All 15 contributions to the Data Protection and Digital Information Bill 2022-23 (Ministerial Extracts Only)

Data Protection and Digital Information (No. 2) Bill

(Limited Text - Ministerial Extracts only)

2nd reading
Monday 17th April 2023

Commons Chamber
This text is a record of ministerial contributions to a debate held as part of the Data Protection and Digital Information Bill 2022-23 passage through Parliament.

In 1993, the House of Lords Pepper vs. Hart decision provided that statements made by Government Ministers may be taken as illustrative of legislative intent as to the interpretation of law.

This extract highlights statements made by Government Ministers along with contextual remarks by other members.

This information is provided by Parallel Parliament and does not comprise part of the official record.

The Minister for Data and Digital Infrastructure (Julia Lopez)

I beg to move, That the Bill be now read a Second time.

Data is already the fuel driving the digital age: it powers the everyday apps that we use, public services are being improved by its better use and businesses rely on it to trade, produce goods and deliver services for their customers. But how we choose to use data going forward will become even more important: it will determine whether we can grow an innovative economy with well-paid, high-skill jobs, it will shape our ability to compete globally in developing the technologies of the future and it will increasingly say something about the nature of our democratic society. The great challenge for democracies, as I see it, will be how to use data to empower rather than control citizens, enhancing their privacy and sense of agency without letting authoritarian states—which, in contrast, use data as a tool to monitor and harvest information from citizens—dominate technological advancement and get a competitive advantage over our companies.

The UK cannot step aside from the debate by simply rubber-stamping whatever iteration of the GDPR comes out of Brussels. We have in our hands a critical opportunity to take a new path and, in doing so, to lead the global conversation about how we can best use data as a force for good—a conversation in which using data more effectively and maintaining high data protection standards are seen not as contradictory but as mutually reinforcing objectives, because trust in this more effective system will build the confidence to share information. We start today not by kicking off a revolution, turning over the apple cart and causing a compliance headache for UK firms, but by beginning an evolution away from an inflexible one-size-fits-all regime and towards one that is risk-based and focused on innovation, flexibility and the needs of our citizens, scientists, public services and companies.

Businesses need data to make better decisions and to reach the right consumers. Researchers need data to discover new treatments. Hospitals need it to deliver more personalised patient care. Our police and security services need data to keep our people safe. Right now, our rules are too vague, too complex and too confusing always to understand. The GDPR is a good standard, but it is not the gold standard. People are struggling to utilise data to innovate, because they are tied up in burdensome activities that are not fundamentally useful in enhancing privacy.

A recently published report on compliance found that 81% of European publishers were unknowingly in breach of the GDPR, despite doing what they thought the law required of them. A YouGov poll from this year found that one in five marketing professionals in the UK report knowing absolutely nothing about the GDPR, despite being bound by it. It is not just businesses: the people whose privacy our laws are supposed to protect do not understand it either. Instead, they click away the thicket of cookie pop-ups just so they can see their screen.

The Bill will maintain the high standards of data protection that British people rightly expect, but it will also help the people who are most affected by data regulation, because we have co-designed it with those people to ensure that our regulation reflects the way in which real people live their lives and run their businesses.

Christine Jardine (Edinburgh West) (LD)

Does the Minister agree that the retention and enhancement of public trust in data is a major issue, that sharing data is a major issue for the public, and that the Government must do more—perhaps she can tell us whether they intend to do more—to educate the public about how and where our data is used, and what powers individuals have to find out this information?

Julia Lopez

I thank the hon. Lady for her helpful intervention. She is right: as I said earlier, trust in the system is fundamental to whether citizens have the confidence to share their data and whether we can therefore make use of that data. She made a good point about educating people, and I hope that this debate will mark the start of an important public conversation about how people use data. One of the challenges we face is a complex framework which means that people do not even know how to talk about data, and I think that some of the simplifications we wish to introduce will help us to understand one of the fundamental principles to which we want our new regime to adhere.

Sir Julian Lewis (New Forest East) (Con)

My hon. Friend gave a long list of people who found the rules we had inherited from outside the UK challenging. She might add to that list Members of Parliament themselves. I am sure I am not alone in having been exasperated by being complained about to the Information Commissioner, in this case by a constituent who had written to me complaining about a local parish council. When I shared his letter with the parish council so that it could show how bogus his long-running complaint had been, he proceeded to file a complaint with the Information Commissioner’s Office because I had shared his phone number—which he had not marked as private—with the parish council, with which he had been in correspondence for several years. The Information Commissioner’s Office took that seriously. This sort of nonsense shows how over-restrictive regulations can be abused by people who are out to stir up trouble unjustifiably.

Julia Lopez

Let me gently say that if my right hon. Friend’s constituent was going to pick on one Member of Parliament with whom to raise this point, the Member of Parliament who does not, I understand, use emails would be one of the worst candidates. However, I entirely understand Members’ frustration about the current rules. We are looking into what we can do in relation to democratic engagement, because, as my right hon. Friend says, this is one of the areas in which there is not enough clarity about what can and cannot be done.

We want to reduce burdens on businesses, and above all for the small businesses that account for more than 99% of UK firms. I am pleased that the Under-Secretary of State for Business and Trade, my hon. Friend the Member for Thirsk and Malton (Kevin Hollinrake), is present to back up those proposals. Businesses that do not have the time, the money or the staff to spend precious hours doing unnecessary form-filling are currently being forced to follow some of the same rules as a billion-dollar technology company. We are therefore cutting the amount of pointless paperwork, ensuring that organisations only have to comply with rules on record-keeping and risk assessment when their processing activities are high-risk. We are getting rid of excessively demanding requirements to appoint data protection officers, giving small businesses much more flexibility when it comes to how they manage data protection risks without procuring external resources.

Those changes will not just make the process simpler, clearer and easier for businesses, they will make it cheaper too. We are expecting micro and small businesses to save nearly £90 million in compliance costs every year: that is £90 million more for higher investment, faster growth and better jobs. According to figures published in 2021, data-driven trade already generates 85% of our services exports. Our new international transfers regime clarifies how we can build data bridges to support the close, free and safe exchange of data with other trusted allies.

John Penrose (Weston-super-Mare) (Con)

I am delighted to hear the Secretary of State talk about reducing regulatory burdens without compromising the standards that we are none the less delivering—that is the central distinction, and greatly to be welcomed for its benefits for the entrepreneurialism and fleetness of foot of British industry. Does she agree, however, that while the part of the Bill that deals with open data, or smart data, goes further than that and creates fresh opportunities for, in particular, the small challenger businesses of the kind she has described to take on the big incumbents that own the data lakes in many sectors, those possibilities will be greatly reduced if we take our time and move too slowly? Could it not potentially take 18 months to two years for us to start opening up those other sectors of our economy?

Julia Lopez

I am delighted, in turn, to hear my hon. Friend call me the Secretary of State—I am grateful for the promotion, even if it is not a reality. I know how passionate he feels about open data, which is a subject we have discussed before. As I said earlier, I am pleased that the Under-Secretary of State for Business and Trade is present, because this morning he announced that a new council will be driving forward this work. As my hon. Friend knows, this is not necessarily about legislation being in place—I think the Bill gives him what he wants—but about that sense of momentum, and about onboarding new sectors into this regime and not being slow in doing so. As he says, a great deal of economic benefit can be gained from this, and we do not want it to be delayed any further.

Kit Malthouse (North West Hampshire) (Con)

Let me first draw attention to my entry in the Register of Members’ Financial Interests. Let me also apologise for missing the Minister’s opening remarks—I was taken by surprise by the shortness of the preceding statement and had to rush to the Chamber.

May I take the Minister back to the subject of compliance costs? I understand that the projected simplification will result in a reduction in those costs, but does she acknowledge that a new regime, or changes to the current regime, will kick off an enormous retraining exercise for businesses, many of which have already been through that process recently and reached a settled state of understanding of how they should be managing data? Even a modest amount of tinkering instils a sense among British businesses, particularly small businesses, that they must put everyone back through the system, at enormous cost. Unless the Minister is very careful and very clear about the changes being made, she will create a whole new industry for the next two or three years, as every data controller in a small business—often doing this part time alongside their main job—has to be retrained.

Julia Lopez

We have been very cognisant of that risk in developing our proposals. As I said in my opening remarks, we do not wish to upset the apple cart and create a compliance headache for businesses, which would be entirely contrary to the aims of the Bill. A small business that is currently compliant with the GDPR will continue to be compliant under the new regime. However, we want to give businesses flexibility in regard to how they deliver that compliance, so that, for instance, they do not have to employ a data protection officer.

Ben Lake (Ceredigion) (PC)

I am grateful to the Minister for being so generous with her time. May I ask whether the Government intend to maintain data adequacy with the EU? I only ask because I have been contacted by some business owners who are concerned about the possible loss of EU data adequacy and the cost that might be levied on them as a result.

Julia Lopez

I thank the hon. Gentleman for pressing me on that important point. I know that many businesses are seeking to maintain adequacy. If we want a business-friendly regime, we do not want to create regulatory disruption for businesses, particularly those that trade with Europe and want to ensure that there is a free flow of data. I can reassure him that we have been in constant contact with the European Commission about our proposals. We want to make sure that there are no surprises. We are currently adequate, and we believe that we will maintain adequacy following the enactment of the Bill.

Rebecca Long Bailey (Salford and Eccles) (Lab)

I was concerned to hear from the British Medical Association that if the EU were to conclude that data protection legislation in the UK was inadequate, that would present a significant problem for organisations conducting medical research in the UK. Given that so many amazing medical researchers across the UK currently work in collaboration with EU counterparts, can the Minister assure the House that the Bill will not represent an inadequacy in comparison with EU legislation as it stands?

Julia Lopez

I hope that my previous reply reassured the hon. Lady that we intend to maintain adequacy, and we do not consider that the Bill will present a risk in that regard. What we are trying to do, particularly in respect of medical research, is make it easier for scientists to innovate and conduct that research without constantly having to return for consent when it is apparent that consent has already been granted for particular medical data processing activities. We think that will help us to maintain our world-leading position as a scientific research powerhouse.

Alongside new data bridges, the Secretary of State will be able to recognise new transfer mechanisms for businesses to protect international transfers. Businesses will still be able to transfer data across borders with the compliance mechanisms that they already use, avoiding needless checks and costs. We are also delighted to be co-hosting, in partnership with the United States, the next workshop of the global cross-border privacy rules forum in London this week. The CBPR system is one of the few existing operational mechanisms that, by design, aims to facilitate data flows on a global scale.

World-class research requires world-class data, but right now many scientists are reluctant to get the data they need to get on with their research, for the simple reason that they do not know how research is defined. They can also be stopped in their tracks if they try to broaden their research or follow a new and potentially interesting avenue. When that happens, they can be required to go back and seek permission all over again, even though they have already gained that permission earlier to use personal data. We do not think that makes sense. The pandemic showed that we cannot risk delaying discoveries that could save lives. Nothing should be holding us back from curing cancer, tackling disease or producing new drugs and treatments. This Bill will simplify the legal requirements around research so that scientists can work to their strengths with legal clarity on what they can and cannot do.

The Bill will also ensure that people benefit from the results of research by unlocking the potential of transformative technologies. Taking artificial intelligence as an example, we have recently published our White Paper: “AI regulation: a pro-innovation approach”. In the meantime, the Bill will ensure that organisations know when they can use responsible automated decision making and that people know when they can request human intervention where those decisions impact their lives, whether that means getting a fair price for the insurance they receive after an accident or a fair chance of getting the job they have always wanted.

I spoke earlier about the currency of trust and how, by maintaining it through high data protection standards, we are likely to see more data sharing, not less. Fundamental to that trust will be confidence in the robustness of the regulator. We already have a world-leading independent regulator in the Information Commissioner’s Office, but the ICO needs to adapt to reflect the greater role that data now plays in our lives alongside its strategic importance to our economic competitiveness. The ICO was set up in the 1980s for a completely different world, and the pace, volume and power of the data we use today has changed dramatically since then.

It is only right that we give the regulator the tools it needs to keep pace and to keep our personal data safe while ensuring that, as an organisation, it remains accountable, flexible and fit for the modern world. The Bill will modernise the structure and objectives of the ICO. Under this legislation, protecting our personal data will remain the ICO’s primary focus, but it will also be asked to focus on how it can empower businesses and organisations to drive growth and innovation across the UK, and support public trust and confidence in the use of personal data.

The Bill is also important for consumers, helping them to share less data while getting more product. It will support smart data schemes that empower consumers and small businesses to make better use of their own data, building on the extraordinary success of open banking tools offered by innovative businesses, which help consumers and businesses to manage their finances and spending, track their carbon footprint and access credit.

Jim Shannon (Strangford) (DUP)

The Minister always delivers a very solid message and we all appreciate that. In relation to the high data protection standards that she is outlining, there is also a balance to be achieved when it comes to ensuring that there are no unnecessary barriers for individuals and businesses. Can she assure the House that that will be exactly what happens?

Julia Lopez

I am always happy to take an intervention from the hon. Member. I want to assure him that we are building high data protection standards that are built on the fundamental principles of the GDPR, and we are trying to get the right balance between high data protection standards that will protect the consumer and giving businesses the flexibility they need. I will continue this conversation with him as the Bill passes through the House.

Mike Amesbury (Weaver Vale) (Lab)

I thank the Minister for being so generous with her time. With regard to the independent commissioner, the regulator, who will set the terms of reference? Will it be genuinely independent? It seems to me that a lot of power will fall on the shoulders of the Secretary of State, whoever that might be in the not-too-distant future.

Julia Lopez

The Secretary of State will have greater powers when it comes to some of the statutory codes that the ICO adheres to, but those powers will be brought to this House for its consent. The whole idea is to make the ICO much more democratically accountable. I know that concern about the independence of the regulator has been raised as we have been working up these proposals, but I wish to assure the House that we do not believe those concerns to be justified or legitimate. The Bill actually has the strong support of the current Information Commissioner, John Edwards.

The Bill will also put in place the foundations for data intermediaries, which are organisations that can help us to benefit from our data. In effect, we will be able to share less sensitive data about ourselves with businesses while securing greater benefits. As I say, one of the examples of this is open banking. Another way in which the Bill will help people to take back control of their data is by making it easier and more secure for people to prove things about themselves once, electronically, without having to dig out stacks of physical documents such as passports, bills, statements and birth certificates and then having to provide lots of copies of those documents to different organisations. Digital verification services already exist, but we want consumers to be able to identify trustworthy providers by creating a set of standards around them.

The Bill is designed not just to boost businesses, support scientists and deliver consumer benefits; it also contains measures to keep people healthy and safe. It will improve the way in which the NHS and adult social care organise data to deliver crucial health services. It will let the police get on with their jobs by allowing them to spend more time on the beat rather than on pointless paperwork. We believe that this will save up to 1.5 million hours of police time each year—

Julia Lopez

I know that my hon. Friend has been passionate on this point, and we are looking actively into her proposals.

We are also updating the outdated system of registering births and deaths based on paper processes from the 19th century.

Data has become absolutely critical for keeping us healthy, for keeping us safe and for growing an economy with innovative businesses, providing jobs for generations to come. Britain is at its best when its businesses and scientists are at theirs. Right now, our rules risk holding them back, but this Bill will change that because it was co-designed with those businesses and scientists and with the help of consumer groups. Simpler, easier, clearer regulation gives the people using data to improve our lives the certainty they need to get on with their jobs. It maintains high standards for protecting people’s privacy while seeking to maintain our adequacy with the EU. Overall, this legislation will make data more useful for more people and more usable by businesses, and it will enable greater innovation by scientists. I commend the Bill to the House.

--- Later in debate ---
Damian Collins (Folkestone and Hythe) (Con)

I am delighted to speak in support of this long-awaited Bill. It is a necessary piece of legislation to learn the lessons from GDPR and look at how we can improve the system, both to make it easier for businesses to work with and to give users and citizens the certainty they need about how their data will be processed and used.

In bringing forward new measures, the Bill in no way suggests that we are looking to move away from our data adequacy agreements with the European Union. Around the world, in north America, Europe, Australia and elsewhere in the far east, we see Governments looking at developing trusted systems for sharing and using data and for allowing businesses to process data across international borders, knowing that those systems may not be exactly the same, but they work to the same standards and with similar levels of integrity. That is clearly the direction that the whole world wants to move in and we should play a leading role in that.

I want to talk briefly about an important area of the Bill: getting the balance between data rights and data safety and what the Bill refers to as the “legitimate interest” of a particular business. I should also note that this Bill, while important in its own right, sits alongside other legislation—some of it to be introduced in this Session and some of it already well on its way through the Parliamentary processes—dealing with other aspects of the digital world. The regulation of data is an aspect of digital regulation; it is in some ways the fuel that powers the digital experience and is relevant to other areas of digital life as well.

To take one example, we have already established and implemented the age-appropriate design code for children, which principally addresses the way data is gathered from children online and used to design services and products that they use. As this Bill goes through its parliamentary stages, it is important that we understand how the age-appropriate design code is applied as part of the new data regime, and that the safeguards set out in that code are guaranteed through the Bill as well.

There has been a lot of debate, as has already been mentioned, about companies such as TikTok. There is a concern that engineers who work for TikTok in China, some of whom may be members of the Chinese Communist party, have access to UK user data that may not be stored in China, but is accessed from China, and are using that data to develop products. There is legitimate concern about oversight of that process and what that data might be used for, particularly in a country such as China.

However, there is also a question about data, because one reason the TikTok app is being withdrawn from Government devices around the world is that it is incredibly data-acquisitive. It does not just analyse how people use TikTok and from that create data profiles of users to determine what content to recommend to them, although that is a fundamental part of the experience of using it; it is also gathering, as other big apps do, data from what people do on other apps on the same device. People may not realise that they have given consent, and it is certainly not informed consent, for companies such as TikTok to access data from what they do on other apps, not just when they are on TikTok.

It is a question of having trusted systems for how data can be gathered, and giving users the right to opt out of such data systems more easily. Some users might say, “I’m quite happy for TikTok or Meta to have that data gathered about what I do across a range of services.” Others may say, “No, I only want them to see data about what I do when I am using their particular service, not other people’s.”

The Online Safety Bill is one of the principal ways in which we are seeking to regulate AI now. There is debate among people in the tech sectors; a letter was published recently, co-signed by a number of tech executives, including Elon Musk, to say that we should have a six-month pause in the development of AI systems, particularly for large language models. That suggests a problem in the near future of very sophisticated data systems that can make decisions faster than a human can analyse them.

People such as Eric Schmidt have raised concerns about AI in defence systems, where an aggressive system could make decisions faster than a human could respond to them, to which we would need an AI system to respond and where there is potentially no human oversight. That is a frightening scenario in which we might want to consider moratoriums and agreements, as we have in other areas of warfare such as the use of chemical weapons, that we will not allow such systems to be developed because they are so difficult to control.

If we look at the application of that sort of technology closer to home and some of the cases most referenced in the Online Safety Bill, for example the tragic death of the teenager Molly Russell, we see that what was driving the behaviour of concern was data gathered about a user to make recommendations to that person that were endangering their life. The Online Safety Bill seeks to regulate that practice by creating codes and responsibilities for businesses, but that behaviour is only possible because of the collection of data and decisions made by the company on how the data is processed.

This is where the Bill also links to the Government’s White Paper on AI, and this is particularly important: there must be an onus on companies to demonstrate that their systems are safe. The onus must not just be on the user to demonstrate that they have somehow suffered as a consequence of that system’s design. The company should have to demonstrate that they are designing systems with people’s safety and their rights in mind—be that their rights as a worker and a citizen, or their rights to have certain safeguards and protections over how their data is used.

Companies creating datasets should be able to demonstrate to the regulator what data they have gathered, how that data is being trained and what it is being used for. It should be easy for the regulator to see and, if the regulator has concerns up-front, it should be able to raise them with the company. We must try to create that shift, particularly on AI systems, in how systems are tested before they are deployed, with both safety and the principles set out in the legislation in mind.

Kit Malthouse

My hon. Friend makes a strong point about safety being designed, but a secondary area of concern for many people is discrimination—that is, the more data companies acquire, the greater their ability to discriminate. For example, in an insurance context, we allow companies to discriminate on the basis of experience or behaviour; if someone has had a lot of crashes or speeding fines, we allow discrimination. However, for companies that process large amounts of data and may be making automated decisions or otherwise, there is no openly advertised line of acceptability drawn. In the future it may be that datasets come together that allow extreme levels of discrimination. For example, if they linked data science, psychometrics and genetic data, there is the possibility for significant levels of discrimination in society. Does he think that, as well as safety, we should be emphasising that line in the sand?

--- Later in debate ---
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Paul Scully)

I thank all Members for their contributions, including the hon. Members for Manchester Central (Lucy Powell), for Glasgow North West (Carol Monaghan), for Bristol North West (Darren Jones), for Cambridge (Daniel Zeichner), for Oxford West and Abingdon (Layla Moran), for Strangford (Jim Shannon) and for Barnsley East (Stephanie Peacock) and my right hon. Friend the Member for Maldon (Sir John Whittingdale) and my hon. Friends the Members for Folkestone and Hythe (Damian Collins), for Loughborough (Jane Hunt) and for Aberconwy (Robin Millar). The debate has been held in the right spirit, understanding the importance of data, and I will try to go through a number of the issues raised.

Adequacy has come up on a number of occasions. We have been straight from the beginning that adequacy is very important and we work with the EU Commission on this; we speak to it on a regular basis, but it is important to note that the EU does not require exactly the same rules to be in place to be adequate. We can see that from Japan and from New Zealand, so we are trying to get the balance right and making sure that we remain adequate not just with the EU but with other countries with which we want to have data bridges and collaboration. We are also making sure that we can strip back some of the bureaucracy not just for small businesses, but for public services including GPs, schools and similar institutions, as well as protecting the consumer, which must always be central.

Automated decision-making was also raised by a number of Members. The absence of meaningful human intervention in solely automated decisions, along with opacity in how those decisions can be reached, will be mitigated by providing data subjects with the opportunity to make representations about, and ultimately challenge, decisions of this nature that are unexpected or seem unwarranted. For example, if a person is denied a loan or access to a product or services because a solely automated decision-making process has identified a high risk of fraud or irregularities in their finances, that individual should be able to contest that decision and seek human review. If that decision is found to be unwarranted on review, the controller must re-evaluate the case and issue an appropriate decision.

Our reforms are addressing the uncertainty over the applications of safeguards. They will clarify when safeguards apply to ensure that they are available in appropriate circumstances. We will develop that with businesses and other organisations in guidance.

The hon. Member for Glasgow North West talked about joint-working designation notices and it is important to note that the police and intelligence services are working off different data regimes and that can make joint-working more difficult. Many of the changes made in this Bill have come from learning from the Fishmongers’ Hall terrorist incident and the Manchester Arena bombing.

Members raised the question of algorithmic bias. We agree that it is important that organisations are aware of potential biases in data sets and algorithms and bias monitoring and correction can involve the use of personal data. As we set out in our response to the consultation on the Bill, we plan to introduce a statutory instrument that will provide for the monitoring and correction of bias in AI systems by allowing the processing of sensitive personal data for this purpose with appropriate safeguards. However, as we know from the AI White Paper we published recently, this is a changing area so it is important that we remain able to flex in Government in the context of AI and that type of decision-making.

The hon. Member for Bristol North West talked about biometrics. That is classed as sensitive data under the UK GDPR, so is already provided with additional protection. It can only be processed if a relevant condition is met under article 9 or schedule 1 of the Data Protection Act. That requirement provides sufficient safeguards for biometric data. There are significant overlaps in the current oversight framework, which is confusing for the police and the public, and it inhibits innovation. That is why the Bill simplifies the oversight for biometrics and overt surveillance technologies.

The hon. Gentleman talked about age-appropriate guidance. We are committed to protecting children and young people online. The Bill maintains the high standards of data protection that our citizens expect and organisations will still have to abide by our age-appropriate design code. Any breach of our data protection laws will result in enforcement action by the Information Commissioner’s Office.

The hon. Gentleman also talked about data portability. The Bill increases data portability by setting up smart data regulations. He talked about social media, but it is far wider than that. Smart data is the secure sharing of customer data with authorised third parties on the customer’s request. Those third parties can then use that data to provide innovative services for the consumer or business user, utilising AI and data-driven insights to empower customer choice. Services may include clear account management across services, easier switching between offers or providers, and advice on how to save money. Open banking is an obvious live example of that, but the Bill, with the smart data changes within it, will turbocharge the use of this matter.

My hon. Friend the Member for Loughborough talked about policing. It will save 1.5 million police hours, but it is really important that we do more. We are looking at ways of easing redaction burdens for the police while ensuring we maintain victim and witness confidence. It is really important to them, and in the interests of public trust, that the police do not share information not relevant to a case with other organisations, including the Crown Prosecution Service and the defence. Removing information, as my hon. Friend says, places a resource burden on officers. We will continue to work with the police and the Home Office on that basis.

