear, a government department will be a competent authority for the purposes of Part 3 only to the extent that it processes personal data for a law enforcement purpose. For example, where DWP processes data in the course of investigating criminal offences linked to benefit fraud, it will do so as a competent authority.
The approach we have taken in Schedule 7 is to list all the principal law enforcement agencies, including police forces, prosecutors and those responsible for offender management, but also to list other office holders and organisations that have law enforcement functions supplementary to their primary function. For example, the list in Schedule 7 includes some significant regulators. We should remember that the definition of “law enforcement purposes” includes the “execution of criminal penalties”, as set out in Clause 29. That being the case, it is entirely appropriate to list contractors providing offender management services. I hope this explanation deals with Amendment 129A. As I explained a moment ago, where such contractors process data for a non-law enforcement purpose—again, an example given by the noble Baroness—they will do so under the GDPR or applied GDPR scheme.
Schedule 7 is not, and is not intended to be, a wholly exhaustive list, and other organisations with incidental law enforcement functions will come within the scope of the definition of a competent authority by virtue of Clause 28(1)(b). Police and crime commissioners, to which Amendment 127A relates, may be a case in point, but if they process personal data for a law enforcement purpose, they will do so as a competent authority by virtue of Clause 28(1)(b). The government amendments in this group should be viewed against that backdrop.
Since the Bill was introduced, we have identified a number of other organisations that it would be appropriate to add to the list in Schedule 7, and Amendments 125, 126, 128 and 129 are directed to that end. Government Amendment 127 modifies the existing entry in respect of the independent office for police conduct in recognition of the fact that under the reforms we are making to the Independent Police Complaints Commission, the director-general will be the data controller of the reformed organisation.
The amendments to Clause 31 all seek to amend the definition of profiling. First, Amendment 129C seeks to include “attributes” in the definition of profiling, which currently refers to “aspects”. The existing wording reflects the terminology used in the LED, which is clear. In any event, the two words do not differ much in substance, so little is gained by the proposed addition.
In Amendment 129B and Amendments 129D to 129F the noble Baroness seeks to widen the definition of profiling so that it is not restricted to “certain” areas of profiling or to the aspects listed. However, the personal aspects itemised in the definition are not intended to act as an exhaustive list, and the inclusion of the words “certain” and “in particular” do not have this effect. The list refers to those aspects considered of most importance to profiling. Again, for these reasons, these amendments are not necessary. I think the noble Baroness conceded that we were simply replicating the existing terminology.
I hope I have been able to reassure her on these points and that she will be content to withdraw her Amendment 124Q and support the government amendments.
My Lords, to take that last point about certain areas of profiling first, obviously I did not make myself clear, as I want the opposite of what the Minister read me as wanting. I want to be clear that I do not want to leave areas for doubt, so I sought to restrict rather than to extend.
On police and crime commissioners, I am a little baffled as to why, if so many other organisations which have some functions that are about law enforcement are included, police and crime commissioners should be left to rely on Clause 28(1)(b) rather than being included specifically.
Finally, yes, we are enthusiasts for incorporating the directive. We want to be clear that the incorporation works. Should I talk for another moment or two in case a message is coming? There was a thumbs up to that suggestion. We are great enthusiasts for certain things that the EU is proposing—I am being a little flippant and this will read terribly badly in Hansard. As I said at the start, all this is so that we may be assured—and this is the stage at which to do it—that what is being incorporated works in the way that reading the words as a sort of narrative suggests.
Some in-flight refuelling has arrived. The noble Baroness made a valid point about why we had added certain organisations to Schedule 7 but not the police and crime commissioners. We will reflect on that between now and Report.
I am grateful for that. I beg leave to withdraw the amendment.
My Lords, as the noble Baroness, Lady Hamwee, said in her opening remarks, the amendments in this group relate to the data protection principles as they apply to law enforcement processing.
I will deal first with the amendments in the name of the noble Baroness, Lady Hamwee, before moving on to the others. Amendments 129G and 129H would add a requirement that processing under Part 3 be transparent as well as lawful and fair, thus mirroring the data protection principles set out in Parts 2 and 4 of the Bill. There is a very simple explanation for the difference of approach. The GDPR and the Council of Europe Convention 108, on which the provisions of Parts 2 and 4 are based, are designed for general processing. Therefore, it is wholly appropriate in that context that the processing of personal data should be transparent. Of course, that data protection principle, as with certain others, will apply subject to the application of the exceptions provided for in Parts 2 and 4, including where necessary to safeguard national security. At first glance, I accept that it might seem odd that Part 4 of the Bill, which relates to processing by the intelligence services, contains a requirement for transparency, but the provisions in Part 4 must be compliant with the modernised Convention 108. As I have said, that data protection principle will operate subject to the application of the exceptions provided for in that part.
In contrast, Part 3 of the Bill reflects the provisions of the law enforcement directive, which is designed to govern law enforcement processing; in this context, it is appropriate that the transparency requirement should not apply. A requirement that all such processing be transparent would, for example, undermine police investigations and operation capabilities. That is not to say that controllers under Part 3 will not process data transparently where they can, and Chapter 3 of this part imposes significant duties on controllers to provide information to data subjects.
Amendments 129J and 133ZJ are not about a popular Saturday night television programme, but about the significance of the word “strictly” in the context of Clause 33(5). Our approach here, and elsewhere, has been to copy out the language of the law enforcement directive wherever possible. Article 10 of the LED uses the phrase “strictly necessary”. The noble Baroness asked whether references in Part 3 to “necessary” and “strictly necessary” should be interpreted differently. That must be the case: “strictly necessary” is a higher threshold than “necessary” on its own.
Amendment 130A brings us back to the report of the Delegated Powers and Regulatory Reform Committee, which was the subject of some debate on day two of Committee. As the noble Baroness, Lady Chisholm, indicated in response to that debate, we are carefully considering the Delegated Powers Committee’s report and will respond before the next stage of the Bill.
Amendment 133ZB would replace the term “legitimate” in Clause 34—which establishes the second data protection principle—with the phrase “authorised by law”. I do not believe that there is any material difference between the two terms. Moreover, “legitimate” is used in both the GDPR and the LED, so for that reason we should retain the language used in those instruments to avoid creating legal uncertainty.
The noble Baroness asked about ECJ case law, post Brexit. The European Union (Withdrawal) Bill sets out how judgments of the Court of Justice of the European Union are to be treated by domestic courts and tribunals after exit day. Clause 6 of that Bill draws a distinction between pre-exit and post-exit CJEU case law. Domestic courts and tribunals are not bound by post-exit case law but may have regard to it if they consider it appropriate. In contrast, pre-exit case law is binding on most domestic courts and tribunals in so far as it is relevant to questions pertaining to retained EU law. The Supreme Court and, in some circumstances, the High Court of Justiciary are, however, not bound. They may depart from pre-exit CJEU case law by reference to the same test that applies when they decide whether to depart from their own case law.
Amendment 133ZD seeks to strike out the reference to “where relevant” in Clause 36(3), which requires a controller to make a distinction between different categories of data subjects, such as suspects, convicted offenders and victims. There may well be a case where it simply would not be relevant for a controller to draw such a distinction. If a controller processes data in respect of only one of the categories of data subject, there is evidently no need for this provision.
Amendment 133ZE seeks to simplify the drafting of Clause 36(4). I do not believe the definitions in Clause 2 support the case for this amendment. Clause 2 defines processing, which includes disclosure, but it does not provide a general definition of disclosure, so it is preferable to retain the language in Clause 36(4).
Amendment 133ZK would introduce a requirement on controllers to publish their policy documents relating to sensitive processing. Such policy documents may contain operationally sensitive information that could well be damaging if published. Given this, scrutiny of such documents by the Information Commissioner, where necessary, provides an appropriate safeguard.
I turn to the amendments tabled by the noble Lord, Lord Kennedy, and articulated by the noble Lord, Lord Stevenson. Amendment 133ZA would remove archiving from the list of conditions for processing sensitive data. Law enforcement agencies often archive data for public protection purposes. However, it is right that sufficient safeguards should be in place, particularly concerning sensitive data. The Bill achieves this by permitting archiving only where it is necessary.
The noble Lord asked in what circumstances archiving would be carried out for a purpose connected with law enforcement processing. It may be necessary where, for example, a law enforcement agency needs to review historical offences, such as allegations of child sexual exploitation. On this occasion, data have been processed for the purposes of reviewing the approach taken in child abuse cases investigated decades previously.
I am grateful to the noble Baroness for that example. I could have used scientific or historical research. Again, I am not entirely clear why these are law enforcement categories. The general ability to take a derogation relating to either of the items listed is well spelled out in the schedule, but I was trying to address the narrow formulation of that in a law enforcement category. The particular example is fine and it is possible that could be right, but I do not think it applies across science, historical or statistical research. Does it?
It may do if it pertains to law enforcement purposes, but we may be dancing on the head of a very small pin. Perhaps I could come back to the noble Lord, but where it overlaps into the law enforcement sphere I would think it relevant. However, I will write to him to clarify and confirm my thoughts on that.
The noble Lord also asked about retention of data. I am not sure that was on this amendment, but he is right that it is not—
Okay, I will carry on to Amendment 133ZC, which seeks to require that further processing for law enforcement purposes must have a statutory basis. This would prevent further processing in circumstances that are lawful but not provided in statute. It cannot be in the public interest to unduly restrict the use of data that could assist law enforcement to carry out its legitimate functions.
Amendment 133ZF would remove the law enforcement qualification from Clause 36(4). Its purpose appears to be to ensure that inaccurate data cannot be processed irrespective of whether it is for a law enforcement purpose. For processing other than for a law enforcement purpose, the controller must apply Part 2 of the Bill. Also with reference to Clause 36, Amendment 133ZG would insert a requirement that inaccurate data must be erased if it is not corrected. I understand exactly why this might be a fitting addition. However, it will not always be appropriate for law enforcement where data may form part of a criminal case. For instance, it may be important for evidential reasons for data to be kept unaltered. Inaccurate information could also be evidence of perjury or perverting the course of justice.
Amendment 133ZH would require the controller to have in place a document outlining their retention policy, which would have to be made available to the Information Commissioner on request. Clause 42 already provides safeguards, including a duty to inform the subject about the period for which the data will be stored or the criteria used to determine the period. Moreover, in the policing context, there are policy documents already published that cover this ground, such as the College of Policing manual on the management of police information.
Finally, I will deal briefly with the three government amendments in this group, Amendments 131, 139 and 140, for which the noble Lord has stated his support. They relate to Schedules 8, 9 and 10, which set out a number of conditions, at least one of which must be met, where a law enforcement agency processes sensitive personal data, or one of the intelligence services processes any personal data. They clarify that any processing is lawful for the purposes of the exercise of a function conferred on a person by a rule of law as well as by an enactment. This is consistent with the existing scheme under the Data Protection Act 1998.
In the case of the police, the processing of personal data is, in some instances, undertaken utilising common-law powers in pursuit of their function to prevent crime. One such example is the operation of the domestic violence disclosure scheme, or Clare’s law. Under that scheme, a police force may disclose information to a person about a previous violent and abusive offending behaviour of their partner when he or she was in a previous relationship. It is vital that the police can continue to protect people by disclosing sensitive personal information using their common-law powers.
Amendments 139 and 140 to Schedules 9 and 10 respectively ensure consistency of approach across Parts 3 and 4 of the Bill.
To go back to the point about retention of data and the noble Lord’s point about reviewing whether data are still required, appropriate action should follow such a review. The fifth data protection principle makes this clear. If data are no longer required they should be deleted. I am not entirely sure which amendment that refers to, but I hope some of the explanations I have given will ensure that noble Lords and the noble Baroness are content not to press their amendments.
My Lords, the five amendments in this group are all in the name of the noble Baroness, Lady Hamwee, and the noble Lord, Lord Paddick. I should say at the start that I am not convinced by Amendment 133ZL and I look forward to the response of the Government. I am not sure that it is proportionate in respect of law enforcement processing. I had concerns about it before the debate and I have heard nothing to change my mind.
Amendment 133ZM widens the scope of the provisions and I am content with that. I am interested to hear from the Government why the three words to be deleted are so important: perhaps they can convince me of the merits of having them in the Bill.
Amendment 133ZN is proportionate and I happy to support it. I do not support Amendment 133ZP and, again, I have heard nothing yet to convince me otherwise. I await a response from the Government. Amendment 133ZQ seems proportionate to me in respect of the data controller being able to record reasons to restrict provision of information to a data subject and the reasons for refusing requests.
I thank the noble Baroness, Lady Hamwee, for explaining her amendments in relation to the rights of data subjects. Having disappointed her so much in the last group of amendments, I have some very good news: the Government are content to agree to her Amendment 133ZQ. Perhaps it is right that I did not put my name to it, because she can claim full credit for the amendment, which corrects an erroneous cross-reference in Clause 46(6).
I turn to the other amendments in the group, which have a little more substance. Amendment 133ZL seeks to place a duty on controllers to inform individuals without undue delay that they are a data subject. The right of access conferred on data subjects by Clause 43 largely replicates the existing provision in Section 7 of the Data Protection Act 1998, as I think the noble Lord, Lord Kennedy, pointed out. Clause 42 already includes obligations on the controller to provide individuals with information in general terms and in specific cases to enable a data subject to access their rights. We consider that this is the right approach and one which reflects the terms of the LED. We welcome the enhanced rights for data subjects provided for in Part 3, but it is important that such rights are proportionate and that we take account of the resource implications for police forces and other competent authorities. Placing a duty on controllers proactively to notify individuals that they are data subjects would, we believe, place an unnecessary burden on competent authorities. In practice, many individuals will know that their personal data is being processed by a particular controller; where they are unsure they can submit a subject access request. It is important to note that under the new regime subject access requests will generally be free of charge.
Amendment 133ZM seeks to probe the need for the phrase “in specific cases” in Clause 42(2). This phrase, which appears in article 13(2) of the law enforcement directive, is simply designed to distinguish between the duty on a controller, under Clause 42(1), to provide certain general information to data subjects which might be discharged by posting the information on the controller’s website, and the separate duty, in Clause 42(2), to provide certain additional information directly to a data subject to enable them to exercise their rights. Moreover, the information which must be provided under Clause 42(2) may be person-specific and the drafting makes this clear.
Amendment 133ZN seeks to define the term “fundamental rights” as used in Clause 42(4) and elsewhere in this part. This is not the occasion to reopen the debate we had at the start of Committee on article 8 of the European Charter of Fundamental Rights. The Committee will be aware that it is not the Government’s intention to enshrine the charter into UK law. That being the case, and recognising that Part 3 of the Bill provides for a scheme for law enforcement processing which is enshrined in our domestic law, the reference to fundamental rights should be interpreted in accordance with UK law by the UK courts, rather than seeking to enshrine the charter.
In Amendment 133ZP to Clause 42(4)(a), the noble Baroness seeks clarification of what constitutes an “official inquiry”, as opposed to a “legal inquiry”. I start by pointing out that the law enforcement directive uses both terms, and we have followed our usual practice of copying the directive wherever possible. There are, of course, legally constituted inquiries established under the Inquiries Act 2005, but not all official inquiries are formally constituted under that Act. The use of both terms recognises that formally constituted inquiries may take different forms and be conducted by different entities. It is important to emphasise that a controller is subject to the limitations in the opening words of Clause 42(4) and cannot restrict the provision of information simply by virtue of the fact that the information pertains to an inquiry.
I hope that I have been able to reassure the noble Baroness—she certainly looks happier than on the previous group of amendments—and that she will be content to withdraw her Amendment 133ZL. As I have indicated, I will be happy to endorse Amendment 133ZQ when she comes to move it formally.
My Lords, these amendments return us to the issue of automated decision-making, which we debated on Monday, albeit principally in the context of Part 2.
The noble Baroness, Lady Hamwee, has indicated that the purpose of Amendment 134A is to probe why Clause 48(1)(b) is required. Clauses 47 and 48 should be read together. Clause 47 essentially operates to prohibit the controller making a significant decision based solely on automated processing, unless such a decision is required or authorised by law. Where automated decision-making is authorised or required by law, Clause 48 permits the controller to make a qualifying significant decision, subject to the specified safeguards.
A significant decision based solely on automated processing which is not required or authorised by law is an unlawful decision and therefore null and void. That being the case, we should not seek to legitimise an unlawful decision by conferring a right on a data subject to request that such a decision be reconsidered. Should such a decision be made contrary to Clause 47(1), the proper way to deal with it is through enforcement action by the Information Commissioner, not through the provisions of Clause 48.
Amendments 135 and 144 seek to prevent any decision being taken on the basis of automated decision-making where the decision would engage the rights of the data subject under the Human Rights Act. As my noble friend Lord Ashton indicated on Monday when the Committee debated Amendment 75, which was framed in similar terms, such a restriction would arguably wholly negate the provisions in respect of automated decision-making as it would be possible to argue that any decision based on automated decision-making would, at the very least, engage the data subject’s right to respect for privacy under Article 8 of the European Convention on Human Rights.
At the same time, the unintended consequences of this could be very damaging. For example, any intelligence work by the intelligence services relating to an individual would almost certainly engage the right to respect for private life. The effect of the amendment on Part 4 would therefore be to prevent the intelligence services taking any further action based on automated processing, even if that further action was necessary, proportionate, authorised under the law and fully compliant with the Human Rights Act. Where a decision will have legal or similarly significant effects for a data subject, data controllers will be required to notify data subjects to ensure that they can seek the remaking of that decision with human intervention. We believe that this affords sufficient safeguards.
Turning to Amendment 135A, I can assure the noble Baroness, Lady Hamwee, that automated processing does indeed include profiling. This is clear from the definition of profiling in Clause 31 which refers to,
“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual”.
Given that, I do not believe more is needed, but I confirm that there is no significance in omitting the word “profiling”. We did not include a reference to profiling as an example of automated decision-making on the grounds that it is just that, an example, and therefore an express reference to including profiling would add nothing.
Amendment 135B would require controllers to notify data subjects within 72 hours where a qualifying significant decision has been made based solely on automated processing. While it is appropriate elsewhere in the Bill to require controllers to report data breaches to the Information Commissioner, where feasible, within 72 hours, we consider that the existing requirement to notify data subjects of what is a lawful qualifying significant decision as soon as reasonably practicable establishes the need for prompt notification while recognising that there needs to be some flexibility to reflect the operational environment.
Amendment 136A seeks to require the Information Commissioner to appoint an independent person to oversee the operation of automated decision-making under Part 3. I am unpersuaded of the case for this amendment. The Information Commissioner is, of course, already an independent regulator with express statutory duties to, among other things, monitor and enforce the provisions in Part 3, so it is unclear to me why the commissioner should be obliged to, in effect, subcontract her functions in so far as they relate to automated decision-making. Such processing is subject to the commissioner’s oversight functions as much as any other processing, so I do not see why we need to single it out for special treatment. If the argument is that automated processing can have a more acute impact on data subjects than any other forms of processing, then it is open to the commissioner to reflect this in how she undertakes her regulatory functions and to monitor compliance with Clauses 47 and 48 more closely than other aspects of Part 3, but this should be left to the good judgment of the commissioner rather than adding a new layer of regulation.
The noble Baroness asked whether it is 21 days from receipt of notification or another time. Clause 48(2)(b) makes it clear that it is 21 days from receipt.
I have some sympathy for Amendment 137, which requires controllers subject to Part 3, on request, to provide data subjects with the reasons behind the processing of their personal data. I agree that data subjects should, in general, have the right to information about decision-making which affects them, whether or not that decision-making derives from automated processing. However, this is not straightforward. For example, as with the rights to information under Clauses 42 and 43, this cannot be an absolute right otherwise we risk compromising ongoing criminal investigations. If the noble Baroness will agree not to move Amendment 137, I undertake to consider the matter further ahead of Report.
Amendments 142C and 143B in the name of the noble Lord, Lord Stevenson, seek to confer a new duty on controllers to inform data subjects of their right to intervene in automated decision-making. I believe the Bill already effectively provides for this. Clause 95(3) already places a duty on a controller to notify a data subject that a decision about them based solely on automated processing has been made.
Amendments 145 and 146 seek to strike out the provisions in Part 4 that enable automated decision-making in relation to the consideration of contracts. The briefing issued by Liberty suggested that there was no like provision under the GDPR, but recital 71 to the GDPR expressly refers to processing,
“necessary for the entering or performance of a contract between the data subject and a controller”,
as one example of automated processing which is allowed when authorised by law. Moreover, we envisage the intelligence services making use of this provision—for example, considering whether to enter into a contract may initially require a national security assessment whereby an individual’s name is run through a computer program to determine potential threats.
Finally, Amendment 146A would place a duty on the intelligence services to inform the Information Commissioner of the outcome of their consideration of a request by a data subject to review a decision based solely on automated processing. We are not persuaded that a routine notification of this kind is necessary. The Information Commissioner has a general function in relation to the monitoring and enforcement of Part 4 and in pursuance of that function can seek necessary information from the intelligence services, including in respect of automated processing.
I hope again that my detailed explanation in response to these amendments has satisfied noble Lords, and as I have indicated, I am ready to consider Amendment 137 further ahead of Report. I hope that on that note, the noble Baroness will withdraw the amendment.
My Lords, I am grateful for the long response and for the Minister agreeing to consider Amendment 137. As regards oversight of automated processing, which is not quite where I would be coming to as something that was suggested to us, it would be fair to say that the commissioner has a resource issue covering all these developments. Maybe it is something that we will think about further in order to approach it from a different direction, perhaps by requiring some regular reporting about how the development of automated processing is controlled and affecting data subjects. I will consider that, but for the moment I beg leave to withdraw the amendment.
My Lords, Clause 56 anticipates that competent law enforcement authorities may work together, and designates them as “joint controllers”. Clause 56(2) allows them to “determine their respective responsibilities”, although there is an exception when the responsibility is,
“determined under or by virtue of an enactment”.
Amendment 137A would, I suggest, take us a step further by providing that, in any event, if there is a failure to comply with a controller’s statutory obligations, each joint controller is liable—or does this not need to be spelled out? I beg to move.
My Lords, these are narrow but important amendments relating to the liability of joint controllers. I agree with the noble Baroness that there should be clarity as to where liability rests when a controller contravenes the provisions of the Bill. The concept of joint data controllers is not new; indeed, it is recognised in the Data Protection Act 1998. In a similar vein, Clause 56 makes provision for joint controllers under Part 3—the shared responsibility for the police national computer by chief officers is a case in point. Upholding the rights of data subjects is dependent on the clear understanding of responsibilities. Clause 56 requires joint controllers to determine transparently their respective responsibilities so that data subjects know who to look to in order to access their rights or to seek redress. There should be no ambiguity as to who is responsible for compliance with the provisions of Part 3.
The issue of liability is dealt with elsewhere in the Bill. For example, Clause 160 provides that an individual has the right to compensation from a controller if they suffer damage because of a contravention of this legislation. Subsection (4) makes specific provision for joint controllers: it provides that liability for damages flows from the legal responsibility for compliance as determined by an arrangement made under Clause 56. These types of arrangement already exist, and this is as it should be. What matters to the data subject is that the legal position in relation to joint controllers is clear, and Clause 160, read with Clause 56, provides such clarity. I also refer the noble Baroness to Clauses 145, 149 and 158, which make like provision in respect of enforcement notices, penalty notices and compliance orders.
The government amendments in this group, which are technical, address much the same point. As I have indicated, the Bill adopts the principle that a court order in relation to controllers operating under a joint controller arrangement may be made only against the controller responsible for compliance with the relevant provision of data protection legislation. That has to be right, whereas under the noble Baroness’s amendment, they would all be liable, whether or not they were responsible for compliance with the relevant provision. Amendments 143, 147 and 148 are needed to ensure that the principle is carried through when joint controllers are operating under Clause 102 and that the liability of such controllers is clear. Providing such clarity is in everyone’s interests, including data subjects.
I hope I have been able to satisfy the noble Baroness that the position on the liability of joint controllers is clear and that she will be content to withdraw her amendment and support the government amendments.
My Lords, this quite extensive group of amendments relates to the obligations on controllers and processors and the transfer of personal data to third countries. As the noble Baroness, Lady Hamwee, explained, Amendment 137B seeks to probe the necessity for the words “where applicable” in Clause 59(2)(g), which places a duty on a controller to record details of the use of profiling in the course of processing. This wording is transposed directly from Article 24 of the LED—and. to be clear, we are not excluding types of profiling from being recorded. Rather, the clause provides that all profiling is recorded where profiling has taken place. The wording acknowledges that some processing may not involve profiling.
Amendment 137C seeks to add a definition of the word “nature” as used in Clause 62(4). References to the,
“nature, scope, context, and purposes of the processing”,
are found throughout the LED and we have faithfully transposed this. We accept that the nature of the processing does include the aspects set out in the noble Baroness’s amendment, but we do not believe it necessary to set that out on the face of the Bill, and there is a danger that doing so in these terms could unwittingly narrow the scope of this provision. I might add that the Information Commissioner’s Office already publishes guidance on conducting privacy impact assessments and will be issuing further guidance on issues related to the Bill in due course.
Amendment 137D to Clause 63 would confer on the Information Commissioner a power to make regulations specifying further circumstances in which a controller must consult the commissioner before undertaking processing activities. Currently the requirement is for controllers to consult the commissioner when a data protection impact assessment indicates that processing would pose a high risk to the rights and freedoms of data subjects. Clause 63 reflects the provisions in Article 28 of the LED and sets an appropriate threshold for mandatory consultation with the Information Commissioner. This is not to preclude consultation in other cases, but I am unpersuaded that we should go down the rather unusual road of conferring regulation-making powers on the commissioner. Instead, we should leave this to the co-operative relationship we expect to see between the commissioner and controllers and, if appropriate, to any guidance issued by the commissioner.
Amendment 137E seeks to specify the content of the written advice which the Information Commissioner must provide to a controller in the event that she considers that a proposed processing operation would contravene the provisions of Part 3. I do not disagree with the point that the amendment is seeking to make—indeed, it echoes some of what is said at paragraph 209 of the Explanatory Notes—but we believe that we can sensibly leave it to the good judgment of the commissioner to determine on a case-by-case basis what needs to be covered in her advice.
Amendment 137F would expressly require controllers to account for the cost of implementation when putting in place appropriate organisational and technical measures to keep data safe. I entirely agree with the spirit of this amendment; there needs to be a proportionate approach to data protection. However, I refer the noble Baroness to Clause 53(3), which already includes a provision to this effect. On Amendment 137G, we believe the use of the present tense is correct in Clause 66(3)(a) in that the implementation of the measures is ongoing and not set in the past.
Amendment 137H would require a controller to inform the commissioner when they have restricted the information available to data subjects in the event of a data breach. Clause 66(7) is one of four instances in Part 3 where a controller may restrict the rights of data subjects. I do not believe that there is a case for singling out this provision as one where a duty to report the exercise of the restriction should apply. If the commissioner wants information about the exercise of the power in Clause 66(7), she can ask for it.
Amendment 137J seeks to add to the role of data protection officers by requiring them to update the controller on relevant developments in the data protection standards of third countries. I do not deny that awareness of such standards by police forces and others is important for the purposes of the operation of the safeguards in Chapter 5 of Part 3. However, Clause 69 properly reflects the terms of the LED. It does not preclude data protection officers exercising other functions such as the one described in Amendment 137J.
Amendments 137K, 137L and 137M relate to Clause 71, which sets out the general principles for transfers of personal data to a third country or international organisation. The whole purpose of Chapter 5 of Part 3 is to provide safeguards where personal data is transferred across borders. Given that, I am not sure what Amendment 137K would add. Amendment 137L would narrow the circumstances in which onward transfers of personal data may take place with express authorisation from the originator of the data. In contrast, Amendment 137M, in seeking to remove Clause 71(5)(b), would expand those circumstances —which I am not sure is the noble Baroness’s intention. Subsection (5) is a direct transposition of article 35(2) of the LED, so we should remain faithful to its provisions. What constitutes the essential interests of a member state must be for the controller to determine in the circumstances of a particular case—but, here as elsewhere, they are open to challenge, including enforcement action by the commissioner if they were to abuse such provisions.
Amendment 137N would require a controller to pay due regard to any ICO guidance before coming to a decision under Clause 74(2), which relates to the transfer of data on the basis of special circumstances. The Bill already caters for this. Clause 119 places a duty on the commissioner to prepare a data-sharing code of practice and, under the general principles of public law, controllers will be required to consider the code—or for that matter any other guidance issued by the commissioner.
Finally, Amendment 137EA in the name of the noble Lord, Lord Kennedy, and articulated by the noble Lord, Lord Stevenson, seeks to set in statute the retention period for personal data derived from ANPR cameras. ANPR is an important tool used by the police and others for the prevention and detection of crime. I understand that the National Police Chiefs’ Council has recently changed its policy on the retention of ANPR records, reducing the retention period from two years to 12 months. The new policy requires all data not related to a specific case to be deleted after 12 months. This will be reflected in revised national ANPR standards. We know that the Information Commissioner had concerns about the retention of ANPR records and we welcome the decision by the NPCC in this regard.
Given this, I have no difficulty with the spirit of the noble Lord’s amendment, but the detail is too prescriptive and we are not persuaded that we should be writing into the Bill the retention period for one category of personal data processed by competent authorities. The amendment is unduly prescriptive as it takes no account of the fact that there will be operational circumstances where the data needs to be retained for longer than 12 months—in particular, where it is necessary to do so for investigative or evidential purposes.
More generally, I remind the noble Lord that the fifth data protection principle—the requirement that personal data be kept no longer than is necessary—will regulate the retention policies of controllers for all classes of personal data. In addition, Clause 37(2) requires controllers to undertake a periodic review of the need for the continued retention of data. Given these provisions, I am not persuaded that we should single out ANPR-related data for special treatment on the face of the Bill.
I apologise again for the extensive explanation of the amendments, and I hope that noble Lords will be happy not to press them.
Certainly. I feel that I ought perhaps to apologise to the House for the speed at which we have been going; it has caused a bit of a flurry. I know that I have been quite telegraphic in speaking to the amendments. I have possibly been too telegraphic, but I will read the detail of the response, and beg leave to withdraw my amendment.
My Lords, I am grateful to the noble Baroness, Lady Hamwee, for explaining these amendments, which relate to intelligence services processing.
Amendment 137R would provide that sensitive processing for a condition under Schedule 10 was lawful when the condition was not also a condition in Schedule 9. Clause 84 provides that processing is lawful only as long as one of the conditions in Schedule 9 is met, and for sensitive processing one of the conditions in Schedule 10 must also be met. We consider that the two-stage consideration process when processing sensitive personal data is important, as it requires the controller to ensure that conditions in both schedules can be satisfied.
We accept that there is a degree of overlap between some of the conditions provided for in the schedules, but that is necessary. For example, consent is a condition for processing in both schedules, but that reflects the fact that consent may often be the most appropriate grounds for processing personal data, such as when people consent to their sensitive personal data being processed for medical purposes. That position is not new: Schedules 9 and 10 reflect the equivalent Schedules 2 and 3 to the Data Protection Act, both of which provide that consent is a condition for processing. The amendment adds nothing, but has the potential to reduce clarity and is likely to confuse by departing from a well-established, two-stage consideration process.
Amendment 138A, which the noble Baroness said was probing, would restrict the power of the Secretary of State to amend the conditions for sensitive processing set out in Schedule 10 to adding conditions rather than also varying or omitting. The issue was debated in the context of other parts of the Bill last Monday, and I repeat the commitment given by my noble friend to take account of the noble Baroness’s amendment as part of our consideration of the report from the Delegated Powers Committee.
Amendment 139A would remove as a condition for lawful processing under Schedule 9 processing that is necessary for the purposes of legitimate interests pursued by the data controller. In the case of the intelligence services, their legitimate interests are dictated by their statutory functions, including safeguarding national security and preventing and detecting serious crime. I should also add that this is a condition currently provided for in Schedule 2 to the Data Protection Act 1998, so it may not surprise noble Lords that we could not support an amendment that would preclude the intelligence services from processing personal data in pursuance of their vital functions.
Amendment 139B would preclude the processing of personal data by the intelligence agencies in pursuit of their legitimate interests—that is, their statutory functions—whenever the processing prejudices the rights and freedoms or legitimate interests of the data subjects, rather than the current drafting, which prevents such processing in circumstances where it would be unwarranted in any particular case because of prejudice to those rights or interests. This more restrictive approach would mean that the intelligence services would be unable to process personal data in pursuit of their legitimate interests—for example, safeguarding national security—since it could be argued that such processing is likely to engage such rights, in particular the right to respect private life. It would prevent data processing that was otherwise lawful, necessary and proportionate and carried out in full compliance with the Human Rights Act. The ECHR provides that some rights, including the right to private life, are qualified rights, recognising the fact that while a right may be engaged, lawful interference with that right should be permissible in certain circumstances. As a result, this amendment would appear to go further than that required by the ECHR as, whenever a right was engaged, interference would not be possible, even if such interference were lawful, proportionate and necessary. Again, the condition in the Bill replicates the existing condition in Schedule 2 to the Data Protection Act 1998. Given this, I am not aware of any powerful reasons for changing the existing established approach.
Amendment 139C would require the Information Commissioner to be informed when processing is necessary to protect the vital interests of the data subject in circumstances, for instance, where consent cannot be given by or on behalf of the data subject or the controller cannot reasonably be expected to obtain the consent of the data subject. Such processing is a condition for sensitive processing under Schedule 10 and it mirrors precisely the equivalent provisions in Schedule 3 to the Data Protection Act 1998. The amendment does not add to a data subject’s rights nor does it strengthen protections. The processing of personal data in these circumstances already attracts the protections and safeguards provided for in the Bill, including the general oversight of the Information Commissioner. It is therefore in our view unnecessary and, I might add, I am not aware that the Information Commissioner has asked for such a provision.
Amendment 139D—which the noble Baroness was gracious enough to concede that she had not thought through—would limit the processing of personal data in connection with legal proceedings related to an offence or alleged offence. This amendment would have an extremely damaging effect, preventing processing in connection with all other legal proceedings, such as court or tribunal proceedings under this Bill, complaints to the Investigatory Powers Tribunal about unlawful conduct by the intelligence services and assistance with other civil proceedings and inquiries. I am sure that this was not the noble Baroness’s intention. Furthermore, the wording at paragraph 5 of Schedule 10 reflects that currently provided for at paragraph 6 of Schedule 3 to the Data Protection Act, so the Bill goes no further than existing legislation in this respect.
Amendment 140A would remove from Schedule 10 processing personal data necessary for medical purposes as a condition for sensitive processing. However, this is relevant for the intelligence services for straightforward processing of medical data by medical professionals processing the services’ data. An example would be an intelligence service’s occupational health services carrying out fitness for work assessments and providing medical advice. In such circumstances the intelligence service would likely rely on this condition as a lawful basis for the processing. This is to the benefit of both the services as employers and to their employees.
Finally, Amendment 140B relates to Clause 85, which provides for the second data protection principle: the requirement that the purposes of processing be specified, explicit and not excessive. Subsection (4) of the clause provides that processing is to be regarded as compatible with the purpose for which it is collected if the processing is for purposes such as archiving and scientific or historical research. This amendment has the effect of rendering processing compatible only if it was for those specific purposes. I am sure that was not the noble Baroness’s intention given that the amendment would prevent the intelligence services processing personal data in pursuance of their vital statutory functions.
I hope that noble Lords will agree that in relation to these amendments the Bill, with possibly one exception, adopts the right approach. In relation to the possible exception, namely the delegated power in Clause 84, I have reiterated the commitment that we will take account of Amendment 138A when we respond to the report from the Delegated Powers Committee. I therefore ask the noble Baroness to withdraw her amendment.
My Lords, almost all these amendments were probing, except for Amendment 138A, which is how the noble Lord described it—it was distinctly not probing, so I am glad to have had his assurance in that regard. I commented on an earlier group about either the intelligence services or law enforcement—I cannot remember which—being advantaged as against other employers outside their immediate job. It seemed to me from the noble Lord’s comments about medical data that the services would be advantaged as against employers in completely different fields. He gave a long answer, and I am grateful for that; it of course deserves reading and I will do so. I thank him for this comments on Amendment 138A and beg leave to withdraw the amendment.
My Lords, government Amendments 141 and 142 to Clause 90 are technical in nature and simply ensure that the summary description of the rights conferred on data subjects by Chapter 3 of Part 4, as set out in subsection (1), fully itemises each of the relevant rights. I look forward to hearing from the noble Lord, Lord Kennedy, and the noble Baroness, Lady Hamwee, about their amendments in this group and I will respond to them when winding up.
My Lords, I cannot be quite so quick but I will be fairly quick. Amendment 142B concerns Clause 91(3), which states:
“The controller is not required … to give a data subject information that the data subject already has”.
When I read that, I wondered how the controller would know that the data subject had the information. Therefore, my alternative wording would refer to information which the,
“controller has previously provided to the data subject”.
There can therefore be no doubt about that.
Amendment 143A concerns Clause 92, which deals with a right of access within a time limit of a month of the relevant day, as that is defined, or a longer period specified in regulations. What is anticipated here? Why is there the possibility of an extension? This cannot, I believe, be dealt with on a case-by-case basis as that would be completely impracticable and, I think, improper. Is it to see whether experience shows that it is a struggle to provide information within a month, and therefore a time limit of more than a month would benefit the controller, which at the same time would be likely to disbenefit the data subject, given the importance of the information? I hope the Minister can explain why this slightly curious power for the Secretary of State is included in the Bill.
Amendment 146B concerns Clause 97, which deals with the right to object to processing. I might have misunderstood this but I believe that the controller is obliged to comply only if he needs to be informed of the location of data. I do not know whether I have that right, so Amendment 146B proposes the wording,
“if its location is known to the data subject”,
so that the amendment flows through in terms of language, if not in sense. The second limb of Clause 97(2), whereby the data subject is told that the controller needs to know this, suggests this. That enables me to make the point that this puts quite a heavy burden on the data subject.
Amendment 148A concerns Clause 101. I, of course, support the requirement that the controller should implement measures to minimise the risks to rights and freedoms. However, I question the term “minimise”. The Bill is generally demanding in regard to this protection, so to root the requirement in the detail of the Bill the amendment would add,
“in accordance with this Act”.
As regards the test of whether a personal data breach seriously interferes with rights, I suggest this is not as high a threshold as that required by the term “significantly” proposed in Amendment 148B.
Following the noble Lord’s co-piloting analogy, I now say, “Over and out”.
My Lords, I thank the noble Baroness, Lady Hamwee, and the noble Lord, Lord Stevenson, who negated the need for me to speak to Amendment 142A, so I shall not do so.
I turn straight to Amendment 142B. This requires the controller to provide a data subject with specified information about the processing of their personal data unless the controller has previously provided the data subject with that information. This contrasts with the existing approach in Clause 91(3), which provides that the controller is not required to give the data subject information that the data subject already has. Although similar, the shift in emphasis of this amendment could undermine Clause 91(2) by requiring the data controller to provide information directly to the data subject rather than to generally provide it. The effect of this could be to place an undue burden on the controller by preventing them providing such information generally, such as by means of their website.
Clause 92 provides for an individual to obtain confirmation from a controller of whether the controller is processing personal data concerning them and, if so, to be provided with that data and information relating to it. It sets out how an individual would request such information and places certain restrictions and obligations on meeting such requests.
Amendment 142C would add to the information that must be provided to a data subject. I do not believe this amendment is necessary. Clause 91 already provides that the general information that must be provided by a controller is information about how to exercise rights under Chapter 3 of Part 4 and I am sure that the Information Commissioner will put out further information about data subjects’ rights under each of the schemes covered by the Bill.
The purpose of Amendment 142D is to remove the ability of the intelligence services to charge a fee for providing information in response to a request by a data subject in any circumstances. The noble Lord, Lord Stevenson, or the noble Lord, Lord Kennedy—I am not quite sure who it was; I think it was the noble Lord, Lord Stevenson—has contrasted the position in Part 4 with that in Parts 2 and 3 of the Bill, whereby a controller may charge a fee only where the subject access request is manifestly unfounded or excessive. The fact remains, however, that the modernised Convention 108, on which Part 4 is based, continues to allow for the charging of a reasonable fee for subject access requests and we are retaining the power to specify a maximum fee, which currently stands at £10.
It is entirely right that the intelligence services should be required to respond to subject access requests, but we believe it is appropriate to retain the ability to charge because we do not want the intelligence services to be exposed to vexatious or frivolous requests that could impose a significant burden upon Part 4 controllers. As I have said, the modernised Convention 108 allows for the charging of a fee and there is a power in Clause 92 not just to place a cap on the amount of the fee but to provide that, in specified cases, no fee may be charged. I think this is the right approach and we should therefore retain Clause 92(3) and (4).
Amendment 143A would require every subject access request under Clause 92 to be fulfilled within one month and would remove the Secretary of State’s ability to extend the applicable time period to up to three months for any cases. The Delegated Powers and Regulatory Reform Committee has considered this Bill and made no comment on this regulation-making power. In our delegated powers memorandum we explained the need for this provision, and the equivalent power in Part 3 of the Bill, as follows:
“Meeting the default one month time limit for responding to subject access requests or to requests to rectify or erase personal data may, in some cases, prove to be challenging, particularly where the data controller holds a significant volume of data in relation to the data subject. A power to extend the applicable time period to up to three months will afford the flexibility to take into account the operational experience of police forces, the CPS, prisons and others in responding to requests from data subjects under the new regime”.
I hope the noble Baroness would agree that this is a prudent regulation-making power which affords us limited flexibility to take into account the operational experience of the intelligence services in operating under the new scheme.
Before the Minister moves on, I asked whether the power would be used on a case-by-case basis, which I thought was what she was saying, or as a result of overall experience—and then she went on to talk about overall experience. So is it the latter, extending to all cases in the light of experience gathered over a period?
Yes, that is the point I made.
One of the rights afforded by Part 4 is that a data subject can require a controller not to process their personal data if that processing is an unwarranted interference with their interests or rights. If such a request is received, the controller may require further information in order to comply with the request. This includes information so as to be satisfied of the identity of the requesting individual or information so that they can locate the data in question.
Amendment 146B would require the requesting individual to provide information to help the controller locate the data in question only if the individual themselves knows where the data is located. I think we can agree that it is very unlikely that a data subject would know the exact location of data processed by a controller. As such, this change could make it more difficult for a controller to locate the data in question, as the data subject could refuse to provide any information to aid in the locating of their data. This could make it impossible for the controller to comply with the request and would in turn deprive the data subject of having their request fulfilled.
Chapter 4 of Part 4 deals with the obligations of the controller and processor. Controllers must consider the impact of any proposed processing on the rights of data subjects and implement appropriate measures to ensure those rights. In particular, Clause 101(2)(b) requires that risks to the rights and freedoms of data subjects be minimised. Amendment 148A would require that those risks be also dealt with in accordance with the Bill. If I understand the purpose of this amendment correctly and the noble Baroness’s intention is that the broader requirements of Part 4 should apply to any new type of processing, I can concur with the sentiments behind this amendment. However, it is not necessary to state this requirement in Clause 101; all processing by the intelligence services must be in accordance with the relevant provisions of the Bill.
Finally, Clause 106 requires that the controller notify the Information Commissioner if the controller becomes aware of a serious personal breach of data for which it is responsible. A data breach is deemed serious if it seriously interferes with the rights and freedoms of a data subject. Amendment 148B seeks to alter the level at which a data breach must be notified to the commissioner by lowering the threshold from a serious interference with the rights and freedoms of a data subject to a significant interference. The threshold is set purposely at serious so that the focus and resources of the controller and commissioner are spent on breaches above a reasonable threshold. We also draw the noble Baroness’s attention to the draft modernised Convention 108, which uses the phrase “seriously interfere”.
I am mindful that some noble Lords in this Chamber will be utterly perplexed by the subject matter to which we have been referring, so I hope that, with those words, the noble Lord will be sufficiently reassured and will withdraw his amendment.
The answer to that question is that we are not happy with what the Minister said about the ability of the intelligence services, uniquely in this whole area, to charge a fee to discourage people from getting access to the rights which they certainly have under the Act. I sensed that the Minister understands that; perhaps it is a little unfair to say that, as most other noble Lords were not able to see her smile, gently, as she tried to put substance and seriousness into the argument she was using, which was clearly very thin indeed. To make the point, we are relying on a convention which has yet to be signed. That is the fig leaf under which we will be smuggling these ridiculous fees. I urge the Minister to take this back and think again, and I look forward to a further discussion with her if she feels that any more information could be provided.
(7 years, 1 month ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, I have a question about proposed new subsection (2) in Amendment 153, which says that,
“personal data must not be processed unless an entry in respect of the data controller is included in the register”.
That goes a certain distance, but since enormous amounts of personal data in the public domain are not in the control of any data controller, it is perhaps ambiguous as drafted. Surely it should read, “Personal data must not be processed by a data controller unless an entry in respect of the data controller is included in the register”. If that is the intention, the proposed new clause should say that. If it is not, we should recognise that controlling data controllers does not achieve the privacy protections we seek.
Could I ask the noble Baroness to repeat which provision she is referring to?
Subsection (2) of Amendment 153:
“Subject to subsection (3), personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner”.
That would be an adequate formulation if all the personal data being processed was within the control of some data controller. Since much of it is not, the drafting does not quite meet the purpose.
My Lords, I am grateful to the noble Lords for introducing these amendments. Perhaps I may begin by referring to Amendment 153. The requirement set out in the Data Protection Act 1998 for the Information Commissioner to maintain a register of data controllers, and for those controllers to register with the commissioner, was introduced to support the proper implementation of data protection law in the UK and to facilitate the commissioner’s enforcement activity. At the time when it was introduced, it was a feasible and effective measure. However, in the intervening 20 years, the use of data in our society has changed beyond all recognition. In today’s digital age, in which an ever-increasing amount of data is being processed, there has been a correspondingly vast increase in the number of data controllers and the data processing activities they undertake. There are now more than 400,000 data controllers registered with the Information Commissioner, a number which is growing rapidly. The ever-increasing amount and variety of data processing means that it is increasingly difficult and time consuming for her to maintain an accurate central register giving details on the wide range of processing activities they undertake.
The Government believe that the maintenance of such an ever-growing register of the kind required by the 1998 Act would not be a proportionate use of the Information Commissioner’s resources. Rather, as I am sure noble Lords will agree, the commissioner’s efforts are best focused on addressing breaches of individuals’ personal data, seeking redress for the distress this causes and preventing the recurrence of such breaches. The GDPR does not require that a register similar to that created by the 1998 Act be maintained, but that does not mean there is a corresponding absence of transparency. Under articles 13 and 14 of the GDPR and Clauses 42 and 91 of the Bill, controllers must provide data subjects with a wide range of information about their processing activities or proposed processing activities at the point at which they obtain their data.
Nor will there be absence of oversight by the commissioner. Indeed, data controllers will be required to keep records of their processing activities and make those records available to the Information Commissioner on request. In the event of non-compliance with such a request, the commissioner can pursue enforcement action. The only material change from the 1998 Act is that the Information Commissioner will no longer have the burden of maintaining a detailed central register that includes controllers’ processing activities.
I turn now to Amendment 153ZA which would give the Information Commissioner two new duties. The Government believe that both are unnecessary. The first new duty, to verify the proportionality of a controller’s reliance on a derogation and ensure that the controller has adequate systems in place to safeguard the rights of data subjects, is unnecessary because proportionality and adequate safeguards are core concepts of both the GDPR and the Bill. For example, processing is permissible only under a condition listed in Schedule 1 if it is necessary for a reason of substantial public interest. Any provision to require the commissioner to enforce the law is at best otiose and at worst risks skewing the commissioner’s incentives to undertake enforcement action. Of course, if the noble Lord feels that the Bill would benefit from additional safeguards or proportionality requirements, I would be happy to consider them.