On UK-wide data standards, raised by my hon. Friend the Member for Aberconwy, improving access to comparable data and evidence from across the UK is a crucial part of the Government’s work to strengthen the Union. The UK Government and the Office for National Statistics have an ongoing and wide-ranging work programme to increase coherency of data across the nations, as my hon. Friend is aware. We remain engaged in discussions and will continue to work with him, the Wales Office and the ONS to ensure that we can continue.

On international data transfer, it is important that we tackle the uncertainties and instabilities in the current regime, but the hon. Member for Strangford is absolutely right that in doing that, we must maintain public trust in the transfer system.

Finally, on the ICO, we believe that the Bill does not undercut its independence. It is really important that, for the trust issues I have talked about, we retain its independence. It is not about Government control over an independent regulator and it is not about a Government trying to exert influence or pressure for what are deemed to be more favourable outcomes. We are committed to the ICO’s ongoing independence and that is why we have worked closely with the ICO. The Information Commissioner himself is in favour of the changes we are making. He has spoken approvingly about them.

This is a really important Bill, because it will enable greater innovation while keeping personal protections to keep people’s data safe.

Question put and agreed to.

Bill accordingly read a Second time.

Data Protection and Digital Information (No. 2) Bill (Programme)

Motion made, and Question put forthwith (Standing Order No. 83A(7)),

That the following provisions shall apply to the Data Protection and Digital Information (No. 2) Bill:

Committal

(1) The Bill shall be committed to a Public Bill Committee.

Proceedings in Public Bill Committee

(2) Proceedings in the Public Bill Committee shall (so far as not previously concluded) be brought to a conclusion on Tuesday 13 June 2023.

(3) The Public Bill Committee shall have leave to sit twice on the first day on which it meets.

Consideration and Third Reading

(4) Proceedings on Consideration shall (so far as not previously concluded) be brought to a conclusion one hour before the moment of interruption on the day on which those proceedings are commenced.

(5) Proceedings on Third Reading shall (so far as not previously concluded) be brought to a conclusion at the moment of interruption on that day.

(6) Standing Order No. 83B (Programming committees) shall not apply to proceedings on Consideration and Third Reading.—(Joy Morrissey.)

Question agreed to.

Data Protection and Digital Information (No. 2) Bill (Money)

King’s recommendation signified.

Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),

That, for the purposes of any Act resulting from the Data Protection and Digital Information (No. 2) Bill, it is expedient to authorise the payment out of money provided by Parliament of—

(a) any expenditure incurred under or by virtue of the Act by the Secretary of State, the Treasury or a government department, and

(b) any increase attributable to the Act in the sums payable under any other Act out of money so provided.—(Joy Morrissey.)

Question agreed to.

Data Protection and Digital Information (No. 2) Bill (Ways and Means)

Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),

That, for the purposes of any Act resulting from the Data Protection and Digital Information (No. 2) Bill, it is expedient to authorise:

(1) the charging of fees or levies under or by virtue of the Act; and

(2) the payment of sums into the Consolidated Fund.—(Joy Morrissey.)

Question agreed to.

Data Protection and Digital Information (No. 2) Bill (Carry-over)

Motion made, and Question put forthwith (Standing Order No. 80A(1)(a)).

That if, at the conclusion of this Session of Parliament, proceedings on the Data Protection and Digital Information (No. 2) Bill have not been completed, they shall be resumed in the next Session.—(Joy Morrissey.)

Question agreed to.

Data Protection and Digital Information (No. 2) Bill (Third sitting)

Committee stage
Tuesday 16th May 2023

Public Bill Committees
Amendment Paper: Public Bill Committee Amendments as at 16 May 2023

Division 1

Ayes: 6

Noes: 9

Amendment proposed: 65, in clause 2, page 4, line 21, at end insert—
--- Later in debate ---

Division 2

Ayes: 6

Noes: 9

Clause 2 ordered to stand part of the Bill.
--- Later in debate ---

Division 3

Ayes: 6

Noes: 9

Amendment proposed: 67, in clause 5, page 7, line 18, at end insert—
--- Later in debate ---

Division 4

Ayes: 6

Noes: 9

Clause 5 ordered to stand part of the Bill.
--- Later in debate ---

Division 5

Ayes: 6

Noes: 9

Clause 6 ordered to stand part of the Bill.
--- Later in debate ---

Division 6

Ayes: 6

Noes: 9

Schedule 2 agreed to.
--- Later in debate ---

Division 7

Ayes: 6

Noes: 9

--- Later in debate ---

Division 8

Ayes: 6

Noes: 9

Amendment proposed: 72, in clause 7, page 12, line 25, at end insert—
--- Later in debate ---

Division 9

Ayes: 6

Noes: 9

Question put, That the clause stand part of the Bill.
--- Later in debate ---

Division 10

Ayes: 9

Noes: 6

Clause 7 ordered to stand part of the Bill.

Data Protection and Digital Information (No. 2) Bill (Fourth sitting)

Committee stage
Tuesday 16th May 2023

Public Bill Committees
Amendment Paper: Public Bill Committee Amendments as at 16 May 2023

Division 11

Ayes: 7

Noes: 10

Stephanie Peacock

I beg to move amendment 77, in clause 11, page 19, line 12, at end insert

“and about the safeguards available to the subject in accordance with this paragraph and any regulations under Article 22D(4);”.

This amendment would require controllers proactively to provide data subjects with information about their rights in relation to automated decision-making.

--- Later in debate ---

Division 12

Ayes: 7

Noes: 10

The Chair

Ms Monaghan, do you wish to move amendment 120 formally?

--- Later in debate ---

Division 13

Ayes: 6

Noes: 10

Amendment proposed: 75, clause 11, page 19, line 36, at end insert—
--- Later in debate ---

Division 14

Ayes: 6

Noes: 10

Stephanie Peacock

I beg to move amendment 121, in clause 11, page 19, line 36, at end insert—

“7. When exercising the power to make regulations under this Article, the Secretary of State must have regard to the following statement of principles:

Digital information principles at work

1. People should have access to a fair, inclusive and trustworthy digital environment at work.

2. Algorithmic systems should be designed and used to achieve better outcomes: to make work better, not worse, and not for surveillance. Workers and their representatives should be involved in this process.

3. People should be protected from unsafe, unaccountable and ineffective algorithmic systems at work. Impacts on individuals and groups must be assessed in advance and monitored, with reasonable and proportionate steps taken.

4. Algorithmic systems should not harm workers’ mental or physical health, or integrity.

5. Workers and their representatives should always know when an algorithmic system is being used, how and why it is being used, and what impacts it may have on them or their work.

6. Workers and their representatives should be involved in meaningful consultation before and during use of an algorithmic system that may significantly impact work or people.

7. Workers should have control over their own data and digital information collected about them at work.

8. Workers and their representatives should always have an opportunity for human contact, review and redress when an algorithmic system is used at work where it may significantly impact work or people. This includes a right to a written explanation when a decision is made.

9. Workers and their representatives should be able to use their data and digital technologies for contact and association to improve work quality and conditions.

10. Workers should be supported to build the information, literacy and skills needed to fulfil their capabilities through work transitions.”

This amendment would insert into new Article 22D of the UK GDPR a requirement for the Secretary of State to have regard to the statement of digital information principles at work when making regulations about automated decision-making.

--- Later in debate ---

Division 15

Ayes: 6

Noes: 10

Amendment proposed: 122, in clause 11, page 22, line 2, at end insert—
--- Later in debate ---

Division 16

Ayes: 6

Noes: 10

Question proposed, That the clause stand part of the Bill.
--- Later in debate ---

Division 17

Ayes: 10

Noes: 6

Clause 11 ordered to stand part of the Bill.
--- Later in debate ---

Division 18

Ayes: 6

Noes: 10

Question put, That the clause stand part of the Bill.

Division 19

Ayes: 10

Noes: 6

Clause 17 ordered to stand part of the Bill.

Data Protection and Digital Information (No. 2) Bill (Fifth sitting)

Committee stage
Thursday 18th May 2023

Public Bill Committees
Amendment Paper: Public Bill Committee Amendments as at 18 May 2023

Division 20

Ayes: 6


Labour: 5
Scottish National Party: 1

Noes: 9


Conservative: 9

Clause 25 ordered to stand part of the Bill.
--- Later in debate ---

Division 21

Ayes: 6


Labour: 5
Scottish National Party: 1

Noes: 9


Conservative: 9

Question proposed, That the clause stand part of the Bill.
--- Later in debate ---

Division 22

Ayes: 9


Conservative: 9

Noes: 6


Labour: 5
Scottish National Party: 1

Clause 28 ordered to stand part of the Bill.
--- Later in debate ---

Division 23

Ayes: 6


Labour: 5
Scottish National Party: 1

Noes: 9


Conservative: 9

Question proposed, That the clause stand part of the Bill.
--- Later in debate ---

Division 24

Ayes: 6


Labour: 5
Scottish National Party: 1

Noes: 9


Conservative: 9

Question put, That the clause stand part of the Bill.

Division 25

Ayes: 9


Conservative: 9

Noes: 6


Labour: 5
Scottish National Party: 1

Clause 31 ordered to stand part of the Bill.

Data Protection and Digital Information (No. 2) Bill (Seventh sitting)

Committee stage
Tuesday 23rd May 2023

Public Bill Committees
Amendment Paper: Public Bill Committee Amendments as at 23 May 2023

Division 26

Ayes: 4


Labour: 3
Scottish National Party: 1

Noes: 8


Conservative: 8

Amendments made: 53, in clause 79, page 105, line 11, after “transitional” insert “, transitory”.
--- Later in debate ---

Division 27

Ayes: 4


Labour: 3
Scottish National Party: 1

Noes: 8


Conservative: 8

Amendment made: 33, in clause 85, page 113, line 28, at end insert—

Data Protection and Digital Information (No. 2) Bill (Eighth sitting)

Committee stage
Tuesday 23rd May 2023

Public Bill Committees
Amendment Paper: Public Bill Committee Amendments as at 23 May 2023

Division 28

Ayes: 4


Labour: 3
Scottish National Party: 1

Noes: 9


Conservative: 9

--- Later in debate ---

Division 29

Ayes: 4


Labour: 3
Scottish National Party: 1

Noes: 9


Conservative: 9

New Clause 10
--- Later in debate ---

Division 30

Ayes: 4


Labour: 3
Scottish National Party: 1

Noes: 9


Conservative: 9

Data Protection and Digital Information Bill

The Minister for Data and Digital Infrastructure (Sir John Whittingdale)

I begin by joining the hon. Member for Rhondda (Sir Chris Bryant) in expressing the condolences of the House to his predecessor, Allan Rogers. He served as a Member of Parliament during my first nine years in this place. I remember him as an assiduous constituency Member of Parliament, and I am sure we all share the sentiments expressed by the hon. Gentleman.

It is a pleasure to return to the Dispatch Box to lead the House through Report stage of the Bill. We spent considerable time discussing it in Committee, but the hon. Gentleman was not in his post at that time. I welcome him to his position. He may regret that he missed out on Committee stage, which makes him keen to return to it today.

The Bill is an essential piece of legislation that will update the UK’s data laws, making them among the most effective in the world. We scrutinised it in depth in Committee. The hon. Gentleman is right that the Government have tabled a number of amendments for the House to consider today, and he has done the same. The vast majority are technical, and the number sounds large because a lot are consequential on original amendments. One or two address new aspects, and I will be happy to speak to those as we go through them during this afternoon’s debate. Nevertheless, they represent important additions to the Bill.

The Minister for Disabled People, Health and Work, my hon. Friend the Member for Corby (Tom Pursglove), who is sitting next to me, has drawn the House’s attention to the fact that amending the Bill to allow the Department for Work and Pensions access to financial data will make a significant contribution to identifying fraud. I would have thought that the Opposition would welcome that. It is not a new measure; it was contained in the fraud plan that the Government published back in May 2022. The Government have been examining that measure, and we have always made it clear that we would bring it forward at an appropriate parliamentary time when a vehicle was available. This is a data Bill, and the measure is specific to it. We estimate that it will result in a saving to the taxpayer of around £500 million by the end of 2028-29. I am surprised that the Opposition should question that.

As I said, the Bill has been considered at length in Committee. It is important that we consider it on Report, in order that it achieve the next stage of its progress through Parliament. On that basis, I reject the motion.

Question put.

--- Later in debate ---
13:24

Division 13

Ayes: 209


Labour: 147
Scottish National Party: 34
Liberal Democrat: 12
Democratic Unionist Party: 5
Independent: 5
Conservative: 2
Alliance: 1
Social Democratic & Labour Party: 1
Green Party: 1
Plaid Cymru: 1

Noes: 275


Conservative: 265
Independent: 3

--- Later in debate ---
1.37 pm
Sir John Whittingdale

I beg to move, That the clause be read a Second time.

Madam Deputy Speaker (Dame Rosie Winterton)

With this it will be convenient to discuss the following:

Government new clause 48—Processing of personal data revealing political opinions.

Government new clause 7—Searches in response to data subjects’ requests.

Government new clause 8—Notices from the Information Commissioner.

Government new clause 9—Court procedure in connection with subject access requests.

Government new clause 10—Approval of a supplementary code.

Government new clause 11—Designation of a supplementary code.

Government new clause 12—List of recognised supplementary codes.

Government new clause 13—Change to conditions for approval or designation.

Government new clause 14—Revision of a recognised supplementary code.

Government new clause 15—Applications for approval and re-approval.

Government new clause 16—Fees for approval, re-approval and continued approval.

Government new clause 17—Request for withdrawal of approval.

Government new clause 18—Removal of designation.

Government new clause 19—Registration of additional services.

Government new clause 20—Supplementary notes.

Government new clause 21—Addition of services to supplementary notes.

Government new clause 22—Duty to remove services from the DVS register.

Government new clause 23—Duty to remove supplementary notes from the DVS register.

Government new clause 24—Duty to remove services from supplementary notes.

Government new clause 25—Index of defined terms for Part 2.

Government new clause 26—Powers relating to verification of identity or status.

Government new clause 27—Interface bodies.

Government new clause 28—The FCA and financial services interfaces.

Government new clause 29—The FCA and financial services interfaces: supplementary.

Government new clause 30—The FCA and financial services interfaces: penalties and levies.

Government new clause 31—Liability and damages.

Government new clause 32—Other data provision.

Government new clause 33—Duty to notify the Commissioner of personal data breach: time periods.

Government new clause 34—Power to require information for social security purposes.

Government new clause 35—Retention of information by providers of internet services in connection with death of child.

Government new clause 36—Retention of biometric data and recordable offences.

Government new clause 37—Retention of pseudonymised biometric data.

Government new clause 38—Retention of biometric data from INTERPOL.

Government new clause 39—National Underground Asset Register.

Government new clause 40—Information in relation to apparatus.

Government new clause 41—Pre-commencement consultation.

Government new clause 42—Transfer of certain functions of Secretary of State.

New clause 1—Processing of data in relation to a case-file prepared by the police service for submission to the Crown Prosecution Service for a charging decision

“(1) The 2018 Act is amended in accordance with subsection (2).

(2) In the 2018 Act, after section 40 insert—

“40A Processing of data in relation to a case-file prepared by the police service for submission to the Crown Prosecution Service for a charging decision

(1) This section applies to a set of processing operations consisting of the preparation of a case-file by the police service for submission to the Crown Prosecution Service for a charging decision, the making of a charging decision by the Crown Prosecution Service, and the return of the case-file by the Crown Prosecution Service to the police service after a charging decision has been made.

(2) The police service is not obliged to comply with the first data protection principle except insofar as that principle requires processing to be fair, or the third data protection principle, in preparing a case-file for submission to the Crown Prosecution Service for a charging decision.

(3) The Crown Prosecution Service is not obliged to comply with the first data protection principle except insofar as that principle requires processing to be fair, or the third data protection principle, in making a charging decision on a case-file submitted for that purpose by the police service.

(4) If the Crown Prosecution Service decides that a charge will not be pursued when it makes a charging decision on a case-file submitted for that purpose by the police service it must take all steps reasonably required to destroy and delete all copies of the case-file in its possession.

(5) If the Crown Prosecution Service decides that a charge will be pursued when it makes a charging decision on a case-file submitted for that purpose by the police service it must return the case-file to the police service and take all steps reasonably required to destroy and delete all copies of the case-file in its possession.

(6) Where the Crown Prosecution Service decides that a charge will be pursued when it makes a charging decision on a case-file submitted for that purpose by the police service and returns the case-file to the police service under subsection (5), the police service must comply with the first data protection principle and the third data protection principle in relation to any subsequent processing of the data contained in the case-file.

(7) For the purposes of this section—

(a) The police service means—

(i) constabulary maintained by virtue of an enactment, or

(ii) subject to section 126 of the Criminal Justice and Public Order Act 1994 (prison staff not to be regarded as in police service), any other service whose members have the powers or privileges of a constable.

(b) The preparation of, or preparing, a case-file by the police service for submission to the Crown Prosecution Service for a charging decision includes the submission of the file.

(c) A case-file includes all information obtained by the police service for the purpose of preparing a case-file for submission to the Crown Prosecution Service for a charging decision.””

This new clause adjusts Section 40 of the Data Protection Act 2018 to exempt the police service and the Crown Prosecution Service from the first and third data protection principles contained within the 2018 Act so that they can share unredacted data with one another when making a charging decision.

New clause 2—Common standards and timeline for implementation

“(1) Within one month of the passage of this Act, the Secretary of State must by regulations require those appointed as decision-makers to create, publish and update as required open and common standards for access to customer data and business data.

(2) Standards created by virtue of subsection (1) must be interoperable with those created as a consequence of Part 2 of the Retail Banking Market Investigation Order 2017, made by the Competition and Markets Authority.

(3) Regulations under section 66 and 68 must ensure interoperability of customer data and business data with standards created by virtue of subsection (1).

(4) Within one month of the passage of this Act, the Secretary of State must publish a list of the sectors to which regulations under section 66 and section 68 will apply within three years of the passage of the Act, and the date by which those regulations will take effect in each case.”

This new clause, which is intended to be placed in Part 3 (Customer data and business data) of the Bill, would require interoperability across all sectors of the economy in smart data standards, including the Open Banking standards already in effect, and the publication of a timeline for implementation.

New clause 3—Provision about representation of data subjects

“(1) Section 190 of the Data Protection Act 2018 is amended as follows.

(2) In subsection (1), leave out “After the report under section 189(1) is laid before Parliament, the Secretary of State may” and insert “The Secretary of State must, within three months of the passage of the Data Protection and Digital Information Act 2024,”.”

This new clause would require the Secretary of State to exercise powers under s190 DPA2018 to allow organisations to raise data breach complaints on behalf of data subjects generally, in the absence of a particular subject who wishes to bring forward a claim about misuse of their own personal data.

New clause 4—Review of notification of changes of circumstances legislation

“(1) The Secretary of State must commission a review of the operation of the Social Security (Notification of Changes of Circumstances) Regulations 2010.

(2) In conducting the review, the designated reviewer must—

(a) consider the current operation and effectiveness of the legislation;

(b) identify any gaps in its operation and provisions;

(c) consider and publish recommendations as to how the scope of the legislation could be expanded to include non-public sector, voluntary and private sector holders of personal data.

(3) In undertaking the review, the reviewer must consult—

(a) specialists in data sharing;

(b) people and organisations who campaign for the interests of people affected by the legislation;

(c) people and organisations who use the legislation;

(d) any other persons and organisations the review considers appropriate.

(4) The Secretary of State must lay a report of the review before each House of Parliament within six months of this Act coming into force.”

This new clause requires a review of the operation of the “Tell Us Once” programme, which seeks to provide simpler mechanisms for citizens to pass information regarding births and deaths to government, and consideration of whether the progress of “Tell Us Once” could be extended to non-public sector holders of data.

New clause 5—Definition of “biometric data”

“Article 9 of the UK GDPR is amended by the omission, in paragraph 1, of the words “for the purpose of uniquely identifying a natural person”.”

This new clause would amend the UK General Data Protection Regulation to extend the protections currently in place for biometric data for identification to include biometric data for the purpose of classification.

New clause 43—Right to use non-digital verification services

“(1) This section applies when an organisation—

(a) requires an individual to use a verification service, and

(b) uses a digital verification service for that purpose.

(2) The organisation—

(a) must make a non-digital alternative method of verification available to any individual required to use a verification service, and

(b) must provide information about digital and non-digital methods of verification to those individuals before verification is required.”

This new clause, which is intended for insertion into Part 2 of the Bill (Digital verification services), creates the right for data subjects to use non-digital identity verification services as an alternative to digital verification services, thereby preventing digital verification from becoming mandatory in certain settings.

New clause 44—Transfer of functions to the Investigatory Powers Commissioner’s Office

“The functions of the Surveillance Camera Commissioner are transferred to the Investigatory Powers Commissioner.”

New clause 45—Interoperability of data and collection of comparable healthcare statistics across the UK

“(1) The Health and Social Care Act 2012 is amended as follows.

(2) After section 250, insert the following section—

“250A Interoperability of data and collection of comparable healthcare statistics across the UK

(1) The Secretary of State must prepare and publish an information standard specifying binding data interoperability requirements which apply across the whole of the United Kingdom.

(2) An information standard prepared and published under this section—

(a) must include guidance about the implementation of the standard;

(b) may apply to any public body which exercises functions in connection with the provision of health services anywhere in the United Kingdom.

(3) A public body to which an information standard prepared and published under this section applies must have regard to the standard.

(4) The Secretary of State must report to Parliament each year on progress on the implementation of an information standard prepared in accordance with this section.

(5) For the purposes of this section—

“health services” has the same meaning as in section 250 of this Act, except that for “in England” there is substituted “anywhere in the United Kingdom”, and “the health service” in parts of the United Kingdom other than England has the meaning given by the relevant statute of that part of the United Kingdom;

“public body” has the same meaning as in section 250 of this Act.”

(3) In section 254 (Powers to direct NHS England to establish information systems), after subsection (2), insert—

“(2A) The Secretary of State must give a direction under subsection (1) directing NHS England to collect and publish information about healthcare performance and outcomes in all parts of the United Kingdom in a way which enables comparison between different parts of the United Kingdom.

(2B) Before giving a direction by virtue of subsection (2A), the Secretary of State must consult—

(a) the bodies responsible for the collection and publication of official statistics in each part of the United Kingdom,

(b) Scottish Ministers,

(c) Welsh Ministers, and

(d) Northern Ireland departments.

(2C) The Secretary of State may not give a direction by virtue of subsection (2A) unless a copy of the direction has been laid before, and approved by resolution of, both Houses of Parliament.

(2D) Scottish Ministers, Welsh Ministers and Northern Ireland departments must arrange for the information relating to the health services for which they have responsibility described in the direction given by virtue of subsection (2A) to be made available to NHS England in accordance with the direction.

(2E) For the purposes of a direction given by virtue of subsection (2A), the definition of “health and social care body” given in section 259(11) applies as if for “England” there were substituted “the United Kingdom”.””

New clause 46—Assessment of impact of Act on EU adequacy

“(1) Within six months of the passage of this Act, the Secretary of State must carry out an assessment of the impact of the Act on EU adequacy, and lay a report of that assessment before both Houses of Parliament.

(2) The report must assess the impact on—

(a) data risk, and

(b) small and medium-sized businesses.

(3) The report must quantify the impact of the Act in financial terms.”

New clause 47—Review of the impact of the Act on anonymisation and the identifiability of data subjects

“(1) Within six months of the passage of this Act, the Secretary of State must lay before Parliament the report of an assessment of the impact of the measures in the Act on anonymisation and the identifiability of data subjects.

(2) The report must include a comparison between the rights afforded to data subjects under this Act with those afforded to data subjects by the EU General Data Protection Regulation.”

Amendment 278, in clause 5, page 6, line 15, leave out paragraphs (b) and (c).

This amendment and Amendment 279 would remove the power for the Secretary of State to create pre-defined and pre-authorised “recognised legitimate interests”, for data processing. Instead, the current test would continue to apply in which personal data can only be processed in pursuit of a legitimate interest, as balanced with individual rights and freedoms.

Amendment 279, page 6, line 23, leave out subsections (4), (5) and (6).

See explanatory statement to Amendment 278.

Amendment 230, page 7, leave out lines 1 and 2 and insert—

“8. The Secretary of State may not make regulations under paragraph 6 unless a draft of the regulations has been laid before both Houses of Parliament for the 60-day period.

8A. The Secretary of State must consider any representations made during the 60-day period in respect of anything in the draft regulations laid under paragraph 8.

8B. If, after the end of the 60-day period, the Secretary of State wishes to proceed to make the regulations, the Secretary of State must lay before Parliament a draft of the regulations (incorporating any changes the Secretary of State considers appropriate pursuant to paragraph 8A).

8C. Draft regulations laid under paragraph 8B must, before the end of the 40-day period, have been approved by a resolution of each House of Parliament.

8D. In this Article—

“the 40-day period” means the period of 40 days beginning on the day on which the draft regulations mentioned in paragraph 8 are laid before Parliament (or, if it is not laid before each House of Parliament on the same day, the later of the days on which it is laid);

“the 60-day period” means the period of 60 days beginning on the day on which the draft regulations mentioned in paragraph 8B are laid before Parliament (or, if it is not laid before each House of Parliament on the same day, the later of the days on which it is laid).

8E. When calculating the 40-day period or the 60-day period for the purposes of paragraph 8D, ignore any period during which Parliament is dissolved or prorogued or during which both Houses are adjourned for more than 4 days.”

This amendment would make regulations made in respect of recognised legitimate interest subject to a super-affirmative Parliamentary procedure.

Amendment 11, page 7, line 12, at end insert—

““internal administrative purposes”, in relation to special category data, means the conditions set out for lawful processing in paragraph 1 of Schedule 1 of the Data Protection Act 2018.”

This amendment clarifies that the processing of special category data in employment must follow established principles for reasonable processing, as defined by paragraph 1 of Schedule 1 of the Data Protection Act 2018.

Government amendment 252.

Amendment 222, page 10, line 8, leave out clause 8.

Amendment 3, in clause 8, page 10, leave out line 31.

This amendment would mean that the resources available to the controller could not be taken into account when determining whether a request is vexatious or excessive.

Amendment 2, page 11, line 34, at end insert—

“(6A) When informing the data subject of the reasons for not taking action on the request in accordance with subsection (6), the controller must provide evidence of why the request has been treated as vexatious or excessive.”

This amendment would require the data controller to provide evidence of why a request has been considered vexatious or excessive if the controller is refusing to take action on the request.

Government amendment 17.

Amendment 223, page 15, line 22, leave out clause 10.

Amendment 224, page 18, line 7, leave out clause 12.

Amendment 236, in clause 12, page 18, line 21, at end insert—

“(c) a data subject is an identified or identifiable individual who is affected by a significant decision, irrespective of the direct presence of their personal data in the decision-making process.”

This amendment would clarify that a “data subject” includes identifiable individuals who are subject to data-based and automated decision-making, whether or not their personal data is directly present in the decision-making process.

Amendment 232, page 19, line 12, leave out “solely” and insert “predominantly”.

This amendment would mean safeguards for data subjects’ rights, freedoms and legitimate interests would have to be in place in cases where a significant decision in relation to a data subject was taken based predominantly, rather than solely, on automated processing.

Amendment 5, page 19, line 12, after “solely” insert “or partly”.

This amendment would mean that the protections provided for by the new Article 22C would apply where a decision is based either solely or partly on automated processing, not only where it is based solely on such processing.

Amendment 233, page 19, line 18, at end insert

“including the reasons for the processing.”

This amendment would require data controllers to provide the data subject with the reasons for the processing of their data in cases where a significant decision in relation to a data subject was taken based on automated processing.

Amendment 225, page 19, line 18, at end insert—

“(aa) require the controller to inform the data subject when a decision described in paragraph 1 has been taken in relation to the data subject;”.

Amendment 221, page 20, line 3, at end insert—

“7. When exercising the power to make regulations under this Article, the Secretary of State must have regard to the following statement of principles:

Digital information principles at work

1. People should have access to a fair, inclusive and trustworthy digital environment at work.

2. Algorithmic systems should be designed and used to achieve better outcomes: to make work better, not worse, and not for surveillance. Workers and their representatives should be involved in this process.

3. People should be protected from unsafe, unaccountable and ineffective algorithmic systems at work. Impacts on individuals and groups must be assessed in advance and monitored, with reasonable and proportionate steps taken.

4. Algorithmic systems should not harm workers’ mental or physical health, or integrity.

5. Workers and their representatives should always know when an algorithmic system is being used, how and why it is being used, and what impacts it may have on them or their work.

6. Workers and their representatives should be involved in meaningful consultation before and during use of an algorithmic system that may significantly impact work or people.

7. Workers should have control over their own data and digital information collected about them at work.

8. Workers and their representatives should always have an opportunity for human contact, review and redress when an algorithmic system is used at work where it may significantly impact work or people. This includes a right to a written explanation when a decision is made.

9. Workers and their representatives should be able to use their data and digital technologies for contact and association to improve work quality and conditions.

10. Workers should be supported to build the information, literacy and skills needed to fulfil their capabilities through work transitions.”

This amendment would insert into new Article 22D of the UK GDPR a requirement for the Secretary of State to have regard to the statement of digital information principles at work when making regulations about automated decision-making.

Amendment 4, in clause 15, page 25, line 4, at end insert

“(including in the cases specified in sub-paragraphs (a) to (c) of paragraph 3 of Article 35)”.

This amendment, together with Amendment 1, would provide a definition of what constitutes “high risk processing” for the purposes of applying Articles 27A, 27B and 27C, which require data controllers to designate, and specify the duties of, a “senior responsible individual” with responsibility for such processing.

Government amendments 18 to 44.

Amendment 12, in page 32, line 7, leave out clause 17.

This amendment keeps the current requirement on police in the Data Protection Act 2018 to justify why they have accessed an individual’s personal data.

Amendment 1, in clause 18, page 32, line 18, leave out paragraph (c) and insert—

“(c) omit paragraph 2,

(ca) in paragraph 3—

(i) for “data protection” substitute “high risk processing”,

(ii) in sub-paragraph (a), for “natural persons” substitute “individuals”,

(iii) in sub-paragraph (a) for “natural person” substitute “individual” in both places where it occurs,

(cb) omit paragraphs 4 and 5,”.

This amendment would leave paragraph 3 of Article 35 of the UK GDPR in place (with amendments reflecting amendments made by the Bill elsewhere in the Article), thereby ensuring that there is a definition of “high risk processing” on the face of the Regulation.

Amendment 226, page 39, line 38, leave out clause 26.

Amendment 227, page 43, line 2, leave out clause 27.

Amendment 228, page 46, line 32, leave out clause 28.

Government amendment 45.

Amendment 235, page 57, line 29, leave out clause 34.

This amendment would leave in place the existing regime, which refers to “manifestly unfounded” or excessive requests to the Information Commissioner, rather than the proposed change to “vexatious” or excessive requests.

Government amendments 46 and 47.

Amendment 237, in clause 48, page 77, line 4, leave out “individual” and insert “person”.

This amendment and Amendments 238 to 240 are intended to enable the digital verification services covered by the Bill to include verification of organisations as well as individuals.

Amendment 238, page 77, line 5, leave out “individual” and insert “person”.

See explanatory statement to Amendment 237.

Amendment 239, page 77, line 6, leave out “individual” and insert “person”.

See explanatory statement to Amendment 237.

Amendment 240, page 77, line 7, leave out “individual” and insert “person”.

See explanatory statement to Amendment 237.

Amendment 241, page 77, line 8, at end insert (on new line)—

“and the facts which may be so ascertained, verified or confirmed may include the fact that an individual has a claimed connection with a legal person.”

This amendment would ensure that the verification services covered by the Bill will include verification that an individual has a claimed connection with a legal person.

Government amendments 48 to 50.

Amendment 280, in clause 49, page 77, line 13, at end insert—

“(2A) The DVS trust framework must include a description of how the provision of digital verification services is expected to uphold the Identity Assurance Principles.

(2B) Schedule (Identity Assurance Principles) describes each Identity Assurance Principle and its effect.”

Amendment 281, page 77, line 13, at end insert—

“(2A) The DVS trust framework must allow valid attributes to be protected by zero-knowledge proof and other decentralised technologies, without restriction upon how and by whom those proofs may be held or processed.”

Government amendments 51 to 66.

Amendment 248, in clause 52, page 79, line 7, at end insert—

“(1A) A determination under subsection (1) may specify an amount which is tiered to the size of the person and its role as specified in the DVS trust framework.”

This amendment would enable fees for application for registration in the DVS register to be determined on the basis of the size and role of the organisation applying to be registered.

Amendment 243, page 79, line 8, after “may”, insert “not”.

This amendment would provide that the fee for application for registration in the DVS register could not exceed the administrative costs of determining the application.

Government amendment 67.

Amendment 244, page 79, line 13, after “may”, insert “not”.

This amendment would provide that the fee for continued registration in the DVS register could not exceed the administrative costs of that registration.

Government amendment 68.

Amendment 245, page 79, line 21, at end insert—

“(10) The fees payable under this section must be reviewed every two years by the National Audit Office.”

This amendment would provide that the fees payable for DVS registration must be reviewed every two years by the NAO.

Government amendments 69 to 77.

Amendment 247, in clause 54, page 80, line 38, after “person”, insert “or by other parties”.

This amendment would enable others, for example independent experts, to make representations about a decision to remove a person from the DVS register, as well as the person themselves.

Amendment 246, page 81, line 7, at end insert—

“(11) The Secretary of State may not exercise the power granted by subsection (1) until the Secretary of State has consulted on proposals for how a decision to remove a person from the DVS register will be reached, including—

(a) how information will be collected from persons impacted by a decision to remove the person from the register, and from others;

(b) how complaints will be managed;

(c) how evidence will be reviewed;

(d) what the burden of proof will be on which a decision will be based.”

This amendment would provide that the power to remove a person from the DVS register could not be exercised until the Secretary of State had consulted on the detail of how a decision to remove would be reached.

Government amendments 78 to 80.

Amendment 249, in clause 62, page 86, line 17, at end insert—

“(3A) A notice under this section must give the recipient of the notice an opportunity to consult the Secretary of State on the content of the notice before providing the information required by the notice.”

This amendment would provide an option for consultation between the Secretary of State and the recipient of an information notice before the information required by the notice has to be provided.

Government amendment 81.

Amendment 242, in clause 63, page 87, line 21, leave out “may” and insert “must”.

This amendment would require the Secretary of State to make arrangements for a person to exercise the Secretary of State’s functions under this Part of the Bill, so that an independent regulator would perform the relevant functions and not the Secretary of State.

Amendment 250, in clause 64, page 87, line 34, at end insert—

“(1A) A report under subsection (1) must include a report on any arrangements made under section 63 for a third party to exercise functions under this Part.”

This amendment would require information about arrangements for a third party to exercise functions under this Part of the Bill to be included in the annual reports on the operation of the Part.

Government amendments 82 to 196.

Amendment 6, in clause 83, page 107, leave out from line 26 to the end of line 34 on page 108.

This amendment would leave out the proposed new regulation 6B of the PEC Regulations, which would enable consent to be given, or an objection to be made, to cookies automatically.

Amendment 217, page 109, line 20, leave out clause 86.

This amendment would leave out the clause which would enable the sending of direct marketing electronic mail on a “soft opt-in” basis.

Amendment 218, page 110, line 1, leave out clause 87.

This amendment would remove the clause which would enable direct marketing for the purposes of democratic engagement. See also Amendment 220.

Government amendments 253 to 255.

Amendment 219, page 111, line 6, leave out clause 88.

This amendment is consequential on Amendment 218.

Government amendments 256 to 265.

Amendment 7, in clause 89, page 114, line 12, at end insert—

“(2A) A provider of a public electronic communications service or network is not required to intercept or examine the content of any communication in order to comply with their duty under this regulation.”

This amendment would clarify that a public electronic communications service or network is not required to intercept or examine the content of any communication in order to comply with their duty to notify the Commissioner of unlawful direct marketing.

Amendment 8, page 117, line 3, at end insert—

“(5) In regulation 1—

(a) at the start, insert “(1)”;

(b) after “shall”, insert “save for regulation 26A”;

(c) at end, insert—

“(2) Regulation 26A comes into force six months after the Commissioner has published guidance under regulation 26C (Guidance in relation to regulation 26A).””

This amendment would provide for the new regulation 26A, Duty to notify Commissioner of unlawful direct marketing, not to come into force until six months after the Commissioner has published guidance in relation to that duty.

Government amendment 197.

Amendment 251, in clause 101, page 127, line 3, leave out “and deaths” and insert “, deaths and deed polls”.

This amendment would require deed poll information to be kept to the same standard as records of births and deaths.

Amendment 9, page 127, line 24, at end insert—

“(2A) After section 25, insert—

“25A Review of form in which registers are to be kept

(1) The Secretary of State must commission a review of the provisions of this Act and of related legislation, with a view to the creation of a single digital register of births and deaths.

(2) The review must consider and make recommendations on the effect of the creation of a single digital register on—

(a) fraud,

(b) data collection, and

(c) ease of registration.

(3) The Secretary of State must lay a report of the review before each House of Parliament within six months of this section coming into force.””

This amendment would insert a new section into the Births and Deaths Registration Act 1953 requiring a review of relevant legislation, with consideration of creating a single digital register for registered births and registered deaths and recommendations on the effects of such a change on reducing fraud, improving data collection and streamlining digital registration.

Government amendment 198.

Amendment 229, in clause 112, page 135, line 8, leave out subsections (2) and (3).

Amendment 10, in clause 113, page 136, line 35, leave out

“which allows or confirms the unique identification of that individual”.

This amendment would amend the definition of “biometric data” for the purpose of the oversight of law enforcement biometrics databases so as to extend the protections currently in place for biometric data for identification to include biometric data for the purpose of classification.

Government amendments 199 to 207.

Government new schedule 1—Power to require information for social security purposes.

Government new schedule 2—National Underground Asset Register: monetary penalties.

New schedule 3—Identity Assurance Principles

“Part 1

Definitions

1 These Principles are limited to the processing of Identity Assurance Data (IdA Data) in an Identity Assurance Service (e.g. establishing and verifying identity of a Service User; conducting a transaction that uses a user identity; maintaining audit requirements in relation to a transaction associated with the use of a service that needs identity verification etc.). They do not cover, for example, any data used to deliver a service, or to measure its quality.

2 In the context of the application of the Identity Assurance Principles to an Identity Assurance Service, “Identity Assurance Data” (“IdA Data”) means any recorded information that is connected with a “Service User” including—

“Audit Data.” This includes any recorded information that is connected with any log or audit associated with an Identity Assurance Service.

“General Data.” This means any other recorded information which is not personal data, audit data or relationship data, but is still connected with a “Service User”.

“Personal Data.” This takes its meaning from the Data Protection Act 2018 or subsequent legislation (e.g. any recorded information that relates to a “Service User” who is also an identified or identifiable living individual).

“Relationship Data.” This means any recorded information that describes (or infers) a relationship between a “Service User”, “Identity Provider” or “Service Provider” with another “Service User”, “Identity Provider” or “Service Provider” and includes any cookie or program whose purpose is to supply a means through which relationship data are collected.

3 Other terms used in relation to the Principles are defined as follows—

“Identity Assurance Service.” This includes relevant applications of the technology (e.g. hardware, software, database, documentation) in the possession or control of any “Service User”, “Identity Provider” or “Service Provider” that is used to facilitate identity assurance activities; it also includes any IdA Data processed by that technology or by an Identity Provider or by a Service Provider in the context of the Service; and any IdA Data processed by the underlying infrastructure for the purpose of delivering the IdA service or associated billing, management, audit and fraud prevention.

“Identity Provider.” This means the certified individual or certified organisation that provides an Identity Assurance Service (e.g. establishing an identity, verification of identity); it includes any agent of a certified Identity Provider that processes IdA data in connection with that Identity Assurance Service.

“Participant.” This means any “Identity Provider”, “Service Provider” or “Service User” in an Identity Assurance Service. A “Participant” includes any agent by definition.

“Processing.” In the context of IdA data means “collecting, using, disclosing, retaining, transmitting, copying, comparing, corroborating, correlating, aggregating, accessing” the data and includes any other operation performed on IdA data.

“Provider.” Includes both “Identity Provider” and/or “Service Provider”.

“Service Provider.” This means the certified individual or certified organisation that provides a service that uses an Identity Provider in order to verify identity of the Service User; it includes any agent of the Service Provider that processes IdA data from an Identity Assurance Service.

“Service User.” This means the person (i.e. an organisation (incorporated or not)) or an individual (dead or alive) who has established (or is establishing) an identity with an Identity Provider; it includes an agent (e.g. a solicitor, family member) who acts on behalf of a Service User with proper authority (e.g. a public guardian, or a Director of a company, or someone who possesses power of attorney). The person may be living or deceased (the identity may still need to be used once its owner is dead, for example by an executor).

“Third Party.” This means any person (i.e. any organisation or individual) who is not a “Participant” (e.g. the police or a Regulator).

Part 2

The Nine Identity Assurance Principles

Any exemptions from these Principles must be specified via the “Exceptional Circumstances Principle”. (See Principle 9).

1 User Control Principle

Statement of Principle: “I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them.”

1.1 An Identity Provider or Service Provider must ensure any collection, use or disclosure of IdA data in, or from, an Identity Assurance Service is approved by each particular Service User who is connected with the IdA data.

1.2 There should be no compulsion to use the Identity Assurance Service and Service Providers should offer alternative mechanisms to access their services. Failing to do so would undermine the consensual nature of the service.

2 Transparency Principle

Statement of Principle: “Identity assurance can only take place in ways I understand and when I am fully informed.”

2.1 Each Identity Provider or Service Provider must be able to justify to Service Users why their IdA data are processed. Ensuring transparency of activity and effective oversight through auditing and other activities inspires public trust and confidence in how their details are used.

2.2 Each Service User must be offered a clear description about the processing of IdA data in advance of any processing. Identity Providers must be transparent with users about their particular models for service provision.

2.3 The information provided includes a clear explanation of why any specific information has to be provided by the Service User (e.g. in order that a particular level of identity assurance can be obtained) and identifies any obligation on the part of the Service User (e.g. in relation to the User’s role in securing his/her own identity information).

2.4 The Service User will be able to identify which Service Provider they are using at any given time.

2.5 Any subsequent and significant change to the processing arrangements that have been previously described to a Service User requires the prior consent or approval of that Service User before it comes into effect.

2.6 All procedures, including those involved with security, should be made publicly available at the appropriate time, unless such transparency presents a security or privacy risk. For example, the standards of encryption can be identified without jeopardy to the encryption keys being used.

3 Multiplicity Principle

Statement of Principle: “I can use and choose as many different identifiers or identity providers as I want to.”

3.1 A Service User is free to use any number of identifiers that each uniquely identifies the individual or business concerned.

3.2 A Service User can use any of his identities established with an Identity Provider with any Service Provider.

3.3 A Service User shall not be obliged to use any Identity Provider or Service Provider not chosen by that Service User; however, a Service Provider can require the Service User to provide a specific level of Identity Assurance, appropriate to the Service User’s request to a Service Provider.

3.4 A Service User can choose any number of Identity Providers and where possible can choose between Service Providers in order to meet his or her diverse needs. Where a Service User chooses to register with more than one Identity Provider, Identity Providers and Service Providers must not link the Service User’s different accounts or gain information about their use of other Providers.

3.5 A Service User can terminate, suspend or change Identity Provider and where possible can choose between Service Providers at any time.

3.6 A Service Provider does not know the identity of the Identity Provider used by a Service User to verify an identity in relation to a specific service. The Service Provider knows that the Identity Provider can be trusted because the Identity Provider has been certified, as set out in GPG43 – Requirements for Secure Delivery of Online Public Services (RSDOPS).

4 Data Minimisation Principle

Statement of Principle: “My interactions only use the minimum data necessary to meet my needs.”

4.1 Identity Assurance should only be used where a need has been established and only to the appropriate minimum level of assurance.

4.2 Identity Assurance data processed by an Identity Provider or a Service Provider to facilitate a request of a Service User must be the minimum necessary in order to fulfil that request in a secure and auditable manner.

4.3 When a Service User stops using a particular Identity Provider, their data should be deleted. Data should be retained only where required for specific targeted fraud, security or other criminal investigation purposes.

5 Data Quality Principle

Statement of Principle: “My interactions only use the minimum data necessary to meet my needs.”

5.1 Service Providers should enable Service Users (or authorised persons, such as the holder of a Power of Attorney) to be able to update their own personal data, at a time at their choosing, free of charge and in a simple and easy manner.

5.2 Identity Providers and Service Providers must take account of the appropriate level of identity assurance required before allowing any updating of personal data.

6 Service User Access and Portability Principle

Statement of Principle: “I have to be provided with copies of all of my data on request; I can move/remove my data whenever I want.”

6.1 Each Identity Provider or Service Provider must allow, promptly, on request and free of charge, each Service User access to any IdA data that relates to that Service User.

6.2 It shall be unlawful to make it a condition of doing anything in relation to a Service User to request or require that Service User to request IdA data.

6.3 The Service User must be able to require an Identity Provider to transfer his personal data, to a second Identity Provider in a standard electronic format, free of charge and without impediment or delay.

7 Certification Principle

Statement of Principle: “I can have confidence in the Identity Assurance Service because all the participants have to be certified against common governance requirements.”

7.1 As a baseline control, all Identity Providers and Service Providers will be certified against a shared standard. This is one important way of building trust and confidence in the service.

7.2 As part of the certification process, Identity Providers and Service Providers are obliged to co-operate with the independent Third Party and accept their impartial determination and to ensure that contractual arrangements—

• reinforce the application of the Identity Assurance Principles

• contain a reference to the independent Third Party as a mechanism for dispute resolution.

7.3 In the context of personal data, certification procedures include the use of Privacy Impact Assessments, Security Risk Assessments, Privacy by Design concepts and, in the context of information security, a commitment to using appropriate technical measures (e.g. encryption) and ever improving security management. Wherever possible, such certification processes and security procedures reliant on technical devices should be made publicly available at the appropriate time.

7.4 All Identity Providers and Service Providers will take all reasonable steps to ensure that a Third Party cannot capture IdA data that confirms (or infers) the existence of relationship between any Participant. No relationships between parties or records should be established without the consent of the Service User.

7.5 Certification can be revoked if there is significant non-compliance with any Identity Assurance Principle.

8 Dispute Resolution Principle

Statement of Principle: “If I have a dispute, I can go to an independent Third Party for a resolution.”

8.1 A Service User who, after a reasonable time, cannot, or is unable, to resolve a complaint or problem directly with an Identity Provider or Service Provider can call upon an independent Third Party to seek resolution of the issue. This could happen for example where there is a disagreement between the Service User and the Identity Provider about the accuracy of data.

8.2 The independent Third Party can resolve the same or similar complaints affecting a group of Service Users.

8.3 The independent Third Party can co-operate with other regulators in order to resolve problems and can raise relevant issues of importance concerning the Identity Assurance Service.

8.4 An adjudication/recommendation of the independent Third Party should be published. The independent Third Party must operate transparently, but detailed case histories should only be published subject to appropriate review and consent.

8.5 There can be more than one independent Third Party.

8.6 The independent Third Party can recommend changes to standards or certification procedures or that an Identity Provider or Service Provider should lose their certification.

9 Exceptional Circumstances Principle

Statement of Principle: “Any exception has to be approved by Parliament and is subject to independent scrutiny.”

9.1 Any exemption from the application of any of the above Principles to IdA data shall only be lawful if it is linked to a statutory framework that legitimises all Identity Assurance Services, or an Identity Assurance Service in the context of a specific service. In the absence of such a legal framework then alternative measures must be taken to ensure transparency, scrutiny and accountability for any exceptions.

9.2 Any exemption from the application of any of the above Principles that relates to the processing of personal data must also be necessary and justifiable in terms of one of the criteria in Article 8(2) of the European Convention of Human Rights: namely in the interests of national security; public safety or the economic well-being of the country; for the prevention of disorder or crime; for the protection of health or morals, or for the protection of the rights and freedoms of others.

9.3 Any subsequent processing of personal data by any Third Party who has obtained such data in exceptional circumstances (as identified by Article 8(2) above) must be the minimum necessary to achieve that (or another) exceptional circumstance.

9.4 Any exceptional circumstance involving the processing of personal data must be subject to a Privacy Impact Assessment by all relevant “data controllers” (where “data controller” takes its meaning from the Data Protection Act).

9.5 Any exemption from the application of any of the above Principles in relation to IdA data shall remain subject to the Dispute Resolution Principle.”

Amendment 220, in schedule 1, page 141, leave out from line 21 to the end of line 36 on page 144.

This amendment would remove from the new Annex 1 of the UK GDPR provisions which would enable direct marketing for the purposes of democratic engagement. See also Amendment 218.

Government amendments 266 to 277.

Government amendments 208 to 211.

Amendment 15, in schedule 5, page 154, line 2, at end insert—

“(g) the views of the Information Commission on suitability of international transfer of data to the country or organisation.”

This amendment requires the Secretary of State to seek the views of the Information Commission on whether a country or organisation has met the data protection test for international data transfer.

Amendment 14, page 154, line 25, at end insert—

“5. In relation to special category data, the Information Commissioner must assess whether the data protection test is met for data transfer to a third country or international organisation.”

This amendment requires the Information Commission to assess suitability for international transfer of special category data to a third country or international organisation.