The second new duty, to consult on how to support claims taken by UK residents against a data controller based in another territory who has breached their data protection rights, is in our view also unnecessary. As made clear in her international strategy, which was published in June, the Information Commissioner is very aware of the need for international co-operation on data protection issues, including enforcement. For example, she is an active member of the Article 29 Working Party and the Global Privacy Enforcement Network, and her office provides the secretariat for the Common Thread Network, which brings together Commonwealth countries’ supervisory authorities. Only last month, her office led an international sweep of major consumer websites, in which 23 other data protection regulators from around the world participated. Clause 118 of the Bill and article 50 of the GDPR require her to continue that important work, including through engaging relevant stakeholders in discussion and activities for the purpose of furthering international enforcement. Against this background, the Government do not feel that additional prescriptive requirements would add value.
My Lords, I am grateful to the noble Lord. I am just looking through my notes to find the bit that states what determines whether a case is urgent—but, before that, I thought he might like to hear the other things that I have to say.
In addition to the essential role of enforcing data protection law in the UK, the Information Commissioner has a role to play where personal data is processed in accordance with international obligations. We are aware of three cases where the commissioner’s oversight is currently required: the Schengen Information System, the Europol Information System and the Customs Information System. The conventions that establish these systems require the supervisory authority to have free access to national sections.
Clause 117 provides that the commissioner may inspect personal data to fulfil an international obligation, as long as the commissioner notifies the controller and any processor in any case where there is sufficient time to do so. The clause is very similar to Section 54A of the 1998 Act, with one slight change: namely, we have made a general power, which the noble Lord will be pleased to see in the Bill. This is intended simply to eliminate the need to legislate for every system the UK joins or leaves, thereby future-proofing the legislation. The amendment would remove the commissioner’s ability to make such an inspection without prior written notice in cases that the commissioner considers urgent. We certainly expect that the commissioner will not normally need to do that and that it will be the exception rather than the rule. The amendment would therefore be a retrograde step since it changes the position that currently pertains in the 1998 Act.
As to what is and is not urgent—I hasten to add that this has never actually been applied by the Information Commissioner—it is for the Information Commissioner to determine. That is consistent with the existing position, as I mentioned, and it remains appropriate, so that each case can be assessed on its own merits. Of course, if the decision of the Information Commissioner were unreasonable, it would be amenable to judicial review. As I said, there is only one example that we know of when the Information Commissioner has needed to make use of the section at all, which was a routine audit that was not deemed urgent. A hypothetical example might be if the commissioner needed to urgently inspect a system if the need arose in the context of a request for extradition. I hope that the noble Lord is satisfied with my explanation and will feel able to withdraw his amendment.
I thank the Minister; he adequately covered the points and I am happy to withdraw the amendment.
My Lords, I am very grateful to the noble Lord, Lord Stevenson, for tabling this amendment, which allows us to return to our discussions on data ethics, which were unfortunately curtailed on the last occasion. The noble Lord invited me to give him a few choice words to summarise his amendments. I can think of a few choice words for some of his other amendments, but today I agree with a lot of the sentiment behind this one. It is useful to discuss this very important issue, and I am sure we will return to it. The noble Lord, Lord Puttnam, brought the 1931 Highway Code into the discussion, which was apposite, as I think the present Highway Code is about to have a rewrite due to autonomous vehicles—it is absolutely right, as he mentioned, that these codes have to be future-proofed. If there is one thing we are certain of, it is that these issues are changing almost by the day and the week.
The noble Lord, Lord Stevenson, has rightly highlighted a number of times during our consideration of the Bill that the key issue is the need for trust between individuals and data controllers. If there is no trust in what is set up under the Bill, then there will not be any buy-in from the general public. The noble Lord is absolutely right on that. That is why the Government are committed to setting up an expert advisory body on data ethics. The noble Lord mentioned the HFEA and the Committee on Climate Change, which are interesting prior examples that we are considering. I mentioned during our last discussion that the Secretary of State was personally leading on this important matter. He is committed to ensuring that just such a body is set up, and in a timely manner.
However, although I agree with and share the intentions that the noble Lord has expressed through this amendment, which other noble Lords have agreed with, I cannot agree with the mechanism through which he has chosen to express them. When we previously debated this topic, I was clear that we needed to draw the line between the function of an advisory ethics body and the Information Commissioner. The proposed ethics code in this amendment is again straddling this boundary.
Our new data protection law as found in this Bill and the GDPR will already require data controllers to do many of the things found in this amendment. Securing personal data, transparency of processing, clear consent, and lawful sharing and use are all matters set out in the new law. The commissioner will produce guidance, for that is already one of her statutory functions and, where the law is broken, the commissioner will be well equipped with enforcement powers. The law will be clear in this area, so all this amendment will do is add a layer of complexity.
The Information Commissioner’s remit is to provide expert advice on applying data protection law. She is not a moral philosopher. It is not her role to consider whether data processing is addressing inequalities in society or whether there are public benefits in data processing. Her role is to help us comply with the law to regulate its operation, which involves fairly handling complaints from data subjects about the processing of their personal data by controllers and processors, and to penalise those found to be in breach. The amendment that the noble Lord has tabled would extend the commissioner’s remit far beyond what is required of her as a UK supervisory authority for data protection and, given the breadth of the code set out in his amendment, would essentially require the commissioner to become a regulator on a much more significant scale than at present.
This amendment would stretch the commissioner’s resources and divert from her core functions. We need to examine the ethics of how data is used, not just personal data. However, the priority for the commissioner is helping us to implement the new law to ensure that the UK has in place the comprehensive data protection regime that we need and to help to prepare the UK for our exit from the EU. These are massive tasks and we must not distract the commissioner from them.
There is of course a future role for the commissioner to work in partnership with the new expert group on ethics that we are creating. We will explore that further once we set out our plans shortly. It is also worth noting that the Bill is equipped to future-proof the commissioner to take on this role: under Clause 124, the Secretary of State may by regulation require the commissioner to produce appropriate codes of practice. While the amendment has an arbitrary shopping list, much of which the commissioner is tasked with already, the Bill allows for a targeted code to be developed as and when the need arises.
The Government recognise the need for further credible and expert advice on the broader issues of the ethical use of data. As I mentioned last week, it is important that the new advisory body has a clearly defined role focused on the ethics of data use and gaps in the regulatory landscape. The body will as a matter of necessity have strong relationships with the Information Commissioner and other bodies that have a role in this space. For the moment, with that in mind, I would be grateful if the noble Lord withdrew his amendment. As I say, we absolutely understand the reasons behind it and we have taken on board the views of all noble Lords in this debate.
My Lords, do the Minister or the Government yet have a clear idea of whether the power in the Bill to draw up a code will be invoked, or whether there will be some other mechanism?
At the moment, I do not think there is any anticipation for using that power in the near future, but it is there if necessary in the light of the broader discussions on data ethics.
So the Minister believes it is going to be the specially set-up data ethics body, not the powers under the Bill, that would actually do that?
I do not want to be prescriptive on this because the data ethics body has not been set up. We know where we think it is going, but it is still to be announced and the Secretary of State is working on this. The legal powers are in the Bill, and the data ethics body is more likely to be an advisory body.
I thank all noble Lords who have contributed to this debate. It has been a short but high-quality one that has done a lot to tease out some of the issues behind the amendment. I am grateful to the noble Lord, Lord Clement-Jones, for his kind words about what I was saying, but also for reminding me that there were other groups working on this. I absolutely agree that the IEEE is one of the best examples of thinking on this; it may come from a strange source, in the sense that it is a professional body involved more with the electronic side of things, but the wording of the report that I saw was very good and bore very firmly on the issues in this amendment.
So where are we? We seem to be sure that a body will be set up that will be at least advisory in terms of the issues that we are talking about, although I think the Minister was leaving us with the impression that the connection would be made outside the Bill, not within it. That is possibly a bit of a mistake; I think a case is now developing, along the lines set out by my noble friend Lord Puttnam, that we need to see both sides of this in the Bill. We do not need to see the firm regulatory action, the need to comply with the law and the penalties that can be applied by the regulator, the Information Commissioner, but we need to see a context in order to build trust and allow people to understand better what the future growth, change and trends in this area will be, because they are concerned about them. I do not think you can do that if these bodies are completely separate. I suspect we need to be surer about how the connections are to be made, and we will gain if there is in fact a proper connection between the two.
If the Information Commissioner is not to be a moral philosopher—who needs moral philosophers when there are so many around?—she will certainly need to have good advice, which can come only from expertise gathered around the issues that we have been talking about. That is not the same as making sure that she is robust about people applying the law; the difference there is the reason why we want to do that.
The other half of this equation is that it may well be fine for an advisory body to opine about where the moral climate is going and where ethics might take you in practice, but if the companies concerned are not practising what they are hearing, we will be no further forward. Surely a code will have to be devised, whether now or later, to make sure that the lessons learned, the information gathered and the blue sky thinking that is around actually bite on those who are affecting our individuals—whether they be young, vulnerable or adult—and that they are fully compliant with all the aspects of what they have signed up to. We will need to come back to this but, in the meantime, I beg leave to withdraw the amendment.
My Lords, I am grateful to the noble Baroness, Lady Hamwee, for tabling these amendments. I know that the Bar Council has raised similar concerns with officials in my department and I am keen that that dialogue continue.
Before I address the amendments, I would like to say something about the overarching principles in relation to the interaction between data protection and legal professional privilege.
The right of a person to seek confidential advice from a legal adviser is indeed, as my noble friend Lord Arbuthnot said, a fundamental right of any person in the UK and a crucial part of our legal system. The Government in no way dispute that, and I reassure noble Lords that this Bill does not erode the principle of legal professional privilege.
It is true that the Data Protection Act 1998 allows the Information Commissioner to use her powers to investigate alleged data breaches by law firms, and sometimes the information she requests in order to carry out a thorough investigation may contain information which is subject to legal professional privilege. The commissioner recognises the sensitivity of material protected by legal professional privilege and has established processes in place for protecting it. Any material identified by the data controller as privileged is isolated if seized during a search and it is then sent directly to independent counsel for review. Counsel then provides an opinion on whether privilege applies. If counsel decides that the data is not privileged, the data controller can still dispute the Information Commissioner’s right to access that material and has the right to appeal to a tribunal, which will carry out a full merits review.
The Government are seeking only to replicate, as far as possible, in the current Bill the existing provisions relating to legal professional privilege in the 1998 Act. It is, for example, vital that the Information Commissioner retains the power to investigate law firms. They, like other data controllers, can make mistakes. If personal data is lost, stolen or disclosed unlawfully, that can have serious consequences for data subjects. It is right that the Information Commissioner retains the ability to investigate potential breaches by lawyers. They are not above the law.
As a final point of principle before we examine the amendments in detail, it is also worth highlighting that Clause 128 introduces a new requirement for the Information Commissioner to publish guidance on how legally privileged material obtained in the course of her investigations will be safeguarded. There was no similar requirement in the 1998 Act, so in that respect the current Bill actively strengthens protections for legal professional privilege. This has been included because historically the commissioner has found that a minority of those in the legal profession refuse to allow her access to personal data on the basis that it is privileged. The profession has not always understood that it must disclose the data and that the commissioner then has processes and procedures to protect that data. This guidance will make it clearer to the legal profession that robust safeguards are in place.
I turn to the amendments in this group. As I have said, Clause 128 provides that the Information Commissioner must publish guidance on the safeguards in relation to legally privileged communications. Amendments 161A and 161B would amend subsection (1) to clarify that any guidance published by the commissioner should cover the handling of any “confidential legal materials” as well as any communications between legal adviser and client. Amendment 161D would then introduce a wide definition of “confidential legal materials”. This, in our view, is unnecessary. I have no doubt that the Information Commissioner will interpret this to include draft communications.
Bills have grown in length over the years and, if we were to cover off permutations and combinations of processing and preparatory work such as this in every clause, we would be debating this Bill until next summer. We would also, through overdefinition, create more worrying loopholes.
Amendment 161C would make further provision about the purposes of the guidance published by the Information Commissioner. It has been suggested that the aim of the guidance should be to make it clear that nobody can access legally privileged material without the consent of the client who provided the material in the expectation that it would be treated in confidence. As I have already said, it is vital that the Information Commissioner retains the ability to investigate, and this amendment would call that into question because an investigation could not happen if the client withheld consent. I hope that the reassurances I have already given about the lengths to which the Information Commissioner will go to keep any confidential information safe are sufficient on that point. We are clear that the commissioner must have the right to investigate.
I said I would return to the issue of the Information Commissioner’s enforcement powers and the interaction with legal professional privilege. When there is a suspected breach of the data protection legislation, the commissioner has a number of tools available to aid her investigation. The commissioner can use information notices and assessment notices to request information or access filing systems, use enforcement notices to order a data controller to stop processing certain data or to correct bad practices, and issue monetary penalty notices to impose fines for breaches of the data protection legislation. However, we understand from the commissioner that the powers to issue assessment notices and information notices are rarely used because controllers tend to co-operate with her request. There are, however, a number of restrictions on the use of these enforcement powers where they relate to legally privileged information. In relation to information notices these are set out in Clause 138, and in relation to assessment notices they are set out in Clause 141. The restrictions ensure that a person is not required to provide legally privileged information. The concept of legal privilege is therefore preserved, although it may be waived by the controller or processor.
Amendments 162A, 162B, 162C, 163ZA and 163ZB intend to broaden the restrictions in Clauses 138 and 141 regarding information and assessment notices so that they apply explicitly to all legally privileged communications, not just those which concern proceedings under data protection legislation. The Government carefully considered whether these restrictions should apply to a wider range of legally privileged material when we developed the Bill. The current practice is for the ICO to appoint independent counsel to assess all potentially legally privileged material, which is not therefore passed on to the ICO if found to be privileged.
Amendment 163B seeks to apply the same restrictions that apply to assessment and information notices to enforcement notices. While we understand that this amendment derives from a concern that there may be a gap in the enforcement notice provisions, as there is currently no reference in those provisions to protecting legal professional privilege I can reassure noble Lords that such provision is unnecessary because, unlike information and assessment notices, enforcement notices cannot be used to require a person to provide the commissioner with information, only to require the controller to correct bad practice.
Finally, I turn to Amendment 164B, which aims to add to the list of matters in Clause 148 that the Information Commissioner must consider when deciding whether to give a data controller a penalty notice and determining the amount of the penalty. If a legal adviser failed to comply with an information or assessment notice because the information concerned was legally privileged, it would require the Information Commissioner to take this into account as a mitigating factor when deciding whether to issue a penalty notice and setting the level of financial penalty. Clause 126 specifically provides that the duty of confidence should not preclude a legal adviser from sharing legally privileged material with the Information Commissioner. As I have previously explained, there are strict procedures in place to protect privileged material.
We have given all these amendments careful consideration, but I hope that I have convinced the Committee that the Bill already strikes the correct balance between the right to legal professional privilege and the rights and freedoms of data subjects. With that, I hope that the noble Baroness feels able to withdraw her amendment.
My Lords, indeed I will. The Minister mentioned continuation of dialogue. That, of course, is the right way to address these things, but I believe the Bar Council seeks to do what he says the Bill does: replicate the current arrangements.
If it is not necessary to provide specifically for confidential material, I suspect those who drafted these amendments may want to look again at the definition of “privileged communications” to see whether it is adequate. I do not believe they would have gone down this route had they been content with it.
On the amendments that would extend protections to all legally privileged material, not just data protection items—Amendment 162A and so on refer to any material—I am not clear why there is a problem with the extension under a regime such as the one the Minister described. That would catch material and deal with it in the same way as any other. I do not know whether there is a practical problem here.
On Amendment 164B the Minister directed us to Clause 126. Again, I am not sure whether he is suggesting there might be a practical problem. It seems an important amendment, not something that should be dealt with by reading between the lines of an earlier clause. However, I will leave it to those who are much more expert than I am to consider the Minister’s careful response, for which I thank him. I beg leave to withdraw the amendment.
My Lords, I thank the noble Lord for introducing his amendments, which touch on the fees that the Information Commissioner will be able to charge under the new regime. Noble Lords will recall that we discussed similar issues during the passage earlier this year of what became the Digital Economy Act. Perhaps I may start with some of the general points made by the noble Lord and then go on to address his specific amendments. I agree absolutely that this is a bigger issue than just the amendments; it is the question of how the Information Commissioner, to whom we have given these very important duties, will be able to sustain an effective service. I can assure the noble Lord that we are aware of and understand the specific problem he outlined about staff. In fact, I was present at a meeting three or four weeks ago at which we discussed that exact subject. Part of the issue to deal with that will, I hope, be addressed in the near future, in ways that I cannot talk about tonight.
On the noble Lord’s general question as to whether it is an adequate system, we believe that the suggested system is flexible enough to deal with the requirements of the Information Commissioner. We realise that increased burdens will be placed on her; at the moment, I believe that her office has not raised its fees for 18 years. Of course, the number of data controllers has risen, so the rate applies to a greater number of people. We will lay some statutory instruments that will deal with the fees for the Information Commissioner in the near future, so I am sure that we will come back to that.
On the specific amendments the noble Lord has tabled, Clause 129 permits the Information Commissioner to charge a “reasonable fee” when providing services to data controllers and other persons who are not data subjects or data protection officers. This is intended to cover, for example, the cost to the commissioner of providing bespoke training for a data controller. Amendment 161E would place a requirement on the commissioner to publish guidance on what constitutes a “reasonable fee” within three months of Royal Assent. We agree that data controllers and others should know what charges they should expect to pay before they incur them. However, the Government’s view is that this is already provided for through Clause 131, which requires that the commissioner produce and publish guidance about any fees that she proposes to charge for services under Clause 129. As there is already a requirement for the commissioner to publish guidance in advance of setting any fees, the Government do not consider a particular deadline necessary.
Amendment 161F would remove Clause 132(2) completely. I am concerned that the amendment would create ambiguity in an area where clarity is desirable. Clause 132 makes provision for a general charging regime in the absence of a compulsory notification regime like that provided in the 1998 Act. Clause 132(2) clarifies that the regime could require a data controller to pay a charge regardless of whether the Information Commissioner had provided, or would provide, a “service” to that controller. This maintains the approach that is currently in force under the 1998 Act—namely, that most data controllers are required to pay a fee to the commissioner whether or not a service is provided to them—and is intended to meet the costs of regulatory oversight.
The consultation on the new charging regime recently closed and the Government intend, as I said, to bring forward regulations setting out the proposed fees under the new regime early in the new year. No final decision has yet been taken in relation to those fees, but, as I committed to during the passage of what became the Digital Economy Act, charges will continue to be based on the principle of full cost recovery and, in line with the current model, fee levels will be determined by the size and turnover of an organisation but will also take account of the volume of personal data being processed by the organisation. That partly addresses the point made by the noble Lord.
Amendment 161G addresses a concern raised by the Delegated Powers and Regulatory Reform Committee that the fees regime established by Clause 132 should not raise excess funds beyond what is required to cover the costs of running the Information Commissioner’s Office. I must confess to a sense of déjà vu; we debated a very similar amendment in the Digital Economy Act. The Government are considering their response to the committee’s report, but they remain concerned that there should be sufficient flexibility within the new fees regime to cover the additional functions that the commissioner will be taking on under the new regime and any other changes that may be dictated by operational experience, once the new regime has bedded in. Indeed, if anything, the merit of having some limited flexibility in this regard is even clearer now than it was in March when we debated the Digital Economy Act.
I confirm once again that charges will be on the basis of full cost recovery. We take on board the point made by the noble Lord, Lord Stevenson, that the commissioner must be able to make sufficient charges to undertake and fulfil the requirements that we are asking of her.
Finally, on Amendment 161H, I can reassure the noble Lord that the Information Commissioner already prepares an annual financial statement, in accordance with paragraph 11 of Schedule 12 to the Bill, which is laid before Parliament. In addition, there may be occasions where the Secretary of State needs up-to-date information on the commissioner’s expenses mid-year—in order, for example, to set a fees regime that neither under-recovers nor over-recovers those costs. That is why Clause 132(5) is constructed as it is.
I hope that I have addressed the noble Lord’s concerns both in general and in particular and that he will feel able not to press his amendments.
My Lords, I do not know whether I am getting confused here. The Minister referred to Clause 132(2), about the power for the Information Commissioner to require data controllers to pay a charge regardless of whether the commissioner has provided, or proposes to provide, a service to the controller. How can that be done if there is to be no requirement for data controllers to register with her?
There is a duty for data controllers to pay a charge to the Information Commissioner in the same way as there is a duty today for data controllers to register with the Information Commissioner. The duty applies in both circumstances. In some cases, some data controllers do not register with the Information Commissioner—they are wrong not to do so, but they do not. In the same way, it is possible that some data controllers may not pay the charge that they should. In both cases, in today’s regime and that proposed, there is a duty on data controllers to perform the correct function that they are meant to perform. Controllers do not all register with the Information Commissioner today, although they should, and may not pay their charges. Under the new regime, they should, and an enforcement penalty is able to be levied if they do not.
I am grateful to the Minister for his full response to the group of amendments. I shall look at it carefully in Hansard before we come back on it. Concerns were expressed in other Committee sittings about the burden placed on charities and SMEs, many of which will find the costs they are now required to pay an additional burden—we have seen some figures suggesting that there will be quite a big drag on some smaller companies. The consultation should at least have identified that concern and the Government will be aware of it. If the three-tier system is to be capable of looking at volumes—the implication of what the Minister said is that big international companies will pay more because the volume of the data they process is much greater—there will be equity in that. We will look at how that progresses, but we seem to be on the right lines.
By and large, the thrust of what I was trying to say is that there needs to be a modern response to this system in terms of what is available out there in the marketplace. If a company is paying Ofcom for the regulatory function it provides, it should not be that different if it is also paying the Information Commissioner for what services it provides, because they are two sides of the same coin. On the DPRRC amendment, I note what the noble Lord said and look forward to his further discussion with the Committee on that point. On the broader question about the ICO, there were two points that were not responded to, but perhaps we can look at that again offline.
The great advantage of the new type of regulator exemplified by Ofcom—there are many more examples—is that it is trusted, not just by government but also by industry, to set its own fees and charges in a businesslike way. Indeed, we get responses all the time about how well Ofcom does in satisfying what is required. Of course, if there is a problem about fees—and the Minister said he is on to it—one solution is to ensure that the ICO has that freedom to set the fees and charges appropriate for the work that needs to be done. I think she is probably in a better place to do that than anyone else.
(7 years, 1 month ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
To answer that last point first, we have supported that in the past and on the right occasion we would probably support it again. But my point is not about the quality of the case made or the correctness of the approach. It is just not the right time to do that. The same answer applies to the noble Lord, Lord McNally. I did not say that we would not support him if he brought this back at Report. I am simply saying that, at this particular point, I want to use this debate to focus on something else and that is why I am trying to approach the issue in this way. I hope that noble Lords will bear with me before my voice gives up finally. I hope that I can allow that to ring out so that noble Lords can be inspired by it. That is a faint hope.
Underneath the debate that we have had today are some really important questions. I will pose them quickly in the hope that we will get a response from the Minister. It is really important that the noble and learned Lord uses this opportunity to set out very clearly what the Government’s position is on a number of these key points. Is the regime that currently applies to the press, as set out in the Data Protection Act 1998, still the case in the Bill? In other words, has the regime that has worked well since 1998 been changed in any way by its transposition into this Bill? If it has not, he has to be very clear that that is the case. The case that has been made suggests that, in the rewriting and repositioning of Clause 164, something has happened that has alerted everyone to the point, which was made very well by the noble Viscount, Lord Colville, and the noble Lord, Lord Black. I do not think that that was what we understand to be the case, and certainly I and my noble friend Lord Griffiths have asked for chapter and verse on this so that we can be sure that what we are seeing is exactly what the current law is. That is a straightforward question.
Secondly, we need to be persuaded, if we have not been already, that either the technology or the working practices in print journalism in particular, but also in relation to how print journalism is now often paired up with moving image technologies, has produced such a step-change in the way they operate that the additional defences proposed by the noble Lord, Lord Black, or the additional protections that might be needed by victims, which are so important and relevant, do not need to be brought into the Bill. The case has been made, the charge is there, and the Government must come back and tell us what arrangements have been made.
Thirdly, does the fact that many, but not all, direct investigations of a journalistic type are now done jointly with an audio-visual component, so that we have combinations between major newspapers and television broadcasters or even film, mean that we now have in perpetuity dual regulation, in which case the approach taken by Ofcom has to sit with the regulations under the Data Protection Act 1998 or the Data Protection Bill when it becomes law? If that is the case, we have a problem that needs to be confronted. We have one post hoc regulatory structure and one that is mainly post hoc but has an element, albeit restricted and on a narrow basis, in print journalism. If the way the world is moving suggests that everyone doing this work will have to be involved with two regulators, the Government’s Bill does not take that trick and we will need to come back to the point.
Fourthly, what is it about print journalism which is so different that it requires there to be a predetermination capacity for the ICO compared with the situation when the same work, and possibly the same output, is done under Ofcom? My noble friend Lord Puttnam and the noble Baroness, Lady Stowell, made the point that the difference is that the media in this country are very strongly regulated. There are codes, statutory frameworks and editors who are clearly responsible for them and work to them well. However, a different situation pertains here. That does not mean to say that it should be applied across all the outputs involving investigative journalism, but it must be said that if there was in existence a robust, independent and effective press complaints system which enjoyed the confidence of victims, perhaps we would make better progress on the particular issues which have been raised today. That is the point on which we must focus as regards where we might go with this. I hope that when the noble and learned Lord comes to respond, he can bring some light to this issue.
My Lords, I am obliged to all noble Lords for their contributions this afternoon. I would hope that recent debates, particularly in Committee on the Bill, have assured noble Lords that the Government are absolutely committed to preserving the freedom of the press and maintaining the necessary balance between privacy and freedom of expression in our existing law that has generally served us well over many years.
Perhaps I may take some of the amendments in turn. The first, Amendment 163A, was brought forward by my noble friend Lord Black. It asks that the Bill should require that greater consideration be given to the right to freedom of expression and information when the Information Commissioner is exercising her enforcement powers. Amendment 164A would require the commissioner to consider, for example, any other financial penalties imposed by another regulator as a result of failure—a point that was touched on tangentially by the noble Lord, Lord Stevenson, in his closing remarks.
I hope that my noble friend Lord Black agrees that it is important that any amendments in this space do not impact disproportionately on the commissioner’s resources and her ability to execute her regulatory functions in an effective manner. I will give further consideration as to whether these amendments meet that test. I will address my noble friend’s contribution on this point in Hansard and the Government will reflect upon it. I do not hesitate because I am making a concession; I am merely making an observation.
Taking up the point made by the noble Baroness, Lady Stowell, does the Minister agree that we are introducing, for the first time, vetting of material before it is broadcast, a power that even Ofcom, the regulator set up by government for broadcasting, does not have? Ofcom regulates only after the event. Surely this is a dramatic new intervention.
The noble Lord makes a perfectly good observation about this provision. It brings me to one of the questions posed independently and neutrally by the noble Lord, Lord Stevenson, on whether the provisions of the Bill as drafted simply implement the provisions of the 1998 Act or extend its provisions. The answer is that they do not change the regime found in the 1998 Act except in respect of Clause 164(3)(c). I acknowledge the significance of that provision and I am happy to look again at that issue in light of the expressions of concern I have heard from around the Committee about it.
Some noble Lords also questioned the need for the provision of assistance in special purposes proceedings. Under Clause 165, individuals who are a party, or a prospective party, to special purposes proceedings may apply to the commissioner for assistance in those proceedings. For the application to be accepted, the commissioner must be convinced that the matter is of substantial public importance. There is, as I have implied, an equivalent provision in the 1998 Act. I understand that it has only ever been used once. In my respectful submission, that in itself indicates the effectiveness of the provision. It is not necessary because people know it is there and can be relied on, but only if that very high test of substantial public importance is met. Therefore, we consider it appropriate to retain this as a safeguard for data subjects. It is, I respectfully suggest, an important contributor to maintaining the balance between privacy and freedom of expression that has to underlie all these provisions.
Amendment 179A, spoken to by the noble Baroness, Lady Hollins, would require the Government to establish an inquiry with terms of reference similar to those contained in part 2 of the Leveson inquiry, but in relation to data protection only. As I have mentioned, a consultation was launched to look at Section 40 of the Crime and Courts Act 2013, which also asked whether proceeding with part 2 of the inquiry was still appropriate, proportionate and in the public interest. As I stated previously, it is the Government’s intention to publish a response to that consultation by Christmas; therefore, we do not believe that this amendment is appropriate, given the decisions that are currently being taken on that matter.
My Lords, the Minister stated that the response to the consultation will be published before Christmas. Can he further reassure the Committee that it will be published before Report so that noble Lords can reconsider their amendments?
I am obliged to the noble Baroness. It is the Government’s intention that the consultation response should be published before Christmas. I cannot say that it will be published before Report but we will keep noble Lords advised of any decision with regard to a specific date for publication.
If is not to be published before Report, would it be possible for me to meet the Minister to discuss these matters?
I am certainly open to any meeting that the noble Baroness would wish to engage in to discuss these matters. In so far as I am able to inform her, and indeed the Committee, of developments, I will seek to do so.
Just to be helpful to the Committee, if it was published after Report, does the Minister agree that it would be perfectly reasonable to have a Third Reading amendment to reflect whatever has come out of that response?
With respect to the noble Lord, I am not the litmus test of reasonableness—at least, I have been told that in the past.
Would the Minister perhaps agree that it would be highly advantageous to the Government—it would be in the Government’s interest—for the response to the consultation to be published before Report? If it is, its contents might well incline those of us who support these amendments to think again about them, whereas if we do not have the benefit of the Government’s response, we may be obliged to carry amendments that the Government would not wish to be carried.
I quite understand the force of the noble Lord’s observations. Nevertheless, I am not in a position to say that the response will be available for publication before Report. I am afraid that we have to proceed on that basis. It may have consequences such as those set out by the noble Lord, and we will have to address those in due course. I am afraid that I cannot go further on this point.
Finally, I come to some of the observations of the noble Lord, Lord McNally, who spoke to his Amendments 185E and 185F. I begin by saying that I have no wish to disappoint either the gentleman on the Clapham omnibus or the noble Lord himself. Therefore, I will endeavour to address the questions that he raised as fully as I can. I take account of his commendable intention to peruse Hansard over breakfast and to come to a view as to whether or not I have fully responded to his points.
Amendments 185E and 185F seek to make the unlawful obtaining of personal data a criminal offence with a custodial sentence of up to two years under Clause 175. Of course we recognise the seriousness of any offence that is committed in this context. That is why it is important that proper thought is given to the introduction of any changes which would seek to put in place custodial penalties that could remove people’s liberty. Under the coalition Government, in March 2011, the noble Lord, Lord McNally, said that the Government would not commence prison sentences for Section 55 offences but would continue to keep the matter under review. At that time Ministers agreed to pursue non-custodial options, instead of a custodial option, including encouraging the use of the Proceeds of Crime Act 2002 and making the offences recordable. Indeed, it is this Government’s intention in this Bill that the offences should now be made recordable. That is addressed in Clause 178.
Again, this is one of those complex areas where we have to achieve a balance between competing rights and obligations. We believe that, for the reasons I sought to set out earlier, we are achieving the right balance with the provisions in the Bill. I hope that the noble Lord will feel open to not moving his amendment.
My Lords, I will consider that point in a few moments, but I am much reassured that the noble and learned Lord has more respect for the man on the Clapham omnibus than he seems to have for BBC lawyers. That is a step forward.
No inference can be drawn regarding the considerable respect in which I hold the legal advisers of the BBC.
If I may put the record straight, it was not a BBC lawyer who advised me.
My respect for all lawyers remains undiminished.
As the noble Lord, Lord Stevenson, observed, some issues of fundamental importance underlie this; I refer not just to press freedom but to fundamental rights. I therefore have welcomed the contributions to this debate, but I hope that at this time the noble Lord, Lord Black, will feel it appropriate to withdraw his amendment.
Can the noble and learned Lord tell us of any precedent for a Government undertaking a consultation exercise before commencing a provision in a recent Act of Parliament?
I am not immediately reminded of any precedents, but principle often caps precedent.
My Lords, I thank all those who have taken part in this thoughtful and important debate—despite the fact that it is the first time I have been likened to someone who has murdered his parents, thwarted the will of Parliament and, according to the noble Lord, Lord Puttnam, is the personification of all the sins of the media. I regret that, given the seriousness of the issues for the academic, literary and artistic worlds, we have yet again had a debate which has largely been dominated by press regulation. We have been round this course so many times that even Sir Mo Farah would have been exhausted by now.
I am inclined to agree with the noble Lord, Lord Stevenson, that this is not really the place to debate press regulation. We should wait to see what the consultation says. Like other noble Lords, I am grateful for confirmation from the noble and learned Lord that we will have a response by Christmas.
There were two very important speeches. The noble Baroness, Lady Stowell, talked about the profound change—I shall get my bit of Latin in again—from post hoc to ex ante. We cannot underestimate the scale of the impact of that across the media, and it is right that the noble and learned Lord should look at that. The noble Viscount, Lord Colville, also made some very powerful comments about the serious implications for investigative broadcast journalism. His point about how the Armstrong Sunday Times case would have been impacted by the Bill was a vivid example of the mischief that currently sits in it.
I am very grateful to the noble and learned Lord for saying that he will look at the issues raised, particularly by Amendments 163, 164A and 170B, and also at Clause 164(3)(c). It has caused concern around the Committee, and he confirmed that it is a change since the 1998 Act that will have profound implications. On that note, I beg leave to withdraw the amendment.
My Lords, I am grateful to all noble Lords who have spoken on this very important clause. I agree very much with the noble Lords, Lord Clement-Jones and Lord Stevenson, that these are important issues which we need to consider. The amendments seek to amend Clause 162, which introduces the offence of re-identifying data that has been de-identified. I will start by giving some background to this clause because, as noble Lords have mentioned, this is new to data protection legislation.
Pseudonymisation of datasets is increasingly commonplace in many organisations, both large and small. This is a very welcome development: where sensitive personal data is being processed in computerised files, it is important that people know that data controllers are taking cybersecurity seriously and that their records are kept confidential. Article 32 of the GDPR actively encourages controllers to implement technical and organisational measures to ensure an appropriate level of security, including, for example, through the pseudonymisation and encryption of personal data.
As noble Lords will be aware, the rapid advancement of technology has opened many doors for innovation in these sectors. However, as we continue to be able to do more with technology, the risk of its misuse also grows. Online data hackers and scammers are a much more prominent and substantial threat than was posed in 1998, when the original Data Protection Act was passed. It is appropriate, therefore, that the Bill addresses the contemporary challenges posed by today’s digital world. This clause responds to concerns raised by the National Data Guardian for Health and Care and other stakeholders regarding the security of data kept in online files, and is particularly timely following the well-documented cyberattacks on public and private businesses over the last few years.
It is important to note that the Bill recognises that there might be legitimate reasons for re-identifying data without the consent of the controller who encrypted it. The clause includes a certain number of defences, as my noble friend Lady Neville-Rolfe mentioned. These can be relied on in certain circumstances, such as where re-identification is necessary for the purpose of preventing or detecting crime, to comply with a legal obligation or is otherwise necessary in the public interest. I am aware that some academic circles, including Imperial College London, have raised concerns that this clause will prohibit researchers testing the robustness of data security systems. However, I can confidently reassure noble Lords that, if such research is carried out with the consent of the controller or the data subjects, no offence is committed. Even if the research is for legitimate purposes but carried out without the consent of the controller who de-identified the data in the first place, as long as researchers act quickly and responsibly to notify the controller, or the Information Commissioner, of the breach, they will be able to rely on the public interest defences in Clause 162. Finally, it is only an offence to knowingly or recklessly re-identify data, not to accidentally re-identify it. Clause 162(1) is clear on that point.
I turn to the specific amendments that have been tabled in this group. Amendment 170CA seeks to change the wording in line 3 from “de-identified” to “anonymised”. The current clause provides a definition of de-identification which draws upon the definition of “pseudonymisation” in article 4 of the GDPR. We see no obvious benefit in switching to “anonymised”. Indeed, it may be actively more confusing, given that recital 26 appears to use the term “anonymous information” to refer to information that cannot be re-identified, whereas here we are talking about data that can be—and, indeed, has been—re-identified.
Amendment 170CB seeks to provide an exemption for re-identification for the purpose of demonstrating how the personal data can be re-identified or is vulnerable to attacks. The Bill currently provides a defence for re-identification where the activity was consented to, was necessary for the purpose of preventing or detecting crime, was justified as being in the public interest, or where the person charged reasonably believes the activity was, or would have been, consented to. So long as those re-identifying datasets can prove that their actions satisfy any of these conditions, they will not be guilty of an offence. In addition, we need to be careful here not to create defences so wide that they become open to abuse.
Amendment 170CC seeks to add to the definition of what constitutes re-identification. I agree with the noble Lord that current techniques for re-identification involve linking datasets. However, we risk making the offence too prescriptive if we start defining exactly how re-identification will occur. As noble Lords, including the noble Lord, Lord Clement-Jones, mentioned, as technology evolves and offenders find new ways to re-identify personal data, we want the offence to keep pace.
Amendment 170E seeks to add an extra defence for persons who achieve approval for re-identifying de-identified personal data after the re-identification has taken place. The current clause provides a defence where a person acted in the reasonable belief that they would have had the consent of the controller or the data subject had they known about the circumstances of the re-identification. Retroactive approval for the re-identification could be relied on as evidence in support of that defence, so we believe that there is no need to provide a separate defence for retroactive consent.
My Lords, I think that the noble Lord is misreading the amendment. As I read my own amendment, I thought it was substitutional.
If we are talking about Amendment 170E, I am certainly prepared to look at that and address it.
That may have been the original intention, but perhaps it was never put properly into effect.
In which case, I will read Hansard, the noble Lord can do so and I am sure we will come to an arrangement. We can talk about that, if necessary.
Amendment 170F seeks to require the commissioner to produce a code of practice for the re-identification offence three months after Royal Assent. We can certainly explore with the commissioner what guidance is planned for this area and I would be happy to provide noble Lords with an update on that in due course. However, I would not like to tie the commissioner to providing guidance by a specific date on the face of the Bill. It is also worth mentioning here that, as we discussed on a previous day in Committee, the Secretary of State may by regulation require the commissioner to prepare additional codes of practice for the processing of personal data under Clause 124 and, given the issues that have been raised, we can certainly bear those powers in mind.
Finally, Amendments 170G and 170H would oblige the commissioner to set standards by which the controller is required to anonymise personal data and criminalise organisations which do not comply. I reassure noble Lords that much of this work is under way already and that the Information Commissioner’s Office has been working closely with government, data controllers and the National Cyber Security Centre to raise awareness about improving cybersecurity, including through the use of pseudonymisation of personal data.
It is important to point out that there is no weakening of the provisions contained in article 5 of the GDPR, which require organisations to ensure appropriate security of personal data. Failure to do so can, and will, be addressed by the Information Commissioner, including through the use of administrative penalties. Some have said that criminalising malicious re-identification would create complacency among data controllers. However, they still have every incentive to maintain security of their data. Theft is a criminal offence but I still lock my door at night. In addition, I am not convinced by the mechanism the noble Lord has chosen. In particular, criminalising failure to rely on guidance would risk uncertainty and unfairness, particularly if the guidance was wrong in law in any respect.
I accept that the issues noble Lords have raised are important but I hope that, in view of these reassurances, the amendment will be withdrawn, and that the House will accept that Clause 162 should stand part of the Bill. There are reasons for wanting to bring in this measure, and I can summarise them. These were recommendations in the review of data security, consent and opt-outs by the National Data Guardian, who called for the Government to introduce stronger sanctions to protect de-identified patient data. People are generally more willing to participate in medical research projects if they know that their data will be pseudonymised and held securely, and the Wellcome Trust, for example, is supportive of the clause. I hope that those reassurances will allow the noble Lord to withdraw his amendment and enable the clause to stand part of the Bill.
I thank the noble Baroness, Lady Neville-Rolfe, and welcome her to her first full session. I am glad that we have been able to reorganise our timings so that she has been able to attend and contribute—something that we have missed until now. I also thank the noble Lords, Lord Lucas and Lord Clement-Jones, for their comments and support for this series of amendments.
There is a whiff of Gilbert and Sullivan about this. We are talking about a technology that has not yet settled down, and about protections which I do not in any way say are wrong. The technology is still developing and still uncertain, and we are told by experts that what the Bill is trying to do cannot happen anyway. The amendments offer the Government the chance to think again about the need to find a progressive path. We set out on what is often a voluntary basis, under the Government’s approach, with a code that works. People are brought in and consulted, and eventually the crime to be committed is defined—until we have that, we really do not have anything—and we try to be respectful of the fact that people would move out of the sector if they felt that their work would be attacked because it was illegal.
I am grateful to the noble Lord for listening to the debates. I hope that we can have a meeting about this to pick up some of the points and take the matter forward from there. I beg leave to withdraw the amendment.
My Lords, I simply wish to associate myself with the comments of the noble Lord, Lord Stevenson, and say that a meeting on this would be helpful. As I said, I hope that we can find a solution. If we cannot, I have reservations about this measure being part of the Bill.
I make it plain to my noble friend—my predecessor in this position—that I will arrange a meeting.
My Lords, I am grateful to the noble Lord, Lord Kennedy, for turning the Committee’s attention to the provisions in Clause 163. The clause makes it a criminal offence for a data controller, or somebody employed by the controller, to deliberately frustrate a subject access request by altering, defacing or destroying information that a person would have been entitled to receive.
This offence is not new. A similar offence was provided for in Section 77 of the Freedom of Information Act 2000. The only difference between the offence in Clause 163 and the offence in the Act is that the latter was limited to the handling of subject access requests by public authorities and their employees and agents, whereas Clause 163 extends this to apply to all controllers.
The noble Lord’s amendment would make it clear that the offence applies where a data subject requests personal data about them contained in a review about workers written by a third party. I am grateful to the noble Lord for explaining the background to the amendment; nevertheless, I submit that it is unnecessary. Article 15 of the GDPR makes it clear that the data subject has the right to obtain from the controller confirmation as to whether data about him or her is being processed, as well as access to that data. Whether a report about the data subject was compiled by a third party or processor acting on the controller’s behalf is irrelevant, as it still amounts to personal data held by the controller.
It is always unacceptable for any controller to destroy or deface personal data with the sole intention of preventing somebody accessing what they were entitled to. That is precisely why Clause 163 creates a criminal offence targeted on that particular activity.
I hope that I have addressed the noble Lord’s concerns. If I have not, of course I will be more than happy to discuss them with him later. Therefore, I hope that he will be able to withdraw the amendment.
I thank the noble Lord for his response. He has not really addressed the point that I was making, so I will be very happy to have a discussion outside the Chamber. This is a real problem that is happening now and I am not convinced that what we have in the Bill will be enough to deal with it. It may well be that my amendment is not in the right place, but there is an issue with people not easily accessing data that is held on them, particularly for the self-employed and others seeking work through various platforms.
If we have misunderstood the noble Lord’s intention behind the amendment, I apologise. As I said, we will be happy to discuss it with him.
I do not think that the noble Lord misunderstood; it is just that there are several issues around the gig economy that we need to look at, and I shall be happy to discuss them outside the Chamber. I beg leave to withdraw the amendment.
My Lords, I am grateful to all noble Lords who have contributed—in particular my noble friend Lord Lucas, who was even briefer than the noble Lord, Lord Clement-Jones. He made his point very succinctly and well.
With the greatest respect to the noble Lords, Lord Stevenson and Lord Clement-Jones—and I do mean that sincerely—during the passage of the 443 amendments in Committee that we are rapidly approaching the end of, we have listened carefully to each other, but in this case I am afraid that we reject Amendments 184 and 185 as being unnecessary. We believe that they are not required because the Bill already provides sufficient recourse for data subjects by allowing them to give consent to a non-profit organisation to represent their interests.
Clause 173, in conjunction with article 80(1) of the GDPR, provides data subjects with the right to authorise a non-profit organisation which has statutory objectives in the public interest and which is active in the field of data protection to exercise the rights described in Clauses 156 to 160 of the Bill. Taken together with existing provision for collective redress, and the ability of individuals and organisations to independently complain to the Information Commissioner where they have concerns, groups of like-minded data subjects will have a variety of redress mechanisms from which to choose. It is not true that when we have large numbers of data subjects they are unable, or too ignorant of their rights, to combine. For example, it is worth noting that more than 5,000 data subjects have brought one such action which is currently proceeding through the courts.
Furthermore, we would argue that the amendment is premature. If we were to make provision for article 80(2), it would be imperative to analyse the effectiveness not only of Clause 173 and article 80(1) of the GDPR but of other similar provisions in UK law to ensure that they are operating in the interests of data subjects and not third parties. We would also need to assess, for example, how effective the existing law has been in dealing with issues such as aggregate damages, which cases brought under article 80(2) might be subject to.
More generally, the Bill seeks to empower data subjects and ensure that they receive the information they need to enforce their own rights, with assistance from non-profit organisations if they wish. The solution to a perceived lack of data subject engagement cannot be to cut them out of the enforcement process as well. Indeed, there is a real irony here. Let us consider briefly a claim against a controller who should have sought, but failed to get, proper consent for their processing. Are noble Lords really suggesting that an unrelated third party should be able to enforce a claim for not having sought consent without first seeking that same consent?
We should also remember that these not-for-profit organisations are active in the field of data subjects’ rights; indeed, the GDPR states that they have to be. While many—the noble Lord, Lord Clement-Jones, mentioned Which?—will no doubt have data subjects’ true interests at heart and will be acting in those best interests, others will have a professional interest in achieving a different outcome: raising their own profile, for example.
I know that these amendments are well intentioned and I do have some sympathy with the ambition of facilitating greater private enforcement to complement the work of the Information Commissioner. But, for the reasons I have set out, I am not convinced that they are the right solution to the problems identified by noble Lords, and I therefore urge the noble Lord to withdraw his amendment.
My Lords, I am baffled by the Minister’s response. The Government have taken on board huge swathes of the GDPR; in fact, they extol the virtues of the GDPR, which is coming into effect, as are many of its articles. Yet they are baulking at a very clear statement in article 80(2), which could not be clearer. Their prevarication is extravagant.
The noble Lord will admit that the GDPR allows member states to do that; otherwise, it would have been made compulsory in the GDPR. The derogations are there to allow member states to decide whether or not to do it.
To summarise, we have chosen not to adopt article 80(2) because the Bill is based on the premise of getting consent—but these amendments are saying that, regardless of what the data subject wants or whether they have given consent, other organisations should be able to act on their behalf without their consent. That is the Government’s position and I hope that noble Lords will feel able not to press their amendments.
I thank the Minister for his honesty and transparency—but not for the content. Like the noble Lord, Lord Clement-Jones, I find this very odd. Is it not true that when early consultations on the Bill were carried out, the consultation included the possibility that article 80(2) would be implemented—in other words, that the derogation would be accepted—and responses were gathered on that basis? That is what we were told by some of those who were consulted. Therefore, the Government must have had a formal change of mind, either based on their own whim or because they received substantial contributions from very important people who felt that these things should not go forward. I would be interested to follow that up with the Minister, perhaps in another meeting.
I do think this is very strange. Here is an opportunity to win friends, get people on side and offer them something that will be really helpful. We have heard about children; and there are other vulnerable people who are not experts in these areas, for whom a little extra help was promised by the Government because they felt that that would be right. The idea that, in some senses, this would empower a whole industry of people to manufacture claims to get at data holders seems completely ridiculous.
If we look at the comparable arrangements in the consumer field that I tried to draw the Minister’s attention to, we see very strict rules about the levels at which super-complaints can be made: they must be proportionate, relevant and have evidence of support from a wider group of people that allows them to go forward. We are not talking about an open-ended commitment—that would be daft—but when we look at the best way to combat bad practice that affects particular vulnerable groups and is being practised by people who should not do it, this must be in our armoury. We will certainly come back to this—but in the interim, I beg leave to withdraw the amendment.
My Lords, the Bill creates a comprehensive and modern framework for data protection in the UK. The importance of these data protection standards continues to grow—a point that has not been lost on noble Lords, nor the Government. That is why the Government have tabled Amendments 185A, 185B, 185C and 185D, which provide for a framework for data processing by government.
Inherent in the execution of the Government’s function is a requirement to process significant volumes of personal data, whether in issuing a passport or providing information on vulnerable persons to the social services departments of local authorities. The Government recognise the strong public interest in understanding better how they process that data. The framework is intended to set out the principles and processes that the Government must have regard to when processing personal data.
All government and public sector activities require some form of power to process personal data, which is derived from both statute and common law. In light of the requirements of the GDPR, such processing should be undertaken in a clear, precise and foreseeable way. The Government’s view is that the framework will serve further to improve the transparency and clarity of existing government data processing. The Government can, and should, lead by example on data protection. To that end, the proposed clauses provide the Secretary of State with the power to issue guidance in relation to the processing of personal data by government under existing powers. As I have already stated, government departments will be required to have regard to the guidance when processing personal data.
The Government have consulted the Information Commissioner in preparing the amendment and will, as required in Amendment 185A, consult the commissioner before preparing the framework. The Government are keen to benefit from the commissioner’s expertise in this area and to ensure that the framework does not conflict with the commissioner’s codes of practice. The guidance should provide reassurance to data subjects about the approach that government takes to processing data and the procedures it follows when doing so. It will also help to strengthen further the Government’s compliance with the GDPR’s principles. I beg to move.
My Lords, government Amendments 185A, 185B, 185C and 185D add four fairly substantial new clauses to the Bill on the last day of Committee. I can see the point made by the Minister when he moved the amendments, but it is disappointing that they were not included right at the start. Have the Government just thought about them as a good thing?
The Delegated Powers and Regulatory Reform Committee has not had time to look at these matters. I note that in Amendment 185A, the Government suggest that regulations be approved by Parliament under the negative procedure. I will look very carefully at anything that the committee wants to bring to the attention of the House when we look at these matters again on Report. I am sure the committee will have reported by then.
I will not oppose the amendments today, but that is not to say that I will not move some amendments on Report—particularly if the committee draws these matters to the House’s attention.
My Lords, I want to echo that point. There is time for reflection on this set of amendments and I sympathise with what the noble Lord, Lord Kennedy, said.
My Lords, I am grateful for those comments. We understand that the DPRRC will have to look at the powers under the clause. As usual, as we have done already, we take great note of what the committee says; no doubt it will opine soon. We will pay attention to that.
My Lords, I have had some help from the officials, saying, “We debated this earlier”—which was not very helpful. I am not even sure that it was me who debated it, so I am afraid that I will have to look at what the noble Lord said. I do not have the facts at my fingertips. I will certainly write to him and put a copy of the letter in the Library.
(7 years ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, it is with some degree of anticipation that I open the debate on the first day of Report on this Bill with amendments relating to the EU Charter of Fundamental Rights. While we have, in the great tradition of this House, managed to discuss and settle many of our differences over recent weeks while debating this legislation, it was this topic, concerning the charter, where we first found ourselves at odds, really since arguments at the other end of the Palace were sent here to tease us.
Since we last considered this matter, the European Union (Withdrawal) Bill has been making progress in the other place. On 21 November, there was an extensive debate on the future of the charter. My honourable friend the Minister of State for Justice and my honourable friend the Solicitor-General explained at length that the charter is not the original source of the rights contained within it; it was only intended to catalogue rights that already existed in EU law. Those rights, codified by the charter, came from a wide variety of sources, including the treaties, EU legislation and, indeed, case law, which recognised fundamental rights as general principles. All those substantive rights, of which the charter is a reflection not the source, will already be protected in domestic law by the European Union (Withdrawal) Bill. It is not necessary to retain the charter in order to protect such substantive rights.
Last week, on 5 December, the Government published a detailed memorandum setting out how each article of the charter will be reflected in UK law after we leave. That document explains in detail how the right to data protection is already reflected in our law. The Government are well aware of the economic benefit of ensuring that, once we have left the EU, we preserve the free flow of personal data with our main trading partners. Indeed, that is one of the guiding principles that underpins this legislation. On 7 August, when we published our statement of intent before we introduced this Bill, we set that out clearly, and we have repeated this time and again. Every amendment that noble Lords have proposed to this Bill has to be considered against that key test. Will it support or will it harm our arguments that we have wholly implemented the necessary data protection reforms to support the free flow of personal data?
There is no doubt in our minds that we have fully implemented the right to data protection in our law. No one has convincingly put forward any counter argument. None the less, our Amendment 1 is designed to provide additional reassurance on this point. Not only will it be clear in the substance of the legislation and all of the statements and announcements around the legislation; it will also be written into the Bill. This Bill exists to protect individuals with regard to the processing of personal data. Personal data must be processed lawfully. Individuals have rights, and the Information Commissioner will enforce those. The Bill does what it says on the tin.
My Lords, I turn first to the amendment of the noble Lord, Lord Stevenson. During the course of the Bill I met the noble Lord frequently, both formally and informally. When I met him two weeks ago he told me that he was working on his Amendment 2 and he had a look of foreboding about him. He said, “Wish me luck”. I had sympathy with his position—I almost felt sorry for him—because this is a legally and constitutionally complex area. Amendment 2 reads well—it sounds attractive and has seductive packaging—but when taken out of that packaging and slotted into this Bill it is not only ineffective but damaging. It is rather like pouring diesel into a petrol engine.
The amendment makes great play of creating a new and freestanding right. Unlike the government version it is not framed within the context of the Bill. It is a wider right. Indeed, it is far wider even than article 8 of the charter. It is not constrained to the context of EU law but applies to everything. It is attractive, perhaps, but it is seriously problematic.
How is the court to interpret this new right? If this was in the context of the Human Rights Act, there is a framework within which to operate, so if a court finds primary legislation to be incompatible with a convention right, it will make a declaration of incompatibility. The Human Rights Act sets out the effect of that finding on the validity, continuing operation and enforcement of the legislation. This simply would not exist if we were to agree Amendment 2, so the consequences of any finding would be unclear. That could create legal, regulatory and economic chaos.
How would data controllers operate if they could not tell whether the apparently incompatible legislation they were operating under was still effective or not and there was no mechanism to fill any gap? What if the courts found parts of the GDPR incompatible with this new super-right? Rather than enabling the free flow of data we could be crippling it. Further, how would the courts approach other legislation in light of this new right and how would they approach other rights? Could this new right be balanced against other rights, and if so, would it carry additional weight?
Apart from these legal problems, in our view Amendment 2 is simply unnecessary. The general principles of EU law will be retained when we leave the EU by the European Union (Withdrawal) Bill for the purposes of interpretation of retained EU law. The GDPR will be retained. Indeed, this Bill firmly entrenches it in our law. The right to protection of personal information is a general principle of EU law and has been recognised as such since the 1960s. The European Union (Withdrawal) Bill requires our courts to interpret the GDPR consistently with the general principle reflected in article 8, and with retained CJEU case law so far as it is possible to do so. In that context, the jurisprudence of the CJEU will continue to have influence in much the same way as the judgment of a court in Australia might have an influence on how common legal principles should be applied.
The amendment also refers to the status of judgments of the European Court of Human Rights. This is completely unnecessary and unwelcome. Section 2 of the Human Rights Act already requires our courts to take into account relevant judgments of the Strasbourg court. If we write this here, where else must we write it? We do not want to cast doubt on our absolute and total respect for human rights on any issue, not just data protection. The Government have reaffirmed and renewed our commitment to human rights law. It is reflected through UK national law as well as in a range of domestic legislation that implements our specific obligations under UN and other international treaties, from the convention against torture to the Convention on the Rights of the Child. Of course, the principal international treaty most relevant to the UK’s human rights laws is the European Convention on Human Rights. I am happy to repeat the commitment made by my fellow Ministers in recent months that the Government are committed to respecting and remaining a party to the ECHR. There will be no weakening of our human rights protections because we are leaving the EU.
All of these issues interlink. Article 6 of the Treaty on European Union makes clear that due regard must be had to the explanations of the charter when interpreting and applying it. The explanations for article 8 of the charter confirm that the right to data protection is based on the right to respect for private life in article 8 of the ECHR. The European Court of Human Rights has confirmed that article 8 of the ECHR encompasses personal data protection.
It is easy to conclude that we are spiralling in circles on this matter, and in a sense, we are. We believe that there is simply no problem here of any substance. The right to data protection is fully implemented in our law and it is fully enforceable. Government Amendment 1 makes it clear that this is the case. While Amendment 2 seeks to do the same it trips and falls, creating confusion rather than the clarity the noble Lord is after. So I hope that he will feel able to withdraw his amendment. I wish to press government Amendment 1. As the noble Lord, Lord Pannick, said, we are seeking to provide reassurance. I said at the beginning that we would remain open for discussions on this, and if we can provide any further reassurance, taking into account some of the four points made by the noble Lord, Lord Pannick, we will do so.
The noble Baroness, Lady Ludford, gave a long explanation of why adequacy is important and some of the extra issues that will be taken into account when we have to approach an adequacy decision from the EU, including for example areas of law which at the moment are not susceptible to EU jurisdiction, such as national security. I agree completely that that will be taken into account when we go for an adequacy arrangement. That is exactly why we have tried to apply the GDPR principles to all our laws, so that we have a complete and systematic data protection regime. On that basis, I accept the four questions asked by the noble Lord, Lord Pannick. We will consider those issues in the discussions.
I thank the Minister for his response. I was glad that he addressed the question of an adequacy assessment at the end of his remarks, but with respect, it is not enough—or adequate—to address an adequacy assessment only at the point of asking for it. We must lay the foundations now. I cannot see the point in storing up potential problems when we could solve the problem of the basis. We ought to do everything in that prism. We can have delightful legal discussions—it is important to get the law right—but this is also crucial to business. We have had so many representations on that point. I am sure that the Minister’s colleague, the Secretary of State for Digital, Culture, Media and Sport, is preoccupied with this question. Surely we need to front-load our response? We cannot wait until the UK applies for an adequacy assessment to be told, “Well, it’s a pity that you didn’t enshrine the principles and the essence of article 8 of the charter”. We have a chance to do that now and ensure a solid platform for requesting an adequacy assessment. I admit that I am puzzled as to why the Government would not want to do that; it is important for law enforcement as well. Why would we not want to solve that problem now, instead of finding later that we have entirely predictable problems as a result of not doing so?
I completely agree with the noble Baroness. We have applied the GDPR principles to areas such as defence, national security and the intelligence services in different parts of the Bill so that when we seek an adequacy arrangement, we can say to the EU that we have arranged a comprehensive data protection regime that takes all the GDPR principles into account, including areas that are not subject to EU law. That is why, contrary to what we said in Committee, we have taken the arguments on board and tabled government Amendment 1 to provide reassurance on that exact point. We originally said that the rights under article 8 were contained in the Bill, but we are now putting further reassurance in the Bill. Other areas of the Bill, without direct effect, signpost how the Bill should be regarded.
The noble Baroness supports the amendment but would like, I think, to create a free-standing right. I have explained why we do not agree with that. Before Third Reading, we will try to seek a form of words in our amendment that provides more reassurance, so that when it comes to seeking an adequacy decision—we cannot do that until we leave the EU—there will be no doubt about what this regime provides. That would be the best way to do it, I think.
Does the Minister also agree that a further answer to the points made by the noble Lord, Lord Faulks, and the noble and learned Lord, Lord Mackay of Clashfern, is that it is absolutely inevitable that the detailed provisions of the Bill will be, on occasion, the subject of dispute, uncertainty and litigation, and that it would be very helpful to have a statement of principle on what is intended at the commencement of the Bill? This would not be the first time that a Bill has done that. Everybody would then know what the principles were. Of course, the Minister still needs to consider before Third Reading what that statement should be, but that is the point, as I understand it, of government Amendment 1.
Why does the Minister feel it so necessary to push ahead with his amendment when it is quite clear that the best and most constructive way forward would be for both amendments not to be pressed to allow constructive discussion and resolution at Third Reading?
Government Amendment 1 provides a basis for the discussion that we will have before Third Reading. Of course, I accept that it could be amended at that stage.
As for the remarks of the noble Lord, Lord Pannick, I will have to read my noble friend Lord Faulks’s words. I was not entirely sure that he was as supportive as the noble Lord feels, but I may have misinterpreted him.
As I understand them, both the noble Lord, Lord Faulks, and the noble and learned Lord, Lord Mackay, doubt the need for any amendments of this sort. I am suggesting to the Minister that there is a real need for a statement of principle—that is all.
I thank the noble Lord. As I said in Committee, we too saw no need for this. The Government have moved because they are always listening and we hope that we can make this more acceptable. I will read what was said by the noble Lords, Lord Pannick and Lord McNally, and my noble friend Lord Faulks, but I would like to press my amendment so that we might have it as a basis for further discussion before Third Reading.
My Lords, the Minister has received quite a lot of comment from around the Chamber on this and I made it clear in my opening remarks that I though the best solution was to have neither amendment. If we are to have a genuine discussion, it does not seem helpful to have in the Bill the wording which the Minister has alighted on at this stage in his conversion. It would be much better to start with a blank sheet and try to work to a common solution. I beg him to reconsider his view and withdraw his amendment; I will not press mine. We could then move to Third Reading with a clean slate.
My Lords, I understand what the noble Lord is saying. This amendment has been around the houses in government; it has had many people from many departments looking at it from top to bottom. The feeling of the Government at the moment is that it is better to have something on paper as a basis for discussion. I would like to press my amendment.
(7 years ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, in Committee the noble Earl, Lord Kinnoull—I am very grateful to him for his help and that of the industry bodies that I have now met—told us that the language in the Bill enabling the processing of sensitive data relating to employment might be interpreted more narrowly than the similar wording in paragraph 2 of Schedule 3 to the Data Protection Act 1998. This was never the Government’s intention and I thank the noble Earl and the noble Lord, Lord Clement-Jones, for bringing the issue to the Government’s attention. Amendments 11 and 12 to address these concerns by reverting to the wording used in the 1998 Act, thereby removing any doubts as to their proper interpretation. I will sit down and wait for the noble Earl to propose his amendments and reply to them after. I beg to move.
My Lords, I am very grateful to the Minister for that news on those government amendments. It is very helpful and will prevent a lot of insurers having to redo their administrative systems. I shall speak to Amendments 25 and 26, which are another pair of insurance amendments. I declare my interests as set out in the register of the House, particular those in respect of the insurance industry.
I thank the noble Lord, Lord Clement-Jones, who has been very helpful. He brings great clarity at all times of day to our discussions. Although he is the chairman of the Artificial Intelligence Select Committee, his intelligence is far from artificial and is most helpful. Also, I see the Bill team over there. They have been excellent. Given the amount of fire coming in they are very calm, collected and user-friendly. I thank them for everything they have done so far on the Bill.
The Lloyd’s Market Association, the British Insurance Brokers’ Association and the Association of British Insurers, among other insurance associations, have helped in the preparation of some of these remarks. The insurance industry is trying to deliver products in the public interest. Indeed, some major classes of insurance, such as motor insurance and employers’ liability insurance, are compulsory. There is a long list of other insurances that are quasi-compulsory. For instance, one cannot get a mortgage without buying household insurance. It is greatly to society’s benefit that a wide choice of good products is available at a reasonable price.
My Lords, I welcome government Amendments 11 and 12. As we have heard, they address some of the concerns that were raised in Committee. The Government have said that they never intended to have a narrow interpretation and they have put back the words of the 1998 Act, which is very welcome. As was said earlier, the noble Earl, Lord Kinnoull, has laid out in great detail the issues addressed in his Amendments 25 and 26. He makes a very important and clear case and raised some important issues. I hope that the noble Lord, Lord Ashton of Hyde, will respond to those. I certainly think that there is a case for bringing these things back at Third Reading to address the points the noble Earl has raised.
My Lords, I am grateful to everyone who has spoken in this debate. As we have just heard, Amendment 25 would replace the existing processing conditions:
“Insurance and data concerning health of relatives of insured person”,
and:
“Third party data processing insurance policies and insurance on the life of another”,
with a broader insurance processing condition. Amendment 26 would require the Information Commissioner to produce sector-specific guidance for the insurance sector. These processing conditions are made under article 9(2)(g), the substantial public interest derogation. When setting out the grounds for such a derogation, the Government are limited by the need to meet this substantial public interest test. We are also required to provide appropriate safeguards for data subjects.
The Government recognise the importance of insurance products, in particular compulsory classes and the protection afforded by third-party liability. As the noble Earl mentioned, engagement between the insurance sector and government officials has continued since this matter was discussed in Committee and, indeed, since I met him and representatives of the insurance industry after Committee. There is still some work to do on the precise drafting of the relevant provisions, but I am grateful for the opportunity to place on record the Government’s intention to table an amendment addressing this issue at Third Reading, if we can finalise the drafting in time and the House is content for us to do so. At the moment I am not aware of any insuperable problems in that regard, but noble Lords will recognise that this is a complex issue and one that we want to get absolutely right.
As for the Information Commissioner producing sector-specific guidance, as proposed by Amendment 26, I will certainly take that back and pass it on to the department. With that reinsurance, or rather reassurance—“reinsurance” was a bit of a Freudian slip there—I respectfully invite the noble Earl not to move his amendments this evening. I beg to move.
My Lords, I add my voice in support of the noble Baroness’s amendment and wish it well. I suspect she has run into the logjam that constitutes the waiting list to see the Bill team and the Ministers, who have been worked so hard in the last few months. But I hope it will be possible, given that there is a bit of time now before Third Reading, for this matter to be resolved quickly and expeditiously before then.
My noble friend Lady Neville-Jones explained in Committee that Unique plays a hugely important role in providing advice and support to sufferers of rare chromosomal disorders and their carers. Some of these charities have large databases dating back many years, so we understand their desire to maintain these when the GDPR comes into force without necessarily obtaining fresh consent to GDPR standards for each data subject included on the database. When families are providing support to their loved ones, some of whom may need round-the-clock care, filling in a new consent form may not be high on their agenda.
However, they may still value the support and services that patient support groups provide and would be concerned if they were removed from the charities’ databases. If charities such as Unique had to stop processing or delete records because consent could not be obtained, they worry that this would impede the work they do to put patients and their families in touch with others suffering from rare genetic conditions, help clinicians to deliver diagnoses and facilitate research projects. We recognise that this could be particularly damaging when there is barely any knowledge of the condition other than what they may hold on their database.
Let me be clear: if there is a grey area in the Bill that puts this work at risk, the Government are fully prepared to amend it. Legislating in this area is not straightforward and I am keen that the policy and legal teams in the department are able to continue with the constructive discussions they have been having with Unique and the UK Genetic Alliance to ensure that the legislation adequately covers the specific processing activities they are concerned about, while providing adequate safeguards for data subjects. I assure noble Lords that we will use our best endeavours to work on this legislative solution as quickly as possible. If it is not ready by Third Reading, and I am afraid I cannot promise it will be, the Government will endeavour to introduce any necessary provisions at the next possible amending stage of the Bill. I will of course ensure that my noble friend gets the credit she deserves for her persistent efforts on this subject when that time comes.
Government Amendments 72 to 77 are the products of detailed discussion with the noble Lord, Lord Patel, the noble Baroness, Lady Manningham-Buller, and representatives of the Wellcome Trust. I thank them very much for those constructive and helpful discussions. In Committee we discussed the operation of the safeguards in Clause 18 and the potentially damaging impact they would have on pioneering medical research. As I explained at the time, it was never the Government’s intention to undermine such important work, so it is with great pleasure that I table these amendments today.
Noble Lords will recall that the greatest concern stemmed from the safeguard in what is currently Clause 18(2)(a). That paragraph was designed to prevent researchers using personal data to make measures and decisions in respect of particular data subjects but, as the noble Lord explained, there are certain types of medical research where this is inevitable. In the context of a clinical trial, for example, a data subject might willingly agree to participate, but in the course of the trial researchers might need to make decisions about whether the treatment should continue or stop, with respect to some or all data subjects. Government Amendment 77 addresses this concern by making it clear that the safeguard is automatically met where processing is necessary for the purposes of approved medical research. Approved medical research is defined in the new clause and includes, for example, research approved by an ethics committee established by the Health Research Authority or relevant NHS body. Importantly, the new clause also contains an order-making power so that the definition of approved research can be kept up to date.
My Lords, I am very glad that the noble Lord is keeping this on the agenda. I had a note to ask what was happening about the meeting to which lots of people were invited at the previous stage. I do not believe that we have heard anything about it. This is not a whinge but a suggestion that it is important to discuss this very widely.
I find this paragraph in Schedule 1 very difficult. One of the criteria is that the processing is necessary for the purposes of political activities. I honestly find that really hard to understand. Necessary clearly means more than desirable, but you can campaign, which is one of the activities, without processing personal data. What does this mean in practice? I have a list of questions, by no means exhaustive, one of which comes from outside, asking what is meant by political opinion. That is not voting intention. Political opinion could mean a number of things across quite a wide spectrum. We heard at the previous stage that the Electoral Commission had not been involved in this, and a number of noble Lords urged that it should be. It did not respond when asked initially, but that does not mean it should be kept out of the picture altogether. After all, it will have to respond to quite a lot of what goes on. It might not be completely its bag, but it is certainly not a long way from it.
We support pinning down the detail of this. I do not actually agree with the noble Lord’s amendment as drafted, but I thank him for finding a mechanism to raise the issue again.
I am grateful to the noble Lord, Lord Kennedy, for raising this issue, and to the noble Baroness for her comments. These issues are vital to our system of government, and we agree with that.
Amendment 27 seeks to expand the umbrella term “political activities” to include any additional activities determined to be appropriate by the Electoral Commission. Noble Lords will agree that engaging and interacting with the electorate is crucial in a democratic society, and we must therefore ensure that all activity to facilitate this is done in a lawful manner. Although paragraph 18(4) includes campaigning, fundraising, political surveys and case work as illustrative examples of political activities, it should not be taken to represent an exhaustive list.
Noble Lords will be aware that the Electoral Commission’s main areas of expertise concern the regulation of political funding and spending, and we are of the opinion that much, if not all the activities they regulate will be captured under the heading “political activity”. As I have just set out, fundraising is included as an illustrative example, which ought to provide some reassurance on this point. Moreover, the greater the number of activities denoted by the Electoral Commission, the less likely it is that any other activity would be considered by a court to be a political activity by dint of its omission. The commission, a body which as far as I am aware claims no expertise in data protection matters, would find itself in an endless spiral of denoting new activities as being permissible under the GDPR. Nevertheless, in recognition of the importance of such processing to the democratic process, the Government are continuing to consider the broader issues at stake and may well return to them in the second House. In this vein, the noble Lord made a number of good points, and I look forward to meeting him with the Minister for Digital, my right honourable friend Matt Hancock, on Thursday this week to discuss the matter in more detail than the parameters of this debate allow. We will see what the noble Lord feels about the timing of that after the meeting.
As for the noble Baroness, Lady Hamwee, we talked about having bigger meetings, and I am sure the time will come. This is just a preliminary meeting to decide on timings and to give the noble Lord, Lord Kennedy, the chance to discuss this with the Minister for Digital. I envisage that further meetings will include the noble Baroness.
I appreciate the sentiment behind the noble Lord’s amendment. In the light of our forthcoming discussions, I hope he feels able to withdraw it.
I thank the Minister for his response. I tabled the amendment to keep the issue live and to illustrate the problem we have here. In his response, he talked about the responsibilities of the commission and data protection responsibilities and how they may conflict, belonging to different bodies. That begins to highlight the problem that we potentially have here. You could have different regulators trying to enforce different bits of legislation, all on the statute book at the same time and equally legitimate. We have got a real problem here.
I look forward to the meeting on Thursday. It is very important that we have a meeting after that, though, with a much wider group of people from different parties and campaigns. It is a genuine problem that affects every political party represented in this House and the other place and those that are not in either House. There is no advantage here—it is a question of getting a procedure in place that allows political parties to campaign and do their job properly and fairly. Equally, it protects the volunteers so that they understand what they can and cannot do so that they do not unintentionally get themselves in difficulty. I look forward to the meeting, but there are one or two things to sort out before then. I hope that it can get done by Thursday but, if it cannot, we have the other place. But it would be much better to sort it out at this end rather than the other end. I beg leave to withdraw the amendment.
(7 years ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, I am not quaking in my boots when addressing an amendment from my noble friend, first, because he is a helpful man and, secondly, because I am getting quite used to it, to be quite honest, particularly after the Digital Economy Bill.
As we heard, my noble friend’s amendment would restrict the provision in the Bill that allows anti-doping bodies to process sensitive personal data without consent to just UK Anti-Doping. It would permit other bodies to process sensitive data only if allowed by the Secretary of State. This House agrees, I think, how important sport is and that it can only continue to be successful if it is, and is seen to be, clean. It should therefore come as no surprise when I say that the Government remain fully committed to combating doping and protecting the integrity of sport. We are at one with the noble Baroness, Lady Billingham, on that.
At the moment, a large number of organisations, both domestic and international, work to prevent and eliminate doping in sport in this country in accordance with agreed international standards. UKAD, as the UK’s national anti-doping organisation, plays a vital role. But we must recognise that other bodies, some of which have been mentioned, also have important roles to play, including in particular sports’ national governing bodies. The amendment would see UKAD as the only body with automatic responsibility for processing sensitive data for the purposes of preventing doping in the UK. Other bodies would have a role only if named by the Secretary of State.
I am not convinced that this is a positive change for a number of reasons. First, it is not immediately clear to me why such an amendment is needed. UKAD’s role, and that of other sporting bodies, is set out in the national anti-doping policy, and this arrangement is largely seen to be effective, not just here in the UK but internationally. But we can never be complacent, and that is why my honourable friend the Minister for Sport, Tracey Crouch, has already commissioned a review of UKAD. That review is looking closely at UKAD’s functions, efficiency and effectiveness and has consulted widely. The findings of this review will be published early next year and will inform the revision of the UK national anti-doping policy, which will also take account of the recently published review of the criminalisation of doping. As part of this policy revision process, the Government will consult all relevant stakeholders, and will no doubt welcome discussions with my noble friend Lord Moynihan.
In addition, the arrangement outlined in my noble friend’s amendment would appear to present a number of risks. As he mentioned, the World Anti-Doping Code and the UNESCO convention set a clear framework that allows major events organisers and international federations to conduct their own anti-doping activities. Their ability to test cannot, without risking a breach of the convention, be contingent on them having obtained prior authorisation by a national Government.
Sports bodies change regularly as new sports are recognised and new bodies gain funding and manage competitions. A new round of designations would be required every time a new sporting body came into being or organised competitions or an old body changed its name. Under the system proposed by my noble friend, even a short delay in doing so could allow a drugs cheat to escape sanction by challenging the validity of the data processing undertaken by a sports body weeks, months or even years prior. That is not least because the Secretary of State’s decision to designate a body would itself be subject to judicial review. This could turn a relatively straightforward process of designation into a lengthy process of review, consultation and litigation. Similarly, if international bodies wanted to hold competitions in this country, they would, on the face of it, need to be officially designated by the Secretary of State. In a competitive marketplace, this could discourage organisers of major events from bringing their events to the UK.
To summarise, the Government believe that my noble friend’s amendment will put the UK’s status as a leading destination for clean sport at risk. It will create uncertainty in the sporting world and will be out of step with the recognised international framework that is already in place. It is widely understood that UKAD is the recognised body in the UK with responsibility for enforcing anti-doping rules. But the Bill must not be used as a tool to limit interventions by internationally recognised sporting bodies, such as the England and Wales Cricket Board, the Football Association and the Rugby Football Union. They, like UKAD, should be allowed to set and enforce anti-doping rules in sports. The fact that these bodies are not governed entirely by UKAD’s rules does not make their need to process data without consent for anti-doping purposes any less important. We are clear on that, the World Anti-Doping Code is clear on that, and the bodies themselves are clear on that.
Indeed, I have a statement from four of our leading sports bodies: the Football Association, the Rugby Football Union, the England and Wales Cricket Board, and the British Horseracing Authority. They are not speaking with different voices. This is a joint quote, which they have authorised me to announce. They say:
“We welcome further discussion with all parties on this issue but do not believe that this Amendment, that has not been discussed with or subject to any consultation with our organisations, is the right way to proceed today”.
In answer to the noble Viscount, Lord Falkland, who asked about the horseracing authority, I am afraid he should direct his question to my noble friend Lord Moynihan, because it is his amendment that would change the current system. Therefore, while I understand the desire of my noble friend to assist in the fight against doping, which we all support, I do not believe that the Bill is the proper vehicle to achieve it; nor do I believe that my noble friend’s amendment would in fact achieve it.
Let me be clear: if my noble friend or the noble Lord, Lord Stevenson, want to keep talking about anti-doping in general, I am very happy to do so, as is my honourable friend the Minister for Sport; I have already said that. But the Government have spent a great deal of time working with UKAD and sports bodies to design paragraph 23 of Schedule 1, and I have heard nothing in the debates in Committee and today that would suggest that we should alter our view before the review of UKAD is complete. On that basis, I urge my noble friend to withdraw his amendment.
My Lords, I am grateful to all noble Lords who have contributed. I will respond to the Minister first. I was disappointed that he did not respond to the suggestion of the noble Lord, Lord Clement-Jones, which I also touched on, namely, that it was important, if at all possible, to take away this amendment and consider it in greater detail so that the Government could bring it back at Third Reading. The Government have decided not to do so, and in so doing they have argued the following points.
The first was that there has been inadequate consultation—for example, no discussion between the BHA and myself. If I may respond to the noble Viscount, Lord Falkland, I had a conference call with, I think, four BHA people last Friday to discuss in detail the consequences of the proposed amendment. It was a constructive and helpful discussion. It was very important to them that they did not come under the umbrella of UKAD, and they would not. Amendment 31 says very specifically that the references are,
“to be read as references to … UKAD … , its successor bodies or a body designated by the Secretary of State”.
They asked me whether that would be a cumbersome process, and I said, “Certainly not”. The Secretary of State could respond to a letter pretty much immediately by saying, “Continue the good work that you’re doing”. That would be absolutely fine under the amendments I have tabled to Schedule 1.
This would apply to any organising group that exercises authority in anti-doping in this country outside UKAD, which covers the wide majority. Indeed, UKAD can test any athlete in this country, if it so wishes, at any level of competition. But there are organisations which will operate outside UKAD, for example the international federations and the International Olympic Committee. The other organisations which the noble Lord mentioned operate within UKAD in any event. Organisations such as the Football Association and the Rugby Football Union have a relationship with it to continue its good work, not least because those are Olympic sports, so they are covered in any event by the phrase,
“a body designated by the Secretary of State”.
I want further to assist my noble friend the Minister by suggesting that, instead of simply leaving it at that, every single point that he made could be covered by the regulations that he is being asked to bring forward under the Bill. There would be no uncertainty; there would be complete clarity, and we would have the opportunity to address those points in detail prior to that secondary legislation coming forward.
Why was it important to amend a general catch-all clause on sport to deal with these issues? It was important so that the BHA knew its position and could continue the good work with minimum bureaucracy, simply by a letter recognising that it continues the good work. I have heard nobody—not from the Bill team, which I met, not the policy advisers from DCMS and not the BHA, which I had a long conference call with last Friday—mention that there is anybody who seeks to change the way in which the BHA does excellent work in this area. It would simply be recognised on the face of the secondary legislation and so it should be—
Does my noble friend not accept, then, that if the situation is exactly the same as now, he is proposing a new process which will possibly be subject to litigation and achieve exactly the same status that we have today?
First, there is no evidence whatever that it is subject to litigation. If the Secretary of State—
I am sorry to interrupt again. Of course there has not been any litigation because the system that my noble friend proposes has not been put in place.
But there are no grounds for litigation. If the BHA is doing good work in anti-doping then, in the context of this paragraph, all that is being done is for that to be recognised within the legislation and by the Secretary of State in designating the BHA to continue its good work. Who would wish to litigate on that? Nobody is changing any relationship between the BHA, and those who work within it, and the excellent anti-doping policy that it currently runs. I am sure the Government would not want to change that.
The reason why this should be on the face of the Bill and in the secondary legislation—the regulations—is that this is of serious importance. We are asking athletes to give up a lot of personal data, and we should protect them when giving up personal data. It is important and right for an anti-doping policy that they should do so, but its importance should be recognised and my noble friend the Minister did not even mention it in his response. It is about the data management.
I conclude by saying simply this, and I will happily give way to my noble friend the Minister. If he is prepared, as I hope he is, to follow the initiative of the noble Lord, Lord Clement-Jones, which I fully support, on improving the wording of the amendment, I stand absolutely ready to find consensus with all governing bodies, the Government, the Bill team and everybody else who is interested in the subject, including all Members of your Lordships’ House, in order to find an improved amendment. I think the amendment works perfectly satisfactorily, and I have just tried to explain that to my noble friend and the House, but I am sure it could be improved by further discussions. Is my noble friend the Minister willing to take it away and bring it back at Third Reading? If he is, I will happily give way.
I have to be very clear about what we are doing, particularly as this is the first group on our first day on Report. To be absolutely clear, I am not content to return to this issue at Third Reading of the Data Protection Bill because we have heard nothing that would suggest to us that paragraph 23 would benefit from further consideration at this time. I have to repeat that the wording on the face of the Bill was drawn up—this is a quote from the governing bodies that I mentioned—
“in close consultation with the sports governing bodies and the Sport and Recreation Alliance and we support the original wording as the right way forward”.
I hear what the Minister said. We have had many discussions with different members of governing bodies and others who have argued that this provision could be improved. Indeed, the noble Lord, Lord Stevenson, and I sat opposite UKAD and governing bodies last Monday, so what the right hand in some of these governing bodies is doing is clearly not what the left hand is doing. I think this amendment is a significant improvement that protects the rights of individual athletes. That is what we should be doing in this Bill because it is about data management. Regretfully, because I hoped that the Minister would take this away and come back with a consensus on something better, I wish to test the opinion of the House.
My Lords, I intend to be brief, but not because this is a minor matter—quite the reverse. This is one of the biggest concerns that we should have about how we engage through the public view on the issues that affect many of our citizens. I am talking particularly here about safeguarding, especially in relation to sport, although it also has wider concerns, wherever an adult has responsibility for a child.
The public concern has mostly focused on issues such as football and swimming in recent months and the last few years, but there are wider concerns that have been dealt with under various inquiries, and we await the results. The narrow issue relating to this Bill is that those individuals or bodies that have a protective function of safeguarding children or, indeed, vulnerable adults, and need to process sensitive data, even though they have no legal obligation to do it and have no statutory function may be an issue that the Government wish to return to. There is no doubt that UK Anti-Doping has the powers that are necessary in sports. But when members of the public and their children are not being sufficiently looked after, extra vigilance must be taken, and we must ensure that the Bill in no way affects that.
I have tabled this amendment, sent to us by a number of bodies involved in sport, but there are other groups outside the sporting area with interests here. The Government are currently discussing these issues and hoping to come to a conclusion shortly. On that basis, I hope that the Minister can give us some indication of the progress that has been made here and, if he can, some sense of the timescale in which the Government will act. I beg to move.
My Lords, I will be brief. Amendment 33 seeks to introduce a condition permitting the processing of special categories of personal data where it is necessary for the purposes of safeguarding children or vulnerable adults. The Government take the issue of safeguarding extremely seriously and recognise the need for the Bill to provide certainty to organisations with safeguarding responsibilities, so I thank the noble Lord, Lord Stevenson, for raising this issue.
Organisations in all sectors wish to ensure that they have a lawful basis when they process special categories of data for safeguarding purposes. In many—maybe even all—circumstances, organisations will be able to rely on existing conditions under the Bill: for example, where processing is necessary for the purposes of preventing or detecting unlawful acts or where the processing is necessary for the exercise of functions under legislation or under a rule of law. However, I recognise that there is an argument for having a specific safeguarding condition to put the issue beyond doubt.
This is an issue which requires careful consideration and noble Lords may be assured that my department is actively working across government and with stakeholders in the voluntary and private sectors to consider the issue. We must be mindful, for example, of the broader implications of defining safeguarding and vulnerability within data protection law. Inclusion of such definitions within the Bill could have unforeseen consequences for other legislation which uses the same, or similar, terminology. As such, I can assure noble Lords that the Government are sympathetic to the objective of this amendment. However, given the importance of this issue and the potential impacts both within and beyond data protection law, we are sure that further consideration is required before any amendment can be brought forward. I can assure noble Lords that we will continue to examine this issue urgently. While it will not be possible to conclude our consideration in time for Third Reading, I am confident of doing so in time for Committee stage in the Commons. On the understanding that we will return to the issue of safeguarding in the Commons, I hope that the noble Lord feels able to withdraw his amendment this evening.
I am grateful to the Minister for giving such a precise response to this, not only on the substance, recognising the issue and confirming that it needs to be put beyond doubt that the powers will exist, but giving us the assurance that this matter will be brought back in the Commons, which is wonderful. I beg leave to withdraw the amendment.
My Lords, we have Amendment 37 tabled in my name and that of my noble friend Lord Kennedy in this group. The focus of our amendment is to tease out from the Dispatch Box a sense of what is meant by “meaningful” in the context of the discussions we have already had about how organisations might disclose details of algorithms used in profiling and data-driven decision systems, to meet the obligation in the GDPR to provide meaningful information about what has been going on in that space. It will be difficult to do this because “meaningful” can involve many words and obligations and is, I think, a slightly slippery concept. It will probably exercise the noble and learned Lord, Lord Mackay of Clashfern, in its imprecision—but do not blame us, mate; it is the GDPR, which we are not allowed to discuss. However, I think that the Minister can help us here by providing a bit more information.
We have suggested that a way of dealing with this would be to look at how the information is used and make it a requirement that it should,
“be sufficient to enable the data subject to assess whether the profiling will be beneficial or harmful to their interests”.
That may not be sufficiently strict legal language but, if it is an important distinction, it would help to get us to the point at which the Minister might say that she will bring back improved wording in an amendment at Third Reading.
The real issue which is not discussed here is the question of whether we can access the algorithms themselves. The problem, and the reason for the solution to that problem lying in terms of the test of how it works in practice, is that it is not sufficient just to have simple information about the actual mathematics of the algorithm because that in itself would not give us enough information. What we need, for those in a particular part of the population cohort, is knowledge of the consequences of being in one category or another and how that is weighed up by those carrying out the processing. This covers all the ways in which decisions are made on credit, on our purchases and how we are advertised to. It is happening now, so the sooner we can get the information, the better. I look forward to hearing the Minister’s comments when she comes to respond.
My Lords, I start by thanking noble Lords for their amendments, which bring us back to the important issues around the use of automated processing in what is an increasingly digital world. I apologise if my smile was misleading, I was just very pleased to see the noble Baroness in her place; it did not indicate anything other than that.
The range in which automated processing is applied includes everything from suggested views on YouTube to quotes for home insurance and beyond. In considering these amendments it is important to bear in mind that automated decision-making can bring benefits to data subjects, so we should not view these provisions simply through the prism of threats to data subjects’ rights. The Government are conscious of the need to ensure that stringent provisions are in place to regulate appropriately decisions based solely on automated processing. We have included in the Bill the necessary safeguards such as the right to be informed of automated processing as soon as possible, along with the right to challenge an automated decision made by a data controller or processor. We have considered the amendments proposed by noble Lords and believe that Clauses 13, 43, 48, 94, 95, 111 and 189 provide sufficient safeguards to protect data subjects of all ages—adults as well as children.
I accept that people want to assert their rights. Of course I do. I also think that we had a very detailed debate in Committee. Points were raised about the broad-brush approach; the Government have responded, and I am happy to support their amendments.
My Lords, these amendments bring us back to the immigration exemption in paragraph 4 of Schedule 2 which, as the noble Lord, Lord Kennedy, said, was debated at some length in Committee. As this is Report, I am not going to repeat all the arguments I made in the earlier debate, not least because noble Lords will have seen my follow-up letter of 23 November, but it is important to reiterate a few key points about the nature of this provision, not least to allay the concerns that have been expressed by noble Lords.
Let me begin by restating the core objective underpinning this provision. The noble Lord, Lord Kennedy, specifically asked for further clarity on this point. The UK’s ability to maintain an effective system of immigration control and to enforce our immigration laws should not be threatened by the impact of the GDPR. It is therefore entirely appropriate to restrict, on a case-by-case basis, certain rights of a data subject in circumstances where giving effect to those rights would undermine that objective. That is the sole purpose and effect of this provision—nothing more, nothing less.
The GDPR recognises this by enabling member states to place restrictions on the rights of data subjects where it is necessary and proportionate to do so to safeguard,
“important objectives of general public interest”.
The maintenance of effective immigration control is one such objective. This is the basis for the provision in paragraph 4 of Schedule 2.
The noble Baroness referred to article 23 of the GDPR. It does not expressly allow restrictions for the purposes of immigration control. She asked whether the immigration restriction is legal. She pointed to Liberty’s claim that the exemption is unlawful. It is not the case.
My Lords, the Minister is reading from her brief, but I do not think I made any of the statements it anticipated I would make.
I have been badly advised somewhere. Shall I just get on with what I was going to say?
I made clear in Committee that the exemption is not a blanket provision applying to a whole class of data subjects. It is important to note that Schedule 2 does not create a basis for processing personal data. The exemptions in that schedule operate as a shield allowing data controllers to resist the exercise or application of the data subjects’ rights as set out in chapter III of the GDPR. It is the assertion or application of those rights that triggers the exemptions in Schedule 2. Given this, it is simply not the case that the Home Office, or any other data controller, can invoke the immigration exemption or, for that matter, any other exemption as a default response to subject access requests by a group of persons. Instead, an individual decision must be taken as to whether to apply the exemption in circumstances where a data subject’s rights are engaged.
Moreover, before a right can be restricted, the controller must be satisfied that there would be a likelihood of prejudice to the maintenance of effective immigration control or the investigation or detection of activities that would undermine the maintenance of effective immigration control. Only if that test is satisfied will the controller be able to apply the restriction on the data subject’s rights. I should also stress that this restriction should be seen as a pause button and not something to be applied in perpetuity to the data subject. If circumstances change so that the test is no longer satisfied in a given case, then the restriction will have to be lifted.
Having said that, I recognise the concerns that were expressed in Committee about the breadth of the exemption, and government Amendments 43 and 44, as the noble Lord, Lord Kennedy, said, respond to those concerns. These amendments remove the right to rectification and the right to data portability from the list of data subjects’ rights that may be restricted. On further examination of the listed GDPR provisions in paragraph 1 of Schedule 2, we have concluded that the risk of any prejudicial impact on our ability to maintain effective immigration control that might arise from the exercise of the rights in articles 16 and 20 of the GDPR is likely to be low.
Having clarified both the purpose of this provision and the way it will operate, and having addressed the concerns about the extent of the exemption, I would ask the noble Baroness, Lady Hamwee, to withdraw her amendment and support the government amendments.
My Lords, I am obviously disappointed by both those speeches. I agree with the noble Lord, Lord Kennedy, that immigration control should be effective and fair, which is precisely what I was driving at. He referred to balance; I quoted article 23(1), which requires necessity and proportionality.
I thank the Minister for her answers and for her response to Liberty. She talked about taking this “case by case”, but is that not how we deal with all our immigration control? We do not apply wholesale visa bans; we are not Trump’s poodle. Data requests are made on a case-by-case, individual basis, but you need to know what data is held in order to make the request.
The Minister referred to a “pause button”. I am afraid that does not, to me, have the air of reality or really offer any assurance in the real world.
Amendment 44 does not respond to our concerns. As I commented, you cannot exercise the right of rectification unless you know what is said about you. I feel we are hardly even talking the same language, although it gives me no pleasure to say that. I think I must seek to test the opinion of the House.
My Lords, I begin by thanking the noble Lord, Lord Pannick, and the noble and learned Lord, Lord Walker of Gestingthorpe, for taking the time to meet me and officials to explain in detail the concerns following the debate in Committee. The question about the interaction of the fundamental principles of trust law and the GDPR is a valid one that we understand, and which deserves a response.
In Committee, my noble friend the Minister conveyed that it is not our intention to compel trustees to disclose the kind of information described in the noble Lord’s amendment. The Government both understand and are sympathetic to the noble Lord’s concerns in this respect.
Article 15 of the GDPR confers a general right for a data subject to seek access to personal data held by a controller, but there are a number of exemptions, set out directly in both article 15 and in Schedule 2 to the Bill. The amendment of the noble Lord, Lord Pannick, seeks to add an additional exemption to Schedule 2 to preserve the confidentiality of trustees’ decision-making and to minimise the risk of disagreement between beneficiaries and trustees, to which the noble and learned Lord, Lord Walker, referred. The Government’s position remains that article 15(4) of the GDPR already prevents the disclosure of the material the noble Lord’s amendment is concerned with. This is because the Government consider that the,
“rights and freedoms of others”,
referred to in article 15(4) includes the rights of both trustees and other beneficiaries. Where disclosure under data protection law would reveal information about a trustee’s deliberations or reasons for their decisions that would otherwise be protected from disclosure under trust law, the Government’s view is that disclosure would adversely affect the rights and freedoms of trustees and beneficiaries in the trustees’ ability to make independent decisions in the best interests of the trust without fear of disagreement with beneficiaries.
While I appreciate the noble Lord’s concerns, rushing to codify what in trust law is generally referred to as the Londonderry principle would, we consider, be a disproportionate step. The wider potential risks and unintended consequences involved mean that pre-emptive action in this area, far from clarifying the position, might actually confuse it. Should the law be tested after Royal Assent and found wanting—which, I stress, the Government do not expect to happen—the delegated power in Clause 15(1) allows the Secretary of State to bring forward regulations to correct this. By that point it will be much clearer what deficiency, if any, has in fact been identified in the law and we would expect a Government to consider those powers in such circumstances. I hope that is a full and adequate response to the three points the noble Lord, Lord Pannick, made. In those circumstances, I invite him to withdraw the amendment.
I am very grateful to the Minister. He has responded positively to each of the points that I made. I know that the House is anxious to move on to reaffirming freedom of speech. Therefore, I will say no more other than to beg leave to withdraw the amendment.
My Lords, exactly a month ago, we had an interesting debate concerning a range of amendments tabled by my noble friend Lord Black. It was a surprisingly consensual debate, and I am rather hoping for more of the same this evening. The noble Lord, Lord Stevenson, agreed that there were serious issues raised that needed to be addressed. The noble Lord, Lord McNally, agreed that the Bill needed amending to ensure that it did not undermine the work of investigative journalists. The Government have listened, as we have on so many issues raised by noble Lords, and we have tabled appropriate amendments.
Government Amendment 50 deals with the issue raised by my noble friend that the Bill applies the exemptions only where processing is for the special purposes. We heard the persuasive example of the media being penalised if, for example, the police sought the pre-broadcast disclosure of journalistic material in relation to an undercover investigation because they wanted to see whether the alleged wrongdoing uncovered by the broadcaster’s investigation merited further police investigation. We agree that it is unfair and our amendment puts this right.