Amendment 13, page 154, line 30, leave out “ongoing” and insert “annual”.

This amendment mandates that a country’s suitability for international transfer of data is monitored on an annual basis.

Amendment 16, in schedule 6, page 162, line 36, at end insert—

“(g) the views of the Information Commission on suitability of international transfer of data to the country or organisation.”

This amendment requires the Secretary of State to seek the views of the Information Commission on whether a country or organisation has met the data protection test for international data transfer in relation to law enforcement processing.

Government amendment 212.

Amendment 231, in schedule 13, page 202, line 33, at end insert—

“(2A) A person may not be appointed under sub-paragraph (2) unless the Science, Innovation and Technology Committee of the House of Commons has endorsed the proposed appointment.”

This amendment would ensure that non-executive members of the Information Commission may not be appointed unless the Science, Innovation and Technology Committee has endorsed the Secretary of State’s proposed appointee.

Government amendments 213 to 216.

Sir John Whittingdale

The current one-size-fits-all, top-down approach to data protection that we inherited from the European Union has led to public confusion, which has impeded the effective use of personal data to drive growth and competition, and to support key innovations. The Bill seizes on a post-Brexit opportunity to build on our existing foundations and create an innovative, flexible and risk-based data protection regime. This bespoke model will unlock the immense possibilities of data use to improve the lives of everyone in the UK, and help make the UK the most innovative society in the world through science and technology.

I want to make it absolutely clear that the Bill will continue to maintain the highest standards of data protection that the British people rightly expect, but it will also help those who use our data to make our lives healthier, safer and more prosperous. That is because we have convened industry leaders and experts to co-design the Bill at every step of the way. We have held numerous roundtables with both industry experts in the field and campaigning groups. The outcome, I believe, is that the legislation will ensure our regulation reflects the way real people live their lives and run their businesses.

Layla Moran (Oxford West and Abingdon) (LD)

I am grateful to the Minister for giving way so early. Oxford West and Abingdon has a huge number of spin-offs and scientific businesses that have expressed concern that any material deviation on standards, particularly European Union data adequacy, would entangle them in more red tape, rather than remove it. He says he has spoken to industry leaders. Have he and his Department assessed the risk of any deviation? Is there any associated cost to businesses from any potential deviation? Who is going to bear that cost?

Sir John Whittingdale

I share the hon. Lady’s appreciation of the importance of data adequacy with the European Union. It is not the case that we have to replicate every aspect of GDPR to be assessed as adequate by the European Union for the purposes of data exchange. Indeed, a number of other countries have data adequacy, even though they do not have precisely the same framework of data protection legislation.

In drawing up the measures in the Bill, we have been very clear that we do not wish to put data adequacy at risk, and we are confident that nothing in the Bill does so. That is not only my view; it is the view of the expert witnesses who gave evidence in Committee. It is also the view of the Information Commissioner, who has been closely involved in all the measures before us today. I recognise the concern, but I do not believe it has any grounds.

Layla Moran

The Minister says, “We do not wish”. Is that a guarantee from the Dispatch Box that there will be absolutely no deviation that causes a material difference for businesses on EU data adequacy? Can he give that guarantee?

Sir John Whittingdale

I can guarantee that there is nothing in the Government’s proposals that we believe puts data adequacy at risk. That is not just our view; it is the view of all those we have consulted, including the Information Commissioner. He was previously the information commissioner in New Zealand, which has its own data protection laws but is, nevertheless, recognised as adequate by the EU. He is very familiar with the process required to achieve and keep data adequacy, and it is his view, as well as ours, that the Bill achieves that objective.

We believe the Government amendments will strengthen the fundamental elements of the Bill and reflect the Government’s commitment to unleashing the power of data across our economy and society. I have already thanked all the external stakeholders who have worked with us to ensure that the Bill functions at its best. Taken together, we believe these amendments will benefit the economy by £10.6 billion over the next 10 years. That is more than double the estimated impact of the Bill when it was introduced in the spring.

Dawn Butler (Brent Central) (Lab)

Will the Minister confirm that no services will rely on digital identity checks?

Sir John Whittingdale

I will come on to that, because we have tabled a few amendments on digital verification and the accreditation of digital identity.

We are proposing a voluntary framework. We believe that using digital identity has many advantages, and those will become greater as the technology improves, but there is no compulsory or mandatory element to the use of digital identity. I understand why the hon. Lady raises that point, and I am happy to give her that assurance.

Sir Jeremy Wright (Kenilworth and Southam) (Con)

Before my right hon. Friend moves on to the specifics of the Government amendments, may I ask him about something they do not yet cover? The Bill does not address the availability of data to researchers so that they can assist in the process of, for example, identifying patterns in online safety. He will know that there was considerable discussion of this during the passage of the Online Safety Act 2023, when a succession of Ministers said that we might return to the subject in this Bill. Will he update the House on how that is going? When might we expect to see amendments to deal with this important area?

Sir John Whittingdale

It is true that we do not have Government amendments to that effect, but it is a central part of the Bill that we have already debated in Committee. Making data more available to researchers is, indeed, an objective of the Bill, and I share my right hon. and learned Friend’s view that it will produce great value. If he thinks more needs to be done in specific areas, I would be very happy to talk to him further or to respond in writing.

--- Later in debate ---
Sir Chris Bryant

Broadly speaking, we support this measure. What negotiations and discussions has the Minister had about red notices under Interpol and the abuse of them, for instance by the Russian state? We have concerns about decent people being maltreated by the Russian state through the use of red notices. Are those concerns conflicted by the measure that the Government are introducing?

Sir John Whittingdale

As the hon. Gentleman knows, I strongly share his view about the need to act against abuse of legal procedures by the Russian state. As he will appreciate, this aspect of the Bill emanated from the Home Office. However, I have no doubt that my colleagues in the Home Office will have heard the perfectly valid point he makes. I hope that they will be able to provide him with further information about it, and I will draw the matter to their attention.

I wish to say just a few more words about the biometric material received from our international partners, as a tool in protecting the public from harm. Sometimes, counter-terrorism police receive biometrics from international partners with identifiable information. Under current laws, they are not allowed to retain these biometrics unless they were taken in the past three years. That can make it harder for our counter-terrorism police to carry out their job effectively. That is why we are making changes to allow the police to take proactive steps to pseudonymise biometric data received from international partners—obviously, that means holding the material without including information that identifies the person—and hold indefinitely under existing provisions in the Counter-Terrorism Act information that identifies the person it relates to. Again, those changes have been requested by counter-terrorism police and will support them to better protect the British public.

The national underground asset register, or NUAR, is a digital map that will improve both the efficiency and safety of underground works, by providing secure access to privately and publicly owned location data about the pipes and cables beneath our feet. This will underpin the Government’s priority to get the economy growing by expediting projects such as new roads, new houses and broadband roll-out—the hon. Gentleman and I also share a considerable interest in that.

The NUAR will bring together valuable data from more than 700 public and private sector organisations about the location of underground utilities assets. This will deliver £490 million per year of economic growth, through increased efficiency, reduced asset strikes and reduced disruptions for citizens and businesses. Once operational, the running of the register will be funded by those who benefit most. The Government’s amendments include powers to, through regulations, levy charges on apparatus owners and request relevant information. The introduction of reasonable charges payable by those who benefit from the service, rather than the taxpayer, will ensure that the NUAR is a sustainable service for the future. Other amendments will ensure that there is the ability to realise the full potential of this data for other high-value uses, while respecting the rights of asset owners.

Carol Monaghan (Glasgow North West) (SNP)

Is any consideration given to the fact that that information could be used by bad actors? If people are able to find out where particular cables or pipes are, they also have the ability to find weakness in the system, which could have implications for us all.

Sir John Whittingdale

I understand the hon. Lady’s point. There would need to be a legitimate purpose for accessing such information and I am happy to supply her with further detail about precisely how that works.

The hon. Lady intervenes at an appropriate point, because I was about to say that the provision will allow the National Underground Asset Register service to operate in England and Wales. We intend to bring forward equivalent provisions as the Bill progresses in the other House, subject to the usual agreements, to allow the service to operate in Northern Ireland, but the Scottish Road Works Commissioner currently maintains its own register. It has helped us in the development of the NUAR, so the hon. Lady may like to talk to the Scottish Road Works Commissioner on that point.

I turn to the use of data for the purposes of democratic engagement, which is an issue of considerable interest to Members of the House. The Bill includes provisions to facilitate the responsible use of personal data by elected representatives, registered political parties and others for the purposes of “democratic engagement”. We have tabled further related amendments for consideration today, including adding a fuller definition of what constitutes “democratic engagement activities” to help the reader understand that term wherever it appears in the legislation.

The amendments provide for former MPs to continue to process personal data following a successful recall petition, to enable them to complete urgent casework or hand over casework to a successor, as they do following the Dissolution of Parliament. For consistency, related amendments are made to the definitions used in provisions relating to direct marketing for the purposes of democratic engagement.

Finally, hon. Members may be aware that the Data Protection Act 2018 currently permits registered political parties to process sensitive political opinions data without consent for the purposes of their political activities. The exemption does not however currently apply to elected representatives, candidates, recall petitioners and permitted participants in referendums. The amendment addresses that anomaly and allows those individuals to benefit from the same exemption as registered political parties.

Patrick Grady (Glasgow North) (SNP)

Is the Minister prepared to look at how the proposals in the Bill and the amendments align with relevant legislation passed in the Scottish Government? A number of framework Bills to govern the operation of potential future referendums on a variety of subjects have been passed, particularly the Referendums (Scotland) Act 2020. It is important that there is alignment with the definitions used in the Bill, such as that for “a permitted participant”. Will he commit to looking at that and, if necessary, make changes to the Bill at a later stage in its progress, in discussion with the Scottish Government?

Sir John Whittingdale

I am happy to look at that, as the hon. Gentleman suggests. I hope the changes we are making to the Bill will provide greater legal certainty for MPs and others who undertake the processing of personal data for the purposes of democratic engagement.

The Bill starts and ends with reducing burdens on businesses and, above all, on small businesses, which account for over 99% of UK firms. In the future, organisations will need to keep records of their processing activities only when those activities are likely to result in a high risk to individuals. Some organisations have queried whether that means they will have to keep records in relation to all their activities if only some of their processing activities are high risk. That is not the Government’s intention. To maximise the benefits to business and other organisations, the amendments make it absolutely clear that organisations have to keep records only in relation to their high-risk processing activities.

The Online Safety Act 2023 took crucial steps to shield our children, and it is also important that we support grieving families who are seeking answers after tragic events where a child has taken their own life, by removing obstacles to accessing social media information that could be relevant to the coroner’s investigations.

Layla Moran

We welcome such measures, but is the Minister aware of the case of Breck Bednar, who was groomed and then murdered? His family is campaigning not just for new clause 35 but for measures that go further. In that case, the coroner would have wanted access to Breck’s online life but, as it currently stands, new clause 35 does not provide what the family needs without a change to widen the scope of the amendment to the Online Safety Act. Will the Minister look at that? I think it will just require a tweak in some of the wording.

Sir John Whittingdale

I understand the concerns of the hon. Lady. We want to do all that we can to support the bereaved parents of children who have lost their lives. As it stands, the amendment will require Ofcom, following notification from a coroner, to issue information notices to specified providers of online services, requiring them to hold data they may have relating to a deceased child’s use of online services, in circumstances where the coroner suspects the child has taken their own life, which could later be required by a coroner as relevant to an inquest.

We will continue to work with bereaved families and Members of the other place who have raised concerns. During the passage of the Online Safety Act, my noble colleague Lord Parkinson of Whitley Bay made it clear that we are aware of the importance of data preservation to bereaved parents, coroners and others involved in investigations. It is very important that we get this right. I hear what the hon. Lady says and give her an assurance that we will continue to work across Government, with the Ministry of Justice and others, in ensuring that we do so.

The hon. Member for Rhondda made reference to proposed new schedule 1, relating to improving our ability to identify and tackle fraud in the welfare system. I am grateful for the support of the Minister for Disabled People, Health and Work, my hon. Friend the Member for Corby (Tom Pursglove). In 2022-23, the Department for Work and Pensions overpaid £8.3 billion in fraud and error. A major area of loss is the under-declaration of financial assets, which we cannot currently tackle through existing powers. Given the need to address the scale of fraud and error in the welfare system, we need to modernise and strengthen the legal framework, to allow the Department for Work and Pensions to keep pace with change and stand up to future fraud challenges.

As I indicated earlier, the fraud plan, published in 2022, contains a provision outlining the DWP’s intention to bring forward new powers that would boost access to data held by third parties. The amendment will enable the DWP to access data held by third parties at scale where the information signals potential fraud or error. That will allow the DWP to detect fraud and error more proactively and protect taxpayers’ money from falling into the hands of fraudsters.

Sir Stephen Timms (East Ham) (Lab)

My reading of the proposed new schedule is that it gives the Department the power to look into the bank accounts of people claiming the state pension. Am I right about that?

Sir John Whittingdale

The purpose of the proposed new schedule is narrowly focused. It will ensure that where benefit claimants may also have considerable financial assets, that is flagged with the DWP for further examination, but it does not allow people to go through the contents of people’s bank accounts. It is an alarm system where financial institutions that hold accounts of benefit claimants can match those against financial assets, so where it appears fraud might be taking place, they can refer that to the Department.

Sir Chris Bryant

But it does include the state pension, doesn’t it?

Sir John Whittingdale

I am surprised that the Opposition regard this as something to question. Obviously, they are entitled to seek further information, but I would hope that they share the wish to identify where fraud is taking place and take action against it. This is about claimants of benefits, including universal credit—

Sir John Whittingdale

The state pension will not currently be an area of focus for the use of these powers.

Sir Chris Bryant

The House of Commons Library makes it absolutely clear that the Bill, if taken forward in the way that the Government are proposing at the moment, does allow the Government to look at people in receipt of state pensions. That is the case, is it not?

--- Later in debate ---
Sir John Whittingdale

I can tell the hon. Gentleman that it is not the case that the DWP intends to focus on the state pension—and that is confirmed by my hon. Friend the Member for Corby. This is specifically about ensuring that means-related benefit claimants are eligible for the benefits for which they are currently claiming. In doing that, the identification and the avoidance of fraud will save the taxpayer a considerable amount of money.

Mr David Davis (Haltemprice and Howden) (Con)

I think everybody in the House understands the importance of getting this right. We all want to stop fraud in the state system. That being said, this is the only time that I am aware of where the state seeks the right to put people under surveillance without prior suspicion, and therefore such a power has to be restricted very carefully indeed. As we are not going to have time to debate this properly today, is my right hon. Friend open to having further discussion on this issue when the Bill goes to the Lords, so that we can seek further restrictions? I do not mean to undermine the effectiveness of the action; I just want to make it more targeted.

Sir John Whittingdale

I am very grateful to my right hon. Friend for his contribution, and I share his principled concern that the powers of the state should be limited to those that are absolutely necessary. Those who are in receipt of benefits funded by the taxpayer have an obligation to meet the terms of those benefits, and this provision is one way of ensuring that they do so. My hon. Friend the Member for Corby has already said that he would be very happy to discuss this matter with my right hon. Friend further, and I am happy to do the same if that is helpful to him.

Sir Stephen Timms

Can the Minister give us an example of the circumstances in which the Department would need to look into the bank accounts of people claiming state pensions in order to tackle the fraud problem? Why is the state pension within the scope of this amendment?

Sir John Whittingdale

All I can say to the right hon. Gentleman is that the Government have made it clear that there is no intention to focus on claimants of the state pension. That is an undertaking that has been given. I am sure that Ministers from the DWP would be happy to give further evidence to the right hon. Gentleman, who may well wish to look at this further in his Committee.

Finally, I wish to touch on the framework around smart data, which is contained in part 3 of the Bill. The smart data powers will extend the Government’s ability to introduce smart data schemes, building on the success of open banking, which is the UK’s most developed data sharing scheme, with more than 7 million active users. The amendments will support the Government’s ability to meet their commitment, first, to provide open banking with a long-term regulatory framework, and, secondly, to establish an open data scheme for road fuel prices. It will also more generally strengthen the toolkit available to Government to deliver future smart data schemes.

The amendments ensure that the range of data and activities essential to smart data schemes are better captured and more accurately defined. That includes types of financial data and payment activities that are integral to open banking. The amendments, as I say, are complicated and technical and therefore I will not go into further detail.

Sir John Whittingdale

I will give way to my hon. Friend as I know that he has taken a particular interest, and is very knowledgeable, in this area.

John Penrose

The Minister is very kind. I just wanted to pick up on his last point about smart data. He is right to say that the provisions are incredibly important and potentially extremely valuable to the economy. Can he just clarify a couple of points? I want to be clear on Government new clause 27 about interface bodies. Does that apply to the kinds of new data standards that will be required under smart data? If it does, can he please clarify how he will make sure that we do not end up with multiple different standards for each sector of our economy? It is absolutely in everybody’s interests that the standards are interoperable and, to the greatest possible extent, common between sectors so that they can talk to each other.

Sir John Whittingdale

I do have a note on interface bodies, which I am happy to include for the benefit of my hon. Friend. However, he will be aware that this is a technical and complicated area. If he wants to pursue a further discussion, I would of course be happy to oblige. I can tell him that the amendments will ensure that smart data schemes can replicate and build on the open banking model by allowing the Government to require interface bodies to be set up by members of the scheme. Interface bodies will play a similar role to that of the open banking implementation entity, developing common standards on arrangements for data sharing. Learning from the lessons and successes of the open banking regime, regulations will be able to specify the responsibilities and requirements for interface bodies and ensure appropriate accountability to regulators. I hope that that goes some way to addressing the point that he makes, but I would be happy to discuss it further with him in due course.

I believe these amendments will generally improve the functioning of the Bill and address some specific concerns that I have identified. On that basis, I commend them to the House.

--- Later in debate ---
Mr Deputy Speaker (Sir Roger Gale)

With the leave of the House, I call the Minister to wind up the debate.

Sir John Whittingdale

I thank all hon. Members who have contributed to the debate. I believe that these matters are important, if sometimes very complicated and technical. My hon. Friend the Member for Yeovil (Mr Fysh) was absolutely right to stress how fundamentally important they are, and they will become more so.

I also thank the shadow Minister for identifying the areas where we are in agreement. We had a good Committee stage with his colleague, the hon. Member for Barnsley East (Stephanie Peacock), where we agreed on the overall objectives of the Bill. It is welcome that the shadow Minister has supported us, particularly on the amendment that we moved this afternoon on the powers of the Information Commissioner’s Office, the provisions relating to digital verification services, and smart data. There were, however, some areas on which we will not agree.

Let me begin by addressing the main amendments that the hon. Gentleman has moved. Amendment 1 relates to high-risk processing. It is the case that one of the main aims of the Bill is to remove some of the UK GDPR’s unnecessary compliance burdens. That is why organisations will be required to designate only senior responsible individuals to carry out risk assessments and keep records of processing when their activities pose high risks to individuals. The amendments that the hon. Gentleman is proposing would reintroduce a prescriptive list of high-risk processing activities drawn from article 35 of the UK GDPR. We find that some of the language in article 35 is unclear and confusing, which is partly why we removed it in the first place. We think organisations should have the ability to make a judgment of risk based on the specific nature, scale and context of their own processing activities. We do not need to provide prescriptive examples of high-risk processing in the legislation, because any list could quickly become out of date. Instead, to help data controllers, clause 18 of the Bill requires the ICO to produce a document with examples of what the commissioner considers to be high-risk processing.

Sir Chris Bryant

But the Minister has already indicated that, basically, he will come forward with exactly the same list as is in the legislation that the Government are amending. All that is happening is that, in the Bill, the Information Commissioner will be doing what the Government or the House could be doing, and this is the one area where the Government disagree with the Information Commissioner.

Sir John Whittingdale

As I say, the Government do not believe that it is necessary to have a prescriptive list in the Bill. We feel that it is better that individuals make a judgment based on their assessment of the risk, with the guidance of the Information Commissioner.

Moving to the shadow Minister’s second amendment, the Government agree that controllers should not be able to refuse a request without proper thought or consideration. That is why the existing responsibilities of controllers to facilitate requests from data subjects as the default have not changed and why the new article 12A also ensures that the burden of proof for a request meeting the vexatious or excessive threshold remains with the controller. The Government believe that is sufficient, and stipulating that evidence must be provided each time a request is refused may not be appropriate in all circumstances and would likely bring further burdens for controllers. On that basis, we oppose that amendment.

On amendment 5, the safeguards set out in reformed article 22 of the UK GDPR ensure that individuals are able to seek human intervention when significant decisions about them are taken solely through automated means with no meaningful human involvement.

Partly automated decisions already involve meaningful human involvement, so there is no need to extend the safeguards in article 22 to all forms of automated decision making. In such instances, other data protection requirements continue to apply and offer relevant protections to data subjects, as set out in the broader UK data protection regime. Those protections include lawfulness, fairness, transparency and accountability.

--- Later in debate ---
Sir Stephen Timms

My understanding was that the level of fraud among state pension claims was indeed extremely small. The Minister said earlier that the Government should take powers only where they are absolutely necessary; I think he is now saying that they are not necessary in the case of people claiming a state pension. Is he confident that that bit of this power—to look into the bank account of anybody claiming a state pension—is absolutely necessary?

Sir John Whittingdale

What I am saying is that the Government’s intention is to use the power only when there is clear evidence or suggestion that fraud is taking place on a significant scale. The Government simply want to retain the option to amend that should future evidence emerge; that is why the issue has been left open.

Sir Chris Bryant

The trouble is that this is not about amending. The Government describe the relevant benefits in part 5 of proposed new schedule 3B, within new schedule 1, which is clear that pensions are included. The Minister has effectively said at the Dispatch Box that the Government do not need to tackle fraud in relation to pensions; perhaps it would be a good idea for us to all sit down and have a meeting to work out a more sensible set of measures to tackle fraud where it is necessary, rather than giving unending powers to the Government.

Sir John Whittingdale

I agree, to the extent that levels of fraud in state pensions being currently nearly zero, the power is not needed in that case. However, the Government wish to retain an option should the position change in the future. But I am happy to take the hon. Gentleman up on his request on behalf of my hon. Friend the Minister for Disabled People, Health and Work, with whom he has already engaged. I am sure that the right hon. Member for East Ham will want to examine the issue further in the Work and Pensions Committee, which he chairs. It will undoubtedly also be subject to further discussions in the other place. We are certainly open to further discussion.

The right hon. Member for East Ham also raised the question of commencement. I can tell him that the test and learn phase will begin in 2025, with a steady roll-out to full-scale delivery by 2030. I am sure that he will want to examine these matters further.

The amendment tabled by my right hon. Friend the Member for Haltemprice and Howden (Mr Davis) focuses on digital exclusion. The Bill provides for the use of secure and inclusive digital identities across the economy. It does not force businesses or individuals to use them. Individual choice is integral to our approach. As the Bill makes clear, digital verification services can be provided only at the request of the individual. Where people want to use a digital verification service, the Government are committed to ensuring that available products and services are secure and privacy-focused. That is to be achieved through the high standards set out in the trust framework.

The trust framework also outlines how services can improve inclusion, and requires services to publish an annual inclusion monitoring report. There are businesses that operate only in the digital sphere, such as some online banks and energy companies, as I think has been acknowledged. We feel that to oblige them to offer manual document checking would place obligations on businesses that go beyond the Government’s commitment to do only what is necessary to enable the digital market to grow.

On amendment 224 from the Scottish National party, solely automated decision making that produces legal or similarly significant effects on individuals was not entirely prohibited previously under the UK’s data protection legal framework. The rules governing article 22 are confusing and complex, so clause 12 clarifies and simplifies the rules related to solely automated decision making, and will reduce barriers to responsible data use, help to drive innovation, and maintain high standards of data protection. The reforms do not water down any of the protections to data subjects offered under the broader UK data protection regime—that is, UK GDPR and the Data Protection Act 2018.

On the other amendment tabled by the SNP, amendment 229, effective independent oversight of surveillance camera systems is crucial to public trust. The oversight framework is complex and confusing for the police and public because of substantial duplication between the surveillance camera commissioner functions and the code, which covers police and local authorities in England and Wales only, and the ICO and data protection legislation. The Bill addresses that, following public consultation, through abolishing the surveillance camera commissioner and code.

The amendment tabled by the hon. Member for Glasgow North would negate that by retaining the code and transferring the surveillance camera commissioner functions to the investigatory powers commissioner. It would also blur the lines between overt and covert surveillance, which the investigatory powers commissioner oversees. Those two types of surveillance have distinct legislation and oversight, mainly because covert surveillance is generally considered to be significantly more intrusive.

On amendment 222, it is important to be clear that the ability to refuse or charge a reasonable fee for a request already exists, and clause 8 does not place new restrictions on reasonable requests from data subjects. The Government believe that it is proportionate to allow controllers to refuse or charge a reasonable fee for vexatious or excessive requests, and a clearer provision enables controllers to focus time and resources on responding to reasonable requests instead.