Government Amendment 57 concerns the list of journalistic codes of practice that appears in paragraph 24 of Schedule 2, which is also the focus of a number of amendments tabled by noble Lords, from whom I am sure we will hear in due course. In Committee, the noble Lords, Lord Clement-Jones, Lord Stevenson and Lord Skidelsky, and the noble Baroness, Lady Hollins, all highlighted that the editors’ code is incorrectly described in the Bill as the IPSO editors’ code. Having looked at this further, we concede the point and the Government’s amendment removes the reference to IPSO. The legal effect of this is nil but we should use the correct label. We are grateful to noble Lords for bringing this fault to our attention.
Government Amendment 61 is a further concession to deal with further concerns raised by noble Lords. Article 36 of the GDPR would have required investigative journalists to consult with the ICO before instigating covert filming, such as when investigating allegations of abuse against vulnerable residents at a care home. Article 44 of the GDPR might disproportionately impact on collaborative investigative journalism, including the sharing of data across borders where appropriate, such as with, for example, the Panama papers. The government amendment allows journalists to be exempted from these restrictions where the public interest test is otherwise met.
Government Amendments 150, 156 and 161, as well as a number of consequential amendments, create journalistic defences to the offences in Clauses 161 and 162 in respect of unlawfully obtaining personal data or unlawfully reidentifying de-identified data. We accept the arguments of my noble friend Lord Black that what processing is permitted for the special purposes under Schedule 2 should not be criminalised later in the Bill. These amendments remove any doubt on this matter. We wish to ensure that we do not criminalise journalistic or whistleblowing activities that are believed to be in the public interest.
Government Amendment 162 removes paragraph (c) from Clause 164(3). This measure allowed the Information Commissioner to determine prepublication whether processing could be done without reliance on the special purpose provisions. Many noble Lords felt this was a power to allow the commissioner to overreach and interfere in journalistic decisions. I am grateful for the advice of the noble Viscount, Lord Colville of Culross, together with that of my noble friend Lady Stowell of Beeston, who took the time to come and see me about this provision and further explain its dangers. The noble Lord, Lord McNally, set out similarly powerful arguments in Committee. Following further discussions with stakeholders and the commissioner, the Government have concluded that giving the commissioner power to take such enforcement action in relation to data being processed for the special purposes before the journalist or author publishes their work goes beyond what we consider is the appropriate role of the commissioner as the regulator and enforcer of the data protection legislation. With Amendment 162, the circumstances in which enforcement action would be available to the commissioner in relation to the special purposes would be limited to that of the existing position under the 1998 Act.
I will respond in full on the other amendments in this group once noble Lords have explained their intent. I beg to move.
My Lords, I have to inform the House that if Amendments 50 or 50A are agreed to, I cannot call Amendments 51 or 52 by reason of pre-emption.
My Lords, I follow what the noble Lord, Lord Low, said, which is of considerable importance. In doing so, I address Amendment 55, which has not yet been spoken to by the noble Lord, Lord Stevenson. I have both an observation and suggestion to make and I would be very grateful if he could let me have his views on them.
I suggest to your Lordships that Amendment 55, as it stands, goes too far, in that it gives great power to the commissioner, who is in no way subject to parliamentary control. Given the nature of the powers to determine appropriate guidance and practice, that is undesirable, on the face of it. That said, I have considerable sympathy for the proposition that the commissioner should be involved in the formulation of policy and in identifying amendments to the list. One way to address that is as follows: under subsection (6) of the clause we are dealing with, the Secretary of State has a power to make regulations that amend the list, which is itself subject to affirmative procedure. If we were minded to do so, we could make it explicit that the power exercised by the Secretary of State under subsection (6) should be used after representations made to him or her by the commissioner, and furthermore that, in any event and at all times, the power to amend the regulation should be used after consultation with the commissioner. If we went down this road, it would enable the commissioner to play a proactive role in shaping a very important list; in any event, it would involve the commissioner in the policy-making process.
It may have gone unnoticed in Committee, because we considered no fewer than 432 amendments, but I say this in the context of Amendment 55—to be spoken to by the noble Lord, Lord Stevenson—and in the light of observations made by the noble Viscount, Lord Hailsham: the then Amendment 181 amended Clause 169 to ensure that when regulations are made to amend the list of codes of practice, the Secretary of State must consult the Information Commissioner.
That is extremely helpful and I am grateful to hear it, but I do not think that it says that the commissioner can be proactive in the regulation. The point made by my noble and learned friend is that the Secretary of State must involve the commissioner in discussions but it does not make it explicit that the commissioner can be proactive by making suggestions to the amendment of the list. My suggestions are twofold and I would be grateful if the noble Lord, Lord Stevenson, would share his thoughts on the matter.
My Lords, I had better deal with Amendment 55, which is in my name and that of my noble friend Lord Kennedy. I am loath to do so at any length, so I simply say that it will be answered by the Minister when he responds. He has partially given me the answer and it would be wrong for me to anticipate the rest of it. I reassure him that I do not intend to press that amendment.
This debate is not about free speech; it is the latest exchange in a long-running debate on how in a democratic society we enshrine the press’s freedom to publish as it sees fit, root out the culture of abuse, illegality and criminality which has for too long involved all the newspapers at some point or other, and make sure that victims can get effective redress when such abuse happens. We should not lose sight of those cardinal aims.
If the House believes that everything in the garden is rosy, as the previous speaker tried to persuade us, we can of course do nothing and simply allow the Data Protection Bill to go forward as amended. I agree that the Minister has moved a long way and agree with the noble Lord, Lord Black, that we could now rely on the processes and procedures that have worked so well since 1998—for nearly 20 years. They could be allowed to continue, because they are tried and trusted and seem to do most of what we require.
But it is not like that. One could not listen to my noble friend Lord Prescott and the noble Lord, Lord McNally, for any length of time without feeling that there is still a canker. Something needs to be cut out of what we currently do and we are failing as a House if we do not do what we must to get this right. We have a lot of problems. We had a cross-party agreement; that has gone. We have let down the victims grievously time and again. We are unable to discuss this without accusations of a ridiculous nature being thrown at us about our intentions and processes. We need to do this properly; we need to do it coolly and with some consideration. We need evidence of the changes that are affecting the press. Is it true that the traditional press as we know it is going down the tube? Is it true that fake news, other news sources and the other things that our children are reading and reporting to us will destroy our understanding in a democratic society of what it is to be informed about the way things are done? Will we lose the extremely good points made by the noble Baroness, Lady Cavendish, who said that she was an investigative journalist and proud of her record, which is exemplary? We want that to continue, but we do not want people such as the noble Baroness, Lady Hollins, to suffer as a result of it. We have to be mature about this; we have to get it right.
I have an amendment, Amendment 165, to be taken on Wednesday 10 January—buy your tickets now—which will rehash a lot of our discussion today. It is focused on running a proper inquiry into what needs to happen now to deal maturely with the issues which the press does not wish to be regulated. It tries to find a way forward, to investigate the illegality of the past and learn lessons from it. Above all, it seeks to get a handle on this whole issue and come forward with a proper set of recommendations that we can implement. I hope that the House will look at that carefully when we come to it. In the interim, my advice to the noble Baroness, Lady Hollins, whom I admire for the fantastic work she is doing and I want to be with her on it, is to withdraw her amendment now and live to fight another day on 10 January.
My Lords, the noble Baroness, Lady Hollins, has reminded us a number of times in this House of the need for suitable press regulation, and she has some interesting arguments. I am grateful for the time she took earlier this week to meet me and explain her perspective and concerns. However, the position remains that the Government cannot accept her Amendment 50A. The Government support objective, high-quality journalism and a free press. We are committed to ensuring there is a sustainable, effective business model for high-quality media. Of course, we also need a fair system and this Bill is designed to strike a fair balance between individual privacy rights and the right to freedom of expression. The noble Lords, Lord Lester and Lord Pannick, and the noble and learned Lord, Lord Brown of Eaton-under-Heywood, have just alluded to the requirement in law for us to maintain that balance. I do not seek to repeat that, but I gladly adopt the observations they made about the need for balance in the context of convention rights with regard to privacy and freedom of expression.
The noble Lord, Lord Low, in an intervention on the noble Lord, Lord McNally, referred to a provision, the name of which I do not recall. They both agreed that that, if implemented by the Government, would resolve the problem. Can the Minister say what the position is on that?
It would not necessarily resolve any problem. As noble Lords may be aware, we have consulted on the question of Section 40 and the second part of the Leveson inquiry and there will in due course be a report upon that consultation. I notice that the noble Lord, Lord Stevenson, has assisted my lip-reading by saying “soon”. He may be aware that a letter was recently sent by the Secretary of State to the Committee with regard to the timing of that report. If not, I can bring that news to him. Sir Brian Leveson himself has indicated that he would like the opportunity to consider the responses to the consultation and that will take a little time—of course, that has to be accommodated.
Will the Minister do the House an enormous favour and make it clear that this not a debate between people who favour press freedom and people who are opposed to press freedom? There is nobody in your Lordships’ House who is opposed to press freedom. It is very important for all our sakes that this is made absolutely clear.
I hope that I indicated that in my earlier comments but I make it clear that we are all concerned with maintaining the very delicate balance between the right to privacy and press freedom.
(7 years ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, I have been trying to search for words to explain what is going on at the moment. It seems to me that we are living in two parallel universes. My first thought was that we were back in World War I territory—the noble Lord, Lord Black, will get the reference—and that we were engaging in sniping over long pieces of dead ground over issues that nobody could understand, fought by people who did not want to be there and led by people even more stupid than that. But I have decided that this is the rerun of an acrimonious family dinner that we had before the break. We are now reflecting on that and trying to nerve ourselves up to talk again to each other and restore relationships, because relationships must go on.
Again, we have had these passionate stories, anecdotes and recollections of times when things have gone disastrously wrong. No amount of legal redress can undo that suffering. From others, we have heard a perfectly robust and understandable account of why things are perfectly all right at the moment and, given time, will be sorted out. I begin to think that Leveson, for all the great work he did and the excellence of his report—and the longevity of its recommendations—is a bit of a McGuffin here. This is about us and society; it is about Parliament. I tried to address some of that at the end of the last debate. We have to get serious about this and work out how to make progress. We have to restore the rightful balance between Parliament, which must be sovereign, and those who work within an environment in which Parliament seems at the moment to have been discounted.
If we do not get this sorted, we will continue to be like this for the rest of time. It is insufficient and ineffective. It will not be the way we want to live our lives and we will all be much the losers as a result. We must give credit to the noble Baroness, Lady Hollins, and her proposals. Yes, they come from Leveson—but underneath that there is the greater truth that things are not working as they could be. They should be working better.
My Lords, while we have already debated amendments that are challenging to a free press, I fear that this group of amendments would be potentially hostile to the concept of a free press. Where there are abuses the answer is to enforce the law, not to shut down the media. I adopt the observations of the noble Lord, Lord Pannick, and my noble friend Lady Wheatcroft in that regard.
Amendment 53 would remove the requirement to give special weighting to the public interest in freedom of expression and information. This is something that we consider an essential way of ensuring that information that is in the public interest is not buried due to the data protection regime that is put in place. In this context, giving special weight to the public interest in freedom of expression and information is an important way of ensuring that we provide constitutional protection of freedom of speech, as required pursuant to Article 10 of the European Convention and the Human Rights Act.
Amendments 54 and 56 relate to the codes of practice to guide journalists in conducting the essential public interest balancing test that has to be carried out. We have already debated this in the previous group, before the dinner break. Amendment 54 intends to take away the absolute requirement to have regard to the listed codes of practice when determining whether publication would pass the public interest test. This requirement is a way of strengthening the obligations on journalists. In line with the enhanced protection of the GDPR, we are making sure that those journalists who are covered by one of the listed codes must have regard to their relevant code.
In a related amendment, Amendment 56, the noble Baroness, Lady Hollins, has suggested that we alter the language of the condition on the special purposes exemption at paragraph 24 of Schedule 2 to the Bill by changing “relevant” to “appropriate”. This amendment makes it unclear which code should be consulted in a given case. We want to ensure that the code which pertains to a particular set of journalists is the code to which they have regard when carrying out the public interest test.
We are not being unreasonable in resisting Amendments 54 and 56. They may look innocuous, just slightly changing the language of the Bill, but if we are to be true to the GDPR, we must ensure that in our law we have resolved the article 85 requirement to set where the public interest lies in managing the balance between privacy and freedom of expression. If we make the use of these codes discretionary and their application vague, we will simply undermine that balance.
Finally, I turn to the amendments from the noble Baroness that aim to create a special group of exemptions only for those journalists who are members of an approved regulator. As drafted, the Bill is designed to protect journalists who should be able legitimately to rely on these exemptions when undertaking journalism in the public interest, regardless of which regulator they belong to or whether they belong to any at all. The reality of the press landscape today is that the vast majority of publishers are not members of an approved regulator. As such, limiting certain exemptions to only those who are members of an approved regulator would limit the ability of most journalists in this country to undertake investigative journalism in the public interest. Whatever the motive or the intention behind these amendments, they are, I am afraid, either wrecking amendments or amendments designed to force publishers to sign up to a regulator to which they object—and that is not acceptable.
Section 40 of the Crime and Courts Act 2013 was mentioned. As we have previously discussed, the Government are currently considering Section 40 with regard to part 2 of the Leveson inquiry. We do not believe that using data protection legislation is an appropriate means of trying to incentivise compliance with, for example, Section 40.
The noble Lord, Lord Stevenson, observed just three weeks ago, and earlier this evening, that this is not perhaps the place for this debate. He commented:
“I do not think the Bill is the right place to rerun some of the long-standing arguments about Leveson”.—[Official Report, 22/11/17; col. 195.]
I concur with that observation, which he just reinforced with his observations about the need for us perhaps to look more clearly at what the real issue is rather than being distracted by trying to act as tail-end Charlies to a particular piece of legislation on data protection.
There will be a response to the consultation on Section 40 and Leveson 2, but I shall make one comment with regard to the suggestion about delay in that consultation process. Noble Lords may recollect that the Secretary of State was the subject of a judicial review application which made it impossible for her to proceed with the consultation because the terms of the consultation were the subject of legal challenge. Thereafter, when the consultation proceeded, there were more than 174,000 responses. They had to be analysed and considered, but the fact that there was that number of responses perhaps gives weight to the observation of the noble Lord, Lord Stevenson, about there being an issue that needs to be addressed, and therefore we must look forward to the response to the consultation. I invite the noble Baroness to withdraw the amendment.
Before the Minister sits down, will he confirm that he will reflect on this debate, which has been very important, and in the light of the promised consultation report allow the debate to continue in the new year?
I cannot guarantee the continuation of this debate, although the noble Lord, Lord Stevenson, appears determined to see it continue in the new year, under reference to his Amendment 165, and I look to engaging with him in a further interesting discussion on the topic at that stage. Beyond that, I say to the noble Baroness that the Government and Ministers are listening and considering these issues.
The position with regard to the consultation and the response to the consultation is as I indicated before the break. Sir Brian Leveson has, very properly, asked to see material pertaining to the consultation and the responses to it because he is a necessary party in this context. Until he has had a reasonable opportunity to do that, it would not be appropriate for us to respond.
My Lords, I would like just to make one or two corrections for the record. The noble and learned Lord suggested that the amendment, which would reserve some exemptions for newspapers signed up to a recognised regulator, would actually prevent the majority of journalists from engaging in investigative journalism. That is not the case. The exemptions required for investigative journalism remain intact for all journalists, regardless of their regulator.
There are one or two other corrections. The noble Lord, Lord Black, continues to misrepresent the establishment of the Press Recognition Panel, for example by saying that it is subject to interference by the Secretary of State. That is just not the case. It is so patently untrue that I can only assume that the noble Lord has not researched the facts, because it is a point that he has made before.
With respect to my noble friend Lord Pannick’s faith in the legal profession being able to sort out any illegal acts by newspapers, I will just say that affording the money to pay a lawyer and the time to mount a legal claim is not usually possible or a priority for victims of press abuse, particularly when they are in the midst of personal trauma. It is just not a priority. I personally would prefer that newspapers behaved themselves and did not fill lawyers’ pockets with money.
I take exception to being described as a bully. I have heard no compassion or concern for the victims of press abuse. Do noble Lords have any idea what it is like to be bullied by newspapers day after day after day? Any idea at all? To call my amendments bullying is unforgivable. Imagine the effect on the lady I spoke about before, who had lost weight and was described as a “grubby gran”. Imagine what that did to her mental state. I wonder whether she has been able to retain her weight loss.
This is the right Bill for these amendments. They are amendments to data protection legislation, and the victims of press abuse have waited a considerable length of time for an opportunity to take them forward. They are not hastily drawn-up, but the result of an extensive and impartial inquiry, and are as relevant today as they were in 2012. Sir Brian Leveson’s recommendations relate to the processing of data, not to the medium of publication, so it is irrelevant that the media landscape is changing.
I am grateful for the contributions of noble Lords who have spoken, in part because they demonstrate just how much there appears to be two parallel worlds. I assure your Lordships that I will return to this matter, but I beg leave to withdraw my amendment.
My Lords, the amendment in my name, and that of my noble friend Lord Stevenson of Balmacara, would insert a new clause in the Bill that requires a data controller to notify both the Information Commissioner and the police if they are subject to a ransomware attack. Ransomware attacks involve hackers taking control of your information held on a computer and agreeing to release the information back to you only on the payment of a large sum of money. It is kidnapping not of a person but of information.
Apparently thousands of UK businesses have paid these ransom demands and do not bring these issues to the attention of the authorities for fear of damaging their reputation. This is a really serious issue, and one that we cannot allow not to be addressed. I find it shocking that companies are paying these ransom demands, effectively on the quiet. The amendment would make it a legal requirement to notify. It is only by being able to understand the scale of these attacks and understand what has happened—whether or not it is successful is irrelevant—that the authorities can undertake the important work of analysis needed to prevent these attacks happening in the future.
I would go further, and say that it is irresponsible of data controllers or their businesses and organisations not to come forward to notify the proper authorities. They are vulnerable and making the problem worse by hindering the efforts to tackle the problem. Not only are they at risk of whoever is behind the attack coming back for more money later—having paid the hacker, the person will be seen as an easy touch—they are exposing other people, businesses and organisations to this form of attack in the future. My amendment would require notification, and I look forward to a detailed response to the issues I have raised. I beg to move.
My Lords, I am grateful to the noble Lord, Lord Kennedy, for his amendment on data protection breaches and ransomware attacks. The repercussions of such attacks are felt by everyone, whether or not they are a direct victim of the crime. It is estimated that in 2016 the cost of fraud and cybercrime in the UK was £193 billion, with the full social cost likely to be much higher. It is therefore essential that stringent measures are in place in legislation to ensure that cyberattacks and fraud are prevented, and any perpetrators found and stopped.
We, nevertheless, believe that Amendment 78A is unnecessary. Article 33 of the GDPR, referenced in the noble Lord’s amendment, requires the data controller to inform the Information Commissioner within 72 hours of all data breaches, including as a result of ransomware attacks. The controller is required to provide information of the likely consequences of the personal data breach, and to describe the measures taken or proposed by the controller to address the breach. There is one exception, given in Article 33, for breaches unlikely to result in a risk to data subjects, but that hardly seems relevant in cases where hackers have proven access to the data in question.
The GDPR does not require data controllers to report cyberattacks to the relevant police forces, for good reason. It is well understood that the Information Commissioner has the expertise and resources to take the appropriate and necessary action in the first instance, including, if she deems it appropriate, referrals to the police or to investigate and bring prosecutions herself under data protection law. I am also puzzled by the amendment’s intention to single out ransomware as the only form of cyberattack worth reporting to the police. A huge range of cyberattacks cause substantial distress and harm to individuals, such as insider attacks, attacks from third countries and other cybercrimes, such as malware and phishing. In addition, organisations can report cyberattacks or fraud to Action Fraud, which in turn ensures that the correct crime reporting procedures are followed. This organisation is overseen by the City of London Police, the national lead for economic crime, and we believe that it represents an effective and scalable structure. For the reasons I have stated, therefore, I would be grateful if the noble Lord would withdraw his amendment this evening.
I am happy to withdraw my amendment this evening. I wanted to raise the issue here. The Minister cited the figure of £193 billion lost through these and other forms of attacks—he went through a number of them—and this is a very serious matter. I hope that he is correct that companies are required to notify the Information Commissioner on the back of this legislation. This is very serious. I hope that he is correct that it is not necessary to go to the police—the sums of money that he mentioned are absolutely shocking. At one point, he said that the Information Commissioner can start prosecutions. That is fine, if we can find the people behind the crime and if they are in this country. If they are somewhere in lands far away, I wish him all the best, but I suspect that we will have some trouble in catching the perpetrators or bringing them to justice. My worry is that, because of reputational damage, companies will be reluctant to notify anyone about this stuff. It is very serious.
Can I just echo what the noble Lord says? We agree that it is serious, which is why we have set up the National Cyber Security Centre to help to protect public services online and why the Chancellor allocated nearly £2 billion for cybersecurity when he launched that centre.
It is very pleasing to hear that. I welcome that, but these are matters that we will have to keep under review. Unfortunately in this world, the people involved in this stuff are usually quite skilful and bright and can keep one step ahead of the law or the people trying to catch them. We should keep these matters under review but, unfortunately, they are not going to go away. My worry is that these crimes are committed many miles from these shores and catching the perpetrators is the problem. However, I am very happy at this stage to withdraw my amendment.
At the risk of making myself unpopular for one more minute, all I can say to my noble friend is: Humpty Dumpty.
At an earlier stage of the Bill I asked how we would interpret a particular provision when we were no longer tethered to the European Court of Justice. The response I received was that it would be interpreted in accordance with UK law at the time. If this amendment is agreed, it will be an extremely helpful contribution to UK law applying while taking into account the impact of the recitals.
My Lords, I cannot think of a better way to end our debate than with a discussion on recitals, which we have talked about a lot during the course of this Bill. I point out to both noble Lords that it was not only me who referred to recitals; they have both done so ad nauseam.
Sorry, I should have said “ad infinitum”—that is perfectly correct.
The Government do not dispute that recitals form an important part of the GDPR. As I said, we have all referred to one recital or another many times. There is nothing embarrassing or awkward about that. It is a fact of EU law that courts often require assistance in properly interpreting the articles of a directly applicable regulation—and we, as parliamentarians, need to follow that logic, too.
I would remind noble Lords that the Government have been clear that the European Union (Withdrawal) Bill will be used to deliver two things which are very important in this context. First, under Clause 3 of the withdrawal Bill, recitals of directly applicable regulations will be transferred into UK law at the same time as the articles are transferred. There is no risk of them somehow being cast adrift. Where legislation is converted under this clause, it is the text of the legislation itself which will form part of domestic legislation. This will include the full text of any EU instrument, including its recitals.
Secondly, Clause 6 of the withdrawal Bill ensures that recitals will continue to be interpreted as they were prior to the UK’s exit from the EU. They will, as before, be capable of casting light on the interpretation to be given to a legal rule, but they will not themselves have the status of a substantive legal rule. Clause 20(5) of this Bill ensures that whatever is true for the interpretation of the GDPR proper is also true for the applied GDPR.
More than 10,000 regulations are currently in force in the European Union. Some are more important than others but, however you look at it, there must be more than 100,000 recitals across the piece. The European Union (Withdrawal) Bill provides a consistent solution for every single one of them. It seems odd that we would want to use this Bill to highlight the status of 0.1% of them. Nor, as I say, is there a need to: Clause 20 already ensures that the applied GDPR will be interpreted consistently with the GDPR, which means that it will be interpreted in accordance with the GDPR’s recitals wherever relevant, both before and after exit.
There is one further risk that I must draw to the House’s attention. Recitals are not the only interpretive aid available to the courts. Other sources, such as case law or definitions of terms in other EU legislation, may also be valid depending on the circumstances. Clause 20(5) as drafted provides for all interpretive aids to the GDPR to apply to the applied GDPR. By singling out recitals the amendment could uniquely elevate their status in the context of the applied GDPR above any other similar aids. This, in turn, may cause the GDPR and applied GDPR to diverge.
The drafting of the noble Lord’s amendment is also rather perplexing. It seeks to affect only the interpretation of the applied GDPR. The applied GDPR is an important part of the Bill but it is relatively narrow in its application. I am not sure it has the importance that the noble Lord’s amendment seeks to attach to it. It is, at most, a template for what will follow post exit.
I will not stand here and say that the noble Lord’s amendment would be the end of the world. That would be disingenuous. However, it is unnecessary, it risks unintended consequences and it does not achieve what the noble Lord is, I think, attempting. For those reasons, I am afraid I am unable to support his amendment this evening and I ask him to withdraw it.
That is a very disappointing end to a rather splendid day. If you read Amendment 81 closely, it simply says “having regard to”, which is probably the weakest form of expression you can find in any legal circumstance. I am a bit surprised that the Minister could not come to a better conclusion than he did. In fact, we got a sort of Pepper v Hart-ish approach to it; we can rely on it but it is not as good as it would have been if we had agreed Amendment 81. I can say nothing more on this except that I am sure that we will return to this at some stage. I beg leave to withdraw the amendment.
(6 years, 11 months ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, the last time I cleared a room like this, it was a very bad film indeed.
Amendment 103A is connected to Amendments 103B, 103C, 124A, 124B and 125A, and I move it with the support of my noble friend Lord Stevenson and the noble Lords, Lord Clement-Jones and Lord Holmes. In a well-run world, this group of amendments should not really need to be moved or pressed. They are designed purely to ensure that we have the data commissioner—and the office of that commissioner—that we need. Frankly, they are the natural consequence of all the debates that have occurred during the passage of the data protection legislation.
There can be no more important role over the next few years than that of the Data Commissioner. The organisation she is being asked to regulate is the largest in the world. A quite extraordinary statistic is that the four largest companies—Google, Amazon, Facebook and Apple—have between them a larger market capitalisation than the FTSE 100. That is the scale of the businesses we are asking the Data Commissioner to regulate. At the same time, under the Bill at present the resources available to her are wholly inadequate to that task. We went through a similar operation 15 years ago with Ofcom, and out of that, and through the collective wisdom of this House, we were able to ensure that Ofcom had the resources to become what is genuinely the gold standard of any media and telecoms industry regulator in the world. That is an achievement of this House of which we should be very proud. The purpose of these amendments is to achieve exactly the same for our ICO—something we can be proud of and that can do the job given to it.
During the passage of the Bill, we have loaded the ICO with significant new and additional responsibilities. The idea that we might have an underfunded and underresourced regulator that is not adequate to the task we are giving it is unthinkable. The purpose of these amendments is to prevent that. I could go on at some length, but I think the mood of the House is that it wishes to move on, so I shall listen to the Minister’s response. I beg to move.
My Lords, it might be for the convenience of the House if I speak now as I have some information which may help the noble Lord, Lord Puttnam, and other noble Lords who have put their names to these amendments.
As I have repeatedly said during the debates on the Bill, the Government are committed to ensuring that the commissioner has adequate resources to fulfil her role as a world-class regulator and to take on the extra regulatory responsibilities set out in this Bill, so I agree with pretty well everything the noble Lord said. That is why we legislated for a new, GDPR-compliant charging regime in the Digital Economy Act, which we will turn to in the next group, but it is also why the commissioner needs to be able to recruit and retain expert staff.
I am therefore very pleased to announce that the Government have today granted the Information Commissioner’s Office pay flexibility up to 2020-21 so that it can review its pay and grading structure. The commissioner will have the independence to determine the levels of pay necessary for the ICO to maintain the expertise it needs to fulfil its new and revised functions as a supervisory authority, subject to the standard public spending principles. I am also pleased to say that the Information Commissioner has agreed these arrangements. She said:
“I welcome the positive response to my business case for pay flexibility at the ICO. I am confident that this will allow me to prepare the ICO for its critical role under the new data protection regime ensuring that the UK has a strong and expert regulator in an area recognised for its importance to the digital economy and society as a whole”.
This flexibility underscores the UK’s commitment to an independent and effective data protection regulator, and I think goes a long way in responding to the points raised by the noble Lord’s amendments. We all want an efficient, well-resourced ICO, so I am very pleased that this agreement has been reached. I should have said at the outset that I am very grateful to the noble Lord for coming to talk to me about it. I am glad to say he was pushing at an open door.
I thank the noble Lord, who has been extraordinarily generous with his time. He and his officials could not have been more helpful in reaching what I regard as a perfectly satisfactory conclusion. My only wish is that we have a regulator that can do the job required of it and tackle the abuses along the way confidently and competently. I am extraordinarily grateful for this outcome. I am very happy to withdraw the amendment.
My Lords, the noble Lord, Lord Deben, said that a small number of people do everything in small communities. It sometimes feels like that here. I do not think that we need to say much more; all the issues have been raised and I am sure that when he responds, the Minister will answer some, if not all, of the questions. The underlying theme is that we do not want to spoil what is a very good Bill with desirable aims by failing to pick up all the areas that it needs to address, because there will be benefits from it, as we have heard. I think that the Government understand that, but they must not be in the position of willing the ends of policy without also willing the means.
My Lords, I am grateful to all noble Lords who have spoken. I begin by thanking my noble friend Lady Neville-Rolfe, my predecessor in this role, for once again bringing the topic of small businesses to the House’s attention. Other noble Lords have extended that from small businesses to small organisations—indeed, even clans. While I am on the important subject of the clan, the noble Earl asked whether they would be classed as small organisations. I am sure that they are not small, but the answer is yes, they will be subject to the provisions of the GDPR.
The serious, general reason is that the GDPR, which is EU legislation which comes into direct effect on 25 May, is there to protect personal data. We must remember that the importance of protecting people’s personal data, particularly as it has developed since the most recent Data Protection Act was passed in 1998, has extended dramatically and concerns very personal items that belong to people. That is why it does not entirely matter whether it is a small or large organisation. Public authorities, such as parish councils, and other small organisations, such as charities, must take personal data seriously. They have obligations under the existing Act, but under the GDPR, they have more, and that is why. However, I and the Government instinctively support small organisations where we have it in our power to do so. I shall return to some of the specific points later.
I thank my noble friend for bringing this matter to the House’s attention and for coming to discuss it at length; I welcome this opportunity to provide some reassurance. As I have said at previous stages of the Bill, I wholeheartedly agree that the Government should recognise the concerns of the smallest organisations and continuously look at ways to support them through the transition to a new data protection framework. The amendments tabled by my noble friend have all been designed with small organisations, charities and parish councils in mind.
Before I address each amendment in turn, I remind noble Lords that the Information Commissioner’s Office already produces a variety of supportive materials intended to help organisations of all sizes to navigate their way to data protection compliance. I strongly encourage businesses to consult these, and to make use of the commissioner’s new dedicated helpline, provided specifically for small organisations. I am pleased to say, in answer to my noble friend Lord Marlesford and, in part, to my noble friend Lord Deben, that the Information Commissioner has agreed to issue advice to parish councils, which will be published shortly. That is one of the organisations to which my noble friend referred. I understand exactly what he is saying, as I live in a small village and my wife is a parish councillor. I assure noble Lords that the issues of the Data Protection Act in relation to parish councils have been aired vociferously, and not only in this Chamber.
In addition, it is worth noting that the process for paying annual charges to the commissioner will become simpler and less burdensome, which I am sure will come as welcome news to small organisations—but we will return to that point shortly.
Amendment 106 would add a new clause that would give the Information Commissioner a duty to provide additional support to small businesses, charities and parish councils to meet their requirements under the GDPR. This may include, among other things, additional advice and discounted fees paid to the commissioner. I think that my noble friend Lord Marlesford, raised a point earlier on, and I hope that it will be helpful if I put it on record that parish councils can share duties like a data protection officer, which is a public authority that they have to have, under the GDPR, with other parish councils as well as with district councils. Parish clerks can also fulfil that role.
While I agree with my noble friend that small organisations should be supported to meet new obligations under the GDPR and this Bill, I cannot agree with the obligations that that would place on the commissioner. As I mentioned earlier, the commissioner has already published a wide breadth of guidance online and is continuing to develop this guidance as we near the date of GDPR implementation. I mentioned an example just now. Only recently, she updated her small business portal to make it easier for organisations to access GDPR-related resources. Given that the commissioner is already so active in this field, which the Government and, I think, my noble friend fully support, I fear that additional prescriptive requirements would distract rather than contribute.
While the Minister is responding on this issue—I was not allowed to move Amendment 87A because somebody shouted out “not moved” when it was in fact not moved by myself—could he include schools in his comments?
We were going to have a debate on that—I gather that the Liberal Democrats did not want to bring it forward—but the basic answer is that schools have responsibilities under the GDPR. They particularly have responsibility for personal data relating to children; they already have extensive responsibilities under the current Data Protection Act. So it is very much an issue for schools. In this case, to help them, the Department for Education is going to provide guidance—and I am assured that it will be out very soon. So they have particular responsibilities. The kind of personal data that they handle on a regular basis is very important; I believe that the noble Lord, Lord Clement-Jones, mentioned an example of some of the personal data that they hold in relation to free school meals, which has to be protected and looked after carefully. One benefit for the school system, as far as other organisations are concerned, is that they will have central guidance from the Department for Education—and I repeat that that is due to come out very soon.
I turn to Amendment 125, also proposed by my noble friend. It seeks to introduce a requirement on the Secretary of State, when making regulations under Clause 132, to consider making provision for a discounted charge—or no charge at all—to be payable by small businesses, small charities and parish councils to the Information Commissioner. Clause 132(3) already allows the Secretary of State to make provision for cases in which a discounted charge or no charge is payable. The new charge structure will take account of the need not to impose additional burdens on small businesses. This may include a provision in relation to small organisations.
I am happy to confirm that the Government have given very serious consideration to the appropriate charges for smaller businesses as part of the broader process for setting the Information Commissioner’s 2018 charges. The new charge structure will take account of the need to not impose additional burdens on small businesses. It is important to note, however, that small and medium organisations form a significant proportion of the data controllers currently registered with the ICO—approximately 99%, in fact. The process of determining a new charge structure is nearly complete and we will bring forward the resulting statutory instrument shortly. I would, however, like to put one thing on the record: in putting together that charging regime, we have been mindful of the need to ensure that the Information Commissioner is adequately resourced during this crucial transitional period, but I want to be clear that the Government do not consider the 2018 charges to be the end of the story. There may well be more we can do further down the line to modernise a regime that has not been touched for the best part of a decade.
Amendment 127 would place an obligation on the commissioner, in her annual report to Parliament, to include an economic assessment of the actions that the commissioner has taken on small businesses, charities and parish councils. I agree with my noble friend about the importance of the commissioner being aware of the impact of her approach to regulation during this crucial period. As I said to the commissioner when we met, we must nevertheless also be mindful of maintaining her independence in selecting an approach. Even if we did not think that having an independent regulator was important—I want to be clear: we do —articles 51 to 59 of the GDPR impose a series of particular requirements in that regard. But, all of the above notwithstanding, I agree with a lot of what my noble friend has said this afternoon.
Turning to amendment 107A, in the name of the noble Lord, Lord Clement-Jones, concerning the registration of data controllers, I remember the Committee debate where the noble Lord tabled a similar amendment. I hope that I can use this opportunity to provide further reassurance that it is unnecessary. The Government replaced the existing notification system with a new system of charges payable by data controllers in the Digital Economy Act. We did this for two reasons. First, the new GDPR has done away with the need for notification. Secondly, and consequentially, we needed a replacement system to fund the important work of the Information Commissioner. All this Bill does is re-enact what was done and agreed in the Digital Economy Act last year. We legislated on this a year earlier than the GDPR would come into force because changes to fees and charges need more of a lead time to take effect. As I have already said, these new charges must be in place by the time the GDPR takes effect in May and we will shortly be laying regulations before Parliament which set those fees.
Returning to the subject matter of the amendment, under the current data protection law, notification, accompanied by a charge, is the first step to compliance. Similarly, under the new law, a charge will also need to be paid and, as under the previous law, failure to pay the charge is enforceable. We have replaced the unwieldy criminal sanction with a new penalty scheme—found in Clause 151 of the Bill.
My Lords, can the Minister explain what the trigger is for the payment of the fees?
A charge will need to be paid if you are the data controller.
That is not what I meant. That is not a trigger; it is notification by the data controller.
If you process and control data, you will need to make a notification to the data commissioner. I do not understand why that is not a trigger.
Exactly, so my point, which I was coming to but which the noble Lord has very carefully made for me, is that, in doing this, the Information Commissioner will obviously keep a list of the names and addresses of those people who have paid the charge. The noble Lord may even want to call that a register. The difference is, unlike the previous register, it will not have all the details included in the previous one. That was fine in 1998, and had some benefit, but the Information Commissioner finds it extremely time-consuming to maintain this. In addition, as regards the information required in the existing register, under the GDPR that now has to be notified to the data subjects anyway. Therefore, if the noble Lord wants to think of this list of people who have paid the charge as a register, he may feel happier.
I have talked about the penalty sanction. When the noble Lord interrupted me, I was just about to say—I will repeat it—that the commissioner will maintain a database of those who have paid the new charge, and will use the charge income to fund her operation. So what has changed? The main change is that the same benefits of the old scheme are achieved with less burden on business and less unnecessary administration for the commissioner. The current scheme is cumbersome, demanding lots of information from the data processors and controllers, and for the commissioner, and it demands regular updates. It had a place in 1998 and was introduced then to support the proper implementation of data protection law in the UK. However, in the past two decades, the use of data in our society has changed dramatically. In our digital age, in which an ever-increasing amount of data is being processed, data controllers find this process unwieldy. It takes longer and longer to complete the forms and updates are needed more and more often, and the commissioner herself tells us that she has limited use for this information.
My hope is that Amendment 107A is born out of a feeling shared by many, which is to a certain extent one of confusion. I hope that with this explanation the situation is now clearer. When we lay the charges regulations shortly, it will, I hope, become clearer still. The amendment would simply create unnecessary red tape and may even be incompatible with the GDPR as it would institute a register which is not required by the GDPR. I am sure that cannot be the noble Lord’s intention. For all those reasons, I hope he will withdraw the amendment.
I thank the Minister for going into the issues in such detail, and for the support that is now being offered by the ICO through the transition. We have heard about the helpline, the websites, and new guidance—not only for parish councils, which I regard as a major breakthrough, but for small business and schools. That is all very good news. There will be a charge but it will be modulated, as I understand it, in a way to be decided and brought before the House in an order. I think the Minister understands the wish of this House not to load lots of costs on smaller businesses as a result of this important legislation, which we all know is necessary for a post-Brexit world.
My only concern related to the Minister’s comments on what we might put into the report, because he rightly said that the Information Commissioner had to be independent, which I totally agree with. Equally, I thought that without undermining her independence, it was possible to ask her to report on economic matters and, for example, on how business learns about data protection and how that is going. I do not know whether he is able to confirm that today, but he made a point about independence and it was not clear whether it would be possible to put something into the reporting system.
We are keen that the Information Commissioner be independent and is seen to be independent, and I know that the commissioner herself is aware of that. I cannot commit to anything today, but I will certainly take back my noble friend’s question and see what can be done while maintaining the Information Commissioner’s independence.
On that basis, I am happy to beg leave to withdraw my amendment.
My Lords, in earlier amendments I have tried to interest the Government in the idea of establishing what I loosely call a copyright of one’s personal data. Another possibility put forward in a different amendment is that one could think of data provided by individuals as matters that would be controlled by them through the role of a data controller. I am not trying to be in any sense critical of the Government’s response to this but I think I was ahead of my time—a nice place to be if you can—and I do not think the idea is quite ready to be turned into legislative form. I suspect that the solution lies in a data ethics commission, an idea that we will come to later in the agenda. Such a commission may be established by statute, either today or through some future legislative process, so that we can begin to think through these important issues. I was interested in a lot of what the noble Lord, Lord Mitchell, said in his introduction of the amendment because it has bearing on these issues.
I agree with the noble Lord, Lord Clement-Jones, that we are not quite there yet. However, worrying issues have been raised that need to be addressed, particularly in relation to data that is acquired, used and commercially exploited without necessarily being certain that we are getting value for money from it. The amendments are relatively mild in their exhortations to the Government, but they certainly point the way to further work that should be done and I support them.
My Lords, I am grateful to the noble Lord, Lord Mitchell, for taking the time to come and see me to explain these amendments. We had an interesting conversation and I learned a lot—although clearly I did not convince him that they should not be put forward. I am grateful also to the noble Lords, Lord Clement-Jones and Lord Stevenson, who said, I think, that there may be more work to do on this—I agree—and that possibly this is not the right time to discuss these issues because they are broader than the amendment. Notwithstanding that, I completely understand the issues that the noble Lord, Lord Mitchell, has raised, and they are certainly worth thinking about.
These amendments seek to ensure that public authorities—for example, the NHS—are, with the help of the Information Commissioner, fully cognisant of the value of the data that they hold when entering into appropriate data-sharing agreements with third parties. Amendment 107B would also require the Information Commissioner to keep a register of this data of “national significance”. I can see the concerns of the noble Lord, Lord Mitchell. It would seem right that when public authorities are sharing data with third parties, those agreements are entered into with a full understanding of the value of that data. We all agree that we do not want the public sector disadvantaged, but I am not sure that the public sector is being disadvantaged. Before any amendment could be agreed, we would need to establish that there really was a problem.
Opening up public data improves transparency, builds trust and fosters innovation. Making data easily available means that it will be easier for people to make decisions and suggestions about government policies based on detailed information. There are many examples of public transport and mapping apps that make people’s lives easier that are powered by open data. The innovation that this fosters builds world-beating technologies and skills that form the cornerstone of the tech sector in the UK. While protecting the value in our data is important, it cannot be done with a blunt tool, as we need equally to continue our efforts to open up and make best use of government-held data.
In respect of health data, efforts are afoot to find this balance. For example, Sir John Bell proposed in the Life Sciences: Industrial Strategy, published in August last year, that a working group be established to explore a new health technology assessment and commercial framework that would capture the value in algorithms generated using NHS data. This type of body would be more suitable to explore these questions than a code of practice issued by the Information Commissioner, as the noble Lord proposes.
I agree that it is absolutely right that public sector bodies should be aware of the value of the data that they hold. However, value can be extracted in many ways, not solely through monetary means. For example, sharing health data with companies who analyse that data may lead to a deeper understanding of diseases and potentially even to new cures—that is true value. The Information Commissioner could not advise on this.
That sharing, of course, raises ethical issues as well as financial ones and we will debate later the future role and status of the new centre for data ethics and innovation, as the noble Lord, Lord Stevenson, mentioned. This body is under development and I am sure that this House would want to contribute to its development, not least the noble Lord, Lord Clement-Jones, and his Select Committee on Artificial Intelligence.
For those reasons, I am not sure that a code is the right answer. Having heard some of the factors that need to be considered, I hope the noble Lord will not press his amendment.
Perhaps I may offer some further reassurance. If in the future it emerged that a code was the right solution, the Bill allows, at Clause 124, for the Secretary of State to require the Information Commissioner to prepare appropriate codes. If it proves better that the Government should provide guidance, the Secretary of State could offer his own code.
There are technical questions about the wording of the noble Lord’s amendment. I will not go into them at the moment because the issues of principle are more important. However, for the reasons I have given that the code may not be the correct thing at the moment, I invite him to withdraw his amendment.
My Lords, I thank all noble Lords for their contributions to this short debate. I also thank the Minister for agreeing to see me prior to the Recess and for his comments today. However, this is an issue of precision—and we need precision on the statute book. All that has been suggested to me, which is that it can be found elsewhere or will be looked at in the future, does not give the definitive answer we require. That is why I would like to test the opinion of the House.
My Lords, government Amendment 118 responds to an amendment tabled in Committee by the noble Baroness, Lady Hamwee. I said then that I recognised the concern that had been expressed about the lack of transparency as regards national security certificates and that I would consider what more could be done to address this.
Having reflected carefully on that debate, and on representations from the Information Commissioner, I am pleased to move Amendment 118 to address this issue. It inserts a new clause into Part 5 of the Bill which requires a Minister of the Crown who issues a certificate under Clauses 25, 77 or 109 to send a copy of the certificate to the Information Commissioner, who must publish a record of the certificate. We would normally expect the published record to be a copy of the certificate itself. As I indicated in Committee, a number of the existing certificates are already available online.
As an important safeguard under the new clause, the commissioner must not publish the text or part of the text of the certificate if the Minister determines, and has so advised the commissioner, that to do so would be against the interests of national security or contrary to the public interest, or might jeopardise the safety of any person. Where it was necessary to redact information in a particular certificate, there would still be a public record of the certificate as set out in subsection (3) of the new clause. While in practice we expect that most certificates will continue to be published in full with no need for such restrictions, as is currently the case, this provides an important safeguard where it is necessary for a certificate to include operationally sensitive information. The commissioner must keep the record of the certificate available to the public while the certificate is in force, and if a Minister of the Crown revokes a certificate the Minister must notify the commissioner.
In the Information Commissioner’s briefing to this House on the Bill, she stated that there should be a presumption in favour of placing national security certificates in the public domain where to do so would not damage national security. She also noted that adopting a provision requiring her to be notified when a certificate was issued would provide a further safeguard to help inspire public confidence in regulatory oversight. I agree with her.
We have listened to concerns, and trust that this amendment will be widely welcomed. Indeed, it is worth recording that the ICO’s latest briefing on the Bill said that the amendment was,
“very welcome as it should improve regulatory scrutiny and foster greater public trust and confidence in the use of national security certificate process”.
I beg to move.
Amendment 118A (to Amendment 118)
My Lords, I sense that the House wishes to move on, to hear from the Minister and move to the inevitable vote, which I think would be a good thing for all of us. Therefore I will not speak at length. We have had a really important debate today, ranging from the deeply personal to the high realms of public policy, and it is very hard to find a balancing point at which we might, as the noble Lord, Lord McNally, has just said, actually find a reason for dividing on the various issues. It is complicated and multilayered. It is also time-sensitive and there are very inconvenient issues in the way. However, one can dig down a little and start with the fact that the Bill, as I have always said and will continue to say, is not the right Bill to solve all the problems in relation to press regulation in the future. It is a Bill about data protection and although it has elements that obviously bear on everything we have been saying today and in the previous debates around the need to balance the rights to privacy against those of freedom of expression, it is not a complete picture and we should not think it is.
It is important that we learn our lessons and move forward. We have an existing framework, set out in the Data Processing Act 1998. It has worked well; it has been said that it will work well in future, and the Bill establishes that again as the basic understanding on which we operate. I welcome that, but we are uncertain about how the issues that were raised between 2010 and 2013, the period that led to Leveson 1, are going to be resolved in the Bill—maybe they cannot be. They include the need to ensure that, for all time, there is an effective redress mechanism for those affected by illegality and bad culture in the press, and that we should understand and learn the lessons of what has happened in the past. We certainly have a lot of information but I do not think we have a full understanding of it all.
As has been said by a number of noble Lords, we must anticipate changes that are in train for the new media, the media sources of information and news and the changes in consumption. We have to explore—this is really important—how we sustain our huge tradition of quality journalism without which this democracy would be a shadow of its current self. My noble and learned friend Lord Falconer, in a very powerful speech, said we need to go back and rethink what we were thinking at the time Leveson was set up, the promises that were made and the impact it will have on the country if we do not deliver on those promises. We promised the completion of the Leveson inquiry. Whether it is Leveson 2 or another inquiry is a lesser point than the need to honour that promise. Too many people are relying on it, too many people will be upset if it does not happen and we will all be the losers.
The noble Viscount, Lord Hailsham, said that this is really a policy issue, not an issue around data processing: noble Lords will have understood from what I said earlier that I agree with him. The problem is that we do not control policy—we are unable to put any pressure on that. The victims do not control policy. The Cross-Benchers and Liberal Democrats do not. The Government control policy but successive Governments have seemed unable to move forward. I happen to think, from private conversations, that a lot more unites us on this issue than divides us across this Dispatch Box.
I would welcome some words from the Minister explaining precisely what will be the way forward. However, I do not think he will be able to do that, for all the reasons that have been given about the inconvenience of timing, the difficulty about cutting across other measures that are in place and the need to think through some implications. I am sympathetic, but the problem is that we need action; we need to move this forward, and the only power we have is to put an inconvenient roadblock in the current thinking. That is why I support the amendment in the name of the noble Baroness, Lady Hollins, and I will support—although I think that they are probably not the whole story—the amendments in the name of the noble Earl, Lord Attlee. It is important that the Government own up to the fact that this is a problem of their own making, show that they understand the issues and take action.
My Lords, the Government recognise that there is great deal of passion and genuine concern on all sides of the debate and on all sides of the House on these matters. I am obliged to the noble Baroness, Lady Hollins, for the passionate way in which she advanced her argument on these amendments, and also to the noble Earl, Lord Attlee. Casting my mind back to my limited experience in government—and limited it is—I am slightly perplexed. Usually, Government are accused of seeking to avoid issues or hard decisions and of kicking matters into the long grass by proposing an inquiry. For me, it is a novelty that the matter should be reversed in this fashion. Indeed, I note that a number of noble Lords have made the same observation in various ways in the course of this debate. For us, it is a matter of concern that we should move forward and look at how we can maintain a suitable, appropriate and respectable media for this country, but also the freedom of that media, which underpins our democracy.
It is appropriate to notice that the media landscape has changed significantly since the Leveson inquiry was set up. We have witnessed the completion of three detailed police investigations, extensive reforms to policing practice and significant changes to press self-regulation, which have moved on even further in the recent past, with the changes to IPSO. Of course, we have seen that civil remedies, civil proceedings, provide an effective route for parties, particularly in the context of litigation where conditional fee agreements are available. The Government published a consultation in November 2016 to look at whether part 2 of the Leveson inquiry was still appropriate and, indeed, proportionate and in the public interest.
I note that date, November 2016, because one noble Lord referred to the delay. I just make the point, which I have made before, that progress on that consultation was delayed because the Secretary of State was subject to an application for judicial review with respect to the consultation process. It was not a case of the Government trying to delay that process; we were really quite anxious to bring it forward. Once we were able to proceed with that consultation process, we received more than 174,000 responses. That in itself demonstrates the depth and strength of public feeling on this issue.
We are currently consulting with Sir Brian Leveson as the chair of the inquiry. Sir Brian has asked to see the results of the consultation, along with individual responses to the consultation that were submitted by core participants in the Leveson inquiry. I notice that the noble and learned Lord, Lord Falconer, observed that Sir Brian’s views need to be canvassed. I entirely agree: that is what we are in the process of doing at the present time. It is not only right that his views should be canvassed in this context, it is actually necessary. The Leveson inquiry has not been terminated; it proceeds under the Inquiries Act 2005 and it cannot be brought to an end until the Government have formally consulted Sir Brian and considered his comments with an open mind on how to proceed further. That consultation is in train. When Sir Brian has shared his formal views with us, we will look to publish the Government’s response to the consultation. It would be our intention, subject to Sir Brian’s views, to publish his response at that time as well, in order that that can be in the public domain.
Amendment 127A in the name of the noble Baroness, Lady Hollins, assumes that the existing inquiry will be brought to an end, but, as I say, that decision has not—indeed cannot—be taken at this stage. If, for example, Sir Brian produces compelling reasons for proceeding with part 2 of the inquiry in some shape or form, the Government would have to give reasonable consideration to those representations and will do so. However, we clearly do not need two public inquiries going on at the same time into the same issues: that is where we would end up, on one view of this process. We have to take events in their proper order and this amendment is plainly not in its proper order; it is plainly premature and cuts across the present statutory process that is being carried on pursuant to the Inquiries Act 2005.
However, I emphasise that the Government are determined to address the challenges of the new media landscape in which we all live—not just the obvious printed media but the digital media and the issues that turn on that. We are in the process of developing a digital charter to ensure that new technologies work for the benefit of everyone, with rules and protections in place to help keep people safe online and ensure that personal information is used appropriately. We are also working to deliver on a commitment to ensure a sustainable business model for high-quality media online. Again, that underpins freedom of expression and our democratic way of life.
These are matters of active consideration for the Government. It is in these circumstances that I emphasise that the noble Baroness’s amendment is not appropriate at the present time and would simply lead to confusion in this already difficult landscape. Let us move on: let us complete the process in which we are currently engaged; let us receive Sir Brian’s representations with regard to the consultation process; let the Government make a decision by way of their response to that consultation; let us look at it—the idea that it would not be examined in this House is almost mythical, to be perfectly candid. Of course it will come under scrutiny in this House. I would be amazed if it were simply to pass unnoticed in the night. There can be no question at all of that happening.
Turning briefly to Amendments 147 and 148, again, I recognise that these are modelled on Section 40 of the Crime and Courts Act 2013 and I recognise that Section 40, and press regulation more generally, is a matter that people have incredibly strong—and diverse and conflicting—opinions about. I understand and appreciate the work that the noble Baroness, Lady Hollins, has done in this area and I appreciate her own personal exposure to the difficulties that have emerged in the past with regard to the abuse and misuse of personal data. Again, I reassure noble Lords that the Government are firmly committed to ensuring that the sort of behaviour that led to the Leveson inquiry never happens again. We are determined to address that.
However, we cannot ignore the various concerns that have been raised regarding Section 40. I am not going to go into the issue of convention compliance or any technical issues about that; nor will I elaborate upon the point that Section 40 does, albeit by agreement between various parties, go further than the actual recommendations in Lord Justice Leveson’s original report. Again, that is why the Government have issued their consultation, which will look, among other things, at Section 40 of the 2013 Act. That matter will be addressed. As I say, the Government will publish their response to the consultation shortly. When I use a term such as “shortly” I see some rolling of eyes but let me be clear: the response to the consultation will await the opportunity for Sir Brian to make his own submissions. We will then give due consideration to those, as we will to the 174,000 responses to the consultation.
We understand the serious nature of the matter before us and it will be fully addressed but we do not believe that at this time it is appropriate to advance a provision similar to Section 40 but only in relation to data protection. There is a much wider issue at stake here and that is the issue that needs to be properly addressed and bottomed out. At the end of the day it would not be appropriate simply to carve out one provision on data protection for the purposes of this Bill in order to replicate the sorts of provisions that we see in Section 40 of the 2013 Act.
Of course we have to cast our minds to the abuses of the past but if we are going to make effective policy we have to look to the future and determine how the balance of interests is going to be achieved between the right to data protection, the right to privacy and the need to maintain a free and vibrant media and free expression. These amendments cut across the proper process that we are now following regarding part 2 of the Leveson inquiry and Section 40 of the 2013 Act. That work is ongoing. Of course we are determined to maintain that work and to bring it to a conclusion. This is not the time or the mechanism by which to try to address these issues. I fear that doing so would complicate an already complex picture. I urge noble Lords to withdraw or not move their amendments.
(6 years, 11 months ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, I turn to the new offence of reidentifying de-identified personal data. As a new clause, with no corresponding parallel in the 1998 Act, it has been a hot topic throughout the passage of the Bill and the Government welcome the insightful debates on it that took place in Committee. Those debates have influenced our thinking on aspects of the clause and I will elaborate on the amendments we have tabled in response to concerns raised by noble Lords.
By way of background, Clause162(3) and (4) provide a number of defences for circumstances where reidentification may be lawful, including where it was necessary for the prevention or detection of crime, to comply with a legal obligation, or was otherwise justified as being in the public interest. Further defences are available where the controller responsible for de-identifying the personal data, or the data subjects themselves, consented to its reidentification.
As noble Lords will recall, concerns were raised in Committee that researchers who acted in good faith to test the robustness of an organisation’s de-identification mechanisms may not be adequately protected by the defences in the current clause. Although we continue to believe that the public interest defence would be broad enough to cover this type of activity, we recognise that the perception of a gap in the law may itself be capable of creating harm. We therefore tabled Amendments 151A, 156A and 161A to fix this. These amendments introduce a new, bespoke defence for those for whom reidentification is a product of their testing of the effectiveness of the de-identification systems used by other controllers.
A number of safeguards are included to prevent abuse. I particularly draw noble Lords’ attention to the requirement to notify either the original controller or the Information Commissioner. In addition, the researcher cannot intend to cause, or threaten to cause, damage or distress to a legal person. That means, for example, that those self-styled researchers who attempt to use their discovery to extort money from either the data controller or the data subjects they have reidentified are not protected by this new defence.
We fully appreciate the importance of the work undertaken by legitimate security researchers. I assured noble Lords in Committee that it was in no way our intention to put a halt on this activity where it is done in good faith, and the amendments I am moving today make good on that commitment. On that basis, I beg to move.
My Lords, I thank the Minister. We on these Benches had considerable activity from the academic community, security researchers and so on. I am delighted that the Minister has reflected those concerns with the new amendments.
My Lords, I echo the noble Lord’s words. We also welcome these amendments. As has been said, this issue was raised by the academic community, whose primary concern was that the way the Bill had originally been phrased would make important security research illegal and weaken data protection for everyone by that process. It would also mean that good and valid research going on in our high-quality institutions might be at risk.
I do not in any sense want to question the amendments’ approach, but I have been in further correspondence with academics who have asked us to make a few points. I am looking for a sense that the issues raised are being dealt with. Either a letter or a confirmation that these will be picked up later in the process of the Bill is all that is necessary.
First, it is fairly common-sense to say that companies probably would not be very happy if a researcher picks up that they are not doing what they say on the tin—in other words, if their claim that their data has been anonymised turns out not to be the case. Therefore, proposed new subsection (2)(b) may well be used against researchers to threaten or shut down their work. The wording refers to “distress” that might be caused, but,
“without intending to cause, or threaten to cause, damage or distress to a person”,
seems a particularly weak formulation. If it is only a question of distress, I could be distressed by something quite different from what might distress the noble Lord, who may be more robust about such matters. I think that is a point to take away.
Secondly, we still do not have, despite the way the Minister introduced the amendment, definitions in the Bill that will work in law. “Re-identification”, which is used in the description and is part of the argument around it, is still not defined. Therefore, in proposed new Clause 161A(3), as mentioned by the noble Lord who introduced the amendment, the person who,
“notified the Commissioner or the controller responsible for de-identifying the personal data about the re-identification”,
has to do this,
“without undue delay, and … where feasible, not later than 72 hours after becoming aware of it”.
That is a very tight timetable. Again, I wonder if there might be a bit more elasticity around that. It does say “where feasible”, but it puts rather tight cordon around that.
We are trying to make it safe for researchers and data scientists to report improperly de-identified data, but in the present arrangements the responsibility for doing all this lies with the researcher. We are asking a researcher to go to court, perhaps, and defend themselves, including arguing that they have satisfied Clause 162(2)(a) and (b) and Clause 162(3)(a), (b) and (c), which is a fairly high burden. All in all, we just wonder whether how this has been framed does the trick satisfactorily. I would be grateful for further correspondence with the Minister on this point.
Finally, there is nothing in this amendment about industry. It may not be necessary but it raises a question that has been picked up by a couple of people who have corresponded with us. The burden, again, is on the researcher. Is there not also a need to try to inculcate a culture of transparency in the anonymisation processes which are being carried out in industry? In other words, if there is a duty on researchers to behave properly and do certain things at a certain time, should there not also be a parallel responsibility, for example, on companies to properly and transparently anonymise the data? If there is no duty for them to do it properly, what is in it for them? It may well be that that is just a natural aspect of the work they are doing, but maybe the Government should reflect on whether they are leaving this a little one-sided. I put that to the Minister and hope to get a response in due course.
I thank the noble Lord, Lord Clement-Jones, for his support on this. I accept that there may be things to look at that the noble Lord, Lord Stevenson, has mentioned. It is better to consider those things properly rather than give an answer off the top of my head at the Dispatch Box. I certainly commit to taking those points back and having a look at them. It may be that, when we correspond, something can take place in another place. In the meantime, I beg to move.
My Lords, I too want to speak to this amendment, to which I have added my name, and I acknowledge and welcome the support of the Information Commissioner on this issue. I support the collective redress of adults but I specifically want to support the noble Lord, Lord Stevenson, on this question of children.
At Second Reading and again in Committee I raised the problem of expecting a data subject who is a child to act on their own behalf. Paragraph (b) of proposed new subsection (4B) stipulates that,
“in the case of a class consisting of or including children under the age of 18, an individual may bring proceedings as a representative of the class whether or not the individual’ s own rights have been infringed".
This is an important point about the right of a child to have an advocate who may be separate from that child and whose own rights have not been abused. Children cannot take on the stress and responsibility of representing themselves and should not be expected to do so, nor should they be expected to police data compliance. Children whose data is processed unlawfully or who suffer a data breach may be unaware that something mischievous, harmful or simply incorrect has been attached to their digital identity. We know that data is not a static or benign thing and that assumptions are made on what is already captured to predict future outcomes. It creates the potential for those assumptions to act as a sort of lead boot to a child’s progress. We have to make sure that children are not left unprotected because they do not have the maturity or circumstances to protect themselves.
As the noble Lord, Lord Stevenson, said, earlier this evening, the age-appropriate design code was formally adopted as part of this Bill. It is an important and welcome step, and I thank the Minister and the new Secretary of State Matt Hancock, whose appointment I warmly welcome, for their contribution to making that happen. Children’s rights have been recognised in the Bill, but rights are not meaningful unless they can be enacted. Children make up nearly one-third of all users worldwide, but rarely do they or the vast majority of their parents have the skills necessary to access data protection.
The amendment would ensure that data controllers worked to a higher standard of data security when dealing with children’s data in the first place. Rather than feeling that the risk of a child bringing a complaint was vanishingly low, they would know that those of us who advocate for and protect the rights of children were able to make sure that their data was treated with the care, security and respect that we all believe it deserves.
My Lords, I am very grateful to noble Lords for their comments. Although I have to say at the outset that we have some reservations about these amendments, I think we might be able to find a way forward this evening. I have listened to the noble Lords, Lord Stevenson and Lord Clement-Jones, and taken their remarks on board, but I have especially listened to the noble Baroness, Lady Kidron, who spoke about children. We have some experience of her input in this Bill. I obviously take a lot of notice of what the noble Lords, Lord Stevenson and Lord Clement-Jones, say but, as you know, familiarity and all that, so I have certainly listened especially to the noble Baroness, Lady Kidron.
The Government are sympathetic to the idea of facilitating greater private enforcement, but we continue to believe that the Bill as drafted provides significant and sufficient recourse for data subjects. In our view, there is no need to invoke article 80(2) of the GDPR, with all the risks and potential pitfalls that that entails. To recap, the GDPR provides for, and the Bill allows, data subjects to mandate a suitable non-profit organisation to represent their interests following a purported infringement. The power will, in other words, be in their hands. They will have control over which organisation is best placed to represent their interests, what action to take and what remedy to seek. The GDPR also places robust obligations on the data controller to notify the data subject if there has been a breach which is likely to result in a high risk to the data subject’s rights and freedoms. This is almost unprecedented and quite different from, say, consumer law where compulsory notification of customers is rarely proportionate or achievable.
These are very significant developments from the 1998 Act and augment a rapidly growing list of enforcement options available to data subjects. That list already includes existing provisions for collective redress, such as group litigation orders, which were used so effectively in the recent Morrisons data breach case, and the ability for individuals and organisations to independently complain to the Information Commissioner where they have concerns about how personal data is being processed.
What these initiatives have in common is that they, like the GDPR as a whole, seek to empower data subjects and ensure they receive the information they need to enforce their own data rights. By comparison, Amendments 175 and 175A would go much further. I stress that, as I have already said, we are not against greater private enforcement, and I have borne in mind the points the noble Baroness made about children. We also have reservations about the drafting and purpose of these amendments, all of which I could of course go through at length, if the House wishes, but in view of what I am about to say, I hope that will not be necessary.
Since Committee, the Government have reflected on the principles at stake here and agree it would be reasonable for a review to be undertaken, two years after Royal Assent, of the effectiveness of Clause 173 as it is currently drafted. The Government are fully prepared to look again at the issue of article 80(2) in the context of that review. We are serious about this. We will therefore amend the Bill in the other place to provide for such a review and to provide the power for the Government to implement its conclusions.
In view of that, I would be very grateful if the noble Lord will withdraw his amendment this evening and other noble Lords do not press theirs.
Before the Minister sits down, can I get absolute reassurance from him that this is not pushing it into the future, where it will languish? Will the Government be looking to this review to actually solve the problem that we have put forward on behalf of children?
It absolutely will not and cannot languish, because we are going to put in the Bill—so on a statutory basis—that this has to be reviewed in two years. It will not languish. As I said, if we were just going to kick it into the long grass, I would not have said what I just said, which everyone can read. We would not have put it in the Bill and made the commitments we have made tonight.
My Lords, I thank the Minister for his response and am only sorry that I, rather than the noble Lord, Lord Stevenson, have the privilege of responding. The Minister came back, I thought, very helpfully. The noble Baroness, Lady Kidron, made a superb case for these rights to be implemented earlier rather than later. If we are creating all those new rights for children under the Bill, as she says, we must have a mechanism to enforce them. I believe the Minister said that the review would be two years after the Bill comes into effect. I hope that that is an absolute—
Let us hope that that is treated as an important timetable. I was interested that the Minister expressed his sympathy—I know that that was genuine—but then went on to talk about risks and pitfalls, and very significant developments, which all sounded a bit timid. I understand that we are in relatively novel territory, but it sounded rather timid in the circumstances, especially where the rights of children are concerned.
One point the Minister did come back on was group litigation orders. Class actions are very different from the kinds of representative action that we are talking about under these amendments. For example, they would be anonymous and the consent of the data subject would not have had to be acquired, unlike with a class action. They are very different, which is worth pointing out. There are some egregious issues in terms of the use of people’s data—the Equifax case, Uber, and so on. We need to remind ourselves that these are really important data breaches and there need to be remedies available. We, on this side of the House, and those on the Benches of the noble Baroness, Lady Kidron, will be vigilant on this aspect.
The one area of clarification that I did not receive from the Minister was whether this would apply to processing of personal data that was not under the GDPR. Will it be under the applied GDPR, and would that apply?
I think it applies to the whole thing, but if I am wrong, I will certainly write to everyone who is here.
The noble Lord may be right but, of course, it is equally very rare that we turn down an affirmative order.
My Lords, I am grateful to all those who have participated. I take on board what the noble Lord, Lord Clement-Jones, said about our brief debate on the final day in Committee, so we can do a bit tonight. I hope that by the end I will be able to convince noble Lords that this is not quite as sinister as has been made out. I am going to duck, if I may, the argument about the affirmative procedure and whether it should be amendable, particularly given other Bills that are coming before this House soon. After all, I was only reappointed yesterday.
It is helpful to have this opportunity to further set out the purpose and operation of Clauses 175 to 178 and, in doing so, explain why the amendments in this group are unnecessary—except, of course, the government amendments. As noble Lords will now be aware, the Bill creates a comprehensive and modern scheme for data protection in the UK. No one is above the law, including the Government. That partly answers the point made by the noble Lord, Lord Clement-Jones. The Secretary of State cannot do whatever she or he wants because they are subject to the GDPR and the Bill, like everyone else. When I go further and explain the relationship between this framework and the ICO’s guidance, if it is issued, I hope that will further reassure noble Lords.
While we are on this subject, the reason the Bill uses the term “framework” is that it uses the term “code of practice” to refer to a number of documents produced by the Information Commissioner. As this document will be produced by the Government, we felt that it would be clearer not to use that term in this case. It is purely a question of naming conventions—nothing significant at all.
Inherent in the execution of the Government’s functions is a requirement to process significant volumes of personal data, whether in issuing a passport or providing information on vulnerable persons to the social services departments of local authorities. The Government recognise the strong public interest in understanding better how they process that data. The framework is therefore intended to set out the principles and processes that the Government must have regard to when processing personal data. Government departments will be required to have regard to the framework when processing personal data. This is not a novel concept. Across the country, organisations and businesses produce guidance on data processing that addresses the specific circumstances relevant to them or the sector in which they operate. This sector, or organisation-specific guidance, coexists with the overarching guidance provided by the Information Commissioner.
This framework adopts a similar approach; it is the Government producing guidance on their own processing of data. The Information Commissioner was consulted during the preparation of these clauses and will be consulted during the preparation of the framework itself to ensure that the framework complements the commissioner’s high-level national guidance when setting out more detailed provision for government.
My Lords, the Minister said that the Information Commissioner was consulted, but what was her view? Can the Minister put on record what the Information Commissioner’s view about the final architecture was? She has made it fairly clear to us that this is not satisfactory, as far as she is concerned.
When I said that she was consulted, I said what I meant. This is one of the few areas in the whole Bill, I think, where we do not have complete agreement with the Information Commissioner. I think that she is worried about complications regarding independence and the extent of her authority in this. I am not pretending that she is completely happy with this, but I hope that I will address how the two interlink and we can come back to this if the noble Lord wants. I acknowledge his point that she is not completely happy with this but, as I said before, it is one of the few areas in the whole Bill where that is the case. Certainly, we have a very good relationship with the Information Commissioner, as evidenced earlier this evening by her agreement on pay and flexibility. Importantly though, whatever she thinks of it, she will be consulted during the preparation of the framework itself to ensure that it complements the commissioner’s high-level national guidance when setting out more detailed provision for the Government.
As I explained in Committee, the Government’s view is that the framework will serve to further improve the transparency and clarity of existing government data processing. The Government can and should lead by example on data protection. Amendment 176 is designed to address concerns about the potential for confusion if the framework is produced by the Government, I respectfully suggest that these concerns are misplaced. The Secretary of State’s framework will set out principles for the specific context of data processing by government. It will, as I have set out, complement rather than supplant the commissioner’s statutory codes of practice and guidance, which will, by necessity, be high level and general as they will apply to any number of sectors and organisations.
Requiring the commissioner to dedicate time and resources to producing guidance specifically for the Government, as the noble Lord’s amendment would require, would hardly seem to the best use of her resources. Just like a sectoral representative body, it is the Government who have the experience and knowledge to devise a framework that speaks to their own context in more specific terms.
I am sorry to keep interrupting the Minister, but is he therefore saying that the frameworks cover government and that the ICO’s codes of practice cover government as well?
Absolutely. The framework exists like other sectoral guidance that is produced, under the overarching guidance produced by the Information Commissioner. In a minute I will provide further reassurance on how the two interlink.
As I have already set out, the Government will consult the commissioner in preparing the framework. Importantly, she is free to disregard the Government’s framework wherever she considers it irrelevant or to disagree with its contents.
I know that we should not be intervening like this on Report, but the phrasing that the Minister just used is of interest—to the noble Lord, Lord Clement-Jones, as well, I think. What does “irrelevant” mean? Can the Minister unpick that a little? Either the Secretary of State has the power to do something, or not. If that power is conditional on the ICO having given broad agreement to it, under what conditions can the ICO intervene? Can it be because the commissioner regards it as irrelevant? What does that mean?
I think it means that, if the Information Commissioner were considering the case of a data breach committed by the Government, she would normally take the framework into account, as she would take into account the guidance that other sectors produce. If, however, there were circumstances in which she did not consider that it was relevant for her investigation into whether the law had been broken, given that she is the enforcer of the law, she would be free to disregard it. The words “must take into account” mean that she is not bound by the provision but has to take it into account. She is, after all, the regulator who sits above all data processors.
I reiterate that the guidance will provide reassurance to data subjects about the approach the Government take to processing data and the procedures that they follow when doing so. It will help further strengthen the Government’s compliance with the principles of the GDPR.
Amendments 177 and 178, in the name of the noble Lord, Lord Clement-Jones, concern the process for making the guidance. The guidance may be revised if Parliament does not approve it or if it needs adjustment to be compatible with international obligations. It would be odd and irresponsible to abandon the problem these clauses are trying to resolve if Parliament does not approve the guidance. A revised version should be prepared. Similarly, data protection rules are often international in nature and indeed this Bill is based on three international instruments, so revising the guidance to maintain compatibility must be the sensible approach.
Amendments 179 and 180 seek to limit the effect of the guidance. Persons must have regard to the guidance but there may be good reasons why processing data in a particular set of circumstances can lawfully be conducted in a manner outside the guidance. As long as regard has been had to the guidance but good reasons for departing from it or for its non-applicability have been established, it is perfectly proper and within the norm of usual public law principles to do so. Clause 178 ensures that those principles are enforced.
In our view, the existence of a framework in no way impinges upon the commissioner’s independence. Clause 178(5) simply requires the commissioner to take a provision in the Government’s framework into account if it appears to her to be relevant to the matter in hand. For example, if the commissioner were to investigate a data breach by a government department, she may consider it relevant to consider whether or not that department had applied the principles set out in the framework. It is standard practice for the Information Commissioner to take into account relevant sectoral guidance when examining issues related to the processing of personal data by a particular sector. Clause 178(5) simply reflects that practice. Furthermore, nothing in Clause 178(5) constrains the Information Commissioner in any way. She is free to disregard the Government’s framework wherever she considers it irrelevant or to disagree with its contents, as I said.
Government Amendments 184A and 184B are technical amendments and are similarly designed to assist with the Government’s compliance with the GDPR. Most bodies falling within the Bill’s definition of government departments are Crown bodies. Such bodies cannot contract with each other as the Crown cannot contract with itself. This constitutional quirk means that the usual GDPR requirement that controllers and processors must have a contractual relationship is impossible to satisfy where one department is processing on behalf of another. These amendments resolve this situation by allowing departments to enter into a memorandum of understanding between each other instead and remain GDPR-compliant.
On the basis of my comments, I hope that the noble Lord will feel able to withdraw his amendment and support the government amendments in this group.
I thank the Minister very much indeed for his very full response. I will read it carefully in Hansard but at this stage, although it is a rather complicated issue, I understand where he is coming from and I think we can probably let it rest at this point. If there is anything else, I will write to him rather than prolong the discussion today.
I opined that negative resolutions were rarely voted down and cited 1940 as the last occasion that that happened, but I was wrong. Some 40 years ago on 24 October 1979, the Paraffin (Maximum Retail Prices) (Revocation) Order 1979 was defeated late at night during what appears to have been rather unsavoury activity by members of the Labour Party who hid in cupboards and things and then jumped out. Mr Hamish Gray, whom Members may recall, was unable to sustain the standing order and it had to be brought back later on—it was all very complicated and Hansard is wonderful about it. I beg leave to withdraw the amendment.
My Lords, we are at the last knockings on most of the Bill. It is rather ironic that one of the most important concepts that we need to establish is a new data ethics body—a new stewardship body—called for by the Government in their manifesto, by the Royal Society, by the British Academy and by many others. Many of those who gave evidence to our Select Committee want to see an overarching body of the kind that is set out, and with a code of ethics to go with it. We all heard what the Minister had to say last time; we hope that he can perhaps give us more of an update on the work being carried out in this area.
This should not be and I do not think it will be a matter of party contention; I think there will be a great deal of consensus on the need to have this kind of body, not just for the narrow field of data protection and the use of data but generally, for the wider application in the whole field, whether it is the internet of things or artificial intelligence, and so on. There is therefore a desire to see progress in fairly short order in this kind of area. One of the reasons for that is precisely because of the power of the tech majors. We want to see a much more muscular approach to the use of data by those tech majors. It is coming down the track in all sorts of different varieties. We have seen it in debates in this House; no doubt there will be a discussion tomorrow about social media platforms and their use of news and content and so on. This is therefore a live issue, and I very much hope that the Minister will be able to tell us that the new Secretary of State is dynamically taking this forward as one of the top items on his agenda.
My Lords, I can certainly confirm that the new Secretary of State is dynamic. In this group we are in danger of violently agreeing with each other. There is a definite consensus on the need for this; whether there will be consensus on the results is another matter. I agree with the analysis given by the noble Lord, Lord Stevenson, that the trouble is that to get this into the Bill, we have to concentrate on data. As the noble Lord, Lord Clement-Jones, outlined, many other things need to be included in this grouping, not least artificial intelligence.
I will briefly outline what we would like to do. For the record, we understand that the use of data and the data-enabled technologies is transforming our society at unprecedented speed. We should expect artificial intelligence and machine learning to inform ever more aspects of our life in increasingly important ways. These new advances have the potential to deliver enormous benefits to society and the economy but, as we are made aware on a daily basis—like the noble Lord, Lord Clement-Jones, I am sure that this will be raised tomorrow in the debate that we are all looking forward to on social media—they are also raising a host of new and profoundly important challenges that we need to consider. One of those challenges, and the focus of this Bill, is protecting people’s personal data—ensuring that it is collected, retained and used appropriately. However, the other challenges and opportunities raised by these technologies go far beyond that, and there are many examples that I could give.
Therefore, in the Autumn Budget the Government announced their intention to create a centre for data ethics and innovation to maximise the benefits of AI and data technologies to society and the economy, and to help identify and address the ethical challenges that they pose. The centre will advise the Government and regulators on how they can strengthen and improve the way that data and artificial intelligence are governed. It will also support the effective, innovative and ethical use of data and artificial intelligence so that we maximise the positive impact that these technologies can have on our economy and society.
We are in the process of working up the centre’s terms of reference in more detail and will consult on this soon. The issues it will consider are pressing, and we intend to set it up in an interim form as soon as possible, in parallel to this consultation. However, I fully share the noble Lord’s view that the centre, whatever its precise form, should be placed on a statutory footing, and I can commit that we will bring forward appropriate legislation to do so at the earliest opportunity. I accept the reasoning from the noble Lord, Lord Stevenson, on why this is not the appropriate place due to the limitations of this Bill, and I therefore hope that he will be able to withdraw his amendment.
I am very grateful to the Minister for that response. That is probably the right way forward, and I beg leave to withdraw the amendment.
“the made affirmative resolution procedure | section 169” |
(6 years, 11 months ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
My Lords, when we debated the right to data protection on Report, the House decided to opt for a declaratory statement, as opposed to the creation of a new right enshrining Article 8 of the European Charter of Fundamental Rights into UK law. In that debate, my noble friend Lord Ashton committed to consider further a number of points made by noble Lords, in particular the suggestions of the noble Lord, Lord Pannick.
Government Amendments 1 and 2 are the result of our further consideration of this matter. Amendment 1 concerns fairness. Data must be processed fairly. We previously took the view that this is clear and does not need repeating. The requirement for processing to be fair can be found in article 5(1)(a) of the GDPR and Clause 35(1) of the Bill. None the less, Clause 2 is entirely declaratory and, if it helps understanding, there is little to object to in this repetition, and our amendment inserts a reference to fairness.
Amendment 2 concerns the right to rectification. The right to rectification is in article 16 of the GDPR, which will soon be part of our domestic law. It is also found in Clause 46 of the Bill. As with the previous amendment, if it helps, we have no objection to covering this matter, and the amendment inserts the reference.
The data subject rights and the controller-processor obligations set out in the Bill are subject to specific limitations, restrictions and exemptions and in this clause and these amendments to the clause we do not change that, but hope that these amendments add to the value the declaratory clause has, as we previously agreed.
It was suggested to us on Report that we should also add reference to “proportionality”. I am grateful to the noble Lord, Lord Pannick, for taking the time to discuss this with me, and to the noble Lord, Lord Stevenson, who has also had several conversations with my noble friend Lord Ashton as well as the Bill team. I am sure that the noble Lord, Lord Stevenson, will speak more fully on this point in the context of his Amendment 3 but it may help the House if I say a few words on this now.
The GDPR takes effect in May and will be part of domestic law when we leave the European Union. There are 26 references to proportionality in the GDPR. In resisting this amendment we are not saying that proportionality is irrelevant or a concept we are avoiding, but we cannot simply say that the restriction of personal data rights must be proportionate. That oversimplifies a complex issue with unintended consequences. I will sit down but I will return to this once the noble Lord has spoken to his amendment.
My Lords, I have signed up to Amendments 1 and 2 in the name of the noble Lord, Lord Ashton of Hyde, and do so in support of the position that we reached after considerable discussion and debate. The noble and learned Lord, Lord Keen, mentioned a few of the occasions on which we discussed these matters but did not refer to—perhaps it would be embarrassing to do so—the flurry of paper that accompanied those discussions, when drafts were traded back and forth as if they were some bitcoin or equivalent, and people snapped at them in excitement and feverishly opened emails when a new draft appeared. That is not overstating the case.
I jest slightly but stress that, as noble Lords will be aware, this issue was raised on day one of Committee. That signified a sense on our side of the House that this matter was so important that it needed to be addressed early on in the Bill. We have moved our position considerably during the discussions; we were wise to listen to the voices raised at that time. I look at no one in particular but the general voice to which we listened was that more time was needed to think through the implications of this amendment and try to come to an appropriate conclusion on it. That time has been well spent. We have looked at various ways of doing what we set out to do, we have thought hard about the Government’s response, and we have been happy to have meetings and discussions and, as I said, we traded possible options. The conclusion we reached—in keeping with the main thrust of the Bill, which has a large amount of detail in it that is of a signposting nature so that those who read it understand correctly where the source documentation and source principles can be found—was that it would be appropriate to have at the head of the Bill a statement around the basic rights which personal data processing involves and for which the protection and privacy issues are so important.
Therefore, in support of both the original amendment placed by the Government on Report, which was voted in after debate and discussion, and in full support of the amendments to that, which would include “fairly” and,
“and to require inaccurate personal data to be rectified”,
we are happy to sign up and support this amendment today. However, as the Minister said, a couple of other issues were raised in the context of those debates, one of which is this question of proportionality. He has given a sense of why the Government have resisted our approach, and I will spend a couple of minutes just to make sure that we have explored this properly in the context of this Third Reading.
The point about proportionality is that it can, as I think he has argued and will argue again, be brought into the very drafting of the Bill. It is suffused throughout the GDPR and exists alongside a number of other documents to which we will still be bound, both while we are in the EU and should we leave, in the light of current legislation that is going through the other place and is soon to come to this House. It is therefore possible to argue—I hope that the Minister will reflect a little on that when he speaks again—that proportionality is a matter of fact to be determined by the readings that one makes of the Bills that pass through this House. I am sure that there is a better way to express that in legal language but that is the sensibility I take from it.
However, the point made by the noble Lord, Lord Pannick, which is reflected in our amendment, is that at times in the future adjustments may be made as a result of changes in legislation itself or perhaps because of judgments made by courts that hear data protection cases, and that other strands of thinking, points and issues may come to bear on the relationship which an individual subject has to the data controller and on the relationship which the whole has to the law. In that sense, Amendment 3 in my name is an attempt to try to add to the present signposting amendment—that is all it is trying to do—that proportionality is not just fixed as of today’s date or the date the Bill receives Royal Assent but that it is to be brought forward on all fours with the Bill and the Act as that Act progresses. On Report the noble Lord, Lord Pannick, observed that Her Majesty’s Government’s amendment on Report made no mention of the principle of proportionality, despite it being an important element of the European Charter of Fundamental Rights, and noted that it featured in the wording we are putting forward. The response “We don’t need to do this because it is already well cooked into the Bill, the GDPR and the applied GDPR” may not take into account the issue I have been raising, which is about what will happen in the future. If the Minister can reassure us on that point, I would have little difficulty in not pressing the amendment, but at the moment I would like to hear his comments before I respond.
My Lords, I take this opportunity to further reassure noble Lords that proportionality is a concept that has a continuing role in the Bill. Not only will the obligations in the GDPR carry over to domestic law but they will continue to apply to the Government. If Ministers are minded to use the powers in Clauses 10 or 16, for example, that allow new processing conditions or exemptions to be created in the future, they will need to continue to be proportionate. Further, the courts will continue to apply a proportionality test where appropriate. The Human Rights Act ensures that any public body must act compatibly with the convention, and as data protection is within Article 8 —the right to privacy—the public authority must act proportionately.
Clause 6 of the EU withdrawal Bill has the effect that any question as to the validity, meaning or effect of any retained EU law, including the GDPR, is to be decided, where relevant, in accordance with any retained case law and any retained general principles of EU law. Proportionality is one of those retained principles, so it will live on for as long as this legislation is in force.
Indeed, leaving the EU will not shake proportionality out of our legal system—it has worked its way into public law. Any public body acting disproportionately must be at risk of being challenged. Whenever any public body acts, it must act compatibly with the convention rights. Where qualified rights are concerned, such as Article 8 of the convention, which has been held to encompass personal data protection, there exists a requirement for that action to be a proportionate means of achieving a legitimate aim. So to that extent it is implicit that the Executive as well as data controllers must act in a proportionate manner. With that explanation, I invite the noble Lord, Lord Stevenson, not to press his Amendment 3.
My Lords, I do not wish to detain the House. I thank the noble Baroness for raising the point; clarity is always important, as we have learned, and she is right to put her finger on it. However, the point made by the noble Lord, Lord Paddick, is correct.
We run the risk in this Bill of pouring fuel on an already raging fire: the more we try to focus on children as a group, the more we demonise and make difficult the Bill’s attempts—through an amendment we all supported on Report—to raise our sights and find a way of expressing how all people are dealt with in terms of internet access, with particular reference to those with developmental or other support needs to whom the word “child” could well be applied. But that does not mean that we want the more generic approach to fail because it did not mention vulnerable adults, the elderly who may be struggling with internet issues, those with special needs or others. These groups all need to be considered in the right way, and I am sure that, in time, “age appropriate” may not be the most appropriate way of dealing with it. It does get us to a particular point, however. It was a historic decision that we took on Report to do it this way, but we need to have an eye on the much wider case for a better understanding of under what conditions and with what impact those of us who wish to use the internet can do so safely and securely.
My Lords, I feel confident that I will be able to reassure the noble Baroness and other noble Lords who have spoken this afternoon.
Child online safety is an issue close to the heart of the noble Baroness, Lady Howe, and everyone in this House. It is right that children in the UK should be granted a robust data regime so that they can access online services in a way that meets their age and development needs. It was with this goal in mind that the Government, with a great deal of support from a number of Peers from all sides of the House, led by the noble Baroness, Lady Kidron, agreed and supported her amendment. It introduced a requirement on the Information Commissioner to prepare an age-appropriate design code. This amendment was the product of many hours of discussion and days of drafting and redrafting, and I am glad that it was accepted with no dissenting voices in this House. The code will contain guidance on standards of age-appropriate design for relevant online services which are likely to be accessed by children.
The aim of Amendment 4, as explained by the noble Baroness, is to add a definition to the age-appropriate design code to define “children” as those under the age of 18. We are determined to ensure that children of different ages are able to access online services in a way that is safe and takes into account their different needs. For that reason, we included in Clause 124(4) a requirement that the commissioner must have regard to the fact that children have different needs at different ages, and in Clause 124 (4)(b) that the commissioner must have regard to the United Kingdom’s obligations under the United Nations Convention on the Rights of the Child. So I maintain that it is explicitly included in the Bill.
Article 1 of the United Nations Convention on the Rights of the Child defines children as,
“every human being below the age of eighteen years unless under the law applicable to the child, majority is attained earlier”.
As such, the existing age-appropriate design code, which requires the commissioner to have regard to the convention, already addresses the point that the proposed amendment is making.
Article 2 of the convention obliges state parties to respect and ensure the rights in the convention to each child—all those under 18. By requiring the commissioner to have regard to the convention, Clause 124 ensures that in order to comply with the requirements for the code on age-appropriate design, children up to 18 would need to be considered. Therefore, the existing age-appropriate design code already ensures that the commissioner must have regard to the different needs and rights of children under the age of 18, and as a result this amendment is not necessary.
Not only is the amendment unnecessary, it is potentially unhelpful. One of the key features of the existing age-appropriate design code is that it recognises that children have different needs at different ages. The proposed amendment risks undermining this important point by presenting children as a homogenous group. The needs of a child aged 17 are very different from the needs of a child aged 10 and it is right that the requirements of the age-appropriate design code reflect that.
The noble Baroness asked—the noble Baroness, Lady Kidron, also alluded to this—whether the Bill is consistent in its approach to children. As I said, children are human beings under the age of 18. That is the consistent approach we are taking on this legislation. But the Bill works in tandem with the GDPR and we cannot amend the GDPR. Nor does the GDPR allow member states to come up with their own definitions, so we interpret the GDPR as adopting the definitions from the UN Convention on the Rights of the Child.
There are of course differences between young children and older children, and the provision needs to be age appropriate. A child who is 12 years old may consent to having their data processed in the offline world. Clause 201 ensures that is consistent in Scotland as well as England and Wales. A child who is 13 years old may consent to having their data processed online. That is provided by Clause 9. Any website or app maker providing services for children—meaning everyone under 18—will have the benefit of the code of practice on age-appropriate design provided by Clause 124. Of course, the law generally makes different provision for older children and for young children—for example, the age of sexual activity, marriage and serving in the Armed Forces.
There is a risk that the proposed amendment to the clause on age-appropriate design could also have serious unintended consequences. The Data Protection Bill contains numerous references to “children”. We cannot agree to an amendment that could have implications for issues elsewhere in the Bill.
Finally, it is worth emphasising that the existing wording of the age-appropriate design code is completely consistent with the wording of the general data protection regulation, which itself does not define children. I hope I have reassured the noble Baroness and as a result she feels able to withdraw her amendment at this late stage of the Bill.
My Lords, I turn now to an issue that is pertinent to us all: parliamentary privilege. I am sure that noble Lords will agree that it is paramount that both this House and the other place continue to be safeguarded in their processing of personal data in connection with parliamentary proceedings.
This issue was raised in previous debates by the noble and learned Lord, Lord Brown of Eaton-under-Heywood, to whom I am very grateful. Those debates influenced our thinking on how the Bill currently provides for parliamentary activity, and I am pleased to announce that the amendments in this group have been tabled to ensure that privileges under the current law will not disappear when we enter the new data protection framework.
I will start with Amendments 5 to 8. Amendments 5 to 7 restrict information, assessment and enforcement notices served by the commissioner from requiring a person to comply with the notice if compliance would involve infringing the privileges of either House of Parliament. Put simply, the commissioner’s notices are “switched off” where there would be an infringement of parliamentary privilege. Amendment 8 prevents the commissioner giving the House a penalty notice with respect to the processing of personal data by or on behalf of the House. These amendments have been tabled to ensure that parliamentary proceedings will not be impeded by the commissioner and that Parliament will maintain the freedom to do its work that it currently enjoys.
Amendments 9 to 13 relate to criminal liability and seek to prevent corporate officers of either House of Parliament being liable to prosecution as a data controller. This is the current position in the Data Protection Act 1998, and our amendments seek to clarify the Government’s intention to maintain the effect of Section 63A of the 1998 Act. The amendments also make equivalent provision for government departments and data controllers for the Royal Household. It should be noted, however, that these provisions do not prevent corporate officers being liable for their own conduct when acting as data controllers on behalf of either House, for government departments or for the Royal Household. This maintains the current position, and we believe that it is an important safeguard that allows full parliamentary privilege while balancing the rights of data subjects.
Amendments 14 and 15 revert to the current position under the Data Protection Act 1998 in relation to the processing that is necessary for the functions of the Houses of Parliament or for the administration of justice by removing the additional “substantial public interest” test. On reflection, we could not see how such processing would not be in the substantial public interest, so the test appeared redundant. On that basis, the Houses of Parliament will have to consider simply whether processing is necessary for the purposes of their functions, as is the position now.
Amendments 20 and 21 make a corresponding amendment to Schedule 8, where processing is necessary for the administration of justice under the provisions in Part 3 for law-enforcement processing, to maintain a consistent approach across the Bill.
Amendment 18 is to Schedule 2 and extends the exemptions from the GDPR relating to parliamentary privilege to include an exemption from article 34(1) and article 34(4) of the GDPR. Article 34 requires controllers to communicate a personal data breach to the data subject where the breach is likely to result in a high risk to the rights and freedoms of the subject. The amendment excludes this requirement from applying to parliamentary proceedings and also restricts the ability of the commissioner to oblige either House to comply with it.
I hope that the House will agree that these amendments, taken as a package, will ensure that there will be no chilling effect on the functions of Parliament and will restore the regime that applies under the Data Protection Act 1998. It has the approval of the House authorities. I beg to move.
My Lords, I strongly support this group of amendments, perhaps unsurprisingly given that they have now been brought forward in place of a series of broadly similar amendments which, as the Minister has mentioned, I tabled on Report. They achieve the same basic objective, which is to safeguard parliamentary privilege and thereby ensure that this House, along with the other place, can continue to go about its business and fulfil its vital constitutional role without inappropriate inhibitions and concerns with regard to the protection of data and privacy, which of course the Bill as a whole is rightly designed to protect.
As I made plain on Report, I was prompted to table the original amendments by and on behalf of the officials of both Houses, that is to say, the clerks and counsel, because of their concern about how, unamended as it then was, the Bill risked infringing parliamentary privilege in the various ways that the Minister has recounted. These concerns were raised and over recent months they have been discussed extensively between officials and the Bill team. Again I express my gratitude and pay tribute to the Bill team for its hugely constructive help and co-operation throughout. As now formulated, these amendments substantially and realistically meet the concerns of officials, and accordingly I welcome them.
I too thank the noble and learned Lord, Lord Brown of Eaton-under-Heywood, for his stalwart work in bringing forward these important amendments. What he did not say but we should also recognise is that on a couple of occasions he had to stay late in order to do that, I am sure far beyond his normal bedtime.
Unfortunately, squeezed out in the second group of amendments which I also supported but which did not find favour with the Government, was an effort to try to retain the current arrangements under which noble Lords of this House who wish to speak about individual cases would be able to do so on the basis that they would be treated as elected representatives. That did not win the support of the Government and therefore will be left to the other place, which I am sure will immediately seize on it and see the injustice reversed. In due course it will come back to us. With that, I support the amendment.
My Lords, I am grateful for most of the comments. It is a pity that the noble Lord, Lord Stevenson, had to bring up the one bit that did not quite go through, but as he says, I am sure that we can rely on the other place.
My Lords, I am very pleased to be able to set out the Government’s reasoning in tabling this group of amendments in response to valid concerns from the insurance industry. There are three amendments in the group; one technical matter and two addressing processing for insurance purposes. Regarding Amendments 16 and 17, I am grateful to the noble Earl, Lord Kinnoull, and the noble Lord, Lord Clement-Jones, for raising the challenges facing the insurance industry in previous stages of the Bill’s progress through the House and in discussions with me and my officials.
The Government recognise the fundamental importance of insurance products. They are vital to the public at large, who rely on insurance daily to protect them from financial loss due to an unfortunate emergency, accident or other unforeseen event. The industry is an important sector in the economy. On Report, we made clear our intention to propose an amendment addressing the noble Lords’ concerns at Third Reading. These amendments make good on that promise. Amendment 16 therefore replaces the three narrow conditions currently included in Schedule 1 with a single, more holistic condition permitting the processing of certain types of special category data where it is necessary for an insurance purpose.
There is a need to balance such processing with appropriate safeguards, and Amendment 16 provides these. First, as I have just said, processing must be necessary for a defined insurance purpose. For example, this condition will not be met if the organisation could achieve the purpose by some other reasonable means that did not require the processing of special categories of data, or if the processing was necessary only because the organisation has decided to operate its business in a particular way.