Amendments 278 and 279, tabled by my hon. Friend the Member for Yeovil, would remove the new lawful ground of recognised legitimate interests, which the Bill will add to article 6 of UK GDPR. Amendment 230 accepts that there is merit in retaining the recognised legitimate interests list, but would make any additions to it subject to a super-affirmative parliamentary procedure. It is true that the Bill removes the need for non-public-sector organisations to do a detailed legitimate interests assessment in relation to a small number of processing activities. Those include activities relating for example to the safeguarding of children, crime prevention and responding to emergencies. We heard from stakeholders that the need to do an assessment and the fear of getting it wrong could sometimes delay or deter those important processing activities from taking place. Future Governments would not be able to add new activities to the list lightly; clause 5 of the Bill already makes it clear that the Secretary of State must carefully consider the rights and interests of people, and in particular the special protection needed for children, before adding anything new to the list. Any new regulations would also need to be approved via the affirmative resolution procedure.

My hon. Friend the Member for Yeovil has tabled a large number of other amendments, which are complicated in nature. I have written to him in some detail setting out the Government’s response to each of those, but if he wishes to pursue further any of the points contained therein I would be very happy to have further discussions with him.

I would like to comment on the amendments by several of my colleagues that I wish I was in a position to be able to support. In particular, my hon. Friend the Member for Loughborough (Jane Hunt) has been assiduous in pursuing her point both in the Bill Committee and in this debate. The problem she identifies is without question a very real one, and she set out in some detail how it is massively increasing the burden on the police, which clearly we would wish to reduce wherever possible.

I have had meetings with Home Office Ministers, as my hon. Friend has, and they absolutely identify that problem and share her wish. While we welcome her intent, the problem is that we do not think that her amendment as drafted would achieve her aims of removing the burden of redaction. To do so would require the amendment and exception of more principles than those identified in the amendment. Indeed, it would require the amendment of more laws than just the Data Protection Act 2018.

The Government are absolutely committed to reducing the burden on the police, but it is obviously important that, if we do so, we do it right, and that the solution works comprehensively. We are therefore actively working on ways to better address the issue, including through improved process, new technology, guidance and legislation. I am very happy to continue to work with her on achieving the aim that we all share and so too, I know, are colleagues in the Home Office.

With respect to the amendments tabled by my hon. Friend the Member for Weston-super-Mare (John Penrose), as I indicated, we absolutely share his enthusiasm for smart data and ensuring that the powers within the Bill are implemented in a timely manner, with interoperability at their core. While I agree that we can only fully realise the benefits of smart data schemes if they enable interoperability, different sectors will have different levels of existing digital infrastructure and capability. Thus, we could inadvertently hinder the success of future schemes if we mandated the use of one universal set of standards based, for instance, on those used in open banking.

The Government will ensure that interoperability is central to the development of smart data schemes. To support our thinking, we are working with industry and regulators in the Smart Data Council to identify the technical infrastructure that needs to be replicated. With regard to the timeline—or even the timeline for a timeline—that my hon. Friend asked for, I recognise that it is important to build investor, industry and consumer confidence by outlining the Government’s planned timeline.

My hon. Friend is right to highlight the Chancellor’s comments in the autumn statement, where we set out plans to kick-start the smart data big bang, and our ambition for using those powers across seven sectors. At this stage I am afraid I am not able to accept his amendment, but it is our intention to set out those plans in more detail in the coming months. I know the Under-Secretary of State for Business and Trade, my hon. Friend the Member for Thirsk and Malton (Kevin Hollinrake) and I will be happy to work with him to do so.

The aim of the amendment tabled by the hon. Member for Jarrow (Kate Osborne) was to clarify that, when special category data of employees such as health data is transferred between members of a group of undertakings for internal administrative purposes on grounds of legitimate interests, the conditions and safeguards outlined in schedule 1 of the Data Protection Act should apply to that processing. The Government agree with the sentiment of her amendment, but consider that it is unnecessary. The current legal framework already requires controllers to identify an exemption under article 9 of the UK GDPR if they are processing special category data. Those exemptions are supplemented by the conditions and safeguards outlined in schedule 1. Under those provisions, employers can process special category data where processing is necessary to comply with obligations under employment law. We do not therefore consider the amendment necessary.

Finally, I turn to new clause 45, tabled by my hon. Friend the Member for Aberconwy (Robin Millar). The Government are absolutely committed to improving the availability of comparable UK-wide data. He, too, has been assiduous in promoting that cause, and we are very happy to work with him. We are extremely supportive of the principle underlying his amendment. He is right to point out that people have the right to know the extent of Labour’s failings with the NHS in Wales, as he pointed out, and his new clause sends an important message on our commitment to better data. I can commit to working at pace with him and the UK Statistics Authority to look at ways in which we may be able to implement the intentions of his amendment and bring forward legislative changes following those discussions.

On that basis, I commend the Government amendments to the House.

Question put and agreed to.

New clause 6 accordingly read a Second time, and added to the Bill.

Mr Deputy Speaker (Sir Roger Gale)

For the benefit of all Members, we are before the knife, so we will have to go through a sequence of procedures. It would help me, the Clerk and the Minister if we had a degree of silence. This will take a little time, and we need to be able to concentrate.

New Clause 48

Processing of personal data revealing political opinions

“(1) Schedule 1 to the Data Protection Act 2018 (special categories of personal data) is amended in accordance with subsections (2) to (5).

(2) After paragraph 21 insert—

‘Democratic engagement

21A (1) This condition is met where—

(a) the personal data processed is personal data revealing political opinions,

(b) the data subject is aged 14 or over, and

(c) the processing falls within sub-paragraph (2),

subject to the exceptions in sub-paragraphs (3) and (4).

(2) Processing falls within this sub-paragraph if—

(a) the processing—

(i) is carried out by an elected representative or a person acting with the authority of such a representative, and

(ii) is necessary for the purposes of discharging the elected representative’s functions or for the purposes of the elected representative’s democratic engagement activities,

(b) the processing—

(i) is carried out by a registered political party, and

(ii) is necessary for the purposes of the party’s election activities or democratic engagement activities,

(c) the processing—

(i) is carried out by a candidate for election as an elected representative or a person acting with the authority of such a candidate, and

(ii) is necessary for the purposes of the candidate’s campaign for election,

(d) the processing—

(i) is carried out by a permitted participant in relation to a referendum or a person acting with the authority of such a person, and

(ii) is necessary for the purposes of the permitted participant’s campaigning in connection with the referendum, or

(e) the processing—

(i) is carried out by an accredited campaigner in relation to a recall petition or a person acting with the authority of such a person, and

(ii) is necessary for the purposes of the accredited campaigner’s campaigning in connection with the recall petition.

(3) Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.

(4) Processing does not meet the condition in sub-paragraph (1) if—

(a) an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),

(b) the notice gave the controller a reasonable period in which to stop processing such data, and

(c) that period has ended.

(5) For the purposes of sub-paragraph (2)(a) and (b)—

(a) “democratic engagement activities” means activities whose purpose is to support or promote democratic engagement;

(b) “democratic engagement” means engagement by the public, a section of the public or a particular person with, or with an aspect of, an electoral system or other democratic process in the United Kingdom, either generally or in connection with a particular matter, whether by participating in the system or process or engaging with it in another way;

(c) examples of democratic engagement activities include activities whose purpose is—

(i) to promote the registration of individuals as electors;

(ii) to increase the number of electors participating in elections for elected representatives, referendums or processes for recall petitions in which they are entitled to participate;

(iii) to support an elected representative or registered political party in discharging functions, or carrying on other activities, described in sub-paragraph (2)(a) or (b);

(iv) to support a person to become a candidate for election as an elected representative;

(v) to support a campaign or campaigning referred to in sub-paragraph (2)(c), (d) or (e);

(vi) to raise funds to support activities whose purpose is described in sub-paragraphs (i) to (v);

(d) examples of activities that may be democratic engagement activities include—

(i) gathering opinions, whether by carrying out a survey or by other means;

(ii) communicating with electors.

(6) In this paragraph—

“accredited campaigner” has the meaning given in Part 5 of Schedule 3 to the Recall of MPs Act 2015;

“candidate”, in relation to election as an elected representative, has the meaning given by the provision listed in the relevant entry in the second column of the table in sub-paragraph (7);

“elected representative” means a person listed in the first column of the table in sub-paragraph (7) and see also sub-paragraphs (8) to (10);

“election activities”, in relation to a registered political party, means—

(a) campaigning in connection with an election for an elected representative, and

(b) activities whose purpose is to enhance the standing of the party, or of a candidate standing for election in its name, with electors;

“elector” means a person who is entitled to vote in an election for an elected representative or in a referendum;

“permitted participant” has the same meaning as in Part 7 of the Political Parties, Elections and Referendums Act 2000 (referendums) (see section 105 of that Act);

“recall petition” has the same meaning as in the Recall of MPs Act 2015 (see section 1(2) of that Act);

“referendum” means a referendum or other poll held on one or more questions specified in, or in accordance with, an enactment;

“registered political party” means a person or organisation included in a register maintained under section 23 of the Political Parties, Elections and Referendums Act 2000;

“successful”, in relation to a recall petition, has the same meaning as in the Recall of MPs Act 2015 (see section 14 of that Act).

(7) This is the table referred to in the definitions of “candidate” and “elected representative” in sub-paragraph (6)—

| Elected representative | Candidate for election as an elected representative |
| --- | --- |
| member of the House of Commons | section 118A of the Representation of the People Act 1983 |
| a member of the Senedd | article 84(2) of the National Assembly for Wales (Representation of the People) Order 2007 (S.I. 2007/236) |
| a member of the Scottish Parliament | article 80(1) of the Scottish Parliament (Elections etc) Order 2015 (S.S.I. 2015/425) |
| a member of the Northern Ireland Assembly | section 118A of the Representation of the People Act 1983, as applied by the Northern Ireland Assembly (Elections) Order 2001 (S.I. 2001/2599) |
| an elected member of a local authority within the meaning of section 270(1) of the Local Government Act 1972, namely— (i) in England, a county council, a district council, a London borough council or a parish council; (ii) in Wales, a county council, a county borough council or a community council; | section 118A of the Representation of the People Act 1983 |
| an elected mayor of a local authority within the meaning of Part 1A or 2 of the Local Government Act 2000 | section 118A of the Representation of the People Act 1983, as applied by the Local Authorities (Mayoral Elections) (England and Wales) Regulations 2007 (S.I. 2007/1024) |
| a mayor for the area of a combined authority established under section 103 of the Local Democracy, Economic Development and Construction Act 2009 | section 118A of the Representation of the People Act 1983, as applied by the Combined Authorities (Mayoral Elections) Order 2017 (S.I. 2017/67) |
| a mayor for the area of a combined county authority established under section 9 of the Levelling-up and Regeneration Act 2023 | section 118A of the Representation of the People Act 1983, as applied by the Combined Authorities (Mayoral Elections) Order 2017 (S.I. 2017/67) |
| the Mayor of London or an elected member of the London Assembly | section 118A of the Representation of the People Act 1983 |
| an elected member of the Common Council of the City of London | section 118A of the Representation of the People Act 1983 |
| an elected member of the Council of the Isles of Scilly | section 118A of the Representation of the People Act 1983 |
| an elected member of a council constituted under section 2 of the Local Government etc (Scotland) Act 1994 | section 118A of the Representation of the People Act 1983 |
| an elected member of a district council within the meaning of the Local Government Act (Northern Ireland) 1972 (c. 9 (N.I.)) | section 130(3A) of the Electoral Law Act (Northern Ireland) 1962 (c. 14 (N.I.)) |
| (n) a police and crime commissioner | article 3 of the Police and Crime Commissioner Elections Order 2012 (S.I. 2012/1917) |



(8) For the purposes of the definition of “elected representative” in sub-paragraph (6), a person who is—

(a) a member of the House of Commons immediately before Parliament is dissolved,

(b) a member of the Senedd immediately before Senedd Cymru is dissolved,

(c) a member of the Scottish Parliament immediately before that Parliament is dissolved, or

(d) a member of the Northern Ireland Assembly immediately before that Assembly is dissolved,

is to be treated as if the person were such a member until the end of the period of 30 days beginning with the day after the day on which the subsequent general election in relation to that Parliament or Assembly is held.

(9) For the purposes of the definition of “elected representative” in sub-paragraph (6), where a member of the House of Commons’s seat becomes vacant as a result of a successful recall petition, that person is to be treated as if they were a member of the House of Commons until the end of the period of 30 days beginning with the day after—

(a) the day on which the resulting by-election is held, or

(b) if earlier, the day on which the next general election in relation to Parliament is held.

(10) For the purposes of the definition of “elected representative” in sub-paragraph (6), a person who is an elected member of the Common Council of the City of London and whose term of office comes to an end at the end of the day preceding the annual Wardmotes is to be treated as if the person were such a member until the end of the fourth day after the day on which those Wardmotes are held.’

(3) Omit paragraph 22 and the italic heading before it.

(4) In paragraph 23 (elected representatives responding to requests)—

(a) leave out sub-paragraphs (3) to (5), and

(b) at the end insert—

‘(6) In this paragraph, “elected representative” has the same meaning as in paragraph 21A.’

(5) In paragraph 24(3) (definition of ‘elected representative’), for ‘23’ substitute ‘21A’.

(6) In section 205(2) of the 2018 Act (general interpretation: periods of time), in paragraph (i), for ‘paragraph 23(4) and (5)’ substitute ‘paragraph 21A(8) to (10)’.”—(Sir John Whittingdale.)

This new Clause inserts into Schedule 1 to the Data Protection Act 2018 (conditions for processing of special categories of personal data) a condition relating to processing by elected representatives, registered political parties and others of information about an individual’s political opinions for the purposes of democratic engagement activities and campaigning.

Brought up, read the First and Second time, and added to the Bill.

New Clause 7

Searches in response to data subjects’ requests

“(1) In Article 15 of the UK GDPR (right of access by the data subject)—

(a) after paragraph 1 insert—

‘1A. Under paragraph 1, the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that paragraph.’, and

(b) in paragraph 3, after ‘processing’ insert ‘to which the data subject is entitled under paragraph 1’.

(2) The 2018 Act is amended in accordance with subsections (3) and (4).

(3) In section 45 (law enforcement processing: right of access by the data subject), after subsection (2) insert—

‘(2A) Under subsection (1), the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.’

(4) In section 94 (intelligence services processing: right of access by the data subject), after subsection (2) insert—

‘(2ZA) Under subsection (1), the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.’

(5) The amendments made by this section are to be treated as having come into force on 1 January 2024.”—(Sir John Whittingdale.)

This new clause confirms that, in responding to subject access requests, controllers are only required to undertake reasonable and proportionate searches for personal data and other information.

Brought up, read the First and Second time, and added to the Bill.

New Clause 8

Notices from the Information Commissioner

“(1) The 2018 Act is amended in accordance with subsections (2) and (3).

(2) Omit section 141 (notices from the Commissioner).

(3) After that section insert—

‘141A Notices from the Commissioner

(1) This section applies in relation to a notice authorised or required by this Act to be given to a person by the Commissioner.

(2) The notice may be given to the person by—

(a) delivering it by hand to a relevant individual,

(b) leaving it at the person’s proper address,

(c) sending it by post to the person at that address, or

(d) sending it by email to the person’s email address.

(3) A “relevant individual” means—

(a) in the case of a notice to an individual, that individual;

(b) in the case of a notice to a body corporate (other than a partnership), an officer of that body;

(c) in the case of a notice to a partnership, a partner in the partnership or a person who has the control or management of the partnership business;

(d) in the case of a notice to an unincorporated body (other than a partnership), a member of its governing body.

(4) For the purposes of subsection (2)(b) and (c), and section 7 of the Interpretation Act 1978 (services of documents by post) in its application to those provisions, a person’s proper address is—

(a) in a case where the person has specified an address as one at which the person, or someone acting on the person’s behalf, will accept service of notices or other documents, that address;

(b) in any other case, the address determined in accordance with subsection (5).

(5) The address is—

(a) in a case where the person is a body corporate with a registered office in the United Kingdom, that office;

(b) in a case where paragraph (a) does not apply and the person is a body corporate, partnership or unincorporated body with a principal office in the United Kingdom, that office;

(c) in any other case, an address in the United Kingdom at which the Commissioner believes, on reasonable grounds, that the notice will come to the attention of the person.

(6) A person’s email address is—

(a) an email address published for the time being by that person as an address for contacting that person, or

(b) if there is no such published address, an email address by means of which the Commissioner believes, on reasonable grounds, that the notice will come to the attention of that person.

(7) A notice sent by email is treated as given 48 hours after it was sent, unless the contrary is proved.

(8) In this section “officer”, in relation to a body corporate, means a director, manager, secretary or other similar officer of the body.

(9) This section does not limit other lawful means of giving a notice.’

(4) In Schedule 2 to the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696) (Commissioner’s enforcement powers), in paragraph 1(b), for ‘141’ substitute ‘141A’.”—(Sir John Whittingdale.)

This amendment adjusts the procedure by which notices can be given by the Information Commissioner under the Data Protection Act 2018. In particular, it enables the Information Commissioner to give notices by email without obtaining the consent of the recipient to use that mode of delivery.

Brought up, read the First and Second time, and added to the Bill.

New Clause 9

Court procedure in connection with subject access requests

“(1) The Data Protection Act 2018 is amended as follows.

(2) For the italic heading before section 180 substitute—

‘Jurisdiction and court procedure’.

(3) After section 180 insert—

‘180A Procedure in connection with subject access requests

(1) This section applies where a court is required to determine whether a data subject is entitled to information by virtue of a right under—

(a) Article 15 of the UK GDPR (right of access by the data subject);

(b) Article 20 of the UK GDPR (right to data portability);

(c) section 45 of this Act (law enforcement processing: right of access by the data subject);

(d) section 94 of this Act (intelligence services processing: right of access by the data subject).

(2) The court may require the controller to make available for inspection by the court so much of the information as is available to the controller.

(3) But, unless and until the question in subsection (1) has been determined in the data subject’s favour, the court may not require the information to be disclosed to the data subject or the data subject’s representatives, whether by discovery (or, in Scotland, recovery) or otherwise.

(4) Where the question in subsection (1) relates to a right under a provision listed in subsection (1)(a), (c) or (d), this section does not confer power on the court to require the controller to carry out a search for information that is more extensive than the reasonable and proportionate search required by that provision.’”—(Sir John Whittingdale.)

This new clause makes provision about courts’ powers to require information to be provided to them, and to a data subject, when determining whether a data subject is entitled to information under certain provisions of the data protection legislation.

Brought up, read the First and Second time, and added to the Bill.

New Clause 10

Approval of a supplementary code

“(1) This section applies to a supplementary code whose content is for the time being determined by a person other than the Secretary of State.

(2) The Secretary of State must approve the supplementary code if—

(a) the code meets the conditions set out in the DVS trust framework (so far as relevant),

(b) an application for approval of the code is made which complies with any requirements imposed by a determination under section (Applications for approval and re-approval), and

(c) the applicant pays any fee required to be paid by a determination under section (Fees for approval, re-approval and continued approval)(1).

(3) The Secretary of State must notify an applicant in writing of the outcome of an application for approval.

(4) The Secretary of State may not otherwise approve a supplementary code.

(5) In this Part, an “approved supplementary code” means a supplementary code for the time being approved under this section.

(6) For when a code ceases (or may cease) to be approved under this section, see sections (Change to conditions for approval or designation), (Revision of a recognised supplementary code) and (Request for withdrawal of approval).”—(Sir John Whittingdale.)

This amendment sets out when a supplementary code of someone other than the Secretary of State must be approved by the Secretary of State.

Brought up, read the First and Second time, and added to the Bill.

New Clause 11

Designation of a supplementary code

“(1) This section applies to a supplementary code whose content is for the time being determined by the Secretary of State.

(2) If the Secretary of State determines that the supplementary code meets the conditions set out in the DVS trust framework (so far as relevant), the Secretary of State may designate the code as one which complies with the conditions.

(3) In this Part, a ‘designated supplementary code’ means a supplementary code for the time being designated under this section.

(4) For when a code ceases (or may cease) to be designated under this section, see sections (Change to conditions for approval or designation), (Revision of a recognised supplementary code) and (Removal of designation).”—(Sir John Whittingdale.)

This enables the Secretary of State to designate a supplementary code of the Secretary of State as one which complies with the conditions set out in the DVS trust framework.

Brought up, read the First and Second time, and added to the Bill.

New Clause 12

List of recognised supplementary codes

“(1) The Secretary of State must—

(a) maintain a list of recognised supplementary codes, and

(b) make the list publicly available.

(2) For the purposes of this Part, each of the following is a ‘recognised supplementary code’—

(a) an approved supplementary code, and

(b) a designated supplementary code.”—(Sir John Whittingdale.)

This amendment places the Secretary of State under a duty to publish, and keep up to date, a list of supplementary codes that are designated or approved.

Brought up, read the First and Second time, and added to the Bill.

New Clause 13

Change to conditions for approval or designation

“(1) This section applies if the Secretary of State revises the DVS trust framework so as to change the conditions which must be met for the approval or designation of a supplementary code.

(2) An approved supplementary code which is affected by the change ceases to be an approved supplementary code at the end of the relevant period unless an application for re-approval of the code is made within that period.

(3) Pending determination of an application for re-approval the supplementary code remains an approved supplementary code.

(4) Before the end of the relevant period the Secretary of State must—

(a) review each designated supplementary code which is affected by the change (if any), and

(b) determine whether it meets the conditions as changed.

(5) If, on a review under subsection (4), the Secretary of State determines that a designated supplementary code does not meet the conditions as changed, the code ceases to be a designated supplementary code at the end of the relevant period.

(6) A supplementary code is affected by a change if the change alters, or adds, a condition which is or would be relevant to the supplementary code when deciding whether to approve it under section (Approval of a supplementary code) or designate it under section (Designation of a supplementary code).

(7) In this section “the relevant period” means the period of 21 days beginning with the day on which the DVS trust framework containing the change referred to in subsection (1) comes into force.

(8) Section (Approval of a supplementary code) applies to re-approval of a supplementary code as it applies to approval of such a code.”—(Sir John Whittingdale.)

This amendment provides that when conditions for approval or designation are changed this requires re-approval of an approved supplementary code and, in the case of a designated supplementary code, a re-assessment of whether the code meets the revised conditions.

Brought up, read the First and Second time, and added to the Bill.

New Clause 14

Revision of a recognised supplementary code

“(1) If an approved supplementary code is revised—

(a) the code before and after the revision are treated as the same code for the purposes of this Part, and

(b) the code ceases to be an approved supplementary code unless subsection (2) or (4) applies.

(2) This subsection applies if the supplementary code, in its revised form, has been approved under section (Approval of a supplementary code).

(3) If subsection (2) applies the approved supplementary code, in its revised form, remains an approved supplementary code.

(4) This subsection applies for so long as—

(a) a decision is pending under section (Approval of a supplementary code) on an application for approval of the supplementary code in its revised form, and

(b) the revisions to the code have not taken effect.

(5) If subsection (4) applies the supplementary code, in its unrevised form, remains an approved supplementary code.

(6) The Secretary of State may revise a designated supplementary code only if the Secretary of State is satisfied that the code, in its revised form, meets the conditions set out in the DVS trust framework (so far as relevant).

(7) If a designated supplementary code is revised, the code before and after the revision are treated as the same code for the purposes of this Part.”—(Sir John Whittingdale.)

This amendment sets out the consequences where there are changes to a recognised supplementary code and, in particular, what needs to be done for the code to remain a recognised supplementary code.

Brought up, read the First and Second time, and added to the Bill.

New Clause 15

Applications for approval and re-approval

“(1) The Secretary of State may determine—

(a) the form of an application for approval or re-approval under section (Approval of a supplementary code),

(b) the information to be contained in or provided with the application,

(c) the documents to be provided with the application,

(d) the manner in which the application is to be submitted, and

(e) who may make the application.

(2) A determination may make different provision for different purposes.

(3) The Secretary of State must publish a determination.

(4) The Secretary of State may revise a determination.

(5) If the Secretary of State revises a determination the Secretary of State must publish the determination as revised.”—(Sir John Whittingdale.)

This amendment enables the Secretary of State to determine the process for making a valid application for approval of a supplementary code.

Brought up, read the First and Second time, and added to the Bill.

New Clause 16

Fees for approval, re-approval and continued approval

“(1) The Secretary of State may determine that a person who applies for approval or re-approval of a supplementary code under section (Approval of a supplementary code) must pay a fee to the Secretary of State of an amount specified in the determination.

(2) A determination under subsection (1) may specify an amount which exceeds the administrative costs of determining the application for approval or re-approval.