Secondly, processing must be necessary for reasons of substantial public interest. We consider that ensuring the availability of insurance at a reasonable cost to members of the public through risk-based pricing, the ability to detect and investigate fraudulent claims and the efficient administration and payment of insurance claims are matters of substantial public interest. Nevertheless, as this processing condition for insurance purposes is drawn more widely than those previously included in the Bill, we consider it reasonable to ask data controllers to consider whether, in respect of a particular processing activity they propose to undertake, it is necessary for a purpose that is in the substantial public interest.
Thirdly, the processing condition has been designed so that it affords additional safeguards to those data subjects who do not have rights or obligations in respect of the insurance contract or insured person. For example, a witness to an event giving rise to an insurance claim or a parent of a person seeking health insurance might fall into this category. Processing of data relating to these data subjects is permitted only if the data controller cannot reasonably be expected to obtain the consent of the data subject and they are not aware of the data subject withholding their consent.
Fourthly, data controllers relying on this new insurance condition will be required to have an appropriate policy document in place, as set out in Part 4 of Schedule 1 to the Bill.
Amendment 17 extends paragraph 13A so that the processing of criminal conviction and offences data is also permitted for an insurance purpose, which is clearly essential. Taken as a whole, we think that the processing condition set out in the new paragraph 13A provides the necessary balance between the rights of data subjects and the benefits that members of the public derive from the efficient and effective provision of insurance products.
Finally, Amendment 19 is a minor and technical matter. It merely deletes a reference to a provision elsewhere in the Bill that no longer exists. I am grateful to the helpful staff of the Public Bill Office who spotted this error when preparing the current print of the Bill last week. I am pleased that we have achieved what we agreed to do at the earlier stages of the Bill and I acknowledge the help of the Association of British Insurers and the Lloyd’s Market Association in reaching this solution. On that note, I beg to move.
My Lords, I welcome these amendments and it is nice to hear the story that has come through of a listening Bill team and a listening Minister, and the way in which the industry has organised itself to make sure that the perceived faults were remedied.
If it is of interest to the House, a lot of us have been doing events with professional bodies and others interested in this whole area since the Bill started. I was reflecting just before this Third Reading debate that there were really only three things that came up time and again at these sessions, after the presentations by the experts and others such as us who were trying to keep up with what they were saying. The first was Article 8 of the European Charter of Fundamental Rights—that came up time and again. People did not understand the basis on which their rights would be retained, but we have dealt with that.
The second was the—unpronounceable—re-identification of previously anonymised data. I suspect that was because there are one or two very active persons going around all these groups—I seemed to recognise their faces every time it came up—who were anxious to make sure that this point was drilled back to Ministers. We have found a way forward on that, which is good.
The third item was the insurance industry time and time again raising points similar to those raised by the noble Earl, Lord Kinnoull, by suggesting that there was a problem with efficient markets and the operation of customer good, and that the Government had to look again. We are very glad that the Government have done so. I have now ticked off all my list and it is done.
My Lords, I am grateful to the noble Earl, Lord Kinnoull, and to the noble Lords, Lord Stevenson and Lord Clement-Jones. The noble Earl is absolutely right that there are various names for different insurance contracts, including reinsurance and retrocession, but they are all contracts of indemnity. The schedule absolutely covers all types of insurance, including reinsurance and retrocession contracts.
As for the clarificatory questions asked by the noble Lord, Lord Clement-Jones, they are very reasonable because this is not an easy part of the Bill to understand—even for people who have been looking at it for many weeks, as we have. First, he asked whether the provision permits processing of data relating to criminal convictions or offences where it is necessary for an insurer to process this data for policy underwriting and claims management, and for insurance purposes. Technically speaking, paragraph 13A, introduced by Amendment 16, does not permit the processing of criminal convictions data because it exercises the derogation provided by article 9(2)(g) of the GDPR. Criminal convictions data is regulated by a separate article of the GDPR, article 10, but the noble Lord will be pleased to know that Amendment 17 extends paragraph 13A so that it also covers criminal convictions and offences data.
Secondly, as for the processing of special category data by insurance companies and related intermediaries such as reinsurers and brokers, which are important, as is managing claims, the noble Lord asked whether that will be regarded by the Government as purposes that are in the substantial public interest. The answer is that the Government have introduced paragraph 32A because they believe that the provision of core insurance products is in the substantial public interest. However, the world of insurance is an exciting and dynamic one—no, really it is—and controllers must be accountable for their own particular processing activities. I hope that answers his questions.
My Lords, in moving that the Bill do now pass, I shall say a few words about it. The Bill has been central to my life and the lives of a number of noble Lords for many weeks now. It was accepted right from the word go as a necessary Bill, and there was almost unanimity about the importance and necessity of getting it in place by next May, taking into account that it still has to go through the other place. I am very relieved to have got to this stage. Despite that unanimity, we have managed to deal with 692 amendments during the passage of the Bill, which is a very good indication of unanimity as far as I am concerned. I have to admit that of those 692, 255 were government amendments, but that is not necessarily a bad thing. The GDPR takes effect in May and many of the things that would have been put into secondary legislation have been dealt with in the Bill. I think most noble Lords would agree that that is a good precedent. Data protection is so pervasive that the previous Data Protection Act, passed 20 years ago in 1998, is referred to around 1,000 times in other legislation, so a lot of the amendments were to make sure that when we repeal that Act and this Bill becomes law it will be consistent with other legislation.
I am very appreciative of what we achieved and the way that we did it. One thing we managed to achieve was to accept a number of recommendations from your Lordships’ House, so we changed the way that universities, schools and colleges can process personal data in respect of alumni relations; we ensured that medical researchers can process necessary personal data they need without any chilling effect; we agreed that patient support groups can process health data; we ensured a fair balance between privacy and the right to freedom of expression when journalists process personal data; and we have talked about insurers today. The noble Baroness, Lady Kidron, one of the heroes of the Bill, helped us protect children online, which we all agreed with—in the end. We amended the way that some of the delegated powers in the Bill are effective and subject to the right parliamentary oversight.
I thank the Front Benches for their co-operation. This is meant to be the last Bill for the noble Lord, Lord Stevenson. I doubt that. Every time he says that, he comes back. He had a good team to help him: the noble Lords, Lord Kennedy and Lord Griffiths of Burry Port. It was the first Bill for the noble Lord, Lord Griffiths; if he can survive this, he can survive anything. I am sure we will see a lot of him in future. I thank the noble Lords, Lord Clement-Jones and Lord Paddick. I should have mentioned the noble Baroness, Lady Hamwee, and acknowledged her position on the privilege amendment. I must say that the way she withdrew her amendments one after the other on Report is a very good precedent for other legislation that might be coming before your Lordships’ House soon.
The Bill team has been mentioned several times, not only today but all through the passage of the Bill. The members of the team have been outstanding. They have worked incredibly hard. I should like to mention Andrew Elliot, the Bill manager, Harry Burt, who worked with him, Jagdeep Sidhu and, from the Home Office, Charles Goldie. They have all done a tremendous job and been great to work with.
Lastly, I have had a galaxy of talent to help me with large parts of the Bill. My noble friends Lady Williams, Lady Chisholm and Lord Young of Cookham and my noble and learned friend Lord Keen have made my life very easy and I am very grateful to them. I beg to move.
My Lords, I will just slip in for a couple of minutes in the light of the Minister’s very shrewd appraisal of the progress on the Bill. I had not quite realised that the Bill team were treating the Digital Economy Bill as a dress rehearsal for the Data Protection Bill, but that is really why this has gone so smoothly, with very much the same cast on the Front Benches.
We on these Benches welcomed many aspects of the Bill on its introduction last October and continue to do so. Indeed, it has improved on the way through, as the Minister pointed out. I thank my noble friends Lord Paddick, Lady Hamwee, Lord McNally, Lady Ludford and Lord Storey for helping to kick the tyres on this Bill so effectively over the last four months. I also thank the noble Lord, Lord Stevenson, and all his colleagues for a generally harmonious collaboration in so many areas of common interest.
I very much thank the Minister and all his colleagues on the Front Bench and the excellent Bill team for all their responses over time to our particular issues. The Minister mentioned a number of areas that have been significant additions to the Bill. I thank the Minister for his good humour throughout, even at late hours and on many complicated areas. We are hugely pleased with the outcome obtained by the campaign of the noble Baroness, Lady Kidron, for age-appropriate design, which many of us on these Benches think is a real game-changer.
There is just a slight sting in the tale. We are less happy with a number of aspects of the Bill, such as, first, the continuing presence of exemptions in paragraph 4 of Schedule 2 for immigration control. Solicitors need the facts to be able to represent their clients, and I am afraid these immigration exceptions will deny access to justice.
Secondly, the Minister made a pretty good fist of explaining the way the new framework for government use of personal data will operate, but I am afraid, in the light of examples given, for instance by the noble Earl, Lord Clancarty, in relation to the Department for Education’s approach to the national pupil database, and now concerns over Public Health England’s release of data on 180,000 patients to a tobacco firm, that there will be continuing concerns about that framework.
Finally, one of the triumphs of debate in this House was the passing of the amendment from the noble Baroness, Lady Hollins, calling for, in effect, Leveson 2. The response of the Secretary of State, whose appointment I very much welcomed at the time, was rather churlish:
“This vote will undermine high quality journalism, fail to resolve challenges the media face and is a hammer blow to local press”.
On Sunday he did even better, saying it could be the “death knell” of democracy, which is pretty strong and unnecessary language. I very much hope that a sensible agreement to proceed is reached before we start having to play ping-pong. I am sorry to have to end on that slightly sour note, but it is an important amendment and I very much hope that it stands.
(6 years, 9 months ago)
Commons ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
I beg to move, That the Bill be now read a Second time.
This House has a noble track record of working with rather than against technology. Whether it was the Electric Lighting Act 1882, which paved the way for electricity in the 19th century, or the Television Act 1954, which opened up our airwaves to commercial TV broadcasters in the 20th century, we have always helped pioneers to overcome obstacles and to use technology to make life better. The Data Protection Bill will do this, too. It will give people more power and control over their online lives while supporting innovation and entrepreneurship in the digital age, helping to make Britain fit for the future.
The Bill will deliver real benefits across the country, helping our businesses to compete and trade abroad. Strong data protection laws give consumers confidence in the products and services that they buy, and that is good for business, not bad. The Bill provides a full data protection framework as we leave the EU, consistent with the general data protection regulation in EU law. In October, the House debated how our data protection landscape will look after we leave the EU. Members on both sides agreed that the unhindered flow of data between the UK and the EU is vital and in the interests of both. Through today’s Bill, we can make that a reality.
I am grateful to the Secretary of State for his opening remarks about the importance of the House supporting technology. He will know that data drives our economy and society in ways that people can find difficult to follow. The internet of things will increase exponentially the data trail we all leave, but the digital charter suggests only that private companies follow best practice. Does he not recognise the importance of data rights? Why is he not bringing forward a Bill of data rights?
I absolutely do, and the Bill does bring forward the right to the protection of personal data, as I will set out. It is incredibly important to ensure that such rights keep pace with the sort of modern technologies that the hon. Lady—she is extremely well informed on these topics—refers to, such as the internet of things. The Bill will directly address the issue she raises by strengthening citizens’ rights in this new digital era, and I will detail the new rights later.
As digital becomes default in our society, people are trusting businesses and public services with more personal and sensitive data than ever before, including through their personal use of the internet and the internet of things, yet without trust that that data will be properly handled, the digital economy simply cannot succeed. Trust underpins a strong economy, and trust in data underpins a strong digital economy. The Bill will strengthen trust in the use of data by enhancing the control, transparency and security of data for people and businesses across the UK. I will speak to each of these three in turn.
First, on control, the Bill delivers on our commitment in the digital charter to empower citizens to take control of their data—after all, data belongs to citizens even when it is held by others—and sets new standards for protecting data while giving new rights to remove or delete it. Everyone will have the right to make sure that the data held about them is fair and accurate, and held in a way that aligns with rigorous principles.
Is it really accurate to say that everyone will have that right, given the immigration exemption?
Yes, of course. Everyone who is a British citizen will have the right to make sure that data about them is held fairly and accurately, and in alignment with rigorous principles. The hon. and learned Lady raises obliquely the point that the Bill contains important exemptions, including those to allow MPs to act on behalf of constituents as part of their casework, and to ensure that we can properly police our borders. I will come to that in more detail later. Nevertheless, at the heart of the Bill is citizens’ ability to control the data that companies and other organisations hold about them.
Further to the point made by the hon. and learned Member for Edinburgh South West (Joanna Cherry), will the Secretary of State explain the legal basis for the immigration exemption from the general data protection regulation?
Yes, of course. Exemptions from the GDPR are allowed so that necessary activities can be carried out, including that of making sure that a minority of individuals cannot abuse data protection law with the sole intent of undermining immigration controls. That is provided for in the necessary exemptions. I know that this point was debated extensively in the other place, but we firmly believe not only that it is important to ensure that we can control our borders through immigration controls, but that this is provided for in the GDPR.
The Secretary of State says that the immigration exemption is covered by the GDPR, but is he aware of legal opinion saying that the text of parts 1 and 4 of schedule 2 does not in fact reflect the stated permissible exemptions under article 23 of the GDPR? That is independent legal opinion, not mine.
Of course, there are always legal opinions about everything, and our legal opinion is that that is consistent—that is the basis on which we are proceeding. As I am sure the vast majority of Members would agree, it is important that we control our borders.
The Bill provides new data rights, including a stronger right to be forgotten.
I welcome the element of the Bill about the right to be forgotten. I am sure that the Secretary of State is aware that the Digital, Culture, Media and Sport Committee is carrying out an inquiry into fake news, during which this whole issue of data—who owns it, who holds it and who knows what about whom—has come under the spotlight. Can he say how the Bill might help to control that?
Before he does, will the Secretary of State give way?
I will happily respond to both points. Under the Bill, data must be deleted unless there are legitimate grounds for retaining it. The details of what is meant by legitimate grounds will be set out in recitals and then guidance from the Information Commissioner. This is one area in which the right to be forgotten, which has been long dreamt of and thought about, is now being legislated for, and the precise details of where it applies will be set out in guidance, as the Bill states only that there need to be legitimate grounds for retaining data.
Can we be certain that this right to be forgotten will not impede freedom of speech? I am thinking of Max Mosley, of course, and the information that came out on what he said in 1961, which is relevant and pertinent to current debates. We should do nothing that limits the right of a free press.
I wholeheartedly agree with my hon. Friend about not limiting the rights of the free press. He might be aware of amendments that were made in the other place on exactly that issue and that are supported by a number of Members of this House, including, notably, some who are also supported by Max Mosley. I think that we should remove those two provisions. The ability of our press properly to scrutinise is important and should not be undermined in the ways proposed, but I will come to that in more detail later.
The right to be forgotten is an important element of making sure that data is held appropriately and when there are legitimate grounds. The Bill also allows for data portability—a person’s right to transfer their data from one provider to another.
As the Secretary of State is describing, the Bill puts into UK law the EU’s general data protection regulation, which is the right thing to do. I am confident that he would agree that we need to ensure that our data protection rules stay in line with the EU regulation as things develop. Does it trouble him that we will have less influence over the future content of the EU’s rules once we have left it?
I agree that this is a strong set of data protection standards. We intend to stay aligned with the EU standards, not least because they are extraterritorial, which means that anyone wanting to do any business or transactions with EU citizens would have to follow them anyway. There is therefore a very strong case for alignment in this area. Indeed, we have set out that we want the Information Commissioner to remain engaged with the future development of technical standards because we expect the GDPR effectively to become a standard that is increasingly followed around the world by companies that want to engage with the EU, and because we believe that high data protection standards go hand in hand with the capability to innovate and provide for customers. The Prime Minister was, of course, clear about the detail on Friday.
I am afraid that the Secretary of State has not answered the question asked by the right hon. Member for East Ham (Stephen Timms). Is it not true that UK companies will be bound by rules that the EU will decide? Those rules will affect a huge amount of business, but we will have no influence over them after we leave the EU?
I thought I had answered the question—the right hon. Member for East Ham (Stephen Timms) was nodding, so I thought I had at least had a crack at it. As the Prime Minister set out on Friday, and as we set out for the first time last August, we will seek, through the Information Commissioner’s Office, to remain engaged in those technical discussions about the future of the rules. As was proposed in the Conservative party manifesto, the Bill also gives young people the right to have data about them removed once they are 18 years old.
The second element is transparency, which is absolutely vital. All citizens should be able to know what is happening to their data and how it is being used. The Bill requires data controllers to give people information about who controls data, the purpose of processing it, and how long it will be stored. That is especially crucial in a world in which emerging technologies such as artificial intelligence are making increasingly important ethical decisions. The Bill therefore provides powers for the restriction of automated decision making and safeguards for those whose data is used. Our new centre for data ethics and innovation will advise on those safeguards, so that we can promote innovation and respond quickly to changes in technology with clear and transparent guidelines that are based on openness and consent.
The third principle is security. The Bill enhances requirements relating to the security of data and strengthens enforcement for those who do not comply. Data security and innovation go hand in hand, and this move will benefit customers and all responsible businesses. The Data Protection Act 1998 has served us well and placed the UK at the forefront of global data protection standards, but the world has changed since 1998, and the Bill updates the position to make our laws fit for purpose in an increasingly digital economy and society. It modernises many of the offences under the Act and creates new offences to help us to deal with emerging challenges.
The Secretary of State is being very generous in taking interventions. He has probably heard from the National Association of Local Councils, which represents parish and town councils. It has asked that an external data protection officer will not have to be appointed at every council level. There would be a cost of some £3.5 million to the smallest but most relevant authorities, so will the Secretary of State be sympathetic to its request for relief from that onerous responsibility?
I have received representations not only from the National Association of Local Councils, but from the Suffolk Association of Local Councils and many of my own parish councils—including Moulton Parish Council—which do an admirable job in telling me about the pressures facing parish councils throughout the country. I pay tribute to them for their efforts, and for the length of their representations to me.
Of course it is important for parish councils, and other local councils, to follow high-quality data protection standards. The Information Commissioner’s Office has provided extensive guidance to help organisations to prepare for their new responsibilities, and I urge councils to look at it.
The responsibilities of data protection officers—this is relevant to the issue raised by the hon. Gentleman—can be implemented in different ways. For instance, several parish councils can choose to share a single data protection officer, provided that he or she is easily accessible from each establishment. The system does not require the hiring of one person per organisation. Organisations have already been set up to provide this service, and the service itself is important. In the case of a small organisation, such as a very small business or a parish council on a low budget, it is still important for data to be handled and protected carefully, because small organisations too can hold very sensitive personal information. I am extremely sympathetic to the plight of small businesses that must deal with regulation—especially as I come from a small business background myself—but I am also convinced that it is good practice to follow high-quality data protection standards and that it is good for organisations to do so.
I thank my right hon. Friend for giving way. He is being very generous.
I knew that some small businesses in my constituency were concerned about the impact of the GDPR, so I telephoned the Information Commissioner’s Office to find out what support was available to them. The only answer that the office could give to every question that I asked about how the GDPR would affect small businesses was “Go to the website.” Does my right hon. Friend agree that we should expect better from a telephone line that is funded by the taxpayer?
I am glad that there is a telephone line. I am sure that the Information Commissioner will be watching the debate and will hear the plea for clear guidance on how small organisations in particular should implement data protection standards, whether they are small councils or small businesses. However, the Information Commissioner’s Office has already provided clearer guidance, as well as the telephone line. It is obviously listening, with the aim of getting the guidance right and ensuring that, in lay terms, meeting the new standards is straightforward. This issue came up in the other place as well. It is important for us to get the implementation right, especially in the case of small organisations.
The Secretary of State has referred to the right to be forgotten. May I suggest that there might be another right, namely the right to be remembered correctly? All too often, in response to freedom of information requests about, for instance, national security, the Government have imposed a blanket ban on the publication of any information—even many years after the individual concerned has died, when it is pretty difficult to see why there should still be a national security issue. I wonder whether it would not be a good idea for us to have some means of extracting such information in 20, 30, 40 or 50 years’ time.
The Bill does not change the freedom of information regime. However, it does establish a data protection regime relating to intelligence services and national security, about which I shall say more shortly, and which will no doubt be scrutinised by the House. The specific issue of the release of records is not in the scope of the Bill, because it is about the protection of live data rather than the release of records. The 30-year rule has, in the main, been changed to a 20-year rule, but of course there are national security opt-outs, some of which are incredibly important.
Of course there should be national security opt-outs, and when we were changing the rule from 30 to 20 years, I was one of the Ministers who ensured that they were strong. My anxiety is, however, that all too often the security services impose a complete blanket ban, which means that we as a nation are not properly able to understand what happened in the 1930s, 1940s and 1950s. If we were better informed about that, we might be able to make better decisions for our own national security in the future.
I do not wish to labour the point. I too was the Minister responsible for national security releases. All I can say is that that is not within the scope of the Bill, and I think the system works effectively.
As recommended by Dame Fiona Caldicott, the National Data Guardian for Health and Care, the Bill creates a new offence of the unlawful re-identification of de-identified personal data. It offers new safeguards for children, including a new code on age-appropriate website design. Currently, the law on parental consent for children on social media is complicated, but in most cases it applies to children up to 12 years old. The Bill provides for consent to be required in the case of children aged up to 13, so that parents have more control but the law is still practical.
The Bill also sets out clearer frameworks for data security—for example, by giving everyone a right to know when their data has been breached. We are strengthening the enforcement powers of the Information Commissioner to reflect a world in which data is held and used in much more sophisticated ways than ever before. Under the Bill, the commissioner can issue substantial penalties of up to 4% of global turnover. When she finds criminality, she can also prosecute. With greater control, greater transparency and greater security for our data, the Bill will help to give us a statute book that is fit for the digital age as we leave the EU.
Let me now touch on some specific areas in a little more detail. This is a forensic Bill with 208 clauses. It covers a vast area of British life, including financial services, sport, the protection of equality and much more. It also includes provisions that will support Members of this House in the work that we do, and it will make it easier for us to take up casework on behalf of our constituents.
The Bill provides for three parallel schemes to protect personal data. First, on general data, which accounts for the vast majority of data processing across all sectors of the economy and the public sector, this part of the Bill works in tandem with the EU’s GDPR, which we have discussed. We know that small businesses need advice on this, and it is important to get right the advice from the Information Commissioner’s Office. It says in my notes that the ICO has a small business helpline, but we have already heard about that in the debate.
I have been contacted by a number of businesses in Taunton Deane that are concerned about the work already placed on them to comply with data protection legislation. Can the Secretary of State confirm that this Bill will not give them a further workload, that it will indeed help those needing to trade in future across Europe and that it should, overall, be a benefit?
That is right. The Bill is structured to be consistent with the EU law elements of GDPR, which automatically apply from 25 May this year, to ensure that the non-EU elements of data protection, with respect to general data processing, national security data and law enforcement data, provide for a full spectrum framework for data protection once we leave the EU. The Bill is designed in such a way that it is as simple as possible for businesses to comply with the data protection standards that will be directly enforced from 25 May anyway. That is why from the point of view of small businesses, it is important that we get this Bill through by 25 May, and we have a fully functioning data protection framework. However, I certainly take on board, and am sympathetic to, the concerns my hon. Friend raises about small businesses and the need to ensure our data system is innovative in the future, and that people can comply with the rules. I hope that satisfies her on the concerns of small businesses in her constituency, as well as those of small councils and indeed small charities, which have to comply as well.
The schemes are designed to make sure the police can keep using and sharing personal data to prevent and investigate crime, to bring offenders to justice and to keep communities safe. Likewise, the Bill makes provisions for the personal data processed by our intelligence agencies, so they can continue to protect our country at a time of heightened terrorist threat. The intelligence services will be part of this new framework under the supervision of the Information Commissioner.
We also want to support the hard-hitting investigative journalism that holds the powerful to account and that we have touched on already—and it is good to see my hon. Friend the Member for North East Somerset (Mr Rees-Mogg) engaging with the digital economy on his smartphone; I am delighted that he welcomes at least some elements of the 21st century. On this point, I want briefly to comment on the proposed clauses inserted by the Lords. I set out our response to the consultation on the future of the Leveson inquiry last week, so I will not set out the arguments again in full this afternoon, but I will say this: the amendments are simply not the answer to today’s problems faced by the media. It has been six years since the Leveson inquiry reported; since then, we have seen the completion of three detailed police investigations, extensive reforms to police practices and some of the most significant changes to press self-regulation in recent times. Meanwhile, the media are facing critical challenges that threaten their sustainability, including fake news, declining circulations and in gaining revenue from online content.
On top of that, the amendments undermine our devolution settlement. The new clauses seek to legislate on a UK-wide basis, despite press regulation being a reserved matter for the devolved Administrations. I hope Scottish National party Members, and indeed all Members, will join me in voting these amendments down.
The Secretary of State is not sounding any more convincing than he did in his statement on Thursday. Failure to proceed with part two of Leveson and section 40 of the Crime and Courts Act 2013 is a disgusting and cowardly betrayal of the victims of media harassment. It does not even leave those victims in the same position as before, because since Leveson the Legal Aid, Sentencing and Punishment of Offenders Act 2012 has hobbled the ability of claimants in privacy and defamation actions to access no-win, no-fee representation. Therefore, section 40 is now the only way to ensure access to justice, which is as helpful to small publishers as it is to citizens. Why does the Secretary of State not put their interests before those of big newspaper groups, instead of currying favour for himself and his weak Government?
We debated this at length on Thursday and discussed the fact that it is vital that we look to what is needed for the media now, to ensure that instead of having a set of proposals that were designed several years ago and that would lead to any claimant being able to claim costs no matter the merits of their case, we have measures that enable our press to be sustainable for the future.
I support the Secretary of State in proposing that these amendments be removed. Like many in this place, I have been on the wrong end of fake news and misrepresentation many times, so I do not do so out of personal interest. I think there is a wider public interest: a free press is an extremely important part of a democracy. The press will not always get it right, but we need to be very careful about the amendments from the Lords.
I wholeheartedly agree with my right hon. Friend.
This Bill is an essential piece of legislation that makes the UK’s data laws among the most effective in the world. This House must never shy away from supporting new technology. The Electric Lighting Act 1882 was considered so important that the House sat on a Saturday to get it through. I hope that will not be necessary this time, but I do hope that the House will adopt similar enthusiasm in backing this Bill. Doing so would support our entrepreneurs in harnessing the value of data, while giving citizens confidence when they go online.
I was pleased a few weeks ago that the Opposition Front-Bench teams in the other place agreed that the Bill was a positive and necessary step. I hope the whole House will agree tonight, and I commend this Bill to the House.
As the hon. Gentleman may or may not know, it is entirely standard to count in that way. The same was done on the questions of equal marriage and of BBC charter reform, because there is a material difference between clicking a button to sign a preformed digital signature and writing in separately. This is how things have been in other big consultations. It is entirely normal, and the full details were set out last Thursday.
The Secretary of State is obviously living in the analogue age if he thinks that he can accept a coupon from The Sun but ignore 200,000 citizens expressing their concern about the inquiry.
I have only one question for the Secretary of State. Will the Government be able to detail what they will do if evidence of wrongdoing is revealed, in particular if editors misled or were partial in their evidence to the original inquiry? We still need Leveson 2, and Sir Brian agrees.
Like my hon. Friend the Member for Cambridge (Daniel Zeichner), who gave an excellent speech a few minutes ago, I will focus my remarks on the data protection aspects of the Bill. The Minister will have seen the press report this morning on research carried out by the Federation of Small Businesses showing that fewer than one in 10 small businesses is fully prepared for the obligations that this legislation imposes on them, and just under one in five has not yet heard of the GDPR. These obligations all take effect at the end of May—in less than three months’ time—so whatever the merits of this Bill, there is clearly a huge amount of work to be done in drawing the attention of those affected to what it means.
Ministers have made some changes to the Bill during its passage through the other place since we last discussed it in this Chamber on 12 October. In that debate, I and others made the point that my hon. Friend the Member for West Bromwich East (Tom Watson) made earlier—that leaving article 8 of the European charter of fundamental rights outside UK law poses a serious threat to our achieving a data adequacy determination from the European Commission in future. I therefore welcome the addition of what is now clause 2, which partly addresses that. However, I do not think it goes far enough, so I will be supporting my hon. Friend’s proposal that article 8 should be added to our statute book. Lord Stevenson tabled an amendment in the other place that said:
“The protection of personal data may not be lawfully restricted or limited unless such restrictions and limitations are consistent with the principle of proportionality.”
That is an important additional protection that ought to be in the Bill. I hope that we will be able to debate that amendment in Committee.
There is some confusion in the Government about all this. The Secretary of State set out how important it is that we keep our UK data regulation aligned with the regulation in the European Union because of the importance to the UK economy of personal data transfers between the UK and the EU. He is absolutely right about that. However, in recent months, the Foreign Secretary and the International Trade Secretary have suggested from time to time that it would be a good thing if the UK could deviate from EU rules on data protection. Last July, for example, the International Trade Secretary said in the United States—I am quoting from a report in the Financial Times—that the UK was more in line with US calls for information to be allowed to flow freely across borders while Germany and other EU countries insist on localisation. He was getting a bit confused about two different things, but he is clearly suggesting in that remark, as in others, that it could be a good thing for the UK to deviate from EU data protection rules. In fact—the Secretary of State is absolutely right about this—it would be a disaster for the UK to deviate from EU data protection regulation, because if the EU were to judge our data protection rules to be inadequate, a large chunk of the UK economy would immediately be without any lawful basis. That could affect exactly the kind of innovative company to which my hon. Friend the Member for Cambridge drew attention—a games company with players all over Europe who, as a part of playing the game, need to be able to send personal data between their country and the European Union.
The right hon. Gentleman has made this point in these debates several times, and I want to reassure him on the Government’s precise position. I stated this in my remarks, not speaking from notes, but let me read to him what the Prime Minister said in her speech on Friday:
“we will be seeking more than just an adequacy arrangement and want to see an appropriate ongoing role for the UK’s Information Commissioner’s Office. This will ensure UK businesses are effectively represented under the EU’s new ‘one stop shop’ mechanism for resolving data protection disputes.”
So there you have it.
I am grateful to the Secretary of State, and I welcome that commitment on the part of the Prime Minister.
The problem is, however, that the International Trade Secretary and the Foreign Secretary have been saying different. That led to techUK, the industry body, writing to the International Trade Secretary last month to highlight the dangers. This was reported by that reliable publication, The Daily Telegraph, on 19 February, with the headline: “Tech industry warns Ministers not to drop EU security laws”. The report began:
“The British tech industry has issued a stark warning to leading Brexiteer ministers that diverging from EU data protection standards after Brexit will ‘undermine’ the UK’s status as Europe’s leading tech hub.”
The Secretary of State is absolutely right not to have gone down the same road as his right hon. Friends, and I very much welcome what the Prime Minister said about all this on Friday. However, there is clearly a problem in the Cabinet. I gather that after sending that letter, techUK received a reassuring response from the Department, and then a few days later a non-executive director at the Department for International Trade was quoted as saying, “Complying with EU standards on data is not the only solution.” But the truth is that for a large part of the UK economy, it is the only solution. We need to be absolutely clear about this. I am delighted that the Secretary of State is clear about it. Of course, that is why he is bringing this Bill before us and why he has altered it in line with what a number of us said in October.
I hate to take the wind out of the right hon. Gentleman’s sails, but it was unusual to receive that letter from techUK, because rarely as a Minister have I been lobbied so strongly in support of my own position.
I am glad that the Secretary of State has been lobbied in support of his own position, but he needs to watch his back against Ministers who lack the clarity that he has expressed—particularly the International Trade Secretary and the Foreign Secretary, who continue to say that there is merit in divergence. There is no merit in divergence at all. Significant numbers of tech start-ups are already going to Berlin rather than basing themselves in the UK because of the uncertainty about this issue. The more uncertainty there is, fanned by some members of the Cabinet, the greater the economic damage to the UK.
This is a very clear example of the situation we are going to find ourselves in more and more when we have left the European Union. It will be asserted that because of our economic interests, in this case, we should comply with rules drawn up by the European Union—in this case, the general data protection regulation—but we will no longer have a vote about what those rules should be. We will become a rule-taker. I welcome the commitment that the Prime Minister has made to a place for the UK’s Information Commissioner on the European data protection board. That will be helpful. It means that we will at least get a voice in these discussions when the rules are being drawn up—but we will not get a vote. We will be less influential in EU data protection laws than we have been as members of the European Union. We need to recognise that our influence, including over laws that we are going to have to implement ourselves, will be less in future than it has been up to now.
I would very much welcome the Minister telling us—my hon. Friend the Member for Cambridge made this point as well—how, in future, we are going to make adequacy determinations about other countries’ data protection laws. Are we going to adopt the EU list and say that those 12 countries are adequate and others are not, or are we going to have our own processes? How is it going to be done?
I echo the concerns expressed by a number of Members about the threats to our future data adequacy determination that come from the immigration exemption and the national security exemption. Those were not well defended by Ministers in the debates in the other place, and the justification for them is not clear. As others have said, they leave us open to criticisms of our data protection regulations that could threaten our future adequacy determinations. I am very keen to hear the Minister’s response to those concerns in particular.
I thank all Members for their contributions to this excellent and wide-ranging debate and their lordships for the immense amount of work that they have done on the Bill thus far. Members on both sides of the House want a Bill that protects personal data and allows individuals to maintain control over what is their property and what is important to them, and we want these rights to be enforceable. That is a positive start on which we can all agree.
Various Members, including the hon. Member for Bristol North West (Darren Jones), the right hon. Member for East Ham (Stephen Timms) and the shadow Minister, stressed the importance of the continuity of adequacy post Brexit. The hon. Member for Bristol North West asked what the Prime Minister meant by saying that she wanted to achieve more than adequacy. It was, I am sure, to ensure that the Information Commissioner can continue her excellent contribution to the evolution of the GDPR through her association with the European data protection board, when that comes into being.
The hon. Member for Argyll and Bute (Brendan O’Hara), the hon. and learned Member for Edinburgh South West (Joanna Cherry), the right hon. Member for Kingston and Surbiton (Sir Edward Davey) and many others mentioned immigration. I want to reassure the House that we are seeking not a blanket exemption, but something that can be applied only when complying with a certain right would be likely to prejudice the maintenance of effective immigration control. Every request to exercise a right under the GDPR would still have to be considered on its individual merits, and the rights of appeal required by the GDPR remain in place.
There was a great deal of debate about the freedom of the press. In the short time that I have, I cannot do justice to the fantastic contributions from my hon. Friends the Members for North Devon (Peter Heaton-Jones) and for South Dorset (Richard Drax) and the hon. Members for Edinburgh West (Christine Jardine) and for Keighley (John Grogan). We heard the real show stopper from my hon. Friend the Member for North East Somerset (Mr Rees-Mogg), who was listened to with rapt attention as he contrasted the pretence of freedom of speech with the reality of control, which would be the result of the amendments to which we have been asked to agree. The Government have been clear that we will attempt to defeat them in this place.
We have had a very valuable debate. We have touched on various issues—children and social media, artificial intelligence and cyber-resilience—and there are others that we will address subsequently.
I will have plenty of time in Committee to debate with the right hon. Gentleman. I am sure that we all agree that the Bill is important and timely.
On a point of order, Mr Speaker. I note that the Minister has not yet concluded her remarks, but it seems that she might do so before the moment of interruption. There are two outstanding motions on the Order Paper to be voted on following the decision on Second Reading: the programme motion and the money resolution. I note that, under Standing Order No. 83A(7) and Standing Order No. 52(1)(a), they are not subject to debate, but if there were any time left over between the conclusion of the Minister’s remarks and the moment of interruption, would it be possible to discuss those two motions?
It is for the Minister to decide how long she replies. I am sorry if the hon. Gentleman feels that his points have not been responded to by the Minister, but she is legendarily succinct, and has obviously decided—independently, or in consultation with her colleagues on a collective basis—that tonight shall be no exception to the general principle of Jamesian succinctness.
I commend the Bill to the House.
Question put and agreed to.
Bill accordingly read a Second time.
Data Protection Bill [Lords] (Programme)
Motion made, and Question put forthwith (Standing Order No. 83A(7)),
That the following provisions shall apply to the Data Protection Bill [Lords]:
Committal
1. The Bill shall be committed to a Public Bill Committee.
Proceedings in Public Bill Committee
2. Proceedings in the Public Bill Committee shall (so far as not previously concluded) be brought to a conclusion on Tuesday 27 March 2018.
3. The Public Bill Committee shall have leave to sit twice on the first day on which it meets.
Proceedings on Consideration and up to and including Third Reading
4. Proceedings on Consideration and proceedings in legislative grand committee shall (so far as not previously concluded) be brought to a conclusion one hour before the moment of interruption on the day on which proceedings on Consideration are commenced.
5. Proceedings on Third Reading shall (so far as not previously concluded) be brought to a conclusion at the moment of interruption on that day.
6. Standing Order No. 83B (Programming committees) shall not apply to proceedings on Consideration and up to and including Third Reading.
Other proceedings
7. Any other proceedings on the Bill may be programmed.—(Rebecca Harris.)
Question agreed to.
Well, it is most unusual that we are proceeding in quite such an efficient way before we have reached the moment of interruption. It is constitutionally notable, and colleagues will wish to take account of it, either for the purposes of repetition in the future or avoidance, depending upon their taste.
Data Protection Bill [Lords] (Money)
Queen’s recommendation signified.
Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),
That, for the purposes of any Act resulting from the Data Protection Bill [Lords], it is expedient to authorise the payment out of money provided by Parliament of:
(1) the payment out of money provided by Parliament of—
(a) any expenditure incurred under or by virtue of the Act by a Minister of the Crown or a government department; and
(b) any increase attributable to the Act in the sums payable under any other Act out of money so provided; and
(2) the payment of sums into the Consolidated Fund.—(Rebecca Harris.)
Question agreed to.
(6 years, 7 months ago)
Commons ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
I beg to move, That the clause be read a Second time.
With this it will be convenient to discuss the following:
Government new clause 22—Review of processing of personal data for the purposes of journalism.
Government new clause 23—Data protection and journalism code.
New clause 18—Data protection breaches by national news publishers—
“(1) The Secretary of State must, within the period of three months beginning with the day on which this Act is passed, establish an inquiry under the Inquiries Act 2005 into allegations of data protection breaches committed by or on behalf of national news publishers and other media organisations.
(2) Before setting the terms of reference of and other arrangements for the inquiry the Secretary of State must—
(a) consult the Scottish Ministers with a view to ensuring, in particular, that the inquiry will consider the separate legal context and other circumstances of Scotland;
(b) consult Northern Ireland Ministers and members of the Northern Ireland Assembly with a view to ensuring, in particular, that the inquiry will consider the separate legal context and other circumstances of Northern Ireland;
(c) consult persons appearing to the Secretary of State to represent the interests of victims of data protection breaches committed by, on behalf of or in relation to, national news publishers and other media organisations; and
(d) consult persons appearing to the Secretary of State to represent the interests of news publishers and other media organisations (having regard in particular to organisations representing journalists).
(3) The terms of reference for the inquiry must include requirements—
(e) to inquire into the extent of unlawful or improper conduct by or on behalf of national news publishers and other organisations within the media in respect of personal data;
(f) to inquire into the extent of corporate governance and management failures and the role, if any, of politicians, public servants and others in relation to failures to investigate wrongdoing at media organisations within the scope of the inquiry;
(g) to review the protections and provisions around media coverage of individuals subject to police inquiries, including the policy and practice of naming suspects of crime prior to any relevant charge or conviction;
(h) to investigate the dissemination of information and news, including false news stories, by social media organisations using personal data;
(i) to consider the adequacy of the current regulatory arrangements and the resources, powers and approach of the Information Commissioner and any other relevant authorities in relation to—
(i) the news publishing industry (except in relation to entities regulated by Ofcom) across all platforms and in the light of experience since 2012;
(ii) social media companies;
(j) to make such recommendations as appear to the inquiry to be appropriate for the purpose of ensuring that the privacy rights of individuals are balanced with the right to freedom of expression.
(4) In setting the terms of reference for the inquiry the Secretary of State must—
(k) have regard to the current context of the news, publishing and general media industry;
(l) must set appropriate parameters for determining which allegations are to be considered;
(m) determine the meaning and scope of references to national news publishers and other media organisations for the purposes of the inquiry.
(5) Before complying with subsection (4) the Secretary of State must consult the judge or other person who is likely to be invited to chair the inquiry.
(6) The inquiry may, so far as it considers appropriate—
(n) consider evidence given to previous public inquiries; and
(o) take account of the findings of and evidence given to previous public inquiries (and the inquiry must consider using this power for the purpose of avoiding the waste of public resources).
(7) This section comes into force on Royal Assent.”
This new clause would require the establishment of an inquiry under the Inquiries Act 2005 as recommended by Lord Justice Leveson for Part two of his Inquiry.
New clause 20—Publishers of news-related material: damages and costs (No. 2)—
“(1) This section applies where—
(a) a relevant claim for breach of the data protection legislation is made against a person (‘the defendant’),
(b) the defendant was a relevant publisher at the material time, and
(c) the claim is related to the publication of news-related material.
(2) If the defendant was a member of an approved regulator at the time when the claim was commenced (or was unable to be a member at that time for reasons beyond the defendant’s control or it would have been unreasonable in the circumstances for the defendant to have been a member at that time), the court must award costs against the claimant unless satisfied that—
(d) the issues raised by the claim could not have been resolved by using an arbitration scheme of the approved regulator, or
(e) it is just and equitable in all the circumstances of the case, including, for the avoidance of doubt—
(i) the conduct of the defendant, and
(ii) whether the defendant pleaded a reasonably arguable defence, to make a different award of costs or make no award of costs.
(3) If the defendant was not an exempt relevant publisher and was not a member of an approved regulator at the time when the claim was commenced (but would have been able to be a member at that time and it would have been reasonable in the circumstances for the defendant to have been a member at that time), the court must award costs against the defendant unless satisfied that—
(f) the issues raised by the claim could not have been resolved by using an arbitration scheme of the approved regulator (had the defendant been a member), or
(g) it is just and equitable in all the circumstances of the case, including, for the avoidance of doubt—
(i) the conduct of the claimant, and
(ii) whether the claimant had a reasonably arguable claim, to make a different award of costs or make no award of costs.
(4) This section is not to be read as limiting any power to make rules of court.
(5) This section does not apply until such time as a body is first recognised as an approved regulator.”
This new clause would provide that court costs of non-abusive, non-vexatious, and non-trivial libel and intrusion claims would be awarded against a newspaper choosing not to join a Royal Charter-approved regulator offering low-cost arbitration, but that newspapers who do join such a regulator would be protected from costs awards even if they lose a claim.
New clause 21—Publishers of news-related material: interpretive provisions (No. 2)—
“(1) This section applies for the purposes of section (Publishers of news-related material: damages and costs (No. 2)).
(2) “Approved regulator” means a body recognised as a regulator of relevant publishers.
(3) For the purposes of subsection (2), a body is “recognised” as a regulator of relevant publishers if it is so recognised by any body established by Royal Charter (whether established before or after the coming into force of this section) with the purpose of carrying on activities relating to the recognition of independent regulators of relevant publishers.
(4) “Relevant claim” means a civil claim made in respect of data protection under the data protection legislation, brought in England or Wales by a claimant domiciled anywhere in the United Kingdom.
(5) The “material time”, in relation to a relevant claim, is the time of the events giving rise to the claim.
(6) “News-related material” means—
(a) news or information about current affairs,
(b) opinion about matters relating to the news or current affairs, or
(c) gossip about celebrities, other public figures or other persons in the news.
(7) A relevant claim is related to the publication of news-related material if the claim results from—
(d) the publication of news-related material, or
(e) activities carried on in connection with the publication of such material (whether or not the material is in fact published).
(8) A reference to the “publication” of material is a reference to publication—
(f) on a website,
(g) in hard copy, or
(h) by any other means,
and references to a person who “publishes” material are to be read accordingly.
(9) A reference to “conduct” includes a reference to omissions; and a reference to a person’s conduct includes a reference to a person’s conduct after the events giving rise to the claim concerned.
(10) “Relevant publisher” has the same meaning as in section 41 of the Crime and Courts Act 2013.
(11) A relevant publisher is exempt if it satisfies Condition A or B.
(12) Condition A is that the publisher has a constitution which—
(a) requires any surplus income or gains to be reinvested in the publisher, and
(b) does not allow the distribution of any of its profits or assets (in cash or in kind) to members or third parties.
(13) Condition B is that the publisher—
(a) publishes predominantly in Scotland, or predominantly in Wales, or predominantly in Northern Ireland or predominantly in specific regions or localities; and
(b) has had an average annual turnover not exceeding £100 million over the last five complete financial years.”
This new clause would provide that the penalty incentives in New Clause 20 would not apply to companies which publish only on a regional or local basis and have an annual turnover of less than £100m. It sets out that only data protection claims are eligible, and provides further interpretive provisions.
Amendment (a), line 33 leave out subsection (10) and insert—
“(10) ‘Relevant publisher’ has the same meaning as in section 41 of the Crime and Courts Act 2013, subject to subsection (10A).
(10A) For the purposes of this Act, a publisher shall only be a ‘relevant publisher’ if—
(a) it has a registered address in England or Wales; and
(b) its publications are published in, or in any part of, England or Wales.
(10B) A relevant claim may be made under the data protection legislation only in respect of material which is published by a relevant publisher (as defined by subsections (10) and (10A)) and which is read or accessed in England or Wales.”
Government amendments 146 to 150 and 145.
Amendment 144, page 122, line 10, in clause 205, leave out “Section 190 extends” and insert—
“Sections (Publishers of news-related material: damages and costs (Amendment 2)), (Publishers of news-related material: interpretive provisions (Amendment 2)) and 190 extend”.
Amendment 14, page 156, line 4, in schedule 2, at end insert—
“(d) any code which is adopted by an approved regulator as defined by section 42(2) of the Crime and Courts Act 2013.”
This amendment would give the Standards Code of an approved press regulator the same status as the other journalism codes recognised in the Bill (The BBC and Ofcom Codes, and the Editors’ Code observed by members of IPSO).
The Data Protection Bill sets out a full new data protection regime for Britain, giving people more control over their data.
First, I wish to address new clauses 20 and 21, before turning to the other new clauses. These new clauses are essentially the provisions contained in sections 40 and 42 of the Crime and Courts Act 2013, although they would apply only to breaches of data protection law and only in England and Wales.
Let me first set out exactly what these new clauses would mean and then our approach to them. They would set new cost provisions for complaints against the press, which means that any publication not regulated by IMPRESS would have to pay the legal costs for any complaint against it, whether it won or lost. Many would object to that and say that it goes against natural justice. It is grounds enough to reject these new clauses on the basis that the courts would punish a publication that has done no wrong, but that is not the only reason. Let us consider the impact of these new clauses on an editor. Faced with any criticism, of any article, by anyone with the means to go to court, a publication would risk having to pay costs, even if every single fact in a story was true and even if there was a strong public interest in publishing. Let us take, for example, Andrew Norfolk, the admirable journalist who uncovered the Rotherham child abuse scandal. He said that section 40 would have made it “near impossible” to do his job. He went on to say that it would have been “inconceivable” to run the front page story naming one of the abusers in a scandal that had ruined the lives of 1,400 innocent young people with disgusting crimes that had gone on for years and years and years. Without Andrew Norfolk’s story, the scandal would have gone on for years and years more.
If the Secretary of State is so opposed to section 40, why did he support it?
I will come on to what has changed in the many years since 2013, not least of which is the fact that we now have a full-blown independent press regulator, the Independent Press Standards Organisation, which did not exist back then.
I am most grateful to my right hon. Friend for giving way. First, IPSO is not a press regulator, because it does not comply with the requirements to be a regulator; it is merely a complaints handler. Secondly, he may have inadvertently misled the House, because it is not necessary to join IMPRESS as he said earlier on. It is necessary for regulators to comply with the rules, which is slightly different.
There is no recognised press regulator other than IMPRESS. As many journalists have pointed out, the truth is that these new clauses would have made it near impossible to uncover some of the stories of abuse, including the abuse of all those children in Rotherham. Another example is that of Mark Stephens, who represented phone hacking victims. He wrote today that the new clauses would
“return Britain to the legal Dark Ages and make it easier for wealthy people to suppress negative stories.”
The impact on local newspapers, too, risks being catastrophic. I say do not just take my word for it. The editor of the Express & Star, well known to the hon. Member for West Bromwich East (Tom Watson), said that the new clauses could spell the end of newspaper printing in this country on a large scale and are a
“ludicrous and patently unfair…piece of legislation.”
Will the Secretary of State confirm to the House that the BBC, Channel 4 and every other broadcaster operates under much more stringent rules, and yet nothing seems to have got in the way of their powers of interrogation and investigation? Does he think that they are operating second-class investigations today?
We have three separate systems of media regulation in this country: a separate system for broadcasters; an essentially self-regulated system under IPSO for newspapers; and then there is the issue of how we make sure that what happens online is properly regulated as well. I will come on to that last point, because it is a very important part of the debate. The impact of the new clauses on the local press should not be underestimated. Two hundred local newspapers have already closed since 2005, and these new clauses would accelerate that decline. However, there is one national newspaper that is carved out in the small print of the new clauses as it only covers newspapers run for profit. Which newspaper is exempted? It is The Guardian. If those who tabled these new clauses thought that they were making friends with The Guardian, they were wrong. The Guardian has said that
“the Data Protection Bill should not be used as a vehicle for imposing an unfair and partial system on publishers.”
It did not ask for the measures, and it, too, opposes them. Indeed, in a recent consultation, 79% of direct responses favoured full repeal of section 40, compared with just 7% who favoured full commencement.
The Secretary of State quoted The Guardian. In fact, its statement released this morning went even further. The Guardian News and Media said that these new clauses would
“further erode press freedom and have a chilling effect on the news media.”
It did, yes. I am trying to ensure that we have a debate on these measures that takes into account the fact that, yes, we want a free press that can hold the powerful to account, but also that it is fair. I know—as does everyone in this House—that there has been irresponsible behaviour by the press. Although I want to see a press that is free to report without fear or favour, to uncover wrongdoing and to hold the powerful to account, I also want to see a press that is fair and accurate. I am determined that we have a strengthened system so that people have recourse to justice when things go wrong.
Does my right hon. Friend agree that, in many ways, there are two forms of media already operating in this country? One is printed, published and broadcast from reputable sources, which have assets in this country that we can take action against, or not, and the other form is websites that have either very low assets or no assets in this country with very different accountability. Bizarrely, could we not find ourselves in a position under this system where the only people who can get justice are those who are rich enough, such as Peter Thiel, to destroy the website Gawker, in this case, because it was acting against him, rather than those of us on more modest means who would have absolutely no recourse against these organisations, but yet all the news would have gone online because these regulations would force out our newspapers?
My hon. Friend is completely right about the gap between online and print in terms of standards of regulation. That is because IPSO was brought into force—I was glad to see it being introduced in 2014. He is also right that tackling the problems online is critical. Our internet safety strategy, which will be published in the next couple of weeks, will address that matter directly. I know that there are many Members who have concerns about the impact of content online, of abuse online, and of the ability to get redress online, and we will not let that rest. We will ensure that we take action to tackle the problems online in the same way that IPSO deals with the press and indeed that these new clauses deal with publications in the press.
I am glad that IPSO now has the power to require front page corrections as it did, for instance, just a couple of weeks ago with The Times. As the House knows, I have pushed IPSO to bring in further measures. It recently introduced a system of compulsory low-cost arbitration. This means that ordinary people who do not have large sums of money can take claims to newspapers for as little as £50. Almost all of the major national newspapers have signed up to it. That means that anyone who has been wronged by a national newspaper can, for the first time, ask for arbitration and the newspaper cannot refuse. The scheme applies not just to words, but to images. This must be the start of a tougher regime, and not the conclusion.
Is not one of the problems that the scheme does not include everyone? It is compulsory, but does not include everyone. When MailOnline is excluded, does that not leave a whacking great hole in it?
I have a lot of sympathy with the views of my hon. Friend. MailOnline is, of course, an online publication, and we are looking at that as part of our internet safety strategy. I am very happy to talk to him about how that can be done. Only in the past week, however, many publications have joined the IPSO low-cost arbitration scheme, which is binding on them, and I very much hope that more will join in the future.
Will my right hon. Friend also confirm that the new scheme will allow for a higher maximum level of damages of up to £60,000 and that it can be run for as little as £100?
That is absolutely right. The minimum access cost will be £50, which means that everybody has access to justice at low cost. There is more to it than that, however. Some people argue that the £60,000 limit on damages is too low, but the arbitration scheme does not stop somebody going to court, so there is access to justice where damages should be higher. The arbitration scheme is an addition to, rather than a replacement for, going to court. It introduces a robust and fair system that is easy for everybody to access, so everyone can have access to justice.
The section 40 amendments would, ironically, have the opposite effect, because anybody with the means to take small newspapers to court could stop them publishing stories for fear of having to pay the costs, even if they get everything right.
Is it not the case that IPSO proposed its arbitration scheme only when a number of colleagues had tabled amendments that were distinctly unhelpful to the print media? Can we trust that organisation? Will my right hon. Friend be extremely careful about removing the boot from the neck of IPSO, particularly in relation to the review period? I know that he will come on to talk about that shortly, but will he consider tightening the review period, because at the moment it gives IPSO the best part of a decade before there is any prospect of further change if the industry does not behave itself?
I agree with the sentiment, which is that we have to ensure that the press remains free but also fair and reasonable, and that is the purpose of the amendment proposing a review period of four years. We will not let matters lie.
Some have asked, “What happens if newspapers pull out of the IPSO scheme?” I think that would send a terrible signal of the newspaper industry’s attitude to the standards that it rightly ought to sign up to. The review is there precisely to address my hon. Friend’s concerns.
I am pleased to hear the Secretary of State refer to a low-cost scheme. People have told me about their concern that £60,000 may be too low because there needs to be a deterrent. Will the four-year review also cover that £60,000 cap?
Given that this is a Data Protection Bill, the review will consider data protection issues, but I would expect it to be as broad as necessary, to ensure that all those matters are considered.
We have listened to concerns raised during the passage of the Bill, including in this debate.
I am grateful to the Secretary of State for giving way just before he moves off the subject of IPSO. He has set out arguments in IPSO’s defence. It is not just MailOnline that is outside the arbitration scheme; that is also true of Newsquest and Archant, so a significant chunk of the press is outside it. Brian Leveson said that the regulator needed to have independent board members, independence of operation, fair remedy for complaints, the ability to carry out investigations, the ability to issue fines, and universal arbitration. None of those conditions is put in place by IPSO, so which of those principles does the Secretary of State think should be retired?
On the contrary, the scheme introduces new, compulsory, low-cost arbitration to ensure that people can have exactly the recourse to justice mentioned by the right hon. Gentleman. In order to address some of the concerns, we have tabled two new clauses. First, new clause 19 requires the Information Commissioner to publish information on how people can get redress. The point is to ensure that there is a plain English guide to help anyone with a complaint to navigate the system. Secondly, new clause 22 requires the Information Commissioner to create a statutory code of practice, setting out standards on data protection. The point is that, when investigating a breach of data protection law, the commissioner has to decide whether a journalist acted reasonably. When making that judgment, a failure to comply with the statutory code will weigh heavily against the journalist.
How binding is the arbitration, and how binding is the code of practice?
The arbitration is binding on the newspapers, meaning that anybody who wants to get redress from a newspaper in the scheme can do so up to a limit of £60,000, and then the recourse is through the courts. The Information Commissioner’s statutory code of practice is binding with respect to data protection standards; after all, this is a Data Protection Bill, so that is what is in scope.
Taken together, the changes from IPSO and the new clauses mean that Britain will have the most robust system we have ever had of redress for press intrusion and it will be accessible to all. It will achieve that and the benefits of high-quality journalism, without the negative effect that section 40 would have.
I thank the Secretary of State for giving way; he is being very generous in taking interventions. Before he finishes his peroration on the new clauses, will he confirm that they are purely procedural and will give members of the public, including our constituents, absolutely no new rights whatsoever?
No, that is not right. The statutory code of practice for journalists must be a consideration in the Information Commissioner’s judgments, and a failure to comply with the statutory code will weigh against the journalist in law. It has precisely the impact that we are trying to bring about.
New clause 18, tabled by the former Leader of the Opposition, the right hon. Member for Doncaster North (Edward Miliband), requires the Government to, in effect, reopen the Leveson inquiry, but only in relation to data protection. I want to say something specific and technical about the new clause. Even on its own terms, it would not deliver Leveson 2 as envisaged. It focuses on data protection breaches, not the broad question of the future of the press. The new clause, therefore, is not appropriate for those who want to vote for Leveson 2.
The first Leveson inquiry lasted more than a year and heard the evidence of more than 300 people, including journalists, editors and victims. The inquiry was a diligent and thorough examination of the culture, practices and ethics of our press, in response to illegal and improper press intrusion. There were far too many cases of terrible behaviour, and having met some of the victims, I understand the impact that had. The inquiry was followed by three major police investigations, leading to more than 40 criminal convictions. More than £48 million was spent on the police investigations and the inquiry.
This is probably a good point for the Secretary of State to remind the House about Brian Leveson’s view of the future of the inquiry. Will he set that out for us?
Sir Brian was very clear in his letter to me. He stated that he wanted the inquiry to continue on a different basis. I think, having considered his view and others, that the best approach is to ensure that we do the work necessary to improve the standards of the press, but we do it based on what is needed now to improve things in the future. I will come back to that.
I am glad that my right hon. Friend acknowledges the diligence and hard work of Sir Brian Leveson in the inquiry. He highlighted the particular vice of corrupt police officers giving the names of persons—perhaps whose premises are being searched—to corrupt journalists who publish them before charge, and very often those people are never charged. No amount of redress can undo that damage. Will my right hon. Friend meet me and other concerned Members to consider revisions and what additional legal protection can be given to people post-charge to prevent this trade in muck and dirt, sometimes without anybody ever coming before a criminal court, which undermines the presumption in favour of innocence?
Yes, I will. My hon. Friend makes a very important point. We are discussing the rules around the disclosure of the names of people who are under investigation before arrest. This is a sensitive area, and we have got to get it right. I want to work with colleagues and others to explore the reporting restriction rules further, and I look forward to meeting him and any others who share those concerns.
I am grateful to the Secretary of State for giving way; it is very generous of him. Some years ago, I put forward a private Member’s Bill calling for anyone who was accused to keep their anonymity until they were charged. It is all there—it is effectively good to go. I too would very much like to meet the Secretary of State, because this is the right thing to do. People should not be named before they are even charged, unless a judge orders otherwise.
I am aware of my right hon. Friend’s proposals, and I look forward to meeting her. Getting the details of this right is incredibly important, and I am happy to take that forward.
To go back to the key question of holding an inquiry, the Secretary of State rather implies that the first Leveson inquiry is closed and we now face the possibility of starting a new one. Does he not accept that, from the moment it was set up, the Leveson inquiry was always going to be in two parts? That was the commitment of the Government in which he and I served. It was only suspended so that police operations could take place, and it was quite clearly agreed that part 2 of the inquiry would then resume. The case he has to make is: why is he cancelling a previously promised inquiry endorsed by Leveson? What on earth is the reason for stopping investigations into the kind of things we are all talking about? No one would stop investigations of this kind against any other body in this country.
I have a huge amount of respect for my right hon. and learned Friend. I was about to come on to precisely the reason for that. The reason is that inquiries are not costless, and not just in terms of taxpayers’ money; that is one consideration, but inquiries also take hours of official time and ministerial time. They divert energy and public attention—[Interruption.] Hold on. The question for the House is this: given all the other challenges facing the press, is this inquiry the right use of resources?
There is something in the calls to reopen the inquiry that implies that the problem is that we do not know what happened, but we do know what happened, and then we had police investigations and the convictions. It is fundamental that we get to the bottom of the challenges that the press face today. I want to divert our attention and resources to tackling and rising to the problems of today and ensuring we have a press that is both free and fair.
In answer to the point made by my right hon. and learned Friend the Member for Rushcliffe (Mr Clarke), surely the question here is not that further issues should not be settled, such as those that have been raised, but how one should go about it. An open-ended continuation of this inquiry will not necessarily resolve those issues but could travel into all sorts of areas, which would take time. Will the Secretary of State commit to dealing with all these issues raised in a more effective way, rather than just opening a further point in the inquiry? That is the point.
Yes, and my right hon. Friend has pre-empted what I was about to say, which is that the choice is not between doing something and doing nothing, but between doing something and doing something better. New clause 18 calls on us to go into a backward-looking inquiry when what we need to do is ensure that we allow the press to rise to the challenges we face today.
I thank the Secretary of State for giving way, not least in view of what I am going to say. Is the truth not that he has broken promises to the victims, ignored the opinions of Sir Brian Leveson and ridden roughshod over the cross-party, unanimous opinion of the Digital, Culture, Media and Sport Committee? Much has happened since Leveson 1, and one thing that Leveson 2 could establish is who told Sir Brian the truth and nothing but the truth the first time round. Why is the Secretary of State afraid of establishing the truth?
I want to focus on the challenges we face now. That is my job as Secretary of State, and it is my judgment as to what the proposals I have put forward do, and do in a better way than re-establishing the inquiry.
Has this not been decided in the jewel of our legal system—that is to say, in front of a jury? Some people accused of things that would have been part of Leveson 2 have been acquitted, and a very few have been convicted, but once someone has been tried in front of a jury, it is fundamentally unfair, unjust and a question of double jeopardy if they are then brought before another tribunal and put once more on oath to repeat evidence that they have given before and then been acquitted for. It would be against British justice to proceed in that way.
The police inquiries and the prosecutions that followed were exhaustive, so much so that in 2015, the Director of Public Prosecutions said that the end had been reached of the need to inquire further into those criminal acts. Of course, the criminal acts were punished, and people were convicted and went to prison.
Crucially, the arrival of the internet has fundamentally changed the landscape. That was not addressed at the core of the first Leveson inquiry, but it must be addressed. Later this month we will publish our internet safety strategy, as I mentioned, in which we will set out the action we need to take to ensure that the online world is better policed. Many colleagues have raised with me huge concerns about online abuse and the inability to get redress. That is a significant challenge for the future, and we must address it.
However, the internet has also fundamentally undermined the business model of our printed press. Today’s core challenge is how to ensure a sustainable future for high-quality journalism that can hold the powerful to account. The rise of clickbait, disinformation and fake news is putting our whole democratic discourse at risk. This is an urgent problem that is shaking the foundations of democracies worldwide. Liberal democracies such as Britain cannot survive without the fourth estate, and the fourth estate is under threat like never before. These amendments would exacerbate that threat and undermine the work we are doing through the Cairncross review and elsewhere to support sustainable journalism.
The terms of reference of part 2 of the inquiry have already largely been met. Where action is needed, I do not back down from taking it. The culture that allowed phone hacking to become the norm has changed fundamentally and must stay that way. We have already seen reforms of police practices, with a new code of conduct for the College of Policing. As I said, we are discussing rules around disclosure. I can confirm that we have asked Her Majesty’s inspectorate of constabulary to undertake a new review of how police forces are adhering to new media relations guidance, as recommended by Sir Brian, and we will not hesitate to strengthen the rules further if that is needed.
The Secretary of State has talked about victims of abuse, but he seems to have forgotten that Leveson was set up because of the victims of press harassment and abuse in the first place. Many of those victims have written to Members on both sides of the House, rejecting the ridiculous IPSO scheme and asking for part 2 of Leveson to proceed. He has heard concerns from Members on both sides of the House today, so why will he not think again? What has changed his mind about those victims over the last three or four years?
In the period in which people have raised concerns and said that they must be looked into in Leveson 2, every one that has been raised with me was covered in Leveson 1. Leveson 1 was exhaustive, and there were then police investigations, which went further. My judgment is about what is right now, and the challenges the press face now are fundamentally different.
Does the Secretary of State accept that many of the challenges that the press face now are the result of the behaviour that led to Leveson 1 and undermined public confidence? The fact that the victims are not perceived as having had justice further undermines the press, and we would be helping the future of the press in this country if we continued along the lines of Leveson 2 and looked at how best to implement the recommendations of Leveson 1.
I think the representations from the press themselves show that they are not looking for help of that sort. Let us, however, look at the public: there is not a great public cry for this. In response to the consultation, 79% of direct responses favoured the full repeal of section 40. It is my job to address what we face now and the needs of the country now.
The Secretary of State has made the very interesting point that he will try to address some of the grievances and outcomes by way of a review. Doing so specifically in relation to Northern Ireland was in effect precluded by the first part of Mr Leveson’s inquiry. Will the Secretary of State tell us how he will try to resolve this problem in Northern Ireland?
Through new clause 23, as I have mentioned, we will require the Information Commissioner to conduct a statutory review of media compliance with the new law over the next four years. Alongside that review, we propose to have a named person review the standards of the press in Northern Ireland, and we will take that forward as part of and alongside new clause 23.
I thank the Secretary of State for his generosity. Would it be fair for me to characterise that review as a Leveson for Northern Ireland?
I would characterise it as a review aligned with new clause 23, which we are bringing in for the whole country, specifically to look at the effects in Northern Ireland. The crucial point is that we will make sure, through the review in new clause 23, that the future of the press is both free and reasonable, that its behaviour is reasonable, and yet that it is not subject to statutory regulation. I want to see a press that is both free and fair.
This is an extraordinary way to make policy. Will the Secretary of State explain to us why there can be a Leveson for Northern Ireland, but not for the rest of the United Kingdom?
I have explained that new clause 23, which I hope the right hon. Gentleman supports, will in the future bring in a review of behaviour following the new system that we are putting into place. That is true here, and it is true right across the country.
May I bring the Secretary of State back to the United Kingdom and to Manchester last year? The Kerslake review said:
“The panel was shocked and dismayed by the accounts of the families of their experiences with some of the media.”
That happened last year, so the Secretary of State should not represent the threats posed by press misbehaviour as being from the past; this is a real and pressing problem now. Will he keep his promise to the victims who have suffered from this in the past and are continuing to suffer from it?
New clause 23 is for the whole of the UK, which includes Northern Ireland. On the hon. Gentleman’s broader point, I have read the Kerslake review, and we asked to see all the evidence that fed into it, but we have not received specific allegations. The crucial point is that the low-cost IPSO arbitration is precisely to make sure that everybody has access to justice and that the press improves the way in which it behaves so that it is both free and fair, and that is what we want to achieve.
The Secretary of State may not be aware of this, but my daughter, aged seven, was spoken to and recorded by a journalist in 2016. The incident, which was in our own garden, traumatised her greatly, as has been stated by her school and by her doctor, but it was ignored by IPSO. Will he meet me and my daughter to explain how children like her will be protected by his amendments and what he is trying to do, because she has no faith in the system?
Yes, I absolutely will. This is the sort of thing that I am trying to put right. It is about making sure that the system is right now: rather than going over the past—there is an enormous amount of evidence of what happened in the past—this is about making sure that we look to the future.
The hon. Member for North Antrim (Ian Paisley) mentioned Northern Ireland and the review I have committed to in Northern Ireland will take place at the same time as the review under new clause 23 for the UK that is before the House.
Further to the point made by the hon. Member for North Antrim (Ian Paisley) about the special review for Northern Ireland, may I ask the Secretary of State in reference to the Hurst case—the former Army intelligence officer whose computers were hacked by newspaper journalists working for newspapers in England about his activities protecting our state in Northern Ireland—whether his review will also examine such criminal activity?
If there are allegations of criminal activity—the hon. Gentleman has just made such an allegation—then that is a matter for the courts.
A newspaper group has admitted liability for criminally hacking the computers of a former Army intelligence officer.
In a way, the hon. Gentleman has summed up my case. My case is that we want a press that is free and that is fair. Statutes already exist to ensure that, when there are cases of wrongdoing, people can be brought to account through the courts. That already exists, and we now also have a system of compulsory, low-cost arbitration to make sure everybody can get recourse.
I am focused on ensuring that we have high-quality political discourse and a press that can survive and thrive, with high-quality journalists who can hold the powerful to account, and on ensuring that we face the challenges of today rather than those of yesterday. That is what we want to work towards, and new clauses 18, 20 and 21 would make it harder to find solutions to today’s real problems.
The Secretary of State will correct me if I am wrong, but new clause 23, to which he has referred at the Dispatch Box, looks at cases going forward; it is not retrospective—I hope I am correct. Therefore, it addresses some of the deficiencies in the other new clauses before the House about having just a consultation process on what has happened previously.
New clause 23 is about ensuring that in the future there is a review of activity from now onwards, and alongside it we will ensure that there is a named person to ensure that the issues in Northern Ireland are looked into properly.
Overall, I want to ensure that the law that applies to the press is applied fairly, and that we have a free press and one that is responsible. I therefore oppose new clauses 18, 20 and 21, which would make that more difficult, not easier, and I urge every Member of the House to do the same.
I rise to support in particular new clause 18, in the name of my right hon. Friend the Member for Doncaster North (Edward Miliband), and indeed our new clause 20 and the consequential amendments.
The background to this is fairly well rehearsed, but it is worth remembering the level of shock we all felt when the revelations about phone hacking first became public. It is worth remembering the shock we felt when we heard that Milly Dowler’s phone had been hacked. It does not often happen in this House that Members on both sides unite to try to construct a shared way forward through an extremely difficult problem, yet that is exactly what we managed to do with the Leveson inquiry.
That was very difficult, but it was always going to be a game of two halves. There were too many cases coming to court at the time; there was too much evidence still under wraps; and there was too much that had to be left in the dark. As the Father of the House so rightly pointed out, it was never a question of opening a new inquiry; this is about letting the existing inquiry actually finish its work.
When the previous Prime Minister, Mr Cameron, having spoken to victims, made a statement, the point he wanted to impress on Members on both sides of the House was the need for Leveson to finish the job:
“One of the things that the victims have been most concerned about is that part 2 of the investigation should go ahead—because of the concerns about that first police investigation and about improper relationships between journalists and police officers. It is right that it should go ahead, and that is fully our intention.”—[Official Report, 29 November 2012; Vol. 554, c. 458.]
The then Prime Minister was not speaking simply on his own behalf; he was speaking on behalf of Government Members, including members of today’s Government Front Bench such as the Chief Whip, the right hon. Member for Skipton and Ripon (Julian Smith), who wrote not too long ago to one of his constituents:
“The Government has been clear all along that the status quo is not an option and I, personally, am determined to see Lord Justice Leveson’s principles implemented.”
Where has that commitment gone this afternoon?
What I want to learn is the truth. I want to learn the truth about police-press collusion and I want to know how we improve our press regulation in the future, so that we have not just a free press but a clean press.
Let me make some progress. The Secretary of State offered us a second line of argument that has now collapsed. I am not quite sure of the exact words he used when he came to the House, but most of us walked away thinking that Lord Leveson was pretty content that the whole thing was going to be shuttered. The House can therefore imagine our surprise when Sir Brian Leveson said that he “fundamentally disagreed” with the Government’s decision to end part two of the inquiry. When Lord Leveson said that he wanted the terms to be revised, he meant that he wanted them to be expanded, not cancelled all together. The Secretary of State says that malpractice is in the past and that there is nothing more to see, officials are busy, inquiries are expensive and so we must move on. He intimated that Lord Leveson agreed with him when that was not in fact the case.
A third line of attack from the Secretary of State was that the review looked to the past and ignored the challenges for the press in the future. That was a legitimate challenge and if he studies carefully the words of the amendment tabled by my hon. Friend the Member for West Bromwich East (Tom Watson), he will see that there is a new ambition to get into some of the challenges around fake news that were looked at by Brian Leveson. That was not enough to satisfy the Secretary of State, however. In a letter to Conservative Members—I did not receive a copy—he offered some more objections, each one of which we can knock down.
The Secretary of State, in his letter to his colleagues, says that the first half of Leveson was “full and broad” when in fact it was partial and incomplete. He says that newspaper margins are under pressure, as if economic hardship is now some sort of defence against the full glare of justice. He says that the effect of the proposals will be “chilling”, when he knows that our fine broadcasters in this country operate under far more rigorous regulation than newspapers and that does not stop them pursuing the most extraordinarily brilliant investigations. He says that Sir Joe Pilling has “cleared” the IPSO scheme, but Joe Pilling was appointed by IPSO and IPSO itself says it does not comply with Leveson. He says that IPSO now has a low-cost arbitration scheme, but as the hon. Member for Wellingborough (Mr Bone) pointed out, MailOnline, Newsquest and Archant are all outside it, so it is not a universal scheme in the way the Secretary of State has tried to present it to the House this afternoon.
The final line of argument is that officials are very busy and inquiries are very expensive, and we should therefore just walk on by. I just do not think that that is good enough.
I am happy to hear from the Secretary of State why he thinks I am wrong.
The right hon. Gentleman is not making much progress. He is implying that broadcasters are under regulation but there is no chilling effect. The description of a chilling effect, raised by my hon. Friend the Member for Croydon South (Chris Philp), is the expected impact of section 40, under which anybody would be able to take a newspaper to court and get costs awarded against the newspaper even if they did not have anything in their case. The broadcasters do not have to deal with anything like that. On the point about things being brought to light, will he confirm that the case of Mr Ford, which he raised and was raised in an argument for Leveson 2, was in fact raised in the original Leveson inquiry and was therefore covered?
Mr Ford’s activity was, but not Mr Ford’s allegations that the activity is already under way.
Let me come on to the point the Secretary of State made about the future of press regulation. The scheme he voted for—it was elegantly designed, I think, by the right hon. Member for West Dorset (Sir Oliver Letwin)—was a good scheme. There have been a couple of important objections to it made by many of our constituents, but more importantly by many journalists in our local media. The first objection is that a royal charter is somehow tantamount to a state authorised, state-operated regulator, which will somehow impede free speech. Royal charters have for centuries been the basis by which we have given stature to universities and learning societies like the Royal Society. None of them confront restrictions on free speech in any way whatever. That argument, frankly, is fanciful.
I beg to move, That the clause be read a Second time.
With this it will be convenient to discuss the following:
Government new clause 14—Destroying or falsifying information and documents etc.
Government new clause 15—Applications in respect of urgent notices.
Government new clause 16—Post-review powers to make provision about representation of data subjects.
Government new clause 17—Reserve forces: data-sharing by HMRC.
New clause 3—Bill of Data Rights in the Digital Environment—
‘Schedule [Bill of Data Rights in the Digital Environment] shall have effect.’
This new clause would introduce a Schedule containing a Bill of Data Rights in the Digital Environment.
New clause 4—Bill of Data Rights in the Digital Environment (No. 2)—
‘(1) The Secretary of State shall, by regulations, establish a Bill of Data Rights in the Digital Environment.
(2) Before making regulations under this section, the Secretary of State shall—
(a) consult—
(i) the Commissioner,
(ii) trade associations,
(iii) data subjects, and
(iv) persons who appear to the Commissioner or the Secretary of State to represent the interests of data subjects; and
(b) publish a draft of the Bill of Data Rights.
(3) The Bill of Data Rights in the Digital Environment shall enshrine—
(a) a right for a data subject to have privacy from commercial or personal intrusion,
(b) a right for a data subject to own, curate, move, revise or review their identity as founded upon personal data (whether directly or as a result of processing of that data),
(c) a right for a data subject to have their access to their data profiles or personal data protected, and
(d) a right for a data subject to object to any decision made solely on automated decision-making, including a decision relating to education and employment of the data subject.
(4) Regulations under this section are subject to the affirmative resolution procedure.’
This new clause would empower the Secretary of State to introduce a Bill of Data Rights in the Digital Environment.
New clause 6—Targeted dissemination disclosure notice for third parties and others (No. 2)—
‘In Schedule 19B of the Political Parties, Elections and Referendums Act 2000 (Power to require disclosure), after paragraph 10 (documents in electronic form) insert—
‘10A (1) This paragraph applies to the following organisations and individuals—
(a) a recognised third party (within the meaning of Part 6);
(b) a permitted participant (within the meaning of Part 7);
(c) a regulated donee (within the meaning of Schedule 7);
(d) a regulated participant (within the meaning of Schedule 7A);
(e) a candidate at an election (other than a local government election in Scotland);
(f) the election agent for such a candidate;
(g) an organisation or individual formerly falling within any of paragraphs (a) to (f); or
(h) the treasurer, director, or another officer of an organisation to which this paragraph applies, or has been at any time in the period of five years ending with the day on which the notice is given.
(2) The Commission may under this paragraph issue at any time a targeted dissemination disclosure notice, requiring disclosure of any settings used to disseminate material which it believes were intended to have the effect, or were likely to have the effect, of influencing public opinion in any part of the United Kingdom, ahead of a specific election or referendum, where the platform for dissemination allows for targeting based on demographic or other information about individuals, including information gathered by information society services.
(3) This power shall not be available in respect of registered parties or their officers, save where they separately and independently fall into one or more of categories (a) to (h) of sub-paragraph (1).
(4) A person or organisation to whom such a targeted dissemination disclosure notice is given shall comply with it within such time as is specified in the notice.’’
This new clause would amend the Political Parties, Elections and Referendums Act 2000 to allow the Electoral Commission to require disclosure of settings used to disseminate material where the platform for dissemination allows for targeting based on demographic or other information about individuals.
New clause 10—Automated decision-making concerning a child—
‘(1) Where a data controller expects to take a significant decision based solely on automated processing which may concern a child, the controller must, before such processing is undertaken—
(a) deposit a data protection impact assessment with the Commissioner, and
(b) consult the Commissioner (within the meaning of Article 36 of the GDPR), regardless of measures taken by the controller to mitigate any risk.
(2) Where, following prior consultation, the Commissioner does not choose to prevent processing on the basis of Article 58(2)(f) of the GDPR, the Commissioner must publish the part or parts of the data protection impact assessment provided under subsection (1), relevant to the reaching of that decision.
(3) The Commissioner must produce and publish a list of safeguards to be applied by data controllers where any significant decision based solely on automated processing may concern a child.
(4) For the purposes of this section, the meaning of “child” is determined by the age of lawful processing under Article 8 of the GDPR and section 9 of this Act.’
New clause 11—Education: safe use of personal data—
‘(1) The Children and Social Work Act 2017 is amended as follows.
(2) In section 35 (other personal, social, health and economic education), after subsection (1)(b) insert—
‘(1A) In this section, “personal, social, health and economic education” shall include education relating to the safe use of personal data.’’
This new clause would enable the Secretary of State to require that personal information safety be taught as a mandatory part of the national PSHE curriculum.
New clause 12—Health bodies: disclosure of personal data—
‘(1) In section 261 of the Health and Social Care Act 2012 (Health and Social Care Information Centre: dissemination of information) after subsection (5) insert—
‘(5A) A disclosure of personal data may be made under subsection (5)(e) only if it is made—
(a) to and at the request of a member of a police force, and
(b) for the purpose of investigating a serious offence.
(5B) In subsection (5A)—
“personal data” has the meaning given by section 3 of the Data Protection Act 2018;
“police force” means—
(a) a police force within the meaning of section 101 of the Police Act 1996, and
(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and
“serious offence” means—
(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,
(b) an offence under the Offences Against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and
(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’
(2) In section 13Z3 of the National Health Service Act 2006 () at the end insert—
‘(3) A disclosure of personal data may be made under subsection (1)(g) only if it is made—
(a) to and at the request of a member of a police force, and
(b) for the purpose of investigating a serious offence.
(4) In subsection (3)—
“personal data” has the meaning given by section 3 of the Data Protection Act 2018;
“police force” means—
(a) a police force within the meaning of section 101 of the Police Act 1996, and
(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and
“serious offence” means—
(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,
(b) an offence under the Offences against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and
(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’
(3) In section 14Z23 of the National Health Service Act 2006 (clinical commissioning groups: permitted disclosure of information) at the end insert—
‘(3) A disclosure of personal data may be made under subsection (1)(g) only if it is made—
(a) to and at the request of a member of a police force, and
(b) for the purpose of investigating a serious offence.
(4) In subsection (3)—
“personal data” has the meaning given by section 3 of the Data Protection Act 2018;
“police force” means—
(a) a police force within the meaning of section 101 of the Police Act 1996, and
(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and
“serious offence” means—
(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,
(b) an offence under the Offences against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and
(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’
(4) In section 79 of the Health and Social Care Act 2008 (Care Quality Commission: permitted disclosures) after subsection (3) insert—
‘(3A) A disclosure of personal data may be made under subsection (3)(g) only if it is made—
(a) to and at the request of a member of a police force, and
(b) for the purpose of investigating a serious offence.
(3B) In subsection (3A)—
“personal data” has the meaning given by section 3 of the Data Protection Act 2018;
“police force” means—
(a) a police force within the meaning of section 101 of the Police Act 1996, and
(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and
“serious offence” means—
(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,
(b) an offence under the Offences against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and
(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’’
This new clause would prevent personal data held by the NHS from being disclosed for the purpose of the investigation of a criminal offence unless the offence concerned is serious, which is consistent with the NHS Code of Confidentiality and GMC guidance on confidentiality. It would also mean that any such disclosure could only be made to the police, and not, for example, to Home Office immigration enforcement officials.
New clause 24—Safeguards on the transfer of data for lethal force operations overseas—
‘(1) A transferring controller may not make any transfer of personal data outside the United Kingdom under Part 4 of this Act where—
(a) the transferring controller knows, or should know, that the data will be used in an operation or activity that may involve the use of lethal force, and
(b) there is a real risk that the transfer would amount to a breach of domestic law or an internationally wrongful act under international law.
(2) Where the transferring controller determines that there is no real risk under subsection (1)(b), the transfer is not lawful unless—
(a) the transferring controller documents the determination, providing reasons, and
(b) the Secretary of State has approved the transfer in writing.
(3) Any documentation created under subsection (2) shall be provided to the Information Commissioner and the Investigatory Powers Commissioner within 90 days of the transfer.
(4) A “transferring controller” is a controller who makes a transfer of personal data outside the United Kingdom under Part 4 of this Act.
(5) For the purposes of subsection (1)(b),
(c) “domestic law” includes, but is not limited to,
(i) soliciting, encouraging, persuading or proposing a murder contrary to section 4 of the Offences Against the Person Act 1861,
(ii) conspiracy to commit murder contrary to section 1 or 1A of the Criminal Law Act 1977,
(iii) aiding, abetting, counselling, or procuring murder contrary to section 8 of the Accessories and Abettors Act 1861,
(iv) offences contrary to section 44, 45 and 46 of the Serious Crime Act 2007,
(v) offences under the International Criminal Court Act 2001.
(d) “International law” includes, but is not limited to, Article 16 of the 2001 Draft Articles on the Responsibility of States for Internationally Wrongful Acts.
(6) The Secretary of State must lay before Parliament, within six months of the coming into force of this Act, guidance for intelligence officers on subsections (1) and (2).
(7) The Secretary of State must lay before Parliament any subsequent changes made to the guidance reported under subsection (6) within 90 days of any changes being made.’
Amendment 18, in clause 7, page 5, line 24, after “subsections” insert “(1A),”.
Government amendment 22.
Amendment 19, page 5, line 24, at end insert—
‘(1A) A primary care service provider is not a “public authority” or “public body” for the purposes of the GDPR merely by virtue of the fact that it is defined as a public authority by either—
(a) any of paragraphs 43A to 45A or paragraph 51 of Schedule 1 to the Freedom of Information Act 2000, or
(b) any of paragraphs 33 to 35 of Schedule 1 to the Freedom of Information (Scotland) Act 2002 (asp 13).’
Government amendments 23 and 24.
Amendment 4, in clause 10, page 6, line 37, leave out subsections (6) and (7).
This amendment would remove delegated powers that would allow the Secretary of State to vary the conditions and safeguards governing the general processing of sensitive personal data.
Amendment 5, in clause 14, page 8, line 11, at end insert—
‘(2A) A decision that engages an individual’s rights under the Human Rights Act 1998 does not fall within Article 22(2)(b) of the GDPR (exception from prohibition on taking significant decisions based solely on automated processing for decisions that are authorised by law and subject to safeguards for the data subject’s rights, freedoms and legitimate interests).
(2B) A decision is “based solely on automated processing” for the purposes of this section if, in relation to a data subject, there is no meaningful input by a natural person in the decision-making process.’
This amendment would ensure that where human rights are engaged by automated decisions these are human decisions and provides clarification that purely administrative human approval of an automated decision does make an automated decision a ‘human’ one.
Amendment 6, page 9, line 36, leave out clause 16.
This amendment would remove delegated powers that would allow the Secretary of State to add further exemptions.
Government amendment 143.
Amendment 7, in clause 35, page 22, line 14, leave out subsections (6) and (7).
This amendment would remove delegated powers that would allow the Secretary of State to vary the conditions and safeguards governing the general processing of sensitive personal data.
Amendment 151, in clause 49, page 30, line 19, at end insert—
‘(1A) A controller may not take a significant decision based solely on automated processing if that decision affects the rights of the data subject under the Human Rights Act 1998.’
Amendment 2, in clause 50, page 30, line 28, at end insert—‘and
(c) it does not engage the rights of the data subject under the Human Rights Act 1998.’
This amendment would ensure that automated decisions should not be authorised by law if they engage an individual’s human rights.
Amendment 8, in clause 86, page 51, line 21, leave out subsections (3) and (4).
This amendment would remove delegated powers that would allow the Secretary of State to vary the conditions and safeguards governing the general processing of sensitive personal data.
Amendment 3, in clause 96, page 56, line 38, after “law” insert—
‘unless the decision engages an individual’s rights under the Human Rights Act 1998.’
This amendment would ensure that automated decisions should not be authorised by law if they engage an individual’s human rights.
Amendment 9, page 63, line 27, leave out clause 113.
This amendment would remove delegated powers that would allow the Secretary of State to create new exemptions to Part 4 of the Bill.
Government amendments 25 to 37.
Amendment 20, in clause 144, page 81, line 11, leave out “7 days” and insert “24 hours”.
This amendment would reduce from 7 days to 24 hours the minimum period which must elapse before a controller or processor has to comply with an assessment notice which has been issued by the Commissioner and which the Commissioner has stated should be complied with urgently.
Government amendments 38 to 71.
Government new schedule 3—Transitional provision etc.
New schedule 1—Bill of Data Rights in the Digital Environment—
‘The UK recognises the following Data Rights:
Article 1—Equality of Treatment
Every data subject has the right to fair and equal treatment in the processing of his or her personal data.
Article 2—Security
Every data subject has the right to security and protection of their personal data and information systems.
Access requests by government must be for the purpose of combating serious crime and subject to independent authorisation.
Article 3—Free Expression
Every data subject has the right to deploy his or her personal data in pursuit of their fundamental rights to freedom of expression, thought and conscience.
Article 4—Equality of Access
Every data subject has the right to access and participate in the digital environment on equal terms.
Internet access should be open.
Article 5—Privacy
Every data subject has the right to respect for their personal data and information systems and as part of his or her fundamental right to private and family life, home and communications.
Article 6—Ownership
Every data subject has the right to own and control his or her personal data.
Every data subject is entitled to proportionate share of income or other benefit derived from his or her personal data as part of the right to own.
Article 7—Control
Every data subject is entitled to know the purpose for which personal data is being processed. Data controllers should not deliberately extend the gathering of personal data solely for their own purposes. Government, corporations, public authorities and other data controllers must obtain meaningful consent for the use of people’s personal data. Every data subject has the right to own curate, move, revise or review their personal data.
Article 8—Algorithms
Every data subject has the right to transparent and equal treatment in the processing of his or her personal data by an algorithm or automated system.
Every data subject is entitled to meaningful human control in making significant decisions – algorithms and automated systems must not be deployed to make significant decisions.
Article 9—Participation
Every data subject has the right to deploy his or her personal data and information systems to communicate in pursuit of the fundamental right to freedom of association.
Article 10—Protection
Every data subject has the right to safety and protection from harassment and other targeting through use of personal data whether sexual, social or commercial.
Article 11—Removal
Every data subject is entitled to revise and remove their personal data.
Compensation
Breach of any right in this Bill will entitle the data subject to fair and equitable compensation under existing enforcement provisions. If none apply, the Centre for Data Ethics will establish and administer a compensation scheme to ensure just remedy for any breaches.
Application to Children
The application of these rights to a person less than 18 years of age must be read in conjunction with the rights set out in the United Nations Convention on the Rights of the Child. Where an information society service processes data of persons less than 18 years of age it must do so under the age appropriate design code set out in section 123 of this Act.’
Government amendments 72 and 73.
Amendment 16, in schedule 2, page 140, line 15, at end insert—
‘(1A) The exemption in sub-paragraph (1) may not be invoked in relation to offences under—
(a) sections 24, 24A, 24B or 24C of the Immigration Act 1971,
(b) section 21 of the Immigration, Asylum and Nationality Act 2006, or
(c) sections 33A and 33B of the Immigration Act 2014.’
Amendment 15, page 141, line 17, leave out paragraph 4.
Government amendments 141 and 142.
Amendment 10, page 152, line 24, leave out paragraph 19 and insert—
‘19 The listed GDPR provisions do not apply to personal data that consists of information which is protected by legal professional privilege or the duty of confidentiality.’
This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.
Government amendments 139, 74 and 75.
Amendment 11, in schedule 11, page 196, line 39, leave out paragraph 9 and insert—
‘9 The listed provisions do not apply to personal data that consists of information which is protected by legal professional privilege or the duty of confidentiality.’
This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.
Government amendments 140 and 76 to 80.
Amendment 21, in schedule 15, page 206, line 11, at end insert—
‘(1A) A warrant issued under subparagraph (1)(b) or (1)(c) of this paragraph does not require any notice to be given to the controller or processor, or to the occupier of the premises.’
This amendment would make it clear that a judge can issue a warrant to enter premises under subparagraphs 4(1)(b) or 4(1)(c) without the Commissioner having given prior notice to the data controller, data processor or occupier of premises.
Government amendments 81 to 85.
Amendment 12, page 208, line 13, leave out
“with respect to obligations, liabilities or rights under the data protection legislation”.
This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.
Amendment 13, page 208, line 21, leave out from “proceedings” to the end of line 23.
This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.
Government amendments 86 to 138.
I shall start by addressing the Government amendments—[Interruption.]
Order. Will people who are leaving the Chamber please do so quietly? The Minister is making an important speech and people want to hear it. It is just rude to make a noise—unless you happen to be in the Chair.
I propose to start my remarks by addressing the Government amendments to strengthen the powers of the Information Commissioner.
The investigation of the Information Commissioner’s Office into Cambridge Analytica is unprecedented in its scale and complexity. It has, necessarily, pushed the boundaries of what the drafters of the Data Protection Act 1998 and the parliamentarians who scrutinised it could have envisaged. Although we recognise that the Bill already expands and enhances the commissioner’s ability to enforce the requirements of the data protection legislation in such circumstances, the Government undertook to consider whether further provision was desirable in the light of the commissioner’s experience. Following extensive discussions with the commissioner and in Committee, we concluded that such provision is desirable. Our amendments will strengthen the commissioner’s ability to enforce the law, while ensuring that she operates within a clear and accountable structure. I will give a few examples.
First, amendments 27 and 28 will allow the commissioner to require any person who might have knowledge about suspected breaches of the data protection legislation to provide information. Previously, information could be sought only from a data controller or a data processor. That might be important where, for example, a former employee has information about the organisation’s processing activities.
Secondly, new clause 13 will allow the commissioner to apply to the court for an order to force compliance when a person fails to comply with a requirement to provide information. Organisations that might previously have been tempted to pay a fine for non-compliance instead of handing over the information will find themselves at risk of being in contempt of court if they do not comply.
Thirdly, amendments 30 and 45 will allow the commissioner to require controllers to comply with information or enforcement notices within 24 hours in some very urgent cases, rather than the seven days provided for in the existing law. Amendment 38 will allow the commissioner, in certain circumstances, to issue an assessment notice that can have immediate effect. Those amendments will allow the commissioner to obtain information about a suspected breach or put a stop to high-risk processing activities in a prompt and effective way. They will also allow her to carry out no-notice inspections without a warrant in certain circumstances.
Fourthly, new clause 14 will criminalise the behaviour of any person who seeks to frustrate an information or assessment notice by deliberately destroying, falsifying, blocking or concealing evidence that has been identified as relevant to the commissioner’s investigation.
Finally, we have taken this opportunity to modernise the commissioner’s powers. Storing files on an office server is rapidly becoming a thing of the past. Amendment 79 will enable the commissioner to apply for a warrant to access material that can be viewed via computers on the premises but that is held in the cloud.
When strengthening the commissioner’s enforcement powers, we have been mindful of the need to provide appropriate safeguards and remedies for those who find themselves under investigation. For example, when an information, assessment or enforcement notice containing an urgency statement is served on a person, new clause 15 will allow them to apply to the court to disapply the urgency statement. In effect, they will have a right to apply to the court to vary the timetable for compliance with the order. A court considering an application from the commissioner for an information order will be able to take into account all the relevant circumstances at the time, including whether an application has been brought by the person concerned under new clause 15 and whether the person has brought an appeal against the notice itself in the tribunal. These amendments have been developed in close liaison with the Information Commissioner. We are confident that they will give her the powers she needs to ensure that those who flout the law in our increasingly digital age are held to account for their actions.
I now turn to the representation of data subjects. I am very grateful to Baroness Kidron for her continued engagement on this subject. In particular, we agree that children merit special protection in relation to their personal data and that the review the Government will undertake shall look accordingly at the specific barriers young people and children face in enforcing their rights. Government new clause 16, as well as amendments 61, 62, 63, 70 and 75, ensures that they will.
Government new clause 17 concerns maintaining contact with ex-regular reserve forces. This will allow Her Majesty’s Revenue and Customs to share contact detail information with the Ministry of Defence to ensure that the MOD is better able to locate and contact members of the ex-regular reserve.
New clause 12, on data sharing by health bodies, is in the name of my hon. Friend the Member for Totnes (Dr Wollaston), who chairs the Health and Social Care Committee. I know she and the Committee have significant and legitimate concerns about the operation of the memorandum of understanding between NHS Digital and the Home Office, which currently allows the sharing of non-clinical information, principally address information, for immigration purposes. The Select Committee has argued for the suspension of the MOU pending the outcome of a review of its impact by Public Health England. New clause 12 seeks to adopt a more long-term approach by narrowing the ability of NHS Digital to disclose information in connection with the investigation of criminal offences. The aim is to narrow the MOU’s scope, so that it only facilitates the exchange of personal data in cases involving serious criminality.
The Government have reflected further on the concerns put forward by my hon. Friend and her Committee. As a result, and with immediate effect, the data sharing arrangements between the Home Office and the NHS have been amended. This is a new step and it supersedes the position set out in previous correspondence between the Home Office, the Department for Health and Social Care and the Select Committee.
I know my hon. Friend and her colleagues have been particularly exercised by the contents of a letter dated 23 February from both the above-mentioned Departments to her Select Committee, in which it is stated that
“a person using the NHS can have a reasonable expectation when using this taxpayer-funded service that their non-medical data, which lies at the lower end of the privacy spectrum, will not be shared securely between other officers within government in exercise of their lawful powers”.