(3) The Secretary of State may determine that a fee is payable to the Secretary of State, of an amount and at times specified in the determination, in connection with the continued approval of a supplementary code.

(4) A determination under subsection (3)—

(a) may specify an amount which exceeds the administrative costs associated with the continued approval of a supplementary code, and

(b) must specify, or describe, who must pay the fee.

(5) A fee payable under subsection (3) is recoverable summarily (or, in Scotland, recoverable) as a civil debt.

(6) A determination may make different provision for different purposes.

(7) The Secretary of State must publish a determination.

(8) The Secretary of State may revise a determination.

(9) If the Secretary of State revises a determination the Secretary of State must publish the determination as revised.”—(Sir John Whittingdale.)

This amendment enables the Secretary of State to determine that a fee is payable for approval/re-approval/continued approval of a supplementary code and the amount of such a fee.

Brought up, read the First and Second time, and added to the Bill.

New Clause 17

Request for withdrawal of approval

“(1) The Secretary of State must withdraw approval of a supplementary code if—

(a) the Secretary of State receives a notice requesting the withdrawal of approval of the supplementary code, and

(b) the notice complies with any requirements imposed by a determination under subsection (3).

(2) Before the day on which the approval is withdrawn, the Secretary of State must inform the person who gave the notice of when it will be withdrawn.

(3) The Secretary of State may determine—

(a) the form of a notice,

(b) the information to be contained in or provided with the notice,

(c) the documents to be provided with the notice,

(d) the manner in which the notice is to be submitted,

(e) who may give the notice.

(4) A determination may make different provision for different purposes.

(5) The Secretary of State must publish a determination.

(6) The Secretary of State may revise a determination.

(7) If the Secretary of State revises a determination the Secretary of State must publish the determination as revised.”—(Sir John Whittingdale.)

This amendment enables a supplementary code to be “de-approved”, on request.

Brought up, read the First and Second time, and added to the Bill.

New Clause 18

Removal of designation

“(1) The Secretary of State may determine to remove the designation of a supplementary code.

(2) A determination must—

(a) be published, and

(b) specify when the designation is to be removed, which must be a time after the end of the period of 21 days beginning with the day on which the determination is published.”—(Sir John Whittingdale.)

This amendment enables the Secretary of State to determine that a designated supplementary code should cease to be designated.

Brought up, read the First and Second time, and added to the Bill.

New Clause 19

Registration of additional services

“(1) Subsection (2) applies if—

(a) a person is registered in the DVS register,

(b) the person applies for their entry in the register to be amended to record additional digital verification services that the person provides in accordance with the main code,

(c) the person holds a certificate from an accredited conformity assessment body certifying that the person provides the additional services in accordance with the main code,

(d) the application complies with any requirements imposed by a determination under section 51, and

(e) the person pays any fee required to be paid by a determination under section 52(1).

(2) The Secretary of State must amend the DVS register to record that the person is also registered in respect of the additional services referred to in subsection (1).

(3) For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a) it has expired in accordance with its terms,

(b) it has been withdrawn by the body that issued it, or

(c) it is required to be ignored by reason of provision included in the DVS trust framework under 49(10).”—(Sir John Whittingdale.)

This amendment provides for a person to apply to add services to their entry in the DVS register and requires the Secretary of State to amend the register to record that a person is registered in respect of the additional services.

Brought up, read the First and Second time, and added to the Bill.

New Clause 20

Supplementary notes

“(1) Subsection (2) applies if—

(a) a person holds a certificate from an accredited conformity assessment body certifying that digital verification services provided by the person are provided in accordance with a recognised supplementary code,

(b) the person applies for a note about one or more of the services to which the certificate relates to be included in the entry relating to that person in the DVS register,

(c) the application complies with any requirements imposed by a determination under section 51, and

(d) the person pays any fee required to be paid by a determination under section 52(1).

(2) The Secretary of State must include a note in the entry relating to the person in the DVS register recording that the person provides, in accordance with the recognised supplementary code referred to in subsection (1), the services in respect of which the person made the application referred to in that subsection.

(3) The Secretary of State may not otherwise include a note described in subsection (2) in the DVS register.

(4) For the purposes of subsection (1)(a), a certificate is to be ignored if—

(a) it has expired in accordance with its terms,

(b) it has been withdrawn by the body that issued it, or

(c) subsection (5) applies.

(5) This subsection applies if—

(a) the recognised supplementary code to which the certificate relates has been revised since the certificate was issued,

(b) the certificate was issued before the revision to the supplementary code took effect, and

(c) the supplementary code (as revised) provides—

(i) that certificates issued before the time the revision takes effect are required to be ignored, or

(ii) that such certificates are to be ignored from a date, or from the end of a period, specified in the code and that date has passed or that period has elapsed.

(6) In this Part, a note included in the DVS register in accordance with subsection (2) is referred to as a supplementary note.”—(Sir John Whittingdale.)

This amendment provides for a person to apply for a note to be included in the DVS register that they provide digital verification services in accordance with a recognised supplementary code.

Brought up, read the First and Second time, and added to the Bill.

New Clause 21

Addition of services to supplementary notes

“(1) Subsection (2) applies if—

(a) a person has a supplementary note included in the DVS register,

(b) the person applies for the note to be amended to record additional digital verification services that the person provides in accordance with a recognised supplementary code,

(c) the person holds a certificate from an accredited conformity assessment body certifying that the person provides the additional services in accordance with the recognised supplementary code referred to in paragraph (b),

(d) the application complies with any requirements imposed by a determination under section 51, and

(e) the person pays any fee required to be paid by a determination under section 52(1).

(2) The Secretary of State must amend the note to record that the person also provides the additional services referred to in subsection (1) in accordance with the recognised supplementary code referred to in that subsection.

(3) For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a) it has expired in accordance with its terms,

(b) it has been withdrawn by the body that issued it, or

(c) subsection (4) applies.

(4) This subsection applies if—

(a) the recognised supplementary code to which the certificate relates has been revised since the certificate was issued,

(b) the certificate was issued before the revision to the supplementary code took effect, and

(c) the supplementary code (as revised) provides—

(i) that certificates issued before the time the revision takes effect are required to be ignored, or

(ii) that such certificates are to be ignored from a date, or from the end of a period, specified in the code and that date has passed or that period has elapsed.”—(Sir John Whittingdale.)

This amendment provides for a person to add services to their supplementary note in the DVS register and requires the Secretary of State to amend the note to record that a person is registered in respect of the additional services.

Brought up, read the First and Second time, and added to the Bill.

New Clause 22

Duty to remove services from the DVS register

“(1) Where a person is registered in the DVS register in respect of digital verification services, subsection (2) applies if the person—

(a) asks for the register to be amended so that the person is no longer registered in respect of one or more of those services,

(b) ceases to provide one or more of those services, or

(c) no longer holds a certificate from an accredited conformity assessment body certifying that all of those services are provided in accordance with the main code.

(2) The Secretary of State must amend the register to record that the person is no longer registered in respect of (as the case may be)—

(a) the service or services mentioned in a request described in subsection (1)(a),

(b) the service or services which the person has ceased to provide, or

(c) the service or services for which there is no longer a certificate as described in subsection (1)(c).

(3) For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a) it has expired in accordance with its terms,

(b) it has been withdrawn by the body that issued it, or

(c) it is required to be ignored by reason of provision included in the DVS trust framework under section 49(10).”—(Sir John Whittingdale.)

This amendment places the Secretary of State under a duty to amend the DVS register, in certain circumstances, to record that a person is no longer registered in respect of certain services.

Brought up, read the First and Second time, and added to the Bill.

New Clause 23

Duty to remove supplementary notes from the DVS register

“(1) The Secretary of State must remove a supplementary note included in the entry in the DVS register relating to a person if—

(a) the person asks for the note to be removed,

(b) the person ceases to provide all of the digital verification services to which the note relates,

(c) the person no longer holds a certificate from an accredited conformity assessment body certifying that at least one of those digital verification services is provided in accordance with the supplementary code, or

(d) the person continues to hold a certificate described in paragraph (c) but the supplementary code is not a recognised supplementary code.

(2) For the purposes of subsection (1)(c) and (d), a certificate is to be ignored if—

(a) it has expired in accordance with its terms,

(b) it has been withdrawn by the body that issued it, or

(c) subsection (3) applies.

(3) This subsection applies if—

(a) the supplementary code to which the certificate relates has been revised since the certificate was issued,

(b) the certificate was issued before the revision to the supplementary code took effect, and

(c) the supplementary code (as revised) provides—

(i) that certificates issued before the time the revision takes effect are required to be ignored, or

(ii) that such certificates are to be ignored from a date, or from the end of a period, specified in the code and that date has passed or that period has elapsed.”—(Sir John Whittingdale.)

This amendment sets out the circumstances in which the Secretary of State must remove a supplementary note from the DVS register.

Brought up, read the First and Second time, and added to the Bill.

New Clause 24

Duty to remove services from supplementary notes

“(1) Where a person has a supplementary note included in their entry in the DVS register in respect of digital verification services, subsection (2) applies if the person—

(a) asks for the register to be amended so that the note no longer records one or more of those services,

(b) ceases to provide one or more of the services recorded in the note, or

(c) no longer holds a certificate from an accredited conformity assessment body certifying that all of the services included in the note are provided in accordance with a supplementary code.

(2) The Secretary of State must amend the supplementary note so it no longer records (as the case may be)—

(a) the service or services mentioned in a request described in subsection (1)(a),

(b) the service or services which the person has ceased to provide, or

(c) the service or services for which there is no longer a certificate as described in subsection (1)(c).

(3) For the purposes of subsection (1)(c), a certificate is to be ignored if—

(a) it has expired in accordance with its terms,

(b) it has been withdrawn by the body that issued it, or

(c) subsection (4) applies.

(4) This subsection applies if—

(a) the supplementary code to which the certificate relates has been revised since the certificate was issued,

(b) the certificate was issued before the revision to the supplementary code took effect, and

(c) the supplementary code (as revised) provides—

(i) that certificates issued before the time the revision takes effect are required to be ignored, or

(ii) that such certificates are to be ignored from a date, or from the end of a period, specified in the code and that date has passed or that period has elapsed.”—(Sir John Whittingdale.)

This amendment places the Secretary of State under a duty to amend a supplementary note on the DVS register relating to a person, in certain circumstances, to remove reference to certain services from the note.

Brought up, read the First and Second time, and added to the Bill.

New Clause 25

Index of defined terms for Part 2

“The Table below lists provisions that define or otherwise explain terms defined for the purposes of this Part of this Act.

| Term | Provision |
| --- | --- |
| accredited conformity assessment body | section 50(7) |
| approved supplementary code | section (Approval of a supplementary code)(6) |
| designated supplementary code | section (Designation of a supplementary code)(3) |
| digital verification services | section 48(2) |
| the DVS register | section 50(2) |
| the DVS trust framework | section 49(2)(a) |
| the main code | section 49(2)(b) |
| recognised supplementary code | section (List of recognised supplementary codes)(2) |
| supplementary code | section 49(2)(c) |
| supplementary note | section (Supplementary notes)(6)” |



(Sir John Whittingdale.)

This amendment provides an index of terms which are defined in Part 2.

Brought up, read the First and Second time, and added to the Bill.

New Clause 26

Powers relating to verification of identity or status

“(1) In section 15 of the Immigration, Asylum and Nationality Act 2006 (penalty for employing a person subject to immigration control), after subsection (7) insert—

“(8) An order under subsection (3) containing provision described in subsection (7)(a), (b) or (c) may, in particular—

(a) specify a document generated by a DVS-registered person or a DVS-registered person of a specified description;

(b) specify a document which was provided to such a person in order to generate such a document;

(c) specify steps involving the use of services provided by such a person.

(9) In subsection (8), “DVS-registered person” means a person who is registered in the DVS register maintained under Part 2 of the Data Protection and Digital Information Act 2024 (“the DVS register”).

(10) An order under subsection (3) which specifies a description of DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to specified services (see section (Supplementary notes) of the Data Protection and Digital Information Act 2024).”

(2) In section 34 of the Immigration Act 2014 (requirements which may be prescribed for the purposes of provisions about occupying premises under a residential tenancy agreement)—

(a) in subsection (1)—

(i) in paragraph (a), after “occupiers” insert “, a DVS-registered person or a DVS-registered person of a prescribed description”,

(ii) in paragraph (b), after “occupiers” insert “, a DVS-registered person or a DVS-registered person of a prescribed description”, and

(iii) in paragraph (c), at the end insert “, including steps involving the use of services provided by a DVS-registered person or a DVS-registered person of a prescribed description”, and

(b) after that subsection insert—

“(1A) An order prescribing requirements for the purposes of this Chapter which contains provision described in subsection (1)(a) or (b) may, in particular—

(a) prescribe a document generated by a DVS-registered person or a DVS-registered person of a prescribed description;

(b) prescribe a document which was provided to such a person in order to generate such a document.

(1B) In subsections (1) and (1A), “DVS-registered person” means a person who is registered in the DVS register maintained under Part 2 of the Data Protection and Digital Information Act 2024 (“the DVS register”).

(1C) An order prescribing requirements for the purposes of this Chapter which prescribes a description of DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to prescribed services (see section (Supplementary notes) of the Data Protection and Digital Information Act 2024).”

(3) In Schedule 6 to the Immigration Act 2016 (illegal working compliance orders etc), after paragraph 5 insert—

“Prescribed checks and documents

5A (1) Regulations under paragraph 5(6)(b) or (c) may, in particular—

(a) prescribe checks carried out using services provided by a DVS-registered person or a DVS-registered person of a prescribed description;

(b) prescribe documents generated by such a person;

(c) prescribe documents which were provided to such a person in order to generate such documents.

(2) In sub-paragraph (1), “DVS-registered person” means a person who is registered in the DVS register maintained under Part 2 of the Data Protection and Digital Information Act 2024 (“the DVS register”).

(3) Regulations under paragraph 5(6)(b) or (c) which prescribe a description of DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to prescribed services (see section (Supplementary notes) of the Data Protection and Digital Information Act 2024).””—(Sir John Whittingdale.)

This amendment contains amendments of powers to make subordinate legislation so they can be exercised so as to make provision by reference to persons registered in the DVS register established under Part 2 of the Bill.

Brought up, read the First and Second time, and added to the Bill.

New Clause 27

Interface bodies

“(1) This section is about the provision that regulations under section 66 or 68 may (among other things) contain about bodies with one or more of the following tasks—

(a) establishing a facility or service used, or capable of being used, for providing, publishing or otherwise processing customer data or business data or for taking action described in section 66(3) (an “interface”);

(b) setting standards (“interface standards”), or making other arrangements (“interface arrangements”), for use by other persons when establishing, maintaining or managing an interface;

(c) maintaining or managing an interface, interface standards or interface arrangements.

(2) Such bodies are referred to in this Part as “interface bodies”.

(3) The regulations may—

(a) require a data holder, an authorised person or a third party recipient to set up an interface body;

(b) make provision about the type of body to be set up.

(4) In relation to an interface body (whether or not it is required to be set up by regulations under section 66 or 68), the regulations may—

(a) make provision about the body’s composition and governance;

(b) make provision requiring a data holder, an authorised person or a third party recipient to provide, or arrange for, assistance for the body;

(c) impose other requirements relating to the body on a person required to set it up or to provide, or arrange for, assistance for the body;

(d) make provision requiring the body to carry on all or part of a task described in subsection (1);

(e) make provision requiring the body to do other things in connection with its interface, interface standards or interface arrangements;

(f) make provision about how the body carries out its functions (such as, for example, provision about the body’s objectives or matters to be taken into account by the body);

(g) confer powers on the body for the purpose of monitoring use of its interface, interface standards or interface arrangements (“monitoring powers”) (and see section 71 for provision about enforcement of requirements imposed in exercise of those powers);

(h) make provision for the body to arrange for its monitoring powers to be exercised by another person;

(i) make provision about the rights of persons affected by the exercise of the body’s functions under the regulations, including (among other things)—

(i) provision about the review of decisions made in exercise of those functions;

(ii) provision about appeals to a court or tribunal;

(j) make provision about complaints, including provision requiring the body to implement procedures for the handling of complaints;

(k) make provision enabling or requiring the body to publish, or provide to a specified person, specified documents or information relating to its interface, interface standards or interface arrangements;

(l) make provision enabling or requiring the body to produce guidance about how it proposes to exercise its functions under the regulations, to publish the guidance and to provide copies to specified persons.

(5) The monitoring powers that may be conferred on an interface body include power to require the provision of documents or information (but such powers are subject to the restrictions in section 72 as well as any restrictions included in the regulations).

(6) Examples of facilities or services referred to in subsection (1) include dashboard services, other electronic communications services and application programming interfaces.

(7) In subsection (4)(b) and (c), the references to assistance include actual or contingent financial assistance (such as, for example, a grant, loan, guarantee or indemnity or buying a company’s share capital).”—(Sir John Whittingdale.)

This new clause enables regulations under Part 3 to make provision about bodies providing facilities or services used for providing, publishing or processing customer data or business data, or setting standards or making other arrangements in connection with such facilities or services.

Brought up, read the First and Second time, and added to the Bill.

New Clause 28

The FCA and financial services interfaces

“(1) The Treasury may by regulations make provision enabling or requiring the Financial Conduct Authority (“the FCA”) to make rules—

(a) requiring financial services providers described in the regulations to use a prescribed interface, or prescribed interface standards or interface arrangements, when providing or receiving customer data or business data which is required to be provided by or to the financial services provider by data regulations;

(b) requiring persons described in the regulations to use a prescribed interface, or prescribed interface standards or interface arrangements, when the person, in the course of a business, receives, from a financial services provider, customer data or business data which is required to be provided to the person by data regulations;

(c) imposing interface-related requirements on a description of person falling within subsection (2),

and such rules are referred to in this Part as “FCA interface rules”.

(2) The following persons fall within this subsection—

(a) an interface body linked to the financial services sector on which requirements are imposed by regulations made in reliance on section (Interface bodies);

(b) a person required by regulations made in reliance on section (Interface bodies) to set up an interface body linked to the financial services sector;

(c) a person who uses an interface, interface standards or interface arrangements linked to the financial services sector or who is required to do so by data regulations or rules made by virtue of regulations under subsection (1)(a) or (b).

(3) For the purposes of this section, requirements are interface-related if they relate to—

(a) the composition, governance or activities of an interface body linked to the financial services sector,

(b) an interface, interface standards or interface arrangements linked to the financial services sector, or

(c) the use of such an interface, such interface standards or such interface arrangements.

(4) For the purposes of this section—

(a) an interface body is linked to the financial services sector to the extent that its interface, interface standards or interface arrangements are linked to the financial service sector;

(b) interfaces, interface standards and interface arrangements are linked to the financial services sector to the extent that they are used, or intended to be used, by financial services providers (whether or not they are used, or intended to be used, by other persons).

(5) The Treasury may by regulations make provision enabling or requiring the FCA to impose requirements on a person to whom FCA interface rules apply (referred to in this Part as “FCA additional requirements”) where the FCA considers it appropriate to impose the requirement—

(a) in response to a failure, or likely failure, by the person to comply with an FCA interface rule or FCA additional requirement, or

(b) in order to advance a purpose which the FCA is required to advance when exercising functions conferred by regulations under this section (see section (The FCA and financial services interfaces: supplementary)(3)(a)).

(6) Regulations under subsection (5) may, for example, provide for the FCA to impose requirements by giving a notice or direction.

(7) The restrictions in section 72 apply in connection with FCA interface rules and FCA additional requirements as they apply in connection with regulations under this Part.

(8) In section 72 as so applied—

(a) the references in subsections (1)(b) and (8) to an enforcer include the FCA, and

(b) the references in subsections (3) and (4) to data regulations include FCA interface rules and FCA additional requirements.

(9) In this section—

“financial services provider” means a person providing financial services;

“prescribed” means prescribed in FCA interface rules.”—(Sir John Whittingdale.)

This new clause and new clause NC29 enable the Treasury, by regulations, to confer powers on the Financial Conduct Authority to impose requirements (by means of rules or otherwise) on interface bodies used by the financial services sector and on persons participating in, or using facilities and services provided by, such bodies.

Brought up, read the First and Second time, and added to the Bill.

New Clause 29

The FCA and financial services interfaces: supplementary

“(1) This section is about provision that regulations under section (The FCA and financial services interfaces) may or must (among other things) contain.

(2) The regulations—

(a) may enable or require the FCA to impose interface-related requirements that could be imposed by regulations made in reliance on section (Interface bodies)(4) or (5), but

(b) may not enable or require the FCA to require a person to set up an interface body.

(3) The regulations must—

(a) require the FCA, so far as is reasonably possible, to exercise functions conferred by the regulations in a manner which is compatible with, or which advances, one or more specified purposes;

(b) specify one or more matters to which the FCA must have regard when exercising functions conferred by the regulations;

(c) if they enable or require the FCA to make rules, make provision about the procedure for making rules, including provision requiring such consultation with persons likely to be affected by the rules or representatives of such persons as the FCA considers appropriate.

(4) The regulations may—

(a) require the FCA to carry out an analysis of the costs and benefits that will arise if proposed rules are made or proposed changes are made to rules and make provision about what the analysis must include;

(b) require the FCA to publish rules or changes to rules and to provide copies to specified persons;

(c) make provision about the effect of rules, including provision about circumstances in which rules are void and circumstances in which a person is not to be taken to have contravened a rule;

(d) make provision enabling or requiring the FCA to modify or waive rules as they apply to a particular case;

(e) make provision about the procedure for imposing FCA additional requirements;

(f) make provision enabling or requiring the FCA to produce guidance about how it proposes to exercise its functions under the regulations, to publish the guidance and to provide copies to specified persons.

(5) The regulations may enable or require the FCA to impose the following types of requirement on a person as FCA additional requirements—

(a) a requirement to review the person’s conduct;

(b) a requirement to take remedial action;

(c) a requirement to make redress for loss or damage suffered by others as a result of the person’s conduct.

(6) The regulations may enable or require the FCA to make rules requiring a person falling within section (The FCA and financial services interfaces)(2)(b) or (c) to pay fees to an interface body for the purpose of meeting expenses incurred, or to be incurred, by such a body in performing duties, or exercising powers, imposed or conferred by regulations under this Part or by rules made by virtue of regulations under section (The FCA and financial services interfaces).

(7) Regulations made in reliance on subsection (6)—

(a) may enable rules to provide for the amount of a fee to be an amount which is intended to exceed the cost of the things in respect of which the fee is charged;

(b) must require rules to provide for the amount of a fee to be—

(i) a prescribed amount or an amount determined in accordance with the rules, or

(ii) an amount not exceeding such an amount;

(c) may enable or require rules to provide for the amount, or maximum amount, of a fee to increase at specified times and by—

(i) a prescribed amount or an amount determined in accordance with the rules, or

(ii) an amount not exceeding such an amount;

(d) if they enable rules to enable a person to determine an amount, must require rules to require the person to publish information about the amount and how it is determined;

(e) may enable or require rules to make provision about—

(i) interest on any unpaid amounts;

(ii) the recovery of unpaid amounts.

(8) In this section—

“interface-related” has the meaning given in section (The FCA and financial services interfaces);

“prescribed” means prescribed in FCA interface rules.

(9) The reference in subsection (5)(c) to making redress includes—

(a) paying interest, and

(b) providing redress in the form of a remedy or relief which could not be awarded in legal proceedings.”—(Sir John Whittingdale.)

See the explanatory statement for new clause NC28.

Brought up, read the First and Second time, and added to the Bill.

New Clause 30

The FCA and financial services interfaces: penalties and levies

“(1) Subsections (2) and (3) are about the provision that regulations made by the Treasury under this Part providing for the FCA to enforce requirements under FCA interface rules may (among other things) contain in relation to financial penalties.

(2) The regulations may require or enable the FCA—

(a) to set the amount or maximum amount of, or of an increase in, a penalty imposed in respect of failure to comply with a requirement imposed by the FCA in exercise of a power conferred by regulations under section (The FCA and financial services interfaces) (whether imposed by means of FCA interface rules or an FCA additional requirement), or

(b) to set the method for determining such an amount.

(3) Regulations made in reliance on subsection (2)—

(a) must require the FCA to produce and publish a statement of its policy with respect to the amount of the penalties;

(b) may require the policy to include specified matters;

(c) may make provision about the procedure for producing the statement;

(d) may require copies of the statement to be provided to specified persons;

(e) may require the FCA to have regard to a statement published in accordance with the regulations.

(4) The Treasury may by regulations—

(a) impose, or provide for the FCA to impose, a levy on data holders, authorised persons or third party recipients for the purpose of meeting all or part of the expenses incurred, or to be incurred, during a period by the FCA, or by a person acting on the FCA’s behalf, in performing duties, or exercising powers, imposed or conferred on the FCA by regulations under section (The FCA and financial services interfaces), and

(b) make provision about how funds raised by means of the levy must or may be used.