The bar for sharing data will now be set significantly higher. By sharing, I mean sharing between the Department of Health and Social Care, the Home Office and, in future, possibly other Departments. No longer will the names of overstayers and illegal entrants be sought against health service records to find current address details. The data sharing, relying on powers under the Health and Social Care Act 2012, the National Health Service Act 2006 and the Health and Social Care Act 2008, will only be used to trace an individual who is being considered for deportation action having been investigated for, or convicted of, a serious criminal offence that results in a minimum sentence of at least 12 months in prison.
The Government have a long-held policy on what level of serious criminality is deserving of deportation, given statutory force by the UK Borders Act 2007. When a custodial sentence of more than 12 months has been given, consideration for deportation must therefore follow. Henceforth, the Home Office will only be able to use the memorandum of understanding to trace an individual who is being considered for deportation action having been convicted of a serious criminal offence, or when their presence is considered non-conducive to the public good—for example, when they present a risk to public security but have yet to be convicted of a criminal offence.
Can the Minister give me more reassurance about the Home Office and its activity in this regard? At the moment, I have constituents who, under paragraph 322(5) of the immigration rules, face being deported for making legitimate changes to their tax return through HMRC data being accessed. Will she reassure me about what the Home Office can do to make sure that this is not abused and misused for the purposes of meeting immigration targets?
I will write to the hon. Lady and I hope to give her reassurance. This new higher bar concerns NHS data and that would obviously not catch within it errors on a tax return.
As now, the memorandum of understanding would also continue to operate when there are concerns about the welfare and safety of a missing individual—for example, vulnerable children and adults. That has always been the case. Personal information will only be disclosed to the Home Office or agencies under the purview of the Home Office. This is a significant restriction on the Home Office’s ability to use data held by the NHS. It is estimated that the change will exclude over 90% of the requests that have been satisfied to date.
The Minister talks about a memorandum of understanding giving reassurance to the House. I refer her to part 2 of schedule 2, which talks about exemptions from the general data protection regulation in respect of crime and taxation. Surely, the rights of individuals to have their data protected under that provision would address all these issues, and it would potentially supersede the memorandum of understanding.
I will come on to the exemptions in terms of criminal activity and immigration in a wider context than NHS information in due course.
My right hon. Friend the Minister for Immigration is committed to sending a copy of an updated MOU to the Health and Social Care Committee shortly, but as I have indicated, the significant narrowing of the MOU will have immediate effect. This commitment is consistent with the intention underpinning new clause 12. I trust that on that basis, my hon. Friend the Member for Totnes and her colleagues will not press new clause 12. I am sure that if she has any questions, she will intervene on me, or that when she makes her remarks later, I might be invited to intervene on her. I thank my hon. Friend and all her Committee members for their work to establish higher principles in this area.
I turn to Opposition amendments 16 and 15 and Government amendments 141 and 142, on immigration. Amendment 15 would remove the provisions relating to effective immigration control in schedule 2. In responding to the amendment, I want to address some of the continued misunderstandings that have arisen around the purpose and scope of the provision, and I hope to persuade the House that this is a necessary and proportionate measure to protect the integrity of our immigration system. It has been suggested that the provisions have no basis in the GDPR, but article 23 expressly allows member states to restrict certain specified rights for the purpose of safeguarding
“other important objectives of general public interest of a…Member State”.
The maintenance of effective immigration control is one such objective.
Will the Minister confirm that article 23 of the GDPR does not specify immigration?
It does not rule out immigration and it does allow the restriction of certain specified rights—not wholesale restrictions—for the purpose of safeguarding
“other important objectives of general public interest”.
The purpose is to provide a derogation for member states wide enough that they can pursue an overall Government policy in the general public interest. I would conclude that immigration is one such example. It has been suggested that the provisions represent a blanket carve-out of all a data subject’s rights. That is certainly not the case. I would like to reassure the right hon. Gentleman that we are being very selective about the rights that could be disapplied. The exemption will be applied only on a case-by-case basis and only where it is necessary and proportionate.
Has the Minister learnt nothing from the Windrush scandal? Here we have a Department of State that is not fantastic at keeping records. The idea of selectively carving out particular rights of particular people who need this information to fight tribunal cases strikes me as lunacy, given what we have learnt about the dysfunction at the Home Office.
Perhaps if I continue my remarks, I can reassure the right hon. Gentleman that of course lessons have been learnt, not least by the Home Office itself, as both the former Home Secretary and the current Home Secretary have made abundantly clear to the House.
The exemption in the amendment is to be applied only on a case-by-case basis and only where it is necessary and proportionate. It cannot and will not be used to target any group of people. Nor does the application of the exemption set aside all a data subject’s rights; it sets aside only those expressly listed. A further limitation is that it can be applied only where compliance with the relevant rights would be likely to prejudice the maintenance of effective immigration control.
Effective safeguards for crime prevention are already written into the Bill, which gives the Minister the power she is seeking to fulfil the purpose she is setting out for the House. If we selectively discard rights for selected people, we come pretty close to arbitrary decision making, and it is practically impossible to do that consistently and in way make it defendable in a judicial review. These provisions will result in injustice and cases that the Home Office loses, so just dump them now!
The right hon. Gentleman should know that different structures govern crime and immigration. I reiterate that we are disapplying these rights selectively—the data subjects will hang on to the majority of their rights—but it cannot be right for the Home Office to have to furnish someone who is in contravention of immigration law with information it has been given.
I am shocked by what the Minister is saying. These provisions were drafted before the Windrush scandal broke, and she is not learning the lessons at all. She says she wants these decisions made on an individual basis and in a way that is necessary and proportionate, but necessary and proportionate to achieve what? None of us knows what her definition of immigration control is. Does it mean meeting the net migration target, which is what we normally hear Ministers say? Necessary and proportionate to meet the net migration target could mean anything.
I understand that it is a matter of interpretation. I also understand that the Home Office is considering these matters in the fallout from the Windrush case. I am sure that, as Chair of the Home Affairs Committee, the right hon. Lady will have ample opportunity to question the new Home Secretary on exactly what he might mean by “necessary and proportionate”. When someone is seeking access to data from the Home Office to prove their immigration history, such as in the Windrush cases, there will be no basis for invoking the immigration exemption in the Bill. I trust that that provides the right hon. Lady with some comfort.
I will give way for the last time to the right hon. Lady, if the right hon. Gentleman does not mind.
That is not what the Bill says. That may be what the Minister intends, but if that is what she intends, she should change the Bill.
I shall have to write to the right hon. Lady once I have communicated with Home Office Ministers. According to my understanding, the Bill says that the exemption applies—
On a point of order, Madam Deputy Speaker. We are being invited to pass an important piece of legislation which hands important new powers to Her Majesty’s Home Office, yet there is not a Home Office Minister on the Front Bench to respond to the points that we are making about the details of that legislation. What steps can we take to summon a Home Office Minister this afternoon, so that our questions can be answered?
I understand the right hon. Gentleman’s point of order, but the fact is that the Minister, who is a very capable Minister, speaks for the Government, who are seamless. The Minister who is currently at the Dispatch Box is in a position to speak for all Ministers on this matter, which is why she has this responsibility and is responding to the questions that are currently being asked of her.
Thank you, Madam Deputy Speaker. I might as well give way to the right hon. Member for Kingston and Surbiton (Sir Edward Davey) now.
I am grateful to the Minister. To help other Members consider amendment 15, let me point out that one of the data protection provisions that are being exempted for immigration purposes is the right to make subject access requests. It is critical to the rule of law for people and their representatives to know on the basis of what information the Home Office has made its decisions. The Bill provides no safeguards, no balance, and no restrictions to the use of that law by Home Office officials. As we heard from the right hon. Member for Normanton, Pontefract and Castleford (Yvette Cooper), those are simply not in the Bill. It is entirely wrong for the House to be asked to pass a Bill that does not contain real safeguards for the people involved, given what happened in the Windrush cases.
I will continue to make some progress, as I feel that those points have already been made.
The application of the exemption does not set aside all data subjects’ rights, but only those expressly listed. A further limitation is that exemptions can be applied only where compliance with the relevant rights would be likely to prejudice the maintenance of effective immigration control.
It is an established term. It is used in the Immigration Act 2014 and the Freedom of Information Act 2000 uses a similar term, namely “operation of immigration controls”.
Without this immigration exemption, might not the Home Office have to disclose sources of tip-offs, which would not be conducive to ensuring that illegal immigration is properly controlled?
I think it highly likely that if, for example, someone were to undertake a full data subject review of whatever information the Home Office held about them—as was posited earlier by the right hon. Member for Kingston and Surbiton—the review would contain sources of information as well as the information itself. A further limitation is that exemptions can be applied only where compliance with the relevant rights would be likely to prejudice the maintenance of immigration control. This “prejudice” test must be applied first, and as a result the situations in which the exemption can be used are limited. The Government recognise the concerns that have been expressed in this debate.
Can the Minister give us a couple of examples to illustrate why these additional powers are necessary, and where the other powers in the Bill—in relation to criminal offences and investigations, for example—would not already suffice to do everything that the Home Office wishes?
We are permitted under GDPR to make these exemptions and are doing so in a very selective way and on a case-by-case basis, so it will not result in a widespread denial of people’s data rights.
The exemption should be as limited as possible, which is why we have brought forward amendments 141 and 142. These amendments will ensure that migrants enjoy the rights afforded under all of the data protection principles, except where a restriction on those principles is a consequence of restricting one of the other rights coming within the scope of the exemption.
I now turn to Opposition amendments 18 and 19 on primary care providers, and Government amendments 22 to 24 on parish councils. Parish and community councils are not exempt from the new law. None the less, by describing parish and community councils as “public authorities” the Bill gives these councils additional obligations above and beyond those placed on other small organisations, including that they must appoint a data protection officer. We have been working to minimise the impact of this requirement, and have concluded that as parish and community councils process very little personal data, the burden they would face would be disproportionate. Amendments 22, 23 and 24 therefore take these councils out of the definition of “public authorities” for data protection purposes.
I commend my hon. Friend the Minister on amendment 24, which recognises that councils are often so tiny—indeed, some are not even parish councils, and some do not employ any staff—that it would be wholly disproportionate to treat them in the way originally intended. I commend the Minister for listening to so many Members who made these points and recognising that parish councils must be treated separately.
I thank my hon. Friend for his comments. He and other colleagues across the House made these arguments, and given that such organisations are often very small and process only small amounts of personal data, we have decided to take parish councils out of the definition of “public authorities” for data protection purposes. Their status in respect of other legislation, including the Freedom of Information Act, is unaffected, however.
Similar arguments have been advanced in respect of primary care providers, but although I have sympathy with amendments 18 and 19, primary care providers are different from parish councils in that they process sizeable quantities of sensitive health data, whether that be an individual’s mental health status, the fact that they are pregnant, or details of their prescription for a terminal illness. All of these matters are highly personal, and in the world of health, data protection is rightly paramount.
The Dean Street Express case in 2015 illustrates the potential harm that even a single data breach can cause. In that incident, the names and email addresses of almost 800 people, many living with HIV, were disclosed to other recipients. It does not seem unreasonable that bodies who process that kind of data should have a single point of contact on data protection matters.
Government amendments 139 and 140 relate to legal professional privilege. We recognise the importance of protecting legal professional privilege and that is why in the Bill we have replicated the existing measures and exemptions for legal professional privilege found in the Data Protection Act 1998, which have worked well for many years.
Amendments 10 and 11 seek to widen the legal professional privilege exemptions found in schedules 2 and 11. They offer some thoughtful changes that are intended to recognise the broader range of material covered by a lawyer’s ethical duty of confidentiality. We agree that the Bill could be clearer, and have tabled amendments 139 and 140 in response.
It is interesting that we are making lots of exemptions for the Government, parish councils, lawyers and so on. I spoke to some lawyers this morning, and they were not convinced by the measures either. However, small businesses seem to be disproportionately affected, and there is real confusion out there. As I say, a lot of work has been done to protect the Government, parish councils and lawyers, but what about the little people—the people who make this country grow? There is even confusion in the Information Commissioner’s Office, which gave the wrong advice in briefings here to MPs’ staff only the other week. What are we going to do to protect the small people? They think that they are doing the right thing, but they have probably been ill advised. They are spending a lot of money trying to get things right, but there is real confusion out there.
My right hon. Friend raises several important points. As for the effect on small businesses, he will be reassured to learn that the issues with the processing of highly personal data that I was discussing do not apply to the majority of SMEs. They will not have to appoint a data protection officer, so that is one comfort.
As for training and guidance, I am sorry that colleagues and their research staff attended courses that were put together before the Bill was even in Committee, and thus did not take numerous amendments into account—not least the amendment clarifying the rights of Members of Parliament and other elected individuals. I apologise for that confusion.
I draw businesses’ attention to the excellent ICO website, which contains good sources of guidance for SMEs, including frequently asked questions. The ICO also provides an advice line for any follow-up questions on subjects that businesses might not be clear about. Ultimately, there is a need for better data protection, and that is not just what is set out in the GDPR. Dreadful examples, such as the case of Facebook and Cambridge Analytica, have demonstrated the need for more rigorous data rights and for greater security of data.
The Minister is being ever so generous in giving way not just to me, but to Members from across the House, and I thank her. Returning to the parliamentary stuff—we are only a small part of all this—some of the staff present at the briefing I mentioned left in tears, and I know that for a fact, because a member of my staff was there. Believe it or not, even though the ICO knew that the briefing was completely flawed, it has today issued certificates of attendance saying that it was the right thing for staff to have done.
More important, however, are the SMEs. Small businesses have approached me today to tell me that they have been told to delete all their data unless they get permission from the relevant people. Companies that did work for people three, four or five years ago—even last year—must get permission to hold their addresses so that they can fulfil, for example, warranty agreements. Other companies are getting completely different advice, and the lawyers are getting different advice. There seems to be a rush to protect Government agencies, local government, parish councils and lawyers, but not enough is being done to protect the small people of this country—the people who account for so much of our money.
I thank my right hon. Friend for his points. I want to reassure the small businesses that he mentions. I sympathise with businesses that are getting conflicting advice, and with those that are approached by firms of consultants who appear to be exaggerating the scale of the task of complying with the legislation. I am afraid that that always happens when there is change; people think that they can exaggerate the impact and the implications of a change and—who knows?—perhaps they will be remunerated for helping businesses to comply.
I also want to reassure my right hon. Friend about the specific case that he mentioned, in which companies were being advised that they needed to delete all the data for which they did not have consent. I want to reassure him that the vast majority of businesses will not have to delete the personal data that they hold. If they have gained the personal data lawfully, there are five, if not six, lawful bases on which they can process that personal data, of which consent is only one. I draw his attention particularly to legitimate interests, which is a lawful basis for processing data. For example, if a small firm has been supplying a much-needed service to people for a number of years, it is in the pursuit of its legitimate interests to communicate with its database of customers or new prospects, and it does not need to have consent. I would advise people not to delete their data without very careful consideration, or without consultation with the ICO website in particular.
I will give way to my right hon. Friend in a second. I want to respond to my right hon. Friend the Member for Hemel Hempstead (Sir Mike Penning) on the alleged discrimination involved in our taking steps to protect lawyers, parliamentarians, local councillors and so on but not to protect small businesses. The reason is that small businesses are less affected, in the sense that most of them do not process huge quantities of personal data. They therefore come under the purview of the ICO to a lesser extent, and enforcement is less likely to focus on organisations that do not process highly personal data. Those organisations do not need to appoint a data protection officer. I hope that I have gone some way towards allaying my right hon. Friend’s—
I will come back to my right hon. Friend in a moment, but I did say that I would give way to my right hon. Friend the Member for Broxtowe (Anna Soubry).
I thank my hon. Friend for that information, but it was mainly complete news to me, as I suspect it was to my right hon. Friend the Member for Hemel Hempstead too. We have a really serious problem here. I just cannot overestimate the amount of concern among small businesses. Medium-sized businesses with more than 250 employees have the benefit of a team of people, but this is a real crisis for small businesses and I am afraid that the lack of information is truly troubling. There are solutions, and perhaps we should discuss them in a different debate, but as a Government we have an absolute duty to get this right. There are devices available—HMRC sends out tax returns, for example—and there are many opportunities to get this information out there. At the moment, however, there is a lot of disinformation, and as my right hon. Friend the Member for Hemel Hempstead says, these businesses are the lifeblood of our economy. They do not know what is happening, and they are worried.
I sympathise with the points that my right hon. Friend has raised. In fact, we have secured almost £500,000 to launch an information campaign to bolster what the Information Commissioner’s Office is already doing for small businesses. I also draw her attention to the need for this legislation, and to the need for businesses and all of us in public life to respect people’s data rights. The landscape has changed. We now live in a digital world, and there is so much abuse of people’s privacy and data that I must bring her attention back to the need for the Bill. Of course she is right, however, to say that people need to be properly informed, and that is what the ICO is doing and what the Government campaign that we are about to launch will also do.
What the Minister said at the Dispatch Box a moment ago was also news to me. I have been campaigning and pushing on this for months—I spoke to the Secretary of State over the bank holiday weekend—and I was going to vote against the Bill this evening. Yes, we need data protection, but we do not want to destroy or frighten our businesses in the process. However, I take my hon. Friend at her word, and I will vote for the legislation this evening.
I quite agree. In fact, both the Secretary of State and I were small business owners before entering this place, so I feel what my right hon. Friend says very deeply. I must commend my hon. Friend the Member for Mid Worcestershire (Nigel Huddleston) on the excellent advice that his office has put together on what it will be doing in this respect. For the benefit of my staff, I have set out exactly what my office will be doing to comply with the legislation. If my right hon. Friend has any concerns about his own situation—
I am not worried about us; I am worried about small businesses.
In that case, I will proceed no further down that path. I am glad that I have been able to reassure my right hon. Friend and thank him for raising those important points.
I thank the Minister for that clarification, but I am not sure that it is clear enough. She will undoubtedly be aware that the Windrush documents were supposedly destroyed as a result of data protection requirements. There remains a significant possibility that there will be a wholesale destruction of data, some of which might be important, useful and legitimately kept, unless the Government take further action.
I commend the hon. Lady for that observation, because she has a fair point. I will raise her concern with the Information Commissioner. My right hon. Friend the Member for Hemel Hempstead said that some businesses have been advised that they should delete their data, so I can see where the hon. Lady is going on that. It raises the prospect that some organisations might use this as an excuse to delete data that it would be in the data subject’s interests to preserve.
I have not been able to address every amendment in the time available, but I am mindful of the number of colleagues who wish to contribute, and we have less than 60 minutes remaining. I have addressed most of the matters that came up in the Public Bill Committee, and the Government’s position will remain the same on many of them.
In short, we have enhanced the ICO’s enforcement powers, we have changed the way we share data, we have reached out to parish councils, we have narrowed the immigration exemption and we have responded to calls to better protect lawyer-client confidentiality. We have also dealt—effectively, I hope—with the concern expressed by my hon. Friend the Member for Totnes about the sharing of data between the Department of Health and Social Care and the Home Office.
May I start by welcoming the new powers for the Information Commissioner, which we called for in Committee? Nobody who observed the debacle of the investigation into Cambridge Analytica will have needed persuading that that those powers are necessary—it took the court five or six days to issue the requisite search warrants, and that time might well have been used by Cambridge Analytica to destroy evidence—so I am glad that the Minister has heeded our calls and introduced the proposals this afternoon. We are happy to give them our support.
I will speak to a number of new clauses and amendments in the group, particularly new clause 4, which is our enabling clause for creating a bold and imaginative Bill of data rights for the 21st century. I want to make the case for universal application of those rights, including their application to newcomers, who need rights in order to challenge bad decisions made by Governments, which is why our amendment 15 would strike out the immigration provisions that have so unwisely been put into the Bill. I will also say a few words about new measures that are needed in the Bill to defend the integrity of our democracy in the digital age.
The Minister took the time to make a comprehensive speech, which included an excellent explanation of the Government amendments, so I will be brief. Let me start with the argument for a Bill of data rights. Every so often we have to try to democratise both progress and protections. In this country we are the great writers of rights—we have been doing it since Magna Carta. Over the years, the universal declaration of human rights, the UN convention on the rights of the child, the charter of fundamental rights, the Human Rights Act 1998, the Equality Act 2010 and, indeed, the original Data Protection Act have all been good examples of how good and wise people in this country have enshrined into charters and other legal instruments a set of rights that we can all enjoy, that give us all a set of protections, and that help us to democratise progress.
My hon. Friend is right. We have been on the receiving end of a huge number of data breaches in this country—really serious infringements of basic 21st-century rights—which is why we need a bold declaration of those rights so that the citizens of this country know what they are entitled to. Unless we get this right, we will not be able to build the environment of trust that is the basis of trade in the digital economy. At the moment, trust in the online world is extremely weak—that trust is going down, not up—so we need to put in place measures now, as legislators, to fix this, turn it around and put in place preparations for the future.
The Government’s proposal of a digital charter is a bit like the cones hotline approach to public service reform. The contents of the charter are not really rights but guidelines. There are no good methods of redress or transparency. Frankly, if we try to introduce rights and redress mechanisms in that way, they will basically fail and will not lead to any kind of change. That is why we urge the Government to follow the approach that we are setting out.
I put on record my profound thanks to Baroness Kidron and the 5Rights movement. Her work forms the basis of the bill of rights we are proposing to the House: the right to remove data, as enshrined in the GDPR—that right is very important to children—the right to know; the right to safety and support; the right to informed and conscious use; and the right to digital literacy. Those are the kinds of rights we should now be talking about as the rights of every child and every citizen.
The right hon. Gentleman makes some good points. I agree with the rights he is talking about, but those rights exist under the GDPR and are intrinsic to the Bill, so I see no need for his amendment.
There is no right to digital literacy under the Bill, which is why we propose the five rights as the core of new schedule 1 in which, as the Minister knows, we go much further. The provision sets out rights to equality of treatment, security, free expression, access, privacy, ownership and control, the right not to be discriminated against as a result of automated decision making, and rights on participation, protection and removal.
Rights are sometimes scattered through thousands and thousands of pages of legislation, which is where we are on data protection today. That is why from time to time, as a country, we decide to make bold declaratory statements of what principles should guide us. These are methods of simplification and consolidation, and we are pretty good at that in this country. When we press our proposal to enable the creation of such a bill of rights to a Division a little later, we hope that it will be the call that the Government need to begin the process of consultation, thought, argument and debate about the digital rights that we need in this century and what they need to look like. Rights should not be imposed from the top down; they should come from the grassroots up, and the process of conversation and consultation is long overdue. To help the Government, we will accelerate that debate during this year.
The second point I wish to make is about amendment 15, which would ensure that the rights set out in the GDPR would stretch to everyone in this country. It would mean that the Government would not be permitted to knock out selective rights for certain people who just happen to be newcomers to this country. The proposal to withhold data rights from migrants and newcomers is a disgrace and does not deserve to be in the Bill. In Committee, Ministers were unable to tell us why the Bill’s crime prevention provisions could not be stretched to accommodate their ambitions for immigration control. The Minister has not been able to give us a succinct definition of “immigration control” today, and we have not been able to hear about the lessons learned from Windrush. Frankly, the debate has been left poorly informed, and we have had promises that letters will be sent to hon. Members long after tonight’s vote.
I rise to speak to new clause 12, which was tabled in my name, that of my colleague, the hon. Member for Stockton South (Dr Williams), and those of other members of the Health and Social Care Committee and Members from all parties.
I wish to speak about the importance of medical confidentiality, because it lies at the heart of the trust between clinicians and their patients, and we mess with that at our peril. If people do not have that trust, they are less likely to come forward and seek the care that they need. There were many unintended consequences as a result of the decision enshrined in a memorandum of understanding between the Home Office, the Department of Health and NHS Digital, which allowed the sharing of addresses at a much lower crime threshold than serious crime. That was permitted under the terms of the Health and Social Care Act 2012, but patients were always protected, in effect, because the terms of the NHS constitution, the guidance from the General Medical Council and a raft of guidance from across the NHS and voluntary agencies protected the sharing of data in practice.
This shift was therefore particularly worrying. There were many unintended consequences for the individuals concerned. The Health and Social Care Committee was also deeply concerned about the wider implications that this might represent a shift to data sharing much more widely across Government Departments. There was a risk, for example, that the Department for Work and Pensions might take an interest in patients’ addresses to see whether people were co-habiting for the purpose of investigating benefit fraud. There was a really serious risk of that.
I am afraid that the letter that we received from the Department of Health and Social Care and the Home Office declining to withdraw from the memorandum of understanding made the risk quite explicit. I would just like to quote from the letter, because it is very important. I also seek further clarification from the Minister on this. The letter states that
“it is also important to consider the expectations of anybody using the NHS—a state provided national resource. We do not consider that a person using the NHS can have a reasonable expectation when using this taxpayer-funded service that their non-medical data, which lies at the lower end of the privacy spectrum, will not be shared securely between other officers within government in the exercise of their lawful powers in cases such as these.”
I profoundly object to that statement. There was no such contract in the founding principles of the NHS. As I have said, it is vital that we preserve that fundamental principle of confidentiality, including for address data. I was delighted to hear the Minister’s words at the Dispatch Box, but can she just confirm for me absolutely that that statement has now been superseded?
Yes, I can confirm absolutely that the statement that my hon. Friend quoted from the letter of 23 February has been superseded by today’s announcements.
The significance of the Bill and the importance of data and data protection to the economy and the whole of society is reflected in this debate. The fact that amendments have been tabled on Report through the work of three different departmental Select Committees shows how wide-ranging this issue is.
I principally want to talk about amendments 20 and 21, which stand in my name and those of other members of the Digital, Culture, Media and Sport Committee and which are addressed by Government amendments, too. Before I do so, I want to add that the Chair of the Home Affairs Committee, the right hon. Member for Normanton, Pontefract and Castleford (Yvette Cooper), made a very important point about the fact that some people—particularly those involved in immigration cases—may not have full access to the data rights enjoyed by others. If the Minister can provide any further clarification, I will be happy to give way before I move on.
After the exchange I had with the hon. Member for Newcastle upon Tyne Central (Chi Onwurah), I wanted to confirm that the Home Office will certainly not destroy any data for which there is still a legitimate and ongoing need not just for the Home Office but for data subjects.
I am grateful to the Minister for that further clarification.
Amendments 20 and 21 get to the heart of an issue that has been raised by a number of Members, which is the power of the Information Commissioner to act in data investigations. The Minister, the right hon. Member for Birmingham, Hodge Hill (Liam Byrne) and others have referenced the Cambridge Analytica data breach scandal, which is a very good example of why these additional powers are needed. We raised that in the Select Committee with the Secretary of State. The Information Commissioner raised it with us and it was raised on the Floor of the House on Second Reading.
The ability to fine companies for being in breach of data rules is important, but what is most significant is that we get hold of the data needed by investigators, so that we understand who is doing what, how they are doing it and how wide-ranging this is. It is crucial that the Information Commissioner has the enforcement powers she needs to complete those investigations.
In the case of Cambridge Analytica, an information notice was issued by the Information Commissioner to that company to comply with requests for data and information. Not only did Cambridge Analytica not comply, but Cambridge Analytica and Facebook knew that. That information notice expired at 5 o’clock on the evening of the day when that deadline was set; it was the beginning of the week. Before the notice had expired and a warrant could even be applied for, Facebook had sent in its own lawyers and data experts to try to recover data that was relevant to the Information Commissioner’s request.
The Information Commissioner found out about that live on “Channel 4 News” and then effectively sent a cease and desist note to Facebook, telling it to withdraw its people. She might very well not have been made aware of what Facebook was doing that evening, and data vital for her investigation could have been taken out of her grasp by parties to the investigation, which would have been completely wrong. Not only did that happen—thankfully, Facebook stood down—but a further five days expired before a warrant could be issued—before the right judge in the right court had the time to grant the warrant to enable her to complete her work. We live in a fast-moving world, and data is the fuel of that fast-moving world, so we cannot have 19th or even 20th-century legal responses. We must give our investigatory authorities the powers they need to be effective, which means seizing data on demand, without notice, as part of an investigation, and having the ability to see how data is used in the workplace or wider environment.
The Government are bringing forward amendments, which I think have the support of the House, that will give us one of the most effective enforcement regimes in the world. They will give us the power to do something we have not been able to do before, which is to go behind the curtain to see what tech companies, even major tech companies, are doing and make sure they comply with our data rules and regulations. Without that or an effective power to inspect, we would largely be in the position of having to take their word for it when they said they were complying with the GDPR. Particularly with companies such as Facebook that run closed systems—they have closed algorithms and their data is not open in any way—there are very good commercial reasons for doing so, but there are also consumer safety reasons. We must have the power to go in and check what they are doing, so the amendments are absolutely vital.
There are further concerns. The shadow Minister, the right hon. Member for Birmingham, Hodge Hill, was right to raise concerns about honesty and transparency in political advertising. Both the Information Commissioner and the Electoral Commission are examining the use of data in politics, as well as looking at who places the ads. It is already a breach of the law in the UK, as it is in other countries, for people outside our jurisdiction to run political advertising during election campaigns in this country.
In the case of Facebook, it is unacceptable that its ad check teams have not spotted such advertising and stopped it happening when someone is breaking the law. If this were about the financial services sector, we would not let a company say, “Well, we thought someone was breaking the law, but we weren’t told to do anything about it, so we didn’t”. We would expect such a company to spot it and to take effective action. We need to see a lot more progress on this, particularly in relation to the placement of micro-targeting ads and dark ads. The Institute of Practitioners in Advertising has called for a moratorium on the micro-targeting of political ads, which may be seen only by the person who receives an ad and the person who places it.
When the chief technology officer of Facebook, Mike Schroepfer, gave evidence to the Select Committee, I asked him whether, if someone set up a Facebook page to run ads during a campaign and micro-targeted individual voters before taking down the page at the end of the campaign and destroying the adverts, Facebook would have any record that that advertising had ever run, he said that he did not know. We have written to him and Mark Zuckerberg saying that we need to know, because unless we know, a bad actor could run ads in huge volumes, investing a huge amount of money in breach of electoral law, and if they did not declare it, there would be no record of that advertising ever having been placed.
I will be very brief, Madam Deputy Speaker, because we are incredibly tight for time.
There is so much in the Bill that I would like to talk about, such as effective immigration control, delegated powers and collective redress, not to mention the achievement of adequacy, but I will concentrate on amendment 5, which appears in my name and those of my hon. Friend the Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald) and the hon. Member for Brighton, Pavilion (Caroline Lucas).
The amendment seeks to provide protection for individuals where automated decision making could have an adverse impact on their fundamental rights. It would require that, where human rights are or could be impacted by automated decisions, ultimately, there will always be a human decision maker at the end of the process. It would instil that vital protection of human rights in respect of the general processing of personal data. We believe strongly that automated decision making without human intervention should be subject to strict limitations to promote fairness, transparency and accountability, and to prevent discrimination. As it stands, the Bill provides insufficient safeguards.
I am talking about decisions that are made without human oversight, but that can have long-term, serious consequences for an individual’s health or financial, employment, residential or legal status. As it stands, the Bill will allow law enforcement agencies to make purely automated decisions. That is fraught with danger and we believe it to be at odds not just with the Data Protection Act 1998, but with article 22 of the GDPR, which gives individuals the right not to be subject to a purely automated decision. We understand that there is provision within the GDPR for states to opt out, but that opt-out does not apply if the data subject’s rights, freedoms or legitimate interests are undermined.
I urge the House to support amendment 5 and to make it explicit in the Bill that, where automated processing that could have long-term consequences for an individual’s health or financial, employment or legal status is carried out, a human being will have to decide whether it is reasonable and appropriate to continue. Not only will that human intervention provide transparency and accountability; it will ensure that the state does not infringe an individual’s fundamental rights and privacy—issues that are often subjective and are beyond the scope of an algorithm. We shall press the amendment to the vote this evening.
I would give way, Minister, but I am very pushed for time.
I would like to voice my support and that of the SNP for amendment 15 on effective immigration control. We believe that the exemption is fundamentally wrong, disproportionate and grossly unfair, and we call on the Government to stop it.
I can now inform the House that I have completed certification of the Bill, as required by the Standing Order. I have confirmed the view expressed in the Speaker’s provisional certificate issued on 8 May. Copies of the final certificate will be made available in the Vote Office and on the parliamentary website.
Under Standing Order No. 83M, a consent motion is therefore required for the Bill to proceed. Copies of the motion are available in the Vote Office and on the parliamentary website, and have been made available to Members in the Chamber. Does the Minister intend to move the consent motion?
indicated assent.
The House forthwith resolved itself into the Legislative Grand Committee (England and Wales) (Standing Order No. 83M).
[Dame Rosie Winterton in the Chair]
I beg to move, That the Bill be now read the Third time.
What a great pleasure this is. The Bill gives people more power and control over their lives online while supporting innovation and entrepreneurship in the digital age. It will deliver real benefits across the country and help our businesses to compete and trade abroad. Strong data protection laws give customers confidence in the products and services that they buy, and that is good for business. The Bill provides a full data protection framework as we leave the EU, consistent with the general data protection regulation.
We have heard many things during our debates in the Chamber and in Committee, including concerns about small businesses. I reassure colleagues that the Information Commissioner’s Office has produced specific advice for them, as well as detailed advice for charities and local government.
The Bill provides a bespoke tech framework that is tailored to the needs of our criminal justice agencies and the intelligence services. That will protect the rights of victims, witnesses and suspects while making sure that we can tackle the changing nature of the global threats that the UK faces.
The Bill has received coverage from around the world, including Australia, the Philippines and, indeed, Suffolk. Let me be clear: the Bill is about preparing Britain for the future. As we leave the EU, the Bill sets out full spectrum data protection legislation, and I hope that the House will give it its Third Reading.
I am very grateful for the way in which the House has engaged with the Bill. I want to put on record my thanks to many people: my hon. Friend the Minister for Digital and the Creative Industries, in particular, for her sterling work day in, day out; my predecessor, who is now Northern Ireland Secretary, who worked hard with me on the Bill before her promotion; the Under-Secretary of State for the Home Department, my hon. Friend the Member for Louth and Horncastle (Victoria Atkins), for grappling with the Bill in a brand new brief; the Digital, Culture, Media and Sport Committee, whose members made many contributions; the Public Bill Committee; the Information Commissioner herself, with whom we have worked very closely on the Bill and who is a great star; and the Whips, Clerks, Committee Chairs, Mr Speaker and the Deputy Speakers. They have all been of great assistance. I also thank the Front-Bench teams of Her Majesty’s loyal Opposition, the Scottish National party and other parties for, on the whole, their highly constructive attitude to this important legislation.
The Bill that we send back to the other place has been improved in three key respects. First, we have made good on the promises made by Lord Ashton in the other place. For instance, we have delivered certainty for patient support groups—a cause passionately championed by my noble Friend Baroness Neville-Jones. We have provided reassurance for those on the frontline, safeguarding the emotional, physical and mental health of some of our most vulnerable citizens. We have legislated for a statutory review of the private enforcement provisions of the Bill, which will ensure that we leave no stone unturned in our search for strong and effective oversight of data controllers, particularly where children are concerned.
Secondly, the House has ensured that we have learned the lessons from the Cambridge Analytica scandal, which exploded during the passage of the Bill. The ongoing investigation into that is unprecedented in its scale and importance. We have increased the powers of the Information Commissioner to ensure she has enough resources. Some say that that scandal put data protection at the top of the news. Some even say it made data protection sexy. With the Bill, we can be assured that the Information Commissioner will have the powers that she needs to ensure that those who flout the law are held to account for their actions. I want particularly to thank the Digital, Culture, Media and Sport Committee for its proposals, which we took on board to strengthen the Bill in response to that scandal. Finally, we have ensured that when it comes to the freedom of the press, we are prepared for the future, not stuck in the past.
The Bill will give people more control over their data, support businesses in their use of data and prepare Britain for Brexit. Over a generation, the Data Protection Act 1998, which this Bill replaces, has commanded broad public consensus and cross-party support. That has been one of its strengths. I hope that this Bill will gain cross-party support on Third Reading so that no matter the debate on some of the points of detail, we will have a broad consensus behind our data protection approach here in the UK for the years to come, because that is one of the strengths of our digital economy—a digital economy that is powering ahead. I hope that the Bill can add to the fundamental underpinnings of the strength of our economy and our society for the future. I commend it to the House.
It is a pleasure to be able to speak briefly at the conclusion of our proceedings on the Bill. I have followed it with interest throughout all its stages, and I had the pleasure of sitting on the Public Bill Committee. I echo what has been said about the fine contributions made by Members on both sides of the House at all stages, and I thought that the Committee was extraordinarily well conducted. I particular enjoyed my light-hearted sparring with the right hon. Member for Birmingham, Hodge Hill (Liam Byrne), and the people at BBC Radio Essex will have been delighted that they got a disproportionate amount of airtime as a result.
This is a good Bill. Data protection is incredibly important—and increasingly so. The Bill has successfully navigated the choppy waters that are coming towards us, created by the need for the GDPR to be implemented in only about 14 days’ time. If I may say so, the Secretary of State and his entire team have navigated those waters with skill and elegance to ensure that we in the UK now have legislation that does what it needs to do as far as the GDPR is concerned, on which I congratulate them. The Government, the House and the other place have looked into this matter very carefully and rigorously, and they have arrived at what I think is a good package of measures that will do what it needs to do as far as data protection is concerned.
My interest has been in the amendments concerning press regulation, as Members on both sides of the House will remember. I believe that the House has reached the right decision on what started off as an amendment in the other place and what was set out in new clause 18 today. Not to go ahead with Leveson 2 is the right decision. However, I agree with the sentiment that we must keep the victims of what will undoubtedly still be a difficult press environment at the centre of our thinking. It is important that we have not lost the opportunity to do that, and I know the Secretary of State and his team will continue to do so, but I think we have got the balance right today.
I congratulate the whole ministerial team and all those who have taken part in these deliberations. I have followed with interest the arguments made by Members on both sides.
My hon. Friend mentioned some people he wanted to thank, and there is one other person I want to thank: my hon. Friend the Member for Chelmsford (Vicky Ford). She was involved with the development of the GDPR in the European Parliament right from the start, and I want to put on the record our thanks, and my personal thanks, for her guidance. She has lived with the Bill for far longer than anybody else in the Chamber.
Yet another mention for Essex, where people will be absolutely delighted.
This is the Government getting on with business. We promised that we would do this in our manifesto, on which we were elected, and we have got on with and delivered it. I will be delighted to see the Bill reaching the statute book. This is the Government delivering what they need to deliver, and doing it in a very rigorous, elegant and clever way. This is a digital Bill for the digital age, and I am pleased to support it.
Question put and agreed to.
Bill accordingly read the Third time and passed, with amendments.
Deferred Divisions
Motion made, and Question put forthwith (Standing Order No. 41A(3)),
That, at this day’s sitting, Standing Order No. 41A (Deferred divisions) shall not apply to the Motion in the name of Jeremy Corbyn relating to Education (Student Support).—(Jo Churchill.)
Question agreed to.
(6 years, 7 months ago)
Lords ChamberThis text is a record of ministerial contributions to a debate held as part of the Data Protection Act 2018 passage through Parliament.
In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.
This extract highlights statements made by Government Ministers along with contextual remarks by other members. The full debate can be read here
This information is provided by Parallel Parliament and does not comprise part of the offical record
That this House do not insist on its Amendment 62B proposed instead of the words left out by Commons Amendment 62, to which the Commons have disagreed, and do agree with the Commons in their Amendments 62BZA to 62BA and 62BC to 62BF in lieu of Amendment 62B.
Noble Lords will recall that Amendment 62B would require the establishment of an inquiry into allegations of data protection breaches committed by or on behalf of national news publishers and other media organisations. This House has debated the necessity and proportionality of such an inquiry on several occasions during the passage of the Bill. It has been an informative and sometimes impassioned debate as noble Lords from all sides of the House have brought their experiences to bear, and the Government have been listening throughout.
The last time that we debated this topic, the noble Lord, Lord Stevenson, and the noble Baroness, Lady Hollins, asked about the past. Before I get into the substance of my speech, I think I can offer some reassurance on that point. When the Information Commissioner undertakes the review described in Commons Amendment 108, she will be reviewing the extent to which the processing of personal data for the purposes of journalism complied with data protection law in the next four years; as my right honourable friend the Secretary of State has said, we must look forward, not back. Her hands are not tied, though, and the commissioner’s existing enforcement powers are not time-limited. Indeed, compliance with the new law and compliance with the old law are deeply intertwined. That is why the Commons sent us 20 pages of amendments on transitional provision.
Most of what we have heard about relates to wrongs in the past that were illegal. If at some future date new evidence came to light that showed that the press were acting in breach of the law, the Government would expect the relevant enforcement bodies, including the Information Commissioner’s Office, to investigate and possible sanctions to follow. The Government are clear that what was illegal then remains illegal now.
There is no lacuna and no amnesty. Anyone who thinks that that is what the Government are proposing is quite wrong. What we are doing, however, is providing the institutions we need for the challenges of the future.
We have given the Bill a thorough examination. My noble friend Lord Ashton of Hyde has reminded us several times of the number of amendments that have been secured, not just on media regulation but on issues that impact on everyone. This is a good Bill, but we have now, I suggest, run out of road. The question now is whether the Bill is good enough to justify passing it into law.
To assess that requires two things. First, it requires knowledge of the Government’s proposed way forward on the issues we asked the other place to reconsider last week. Secondly, it requires knowledge of what would happen if this House did not pass the Bill which is before it today.
On the first point, I have already mentioned the Information Commissioner’s review of compliance with data protection law. Since we last debated the merits of having a review, the Government have further proposed that that should not be a one-off event but a recurring fixture. We have also given her additional powers to make sure that her review is as comprehensive and robust as it can be.
Between now and then, the commissioner will produce guidance for data subjects seeking redress and a code of practice for those who process data for the purposes of journalism. My right honourable friend the Secretary of State will report on the availability and effectiveness of alternative dispute resolution procedures, including IPSO’s new mandatory low-cost arbitration scheme, and Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services will report on police forces’ adherence to its guidance on how to interact with the media.
I am confident that, when these amendments are viewed alongside the improvements IPSO has already made to its processes and procedure, this country now has the most robust system of redress for press intrusion it has ever had, and it has achieved it without resorting to state regulation.
But noble Lords know all this already, especially if they, like the noble Lord, Lord Stevenson, watched last Wednesday’s debate in the other place. So I want to spend my remaining time on the subject of not media regulation but data protection.
The GDPR will take effect in the United Kingdom at midnight on Friday. It will do so irrespective of whether or not we are prepared for it. If we do not pass implementing legislation in the next three days, medical research will grind to a halt. The administration of justice will stutter as chambers attempt to work out whether it is preferable to breach court disclosure rules or data protection law. Sectoral regulators will have to tip off the people they are investigating. It will potentially be chaotic, and this House will be held responsible.
The noble Lord, Lord Paddick, said it well at Second Reading, when he welcomed the Bill:
“It provides the technical underpinnings that will allow the GDPR to operate in the UK both before and after Brexit … it is an enabling piece of legislation, together with the GDPR, which is absolutely necessary to allow the UK to continue to exchange data, whether it is done by businesses for commercial purposes or by law enforcement or for other reasons, once we are considered to be a third-party nation rather than a member of the European Union”.—[Official Report, 10/10/17; col. 205.]
The damage done by not passing this Bill today would be irreversible, and the only winner would be data protection lawyers.
As is quite proper, the House has asked the elected Chamber to think again about the detail of this Bill. It did so, and it has returned it to us as a Bill that is now ready to go to Her Majesty for signature. Two votes in the House of Commons in the past two weeks have come to the same conclusion. If we further delay this essential legislation, that decision will be on us.
Is this Bill good enough to pass? We are convinced that it is, and I therefore beg to move.
Motion A1 (as an amendment to Motion A)
My Lords, I am grateful for the contributions of noble Lords. The noble Lord, Lord McNally, referred to me making blood-curdling threats. I made no threats—blood curdling or otherwise—and what I did say was essentially true.
This Bill is about data protection. The primary concern of your Lordships’ House, which we have debated over recent months, is whether individuals have the ability to defend themselves against excessive press intrusion, and the Bill now provides a number of mechanisms to address this concern. These are all designed to maintain the freedom of the press and the independence of self-regulation, albeit in compliance with the law. For example, it was announced three weeks ago that IPSO will introduce a low-cost mandatory arbitration scheme. We are determined that there will be no backsliding on that kind of commitment, and Commons Amendment 62BC is designed to ensure that the use of such schemes is reported on—a point to which I will return in a moment—to reduce any temptation there might be to turn away from them once the heat of the Bill is off.
The noble and learned Lord, Lord Falconer, sought, with vim and vigour, to address two points. I was slightly taken aback because, a few minutes before we began this debate, I had endeavoured to explain to him the operation of Clause 174(3)(b) and its interrelationship with Clause 144, and thought I had done so quite well. However, clearly I failed to some extent in that regard. I had also sought to give him further assurances about the role of the Secretary of State.
On the first point—the operation of the Information Commissioner’s powers—as I had sought to explain to the noble and learned Lord, under his amendment the Information Commissioner would have had access to prepublication material gathered for journalistic purposes. It was acknowledged across the House, and by the noble Lord, Lord McNally, during earlier debates that that could not be tolerated given the intrusion it would involve upon press freedom and journalistic preparation. The interrelationship between Clauses 174 and 144 is complex, but I again make it clear that the effect is that the commissioner will not be able to access prepublication journalistic material but will be able to access material that has been processed for the purposes of journalism.
On the second point, about the power of the Secretary of State, one has to be clear that this is not actually a power but simply a duty to report. It is for the Secretary of State to report, and he could do so even without an express statutory power, but this is to underline it. We are making it a clear duty, to import transparency into the process. He will essentially be reporting on the metrics available with regard to the take-up of alternative dispute resolution. The effectiveness of dispute resolution will be determined by reference to its take-up and its resolution. It will then be for us—Parliament and the people—to determine in light of those facts whether we consider that further steps have to be taken.
Let us be absolutely clear: the Bill imports no power on the part of the Secretary of State to compel the media to act in any way on the report that he is putting in place. This is simply a mechanism by which he can ensure that the relevant facts and figures—if I can put it that way—are laid before Parliament at the appropriate time. I hope that I have been able to put both those reassurances with greater clarity than I did a few minutes earlier, and to reassure the noble and learned Lord on those points.
I am obliged to the noble Lord, Lord Stevenson, for the observations he has made, and I hope again that he is reassured by the position the Government have now adopted regarding the intent and consequences of the amendments from the House of Commons. As regards the observations from other noble Lords around the House, I recognise that there has been widespread concern about the way in which we have been able to address the past and the need to address the future, having regard to the fundamental requirement for freedom of the press—one of the foundations that underpins our democratic process. Before closing, I acknowledge the contributions of the noble Baroness, Lady Hollins, to this entire debate. I quite understand why she has maintained the need to bring these matters before the House on a number of occasions, and I do not seek to imply any criticism of her in that regard.
We have reached a point where the Bill should pass, however. It has to, really. It is in those circumstances that I invite the noble Lord to withdraw his amendment to Motion A.
My Lords, when I studied the British constitution 50 years ago I read the books by Sir Ivor Jennings, who said that one of the only weapons that an Opposition have against a Government is time, and that an Opposition—and, indeed, critics on a Government’s own Benches—are perfectly entitled to use time to put pressure on Governments. My goodness, we have had a cascade of useful changes because we have used time to press the Government further on the issue.
As I said before, the line between the Daily Mail and the MailOnline is increasingly blurred. This legislation will be tested against that blurred background. At some stage, the old print media may regret not being in the comfortable protection of a royal charter, as my learned friends listening to this debate must think that there is a lot of work ahead for them as this Bill is tested.
We never wanted to stop the Bill coming into law, and I beg leave to withdraw Motion A1.