(5) Regulations under subsection (4) may only provide for a levy in respect of expenses of the FCA to be imposed on persons that appear to the Treasury to be capable of being directly affected by the exercise of some or all of the functions conferred on the FCA by regulations under section (The FCA and financial services interfaces).

(6) Section 75(3) and (4) apply in relation to regulations under subsection (4) of this section as they apply in relation to regulations under section 75(1).”—(Sir John Whittingdale.)

This new clause enables the Treasury, by regulations, to confer power on the Financial Conduct Authority to set the amount of certain penalties. It also enables the Treasury to impose a levy in respect of expenses incurred by that Authority.

Brought up, read the First and Second time, and added to the Bill.

New Clause 31

Liability in damages

“(1) The Secretary of State or the Treasury may by regulations provide that a person listed in subsection (2) is not liable in damages for anything done or omitted to be done in the exercise of functions conferred by regulations under this Part.

(2) Those persons are—

(a) a public authority;

(b) a member, officer or member of staff of a public authority;

(c) a person who could be held vicariously liable for things done or omitted by a public authority.

(3) Regulations under this section may not—

(a) make provision removing liability for an act or omission which is shown to have been in bad faith, or

(b) make provision so as to prevent an award of damages made in respect of an act or omission on the ground that the act or omission was unlawful as a result of section 6(1) of the Human Rights Act 1998.”—(Sir John Whittingdale.)

This new clause enables regulations under Part 3 to provide that certain persons are not liable in damages when exercising functions under such regulations.

Brought up, read the First and Second time, and added to the Bill.

New Clause 32

Other data provision

“(1) This section is about cases in which subordinate legislation other than regulations under this Part contains provision described in section 66(1) to (3) or 68(1) to (2A) (“other data provision”).

(2) The regulation-making powers under this Part may be exercised so as to make, in connection with the other data provision, any provision that they could be exercised to make as part of, or in connection with, provision made under section 66(1) to (3) or 68(1) to (2A) that is equivalent to the other data provision.

(3) In this Part, references to “data regulations” include regulations made in reliance on subsection (2) to the extent that they make provision described in sections 66 to 70 or (Interface bodies).

(4) In this section, “subordinate legislation” has the same meaning as in the Interpretation Act 1978 (see section 21 of that Act).”—(Sir John Whittingdale.)

This new clause enables the regulation-making powers under Part 3 to be used to supplement existing subordinate legislation which requires customer data or business data to be provided to customers and others.

Brought up, read the First and Second time, and added to the Bill.

New Clause 33

Duty to notify the Commissioner of personal data breach: time periods

“(1) In regulation 5A of the PEC Regulations (personal data breach)—

(a) in paragraph (2), after “delay” insert “and, where feasible, not later than 72 hours after having become aware of it”, and

(b) after paragraph (3) insert—

“(3A) Where notification under paragraph (2) is not made within 72 hours, it must be accompanied by reasons for the delay.”

(2) In Article 2 of Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (notification to the Information Commissioner)—

(a) in paragraph 2—

(i) in the first subparagraph, for the words from “no” to “feasible” substitute “without undue delay and, where feasible, not later than 72 hours after having become aware of it”, and

(ii) in the second subparagraph, after “shall” insert “, subject to paragraph 3,”, and

(b) for paragraph 3 substitute—

“3. To the extent that the information set out in Annex 1 is not available to be included in the notification, it may be provided in phases without undue further delay.””—(Sir John Whittingdale.)

This adjusts the period within which the Information Commissioner must be notified of a personal data breach. It also inserts a duty (into the PEC Regulations) to give reasons for not notifying within 72 hours and adjusts the duty (in Commission Regulation (EU) No 611/2013) to provide accompanying information.

Brought up, read the First and Second time, and added to the Bill.

New Clause 34

Power to require information for social security purposes

“In Schedule (Power to require information for social security purposes)—

(a) Part 1 amends the Social Security Administration Act 1992 to make provision about a power for the Secretary of State to obtain information for social security purposes;

(b) Part 2 amends the Social Security Administration (Northern Ireland) Act 1992 to make provision about a power for the Department for Communities to obtain information for such purposes;

(c) Part 3 makes related amendments of the Proceeds of Crime Act 2002.”—(Sir John Whittingdale.)

This new clause introduces a new Schedule NS1 which amends social security legislation to make provision about a new power for the Secretary of State or, in Northern Ireland, the Department for Communities, to obtain information for social security purposes.

Brought up, read the First and Second time, and added to the Bill.

New Clause 35

Retention of information by providers of internet services in connection with death of child

“(1) The Online Safety Act 2023 is amended as follows.

(2) In section 100 (power to require information)—

(a) omit subsection (7);

(b) after subsection (8) insert—

“(8A) The power to give a notice conferred by subsection (1) does not include power to require processing of personal data that would contravene the data protection legislation (but in determining whether processing of personal data would do so, the duty imposed by the notice is to be taken into account).”

(3) In section 101 (information in connection with investigation into death of child)—

(a) before subsection (1) insert—

“(A1) Subsection (D1) applies if a senior coroner (in England and Wales), a procurator fiscal (in Scotland) or a coroner (in Northern Ireland) (“the investigating authority”)—

(a) notifies OFCOM that—

(i) they are conducting an investigation, or are due to conduct an investigation, in connection with the death of a child, and

(ii) they suspect that the child may have taken their own life, and

(b) provides OFCOM with the details in subsection (B1).

(B1) The details are—

(a) the name of the child who has died,

(b) the child’s date of birth,

(c) any email addresses used by the child (so far as the investigating authority knows), and

(d) if any regulated service has been brought to the attention of the investigating authority as being of interest in connection with the child’s death, the name of the service.

(C1) Where this subsection applies, OFCOM—

(a) must give a notice to the provider of a service within subsection (E1) requiring the provider to ensure the retention of information relating to the use of the service by the child who has died, and

(b) may give a notice to any other relevant person requiring the person to ensure the retention of information relating to the use of a service within subsection (E1) by that child.

(D1) The references in subsection (C1) to ensuring the retention of information relating to the child’s use of a service include taking all reasonable steps, without delay, to prevent the deletion of such information by the routine operation of systems or processes.

(E1) A service is within this subsection if it is—

(a) a regulated service of a kind described in regulations made by the Secretary of State, or

(b) a regulated service notified to OFCOM by the investigating authority as described in subsection (B1)(d).

(F1) A notice under subsection (C1) may require information described in that subsection to be retained only if it is information—

(a) of a kind which OFCOM have power to require under a notice under subsection (1) (see, in particular, subsection (2)(a) to (d)), or

(b) which a person might need to retain to enable the person to provide information in response to a notice under subsection (1) (if such a notice were given).

(G1) OFCOM must share with the investigating authority any information they receive in response to requirements mentioned in section 102(5A)(d) that are included in a notice under subsection (C1).”

(b) in subsection (3), for “power conferred by subsection (1) includes” substitute “powers conferred by this section include”;

(c) after subsection (5) insert—

“(5A) The powers to give a notice conferred by this section do not include power to require processing of personal data that would contravene the data protection legislation (but in determining whether processing of personal data would do so, the duty imposed by the notice is to be taken into account).”

(4) In section 102 (information notices)—

(a) in subsection (1), for “101(1)” substitute “101(C1) or (1)”;

(b) in subsection (3)—

(i) after “information notice” insert “under section 100(1) or 101(1)”,

(ii) omit “and” at the end of paragraph (c), and

(iii) after paragraph (c) insert—

“(ca) specify when the information must be provided (which may be on or by a specified date, within a specified period, or at specified intervals), and”;

(c) omit subsection (4);

(d) after subsection (5) insert—

“(5A) An information notice under section 101(C1) must—

(a) specify or describe the information to be retained,

(b) specify why OFCOM require the information to be retained,

(c) require the information to be retained for the period of one year beginning with the date of the notice,

(d) require the person to whom the notice is given—

(i) if the child to whom the notice relates used the service in question, to notify OFCOM by a specified date of steps taken to ensure the retention of information;

(ii) if the child did not use the service, or the person does not hold any information of the kind required, to notify OFCOM of that fact by a specified date, and

(e) contain information about the consequences of not complying with the notice.

(5B) If OFCOM give an information notice to a person under section 101(C1), they may, in response to information received from the investigating authority, extend the period for which the person is required to retain information by a maximum period of six months.

(5C) The power conferred by subsection (5B) is exercisable—

(a) by giving the person a notice varying the notice under section 101(C1) and stating the further period for which information must be retained and the reason for the extension;

(b) any number of times.”;

(e) after subsection (9) insert—

“(9A) OFCOM must cancel an information notice under section 101(C1) by notice to the person to whom it was given if advised by the investigating authority that the information in question no longer needs to be retained.”

(f) in subsection (10), after the definition of “information” insert—

““the investigating authority” has the same meaning as in section 101;”.

(5) In section 109 (offences in connection with information notices)—

(a) in subsection (2)(b), for “all reasonable steps” substitute “all of the steps that it was reasonable, and reasonably practicable, to take”;

(b) after subsection (6) insert—

“(6A) A person who is given an information notice under section 101(C1) commits an offence if—

(a) the person deletes or alters, or causes or permits the deletion or alteration of, any information required by the notice to be retained, and

(b) the person’s intention was to prevent the information being available, or (as the case may be) to prevent it being available in unaltered form, for the purposes of any official investigation into the death of the child to whom the notice relates.

(6B) For the purposes of subsection (6A) information has been deleted if it is irrecoverable (however that occurred).”

(6) In section 110 (senior managers’ liability: information offences)—

(a) after subsection (6) insert—

“(6A) An individual named as a senior manager of an entity commits an offence if—

(a) the entity commits an offence under section 109(6A) (deletion etc of information), and

(b) the individual has failed to take all reasonable steps to prevent that offence being committed.”;

(b) in subsection (7), for “or (6)” substitute “, (6) or (6A)”.

(7) In section 113 (penalties for information offences), in subsection (2)—

(a) for “(4) or (5)” substitute “(4), (5) or (6A)”;

(b) for “(5) or (6)” substitute “(5), (6) or (6A)”.

(8) In section 114 (co-operation and disclosure of information: overseas regulators), in subsection (7), omit the definition of “the data protection legislation”.

(9) In section 225 (Parliamentary procedure for regulations), in subsection (10), after paragraph (c) insert—

“(ca) regulations under section 101(E1)(a),”

(10) In section 236(1) (interpretation)—

(a) after the definition of “country” insert—

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3(9) of that Act);”;

(b) in the definition of “information notice”, for “101(1)” substitute “101(C1) or (1)”.

(11) In section 237 (index of defined terms), after the entry for “CSEA content” insert—

“the data protection legislation

section 236”.”—(Sir John Whittingdale.)

This new clause amends the Online Safety Act 2023 to enable OFCOM to give internet service providers a notice requiring them to retain information in connection with an investigation by a coroner (or, in Scotland, procurator fiscal) into the death of a child suspected to have taken their own life. The new clause also creates related offences.

Brought up, read the First and Second time, and added to the Bill.

New Clause 36

Retention of biometric data and recordable offences

“(1) Part 1 of the Counter-Terrorism Act 2008 (powers to gather and share information) is amended in accordance with subsections (2) to (10).

(2) In section 18A(3) (retention of material: general), after “recordable offence” insert “or recordable-equivalent offence”.

(3) Section 18E (supplementary provision) is amended in accordance with subsections (4) to (10).

(4) In subsection (1), after the definition of “recordable offence” insert—

““recordable-equivalent offence” means an offence under the law of a country or territory outside England and Wales and Northern Ireland where the act constituting the offence would constitute a recordable offence if done in England and Wales or Northern Ireland (whether or not the act constituted such an offence when the person was convicted);”.

(5) In subsection (3), in the words before paragraph (a), after “offence” insert “in England and Wales or Northern Ireland”.

(6) After subsection (5) insert—

“(5A) For the purposes of section 18A, a person is to be treated as having been convicted of an offence in a country or territory outside England and Wales and Northern Ireland if, in respect of such an offence, a court exercising jurisdiction under the law of that country or territory has made a finding equivalent to—

(a) a finding that the person is not guilty by reason of insanity, or

(b) a finding that the person is under a disability and did the act charged against the person in respect of the offence.”

(7) In subsection (6)(a)—

(a) after “convicted” insert “—

(i)”, and

(b) after “offence,” insert “or

(ii) in a country or territory outside England and Wales and Northern Ireland, of a recordable-equivalent offence,”.

(8) In subsection (6)(b)—

(a) omit “of a recordable offence”, and

(b) for “a recordable offence, other than a qualifying offence” substitute “an offence, other than a qualifying offence or qualifying-equivalent offence”.

(9) In subsection (7), for “subsection (6)” substitute “this section”.

(10) After subsection (7) insert—

“(7A) In subsection (6), “qualifying-equivalent offence” means an offence under the law of a country or territory outside England and Wales and Northern Ireland where the act constituting the offence would constitute a qualifying offence if done in England and Wales or Northern Ireland (whether or not the act constituted such an offence when the person was convicted).”

(11) The amendments made by this section apply only in connection with the retention of section 18 material that is or was obtained or acquired by a law enforcement authority—

(a) on or after the commencement day, or

(b) in the period of 3 years ending immediately before the commencement day.

(12) Subsection (13) of this section applies where—

(a) at the beginning of the commencement day, a law enforcement authority has section 18 material which it obtained or acquired in the period of 3 years ending immediately before the commencement day,

(b) at a time before the commencement day (a “pre-commencement time”), the law enforcement authority was required by section 18(4) of the Counter-Terrorism Act 2008 to destroy the material, and

(c) at the pre-commencement time, the law enforcement authority could have retained the material under section 18A of the Counter-Terrorism Act 2008, as it has effect taking account of the amendments made by subsections (2) to (10) of this section, if those amendments had been in force.

(13) Where this subsection applies—

(a) the law enforcement authority is to be treated as not having been required to destroy the material at the pre-commencement time, but

(b) the material may not be used in evidence against the person to whom the material relates—

(i) in criminal proceedings in England and Wales, Northern Ireland or Scotland in relation to an offence where those proceedings, or other criminal proceedings in relation to the person and the offence, were instituted before the commencement day, or

(ii) in criminal proceedings in any other country or territory.

(14) In this section—

“the commencement day” means the day on which this Act is passed;

“law enforcement authority” has the meaning given by section 18E(1) of the Counter-Terrorism Act 2008;

“section 18 material” has the meaning given by section 18(2) of that Act.

(15) For the purposes of this section, proceedings in relation to an offence are instituted—

(a) in England and Wales, when they are instituted for the purposes of Part 1 of the Prosecution of Offences Act 1985 (see section 15(2) of that Act);

(b) in Northern Ireland, when they are instituted for the purposes of Part 2 of the Justice (Northern Ireland) Act 2002 (see section 44(1) and (2) of that Act);

(c) in Scotland, when they are instituted for the purposes of Part 3 of the Proceeds of Crime Act 2002 (see section 151(1) and (2) of that Act).”—(Sir John Whittingdale.)

This new clause enables a law enforcement authority to retain fingerprints and DNA profiles where a person has been convicted of an offence equivalent to a recordable offence in a jurisdiction outside England and Wales and Northern Ireland.

Brought up, read the First and Second time, and added to the Bill.

New Clause 37

Retention of pseudonymised biometric data

“(1) Part 1 of the Counter-Terrorism Act 2008 (powers to gather and share information) is amended in accordance with subsections (2) to (6).

(2) Section 18A (retention of material: general) is amended in accordance with subsections (3) to (5).

(3) In subsection (1), for “subsection (5)” substitute “subsections (4) to (9)”.

(4) In subsection (4)(a), after “relates” insert “(a “pseudonymised form”)”.

(5) After subsection (6) insert—

“(7) Section 18 material which is not a DNA sample may be retained indefinitely by a law enforcement authority if—

(a) the authority obtains or acquires the material directly or indirectly from an overseas law enforcement authority,

(b) the authority obtains or acquires the material in a form which includes information which identifies the person to whom the material relates,

(c) as soon as reasonably practicable after obtaining or acquiring the material, the authority takes the steps necessary for it to hold the material in a pseudonymised form, and

(d) having taken those steps, the law enforcement authority continues to hold the material in a pseudonymised form.

(8) In a case where section 18 material is being retained by a law enforcement authority under subsection (7), if—

(a) the law enforcement authority ceases to hold the material in a pseudonymised form, and

(b) the material relates to a person who has no previous convictions or only one exempt conviction,

the material may be retained by the law enforcement authority until the end of the retention period specified in subsection (9).

(9) The retention period is the period of 3 years beginning with the date on which the law enforcement authority first ceases to hold the material in a pseudonymised form.”

(6) In section 18E(1) (supplementary provision)—

(a) in the definition of “law enforcement authority”, for paragraph (d) substitute—

“(d) an overseas law enforcement authority;”, and

(b) after that definition insert—

““overseas law enforcement authority” means a person formed or existing under the law of a country or territory outside the United Kingdom so far as exercising functions which—

(a) correspond to those of a police force, or

(b) otherwise involve the investigation or prosecution of offences;”.

(7) The amendments made by this section apply only in connection with the retention of section 18 material that is or was obtained or acquired by a law enforcement authority—

(a) on or after the commencement day, or

(b) in the period of 3 years ending immediately before the commencement day.

(8) Subsections (9) to (12) of this section apply where, at the beginning of the commencement day, a law enforcement authority has section 18 material which it obtained or acquired in the period of 3 years ending immediately before the commencement day.

(9) Where the law enforcement authority holds the material in a pseudonymised form at the beginning of the commencement day, the authority is to be treated for the purposes of section 18A(7)(c) and (d) of the Counter-Terrorism Act 2008 as having—

(a) taken the steps necessary for it to hold the material in a pseudonymised form as soon as reasonably practicable after obtaining or acquiring the material, and

(b) continued to hold the material in a pseudonymised form until the commencement day.

(10) Where the law enforcement authority does not hold the material in a pseudonymised form at the beginning of the commencement day, the authority is to be treated for the purposes of section 18A(7)(c) of the Counter-Terrorism Act 2008 as taking the steps necessary for it to hold the material in a pseudonymised form as soon as reasonably practicable after obtaining or acquiring the material if it takes those steps on, or as soon as reasonably practicable after, the commencement day.

(11) Subsection (12) of this section applies where, at a time before the commencement day (a “pre-commencement time”), the law enforcement authority was required by section 18(4) of the Counter-Terrorism Act 2008 to destroy the material but—

(a) at the pre-commencement time, the law enforcement authority could have retained the material under section 18A(7) to (9) of the Counter-Terrorism Act 2008 (as inserted by this section) if those provisions had been in force, or

(b) on or after the commencement day, the law enforcement authority may retain the material under those provisions by virtue of subsection (9) or (10) of this section.

(12) Where this subsection applies—

(a) the law enforcement authority is to be treated as not having been required to destroy the material at the pre-commencement time, but

(b) the material may not be used in evidence against the person to whom the material relates—

(i) in criminal proceedings in England and Wales, Northern Ireland or Scotland in relation to an offence where those proceedings, or other criminal proceedings in relation to the person and the offence, were instituted before the commencement day, or

(ii) in criminal proceedings in any other country or territory.

(13) In this section—

“the commencement day”, “law enforcement authority” and “section 18 material” have the meaning given in section (Retention of biometric data and recordable offences)(14);

“instituted”, in relation to proceedings, has the meaning given in section (Retention of biometric data and recordable offences)(15);

“in a pseudonymised form” has the meaning given by section 18A(4) and (10) of the Counter-Terrorism Act 2008 (as amended or inserted by this section).”—(Sir John Whittingdale.)

This new clause enables a law enforcement authority to retain fingerprints and DNA profiles where, as soon as reasonably practicable after acquiring or obtaining them, the authority takes the steps necessary for it to hold the material in a form which does not include information which identifies the person to whom the material relates.

Brought up, read the First and Second time, and added to the Bill.

New Clause 38

Retention of biometric data from INTERPOL

“(1) Part 1 of the Counter-Terrorism Act 2008 (powers to gather and share information) is amended in accordance with subsections (2) to (4).

(2) In section 18(4) (destruction of national security material not subject to existing statutory restrictions), after “18A” insert “, 18AA”.

(3) After section 18A insert—

“18AA Retention of material from INTERPOL

(1) This section applies to section 18 material which is not a DNA sample where the law enforcement authority obtained or acquired the material as part of a request for assistance, or a notification of a threat, sent to the United Kingdom via INTERPOL’s systems.

(2) The law enforcement authority may retain the material until the National Central Bureau informs the authority that the request or notification has been cancelled or withdrawn.

(3) If the law enforcement authority is the National Central Bureau, it may retain the material until it becomes aware that the request or notification has been cancelled or withdrawn.

(4) In this section—

“INTERPOL” means the organisation called the International Criminal Police Organization - INTERPOL;

“the National Central Bureau” means the body appointed for the time being in accordance with INTERPOL’s constitution to serve as the United Kingdom’s National Central Bureau.

(5) The reference in subsection (1) to material obtained or acquired as part of a request or notification includes material obtained or acquired as part of a communication, sent to the United Kingdom via INTERPOL’s systems, correcting, updating or otherwise supplementing the request or notification.

18AB Retention of material from INTERPOL: supplementary

(1) The Secretary of State may by regulations amend section 18AA to make such changes as the Secretary of State considers appropriate in consequence of—

(a) changes to the name of the organisation which, when section 18AA was enacted, was called the International Criminal Police Organization - INTERPOL (“the organisation”),

(b) changes to arrangements made by the organisation which involve fingerprints or DNA profiles being provided to members of the organisation (whether changes to existing arrangements or changes putting in place new arrangements), or

(c) changes to the organisation’s arrangements for liaison between the organisation and its members or between its members.

(2) Regulations under this section are subject to affirmative resolution procedure.”

(4) In section 18BA(5)(a) (retention of further fingerprints), after “18A” insert “, 18AA”.

(5) Section 18AA of the Counter-Terrorism Act 2008 applies in relation to section 18 material obtained or acquired by a law enforcement authority before the commencement day (as well as material obtained or acquired on or after that day), except where the law enforcement authority was informed, or became aware, as described in subsection (2) or (3) of that section before the commencement day.

(6) Subsection (7) of this section applies where—

(a) at the beginning of the commencement day, a law enforcement authority has section 18 material,

(b) at a time before the commencement day (a “pre-commencement time”), the law enforcement authority was required by section 18(4) of the Counter-Terrorism Act 2008 to destroy the material, but

(c) at the pre-commencement time, the law enforcement authority could have retained the material under section 18AA of that Act (as inserted by this section) if it had been in force.

(7) Where this subsection applies—

(a) the law enforcement authority is to be treated as not having been required to destroy the material at the pre-commencement time, but

(b) the material may not be used in evidence against the person to whom the material relates—

(i) in criminal proceedings in England and Wales, Northern Ireland or Scotland in relation to an offence where those proceedings, or other criminal proceedings in relation to the person and the offence, were instituted before the commencement day, or

(ii) in criminal proceedings in any other country or territory.

(8) In this section—

“the commencement day”, “law enforcement authority” and “section 18 material” have the meaning given in section (Retention of biometric data and recordable offences)(14);

“instituted”, in relation to proceedings, has the meaning given in section (Retention of biometric data and recordable offences)(15).”—(Sir John Whittingdale.)

This new clause enables fingerprints and DNA profiles obtained as part of a request for assistance, or notification of a threat, from INTERPOL and held for national security purposes by a law enforcement authority to be retained until the authority is informed that the request or notification has been withdrawn or cancelled.

Brought up, read the First and Second time, and added to the Bill.

New Clause 39

National Underground Asset Register

“(1) After section 106 of the New Roads and Street Works Act 1991 insert—

“Part 3A

National Underground Asset Register: England and Wales

The register

106A National Underground Asset Register

(1) The Secretary of State must keep a register of information relating to apparatus in streets in England and Wales.

(2) The register is to be known as the National Underground Asset Register (and is referred to in this Act as “NUAR”).

(3) NUAR must be kept in such form and manner as may be prescribed.

(4) The Secretary of State must make arrangements so as to enable any person who is required, by a provision of Part 3, to enter information into NUAR to have access to NUAR for that purpose.

(5) Regulations under subsection (3) are subject to the negative procedure.

106B Access to information kept in NUAR

(1) The Secretary of State may by regulations make provision in connection with making information kept in NUAR available—

(a) under a licence, or

(b) without a licence.

(2) The regulations may (among other things)—

(a) make provision about which information, or descriptions of information, may be made available;

(b) make provision about the descriptions of person to whom information may be made available;

(c) make provision for information to be made available subject to exceptions;

(d) make provision requiring or authorising the Secretary of State to adapt, modify or obscure information before making it available;

(e) make provision authorising all information kept in NUAR to be made available to prescribed descriptions of person under prescribed conditions;

(f) make provision about the purposes for which information may be made available;

(g) make provision about the form and manner in which information may be made available.

(3) The regulations may make provision about licences under which information kept in NUAR is made available, including—

(a) provision about the form of a licence;

(b) provision about the terms and conditions of a licence;

(c) provision for information to be made available under a licence for free or for a fee;

(d) provision about the amount of the fees, including provision for the amount of a fee to be an amount which is intended to exceed the cost of the things in respect of which the fee is charged;

(e) provision about how funds raised by means of fees must or may be used, including provision for funds to be paid to persons who are required, by a provision of Part 3, to enter information into NUAR.

(4) Except as otherwise prescribed and subject to section 106G, processing of information by the Secretary of State in exercise of functions conferred by or under section 106A or this section does not breach—

(a) any obligation of confidence owed by the Secretary of State, or

(b) any other restriction on the processing of information (however imposed).

(5) Regulations under this section are subject to the affirmative procedure.

Requirements for undertakers to pay fees and provide information

106C Fees payable by undertakers in relation to NUAR

(1) The Secretary of State may by regulations make provision requiring undertakers having apparatus in a street to pay fees to the Secretary of State for or in connection with the exercise by the Secretary of State of any function conferred by or under this Part.

(2) The regulations may—

(a) specify the amounts of the fees, or the maximum amounts of the fees, or

(b) provide for the amounts of the fees, or the maximum amounts of the fees, to be determined in accordance with the regulations.

(3) In making the regulations the Secretary of State must seek to secure that, so far as possible and taking one year with another, the income from fees matches the expenses incurred by the Secretary of State in, or in connection with, exercising functions conferred by or under this Part (including expenses not directly connected with the keeping of NUAR).

(4) Except where the regulations specify the amounts of the fees—

(a) the amounts of the fees must be specified by the Secretary of State in a statement, and

(b) the Secretary of State must—

(i) publish the statement, and

(ii) lay it before Parliament.

(5) Regulations under subsection (1) may make provision about—

(a) when a fee is to be paid;

(b) the manner in which a fee is to be paid;

(c) the payment of discounted fees;

(d) exceptions to requirements to pay fees;

(e) the refund of all or part of a fee which has been paid.

(6) Before making regulations under subsection (1) the Secretary of State must consult—

(a) such representatives of persons likely to be affected by the regulations as the Secretary of State considers appropriate, and

(b) such other persons as the Secretary of State considers appropriate.

(7) Subject to the following provisions of this section regulations under subsection (1) are subject to the affirmative procedure.

(8) Regulations under subsection (1) that only make provision of a kind mentioned in subsection (2) are subject to the negative procedure.

(9) But the first regulations under subsection (1) that make provision of a kind mentioned in subsection (2) are subject to the affirmative procedure.

106D Providing information for purposes of regulations under section 106C

(1) The Secretary of State may by regulations make provision requiring undertakers having apparatus in a street to provide information to the Secretary of State for either or both of the following purposes—

(a) assisting the Secretary of State in determining the provision that it is appropriate for regulations under section 106C(1) or a statement under section 106C(4) to make;

(b) assisting the Secretary of State in determining whether it is appropriate to make changes to such provision.

(2) The Secretary of State may by regulations make provision requiring undertakers having apparatus in a street to provide information to the Secretary of State for either or both of the following purposes—

(a) ascertaining whether a fee is payable by a person under regulations under section 106C(1);

(b) working out the amount of a fee payable by a person.

(3) Regulations under subsection (1) or (2) may require an undertaker to notify the Secretary of State of any changes to information previously provided under the regulations.

(4) Regulations under subsection (1) or (2) may make provision about—

(a) when information is to be provided (which may be at prescribed intervals);

(b) the form and manner in which information is to be provided;

(c) exceptions to requirements to provide information.

(5) Regulations under subsection (1) or (2) are subject to the negative procedure.

Monetary penalties

106E Monetary penalties

Schedule 5A makes provision about the imposition of penalties in connection with requirements imposed by regulations under sections 106C(1) and 106D(1) and (2).

Exercise of functions by third party

106F Arrangements for third party to exercise functions

(1) The Secretary of State may make arrangements for a prescribed person to exercise a relevant function of the Secretary of State.

(2) More than one person may be prescribed.

(3) Arrangements under this section may—

(a) provide for the Secretary of State to make payments to the person, and

(b) make provision as to the circumstances in which any such payments are to be repaid to the Secretary of State.

(4) In the case of the exercise of a function by a person authorised by arrangements under this section to exercise that function, any reference in this Part or in regulations under this Part to the Secretary of State in connection with that function is to be read as a reference to that person.

(5) Arrangements under this section do not prevent the Secretary of State from exercising a function to which the arrangements relate.

(6) Except as otherwise prescribed and subject to section 106G, the disclosure of information between the Secretary of State and a person in connection with the person’s entering into arrangements under this section or exercise of functions to which such arrangements relate does not breach—

(a) any obligation of confidence owed by the person making the disclosure, or

(b) any other restriction on the disclosure of information (however imposed).

(7) Regulations under this section are subject to the affirmative procedure.

(8) In this section “relevant function” means any function of the Secretary of State conferred by or under this Part (including the function of charging or recovering fees under section 106C) other than—

(a) a power to make regulations, or

(b) a function under section 106C(4) (specifying of fees etc).

Data protection

106G Data protection

(1) A duty or power to process information that is imposed or conferred by or under this Part does not operate to require or authorise the processing of personal data that would contravene the data protection legislation (but in determining whether processing of personal data would do so, that duty or power is to be taken into account).

(2) In this section—

“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3(9) of that Act);

“personal data” has the same meaning as in that Act (see section 3(2) of that Act).

Supplementary provisions

106H Regulations under this Part

(1) In this Part “prescribed” means prescribed by regulations made by the Secretary of State.

(2) Regulations under this Part may make—

(a) different provision for different purposes;

(b) supplementary and incidental provision.

(3) Regulations under this Part are to be made by statutory instrument.

(4) Before making regulations under this Part the Secretary of State must consult the Welsh Ministers.

(5) Where regulations under this Part are subject to “the affirmative procedure” the regulations may not be made unless a draft of the statutory instrument containing them has been laid before and approved by a resolution of each House of Parliament.

(6) Where regulations under this Part are subject to “the negative procedure” the statutory instrument containing the regulations is subject to annulment in pursuance of a resolution of either House of Parliament.

(7) Any provision that may be made in regulations under this Part subject to the negative procedure may be made in regulations subject to the affirmative procedure.

106I Interpretation

(1) In this Part the following terms have the same meaning as in Part 3—

“apparatus” (see sections 89(3) and 105(1));

“in” (in a context referring to apparatus in a street) (see section 105(1));

“street” (see section 48(1) and (2));

“undertaker” (in relation to apparatus or in a context referring to having apparatus in a street) (see sections 48(5) and 89(4)).

(2) In this Part “processing” has the same meaning as in the Data Protection Act 2018 (see section 3(4) of that Act) and “process” is to be read accordingly.”

(2) In section 167 of the New Roads and Street Works Act 1991 (Crown application)—

(a) after subsection (4) insert—

“(4A) The provisions of Part 3A of this Act (National Underground Asset Register: England and Wales) bind the Crown.”;

(b) in subsection (5), for “(4)” substitute “(4) or (4A)”.

(3) Schedule (National Underground Asset Register: monetary penalties) to this Act inserts Schedule 5A into the New Roads and Street Works Act 1991 (monetary penalties).”—(Sir John Whittingdale.)

This amendment inserts Part 3A into the New Roads and Street Works Act 1991 which requires, and makes provision in connection with, the keeping of a register of information relating to apparatus in streets (to be called the National Underground Asset Register).

Brought up, read the First and Second time, and added to the Bill.

New Clause 40

Information in relation to apparatus

“(1) The New Roads and Street Works Act 1991 is amended in accordance with subsections (2) to (6).

(2) For the italic heading before section 79 (records of location of apparatus) substitute “Duties in relation to recording and sharing of information about apparatus”.

(3) In section 79—

(a) for the heading substitute “Information in relation to apparatus”;

(b) in subsection (1), for paragraph (c) substitute—

“(c) being informed of its location under section 80(2),”;

(c) after subsection (1A) (as inserted by section 46(2) of the Traffic Management Act 2004) insert—

“(1B) An undertaker must, except in such cases as may be prescribed, record in relation to every item of apparatus belonging to the undertaker such other information as may be prescribed as soon as reasonably practicable after—

(a) placing the item in the street or altering its position,

(b) inspecting, maintaining, adjusting, repairing, altering or renewing the item,

(c) locating the item in the street in the course of executing any other works, or

(d) receiving any such information in relation to the item under section 80(2).”

(d) omit subsection (3);

(e) in subsection (3A) (as inserted by section 46(4) of the Traffic Management Act 2004)—

(i) for “to (3)” substitute “and (2A)”;

(ii) for “subsection (1)” substitute “this section”;

(f) after subsection (3A) insert—

“(3B) Before the end of the initial upload period an undertaker must enter into NUAR—

(a) all information that is included in the undertaker’s records under subsection (1) on the archive upload date, and

(b) any other information of a prescribed description that is held by the undertaker on that date.

(3C) Where an undertaker records information as required by subsection (1) or (1B), or updates such information, the undertaker must, within a prescribed period, enter the recorded or updated information into NUAR.

(3D) The duty under subsection (3C) does not apply in relation to information recorded or updated before the archive upload date.

(3E) A duty under subsection (3B) or (3C) does not apply in such cases as may be prescribed.

(3F) Information must be entered into NUAR under subsection (3B) or (3C) in such form and manner as may be prescribed.”

(g) in subsection (4)(a), omit “not exceeding level 5 on the standard scale”;

(h) after subsection (6) insert—

“(7) For the purposes of subsection (3B) the Secretary of State must by regulations—

(a) specify a date as “the archive upload date”, and

(b) specify a period beginning with that date as the “initial upload period”.

(8) For the meaning of “NUAR”, see section 106A.”

(4) For section 80 (duty to inform undertakers of location of apparatus) substitute—

“80 Duties to report missing or incorrect information in relation to apparatus

(1) Subsection (2) applies where a person executing works of any description in a street finds an item of apparatus belonging to an undertaker in relation to which prescribed information—

(a) is not entered in NUAR, or

(b) is entered in NUAR but is incorrect.

(2) The person must take such steps as are reasonably practicable to inform the undertaker to whom the item belongs of the missing or incorrect information.

(3) Where a person executing works of any description in a street finds an item of apparatus which does not belong to the person and is unable, after taking such steps as are reasonably practicable, to ascertain to whom the item belongs, the person must—

(a) if the person is an undertaker, enter into NUAR, in such form and manner as may be prescribed, prescribed information in relation to the item;

(b) in any other case, inform the street authority of that information.

(4) Subsections (2) and (3) have effect subject to such exceptions as may be prescribed.

(5) A person who fails to comply with subsection (2) or (3) commits an offence.

(6) A person who commits an offence under subsection (5) is liable on summary conviction to a fine not exceeding level 4 on the standard scale.

(7) Before making regulations under this section the Secretary of State must consult—

(a) such representatives of persons likely to be affected by the regulations as the Secretary of State considers appropriate, and

(b) such other persons as the Secretary of State considers appropriate.

(8) For the meaning of “NUAR”, see section 106A.”

(5) Before section 81 (duty to maintain apparatus) insert—

“Other duties and liabilities of undertakers in relation to apparatus”.

(6) In section 104 (regulations), after subsection (1) insert—

“(1A) Before making regulations under section 79 or 80 the Secretary of State must consult the Welsh Ministers.

(1B) Regulations under this Part may make supplementary or incidental provision.”

(7) In consequence of the provision made by subsection (4), omit section 47 of the Traffic Management Act 2004.”—(Sir John Whittingdale.)

This amendment amends the New Roads and Street Works Act 1991 so as to impose new duties on undertakers to keep records of, and share information relating to, apparatus in streets; and makes amendments consequential on those changes.

Brought up, read the First and Second time, and added to the Bill.

New Clause 41

Pre-commencement consultation

“A requirement to consult under a provision inserted into the New Roads and Street Works Act 1991 by section (National Underground Asset Register) or (Information in relation to apparatus) may be satisfied by consultation before, as well as consultation after, the provision inserting that provision comes into force.”—(Sir John Whittingdale.)

This amendment provides that a requirement that the Secretary of State consult under a provision inserted into the New Roads and Street Works Act 1991 by the new clauses inserted by Amendments NC39 and NC40 may be satisfied by consultation undertaken before or after the provision inserting that provision comes into force.

Brought up, read the First and Second time, and added to the Bill.

New Clause 42

Transfer of certain functions to Secretary of State

“(1) The powers to make regulations under section 79(1) and (2) of the New Roads and Street Works Act 1991, so far as exercisable in relation to Wales, are transferred to the Secretary of State.

(2) The power to make regulations under section 79(1A) of that Act (as inserted by section 46(2) of the Traffic Management Act 2004), so far as exercisable in relation to Wales, is transferred to the Secretary of State.

(3) The Street Works (Records) (England) Regulations 2002 (S.I. 2002/3217) have effect as if the reference to England in regulation 1(2) were a reference to England and Wales.

(4) The Street Works (Records) (Wales) Regulations 2005 (S.I. 2005/1812) are revoked.”—(Sir John Whittingdale.)

This amendment provides that certain powers to make regulations under section 79 of the New Roads and Street Works Act 1991, so far as exercisable in relation to Wales, are transferred from the Welsh Ministers to the Secretary of State; and makes provision in relation to regulations already made under those powers.

Brought up, read the First and Second time, and added to the Bill.

Clause 5

Lawfulness of processing

Amendment proposed: 11, page 7, line 12, at end insert—

““internal administrative purposes”, in relation to special category data, means the conditions set out for lawful processing in paragraph 1 of Schedule 1 of the Data Protection Act 2018.”—(Kate Osborne.)

This amendment clarifies that the processing of special category data in employment must follow established principles for reasonable processing, as defined by paragraph 1 of Schedule 1 of the Data Protection Act 2018.

Question put, That the amendment be made.

--- Later in debate ---
16:45

Division 14

Ayes: 200


Labour: 143
Scottish National Party: 33
Liberal Democrat: 12
Independent: 6
Plaid Cymru: 2
Green Party: 1
Alba Party: 1
Democratic Unionist Party: 1

Noes: 276


Conservative: 271
Independent: 3

Clause 7
--- Later in debate ---
17:00

Division 15

Ayes: 37


Scottish National Party: 31
Independent: 2
Plaid Cymru: 2
Green Party: 1
Alba Party: 1

Noes: 279


Conservative: 271
Independent: 2
Democratic Unionist Party: 1

Clause 12
--- Later in debate ---
17:12

Division 16

Ayes: 195


Labour: 139
Scottish National Party: 32
Liberal Democrat: 12
Independent: 6
Plaid Cymru: 2
Green Party: 1
Alba Party: 1

Noes: 273


Conservative: 266
Independent: 2
Democratic Unionist Party: 1

Clause 16
--- Later in debate ---
17:25

Division 17

Ayes: 198


Labour: 141
Scottish National Party: 33
Liberal Democrat: 12
Independent: 6
Plaid Cymru: 2
Green Party: 1
Alba Party: 1

Noes: 275


Conservative: 268
Independent: 3
Democratic Unionist Party: 1

Clause 33
--- Later in debate ---
17:37

Division 18

Ayes: 194


Labour: 140
Scottish National Party: 33
Liberal Democrat: 11
Independent: 6
Plaid Cymru: 2
Green Party: 1
Alba Party: 1

Noes: 275


Conservative: 270
Independent: 2
Democratic Unionist Party: 1

Amendments made: 253, page 110, line 4, leave out paragraph (a) and insert—
--- Later in debate ---
17:49

Division 19

Ayes: 274


Conservative: 267
Independent: 2
Democratic Unionist Party: 1

Noes: 52


Scottish National Party: 30
Labour: 7
Liberal Democrat: 7
Independent: 2
Plaid Cymru: 2
Conservative: 1
Green Party: 1
Alba Party: 1

New schedule 1 read a Second time, and added to the Bill.
--- Later in debate ---
Sir John Whittingdale

I beg to move, That the Bill be now read the Third time.

This Bill will deliver tangible benefits to British consumers and businesses alike, which would not have been possible if Britain had still been a member of the European Union. It delivers a more flexible and less burdensome data protection regime that maintains high standards of privacy protection while promoting growth and boosting innovation. It does so with the support of the Information Commissioner, and without jeopardising the UK’s European Union data adequacy.

I would like to thank all Members who contributed during the passage of the Bill, and all those who have helped get it right. I now commend it to the House on its onward passage to the other place.

Mr Deputy Speaker (Sir Roger Gale)

I call the shadow Minister.

--- Later in debate ---
18:05

Division 20

Ayes: 269


Conservative: 264
Independent: 2
Democratic Unionist Party: 1

Noes: 31


Scottish National Party: 24
Independent: 2
Plaid Cymru: 2
Conservative: 1
Green Party: 1

Bill read the Third time and passed.

Data Protection and Digital Information Bill

Moved by
Viscount Camrose

That the Bill be now read a second time.

The Parliamentary Under-Secretary of State, Department for Science, Innovation and Technology (Viscount Camrose) (Con)

My Lords, in a time of rapid technological change, we need people to trust in how we can use data for greater good. By building understanding and confidence in the rules surrounding how we use data, we can unlock its real potential, not only for businesses but for people going about their everyday lives.

In 2018 Parliament passed the Data Protection Act, which was the UK’s implementation of the EU general data protection regulation. While the EU GDPR protected the privacy rights of individuals, there were unintended consequences. It resulted in high costs and a disproportionate compliance burden for small businesses. These reforms deliver on the Government’s promise to use the opportunity afforded to us by leaving the European Union to create a new and improved UK data rights regime.

The Bill has five parts that deliver on individual elements of these reforms. Part 1 updates and simplifies the UK GDPR and DPA 2018 to ease compliance burdens on businesses and introduce safeguards from new technologies. It also updates the similar regimes that apply to law enforcement agencies and intelligence services. Part 2 enables DSIT’s digital verification services policy, giving people secure options to prove their identity digitally across different sectors of the economy if they choose to do so. Part 3 establishes a framework to set up smart data schemes across the economy. Part 4 reforms the privacy and electronic communications regulations—PECR—to bring stronger protection for consumers against nuisance calls. It also contains reforms to ensure the better use of data in health and adult social care, law enforcement and security. Part 5 will modernise the Information Commissioner’s Office by making sure that it has the capabilities and the powers to tackle organisations that breach data rules, giving the ICO freedom to better allocate its resources and ensuring that it is more accountable to Parliament and to the public.

I stress that the Bill will continue to maintain the highest standards of data protection that people rightly expect. It will also help those who use our data to make our lives healthier, safer and more prosperous. That is because we have convened industry leaders and experts to codesign the Bill with us throughout its creation. This legislation will ensure that our regulation reflects the way in which real people live their lives and run their businesses.

On Report in the other place, we tabled a number of amendments to strengthen the fundamental elements of the Bill and to reflect the Government’s commitment to unleash the power of data across our economy and society. I take this opportunity to thank Members of Parliament and the numerous external stakeholders who have worked with us to ensure that the Bill functions at its absolute best. Taken together, these amendments will benefit the economy by £10.6 billion over 10 years. This is more than double the estimated impact of the Bill when introduced in the spring.

These reforms are expected to lower the compliance burden on businesses. We expect small and micro-businesses to achieve greater overall compliance cost savings than larger business. We expect these compliance cost savings for small and micro-business compliance to be approximately £90 million a year as a result of the domestic data protection policies in the Bill.

The Bill makes it clear that the amount that any organisation needs to do to comply and demonstrate compliance should be directly related to the risk its processing activities pose to individuals. That means that in the future, organisations will have to keep records of their processing activities, undertake risk assessments and designate senior responsible individuals to manage data protection risks only if their processing activities are likely to pose high risks to individuals. We are also removing the need for organisations to do detailed legitimate interest assessments and document the outcomes when their activities are clearly in the public interest—for example, when they are reporting child safeguarding concerns. This will help reduce the amount of privacy paperwork and allow businesses to invest time and resources elsewhere.

Let me make this absolutely clear: enabling more effective use of data and ensuring high data protection standards are not contradictory objectives. Businesses need to understand and to trust in our data protection rules, and that is what these measures are designed to achieve. At the same time, people across the UK need to fundamentally trust that the system works for them too. We know that lots of organisations already have good processes for how they deal with data protection complaints, and it is right that we strengthen this. By making these a requirement, the Bill helps data subjects exercise their rights and directly challenge organisations they believe are misusing their data.

We already have a world-leading independent regulator, the Information Commissioner’s Office. It is only right that we continue to provide the ICO with the tools it needs to keep pace with our dramatically changing tech landscape. The ICO needs to keep our personal data safe while ensuring that it remains accountable, flexible and fit for the modern world. We are modernising the structure and objectives of the Information Commissioner’s Office. Under this legislation, protecting our personal data will remain the ICO’s primary focus, but it will also need to consider how it can empower businesses and organisations to drive growth and innovation across the UK and support public trust and confidence in the use of personal data. We must ensure that our world-leading regulator is equipped to tackle the biggest and most important threats and data breaches, protecting individuals from the highest harm. The Bill means that the ICO can take a more proportionate approach to how it gets involved in individual disputes, not having to do so too early in the process before people have had a chance to resolve things sensibly themselves, while still being the ultimate guardian of data subjects’ rights.

The Bill will create a modern ICO that can tackle the modern, more sophisticated challenges of today and support businesses across the UK to make safe, effective use of data to grow and to innovate. It will also unlock the potential of transformative technologies by making sure that organisations know when they can use responsible automated decision-making and that people know when they can request human intervention where these decisions impact their lives.

Alongside this, there are billions of pounds to be seized in the booming global data-driven trade. With the new international transfers regime, we are clarifying our regime for building data bridges to secure the close, free and safe exchange of data with trusted allies. Alongside new data bridges, the Secretary of State will be able to recognise new transfer mechanisms for businesses to protect international transfers. Businesses will still be able to transfer data across borders with the compliant mechanisms they already use, avoiding needless checks and costs.

The Bill will allow people to control more of their data. It will support smart data schemes that empower consumers and small businesses to make better use of their own data, building on the extraordinary success of open banking, where consumers and businesses access innovative services to manage their finances and spending, track their carbon footprint or access credit. Open banking is already estimated to have the potential to bring in £12 billion each year for consumers and £6 billion for small businesses, as well as boosting innovation in our world-leading fintech industry. With this Bill, we can extend the same benefits for consumers and business across the economy.

Another way the Bill ensures that people have control of their own data is by making it easier and more secure for people to prove things about themselves. Digital identities will help those who choose to use them to prove their identity electronically rather than always having to dig out stacks of physical documents such as passports, bills, statements and birth certificates. Digital verification services are already in existence and we want to put them on a secure and trusted footing, giving people more choice and confidence as they navigate everyday tasks, and saving businesses time and money.

The Bill supports the growing demand, domestic and global, for secure and trusted electronic transactions such as qualified electronic signatures. It also makes provision for the preservation of important data for coronial investigations in the event of a child taking their own life. Any death of a child is a tragedy, and the Government have the utmost sympathy for families affected by this tragic issue. I recognise, and I share, the strong feelings on this issue expressed by noble Lords on this matter and during the passage of the Online Safety Act.

The new provision requires Ofcom, following notification from a coroner, to issue data preservation notices requiring relevant tech companies to hold data that they may have relating to a deceased child’s use of online services in circumstances where the coroner suspects that the child has taken their own life. This greatly strengthens Ofcom’s and a coroner’s ability to access data from online services and provides them with the tools they need to carry out their job. It will include, for example, if a child had taken their own life after interacting with self-harm or other harmful content online, or if they suspect that a child may have been subjected to coercion, online bullying or harassment. It would also include cases where a child has done an intentional act that has caused their death but where they may not have intended to die, such as the tragic circumstances where a child dies accidentally when attempting to recreate an online challenge.

The new provisions do not cover children’s deaths caused by homicide, because the police already have extensive investigative powers in this context. These were strengthened last year by the entry into force of the UK-US data access agreement, which enables law enforcement to directly access content of communications held by US-based companies for the purpose of preventing, detecting, investigating and prosecuting serious crimes, such as murder and child sexual abuse and exploitation.

The families who have been courageously campaigning after their children were tragically murdered did not have access to this agreement because it entered into force only last October. To date, 10,000 requests for data have been made under it. However, we understand their concerns, and the Secretary of State, along with Justice Ministers, will work with noble Lords ahead of Committee and carefully listen to their arguments on potential amendments. We absolutely recognise the need to give families the answers they need and to ensure that there is no gap in the law.

Some aspects of the GDPR are very complex, causing uncertainty around how it applies and hampering private and public bodies’ ability to use data as dynamically as they could. The Bill will help scientists make the most of data by ensuring that they can be reused for other related studies. This is achieved by removing burdensome requirements for scientific researchers, so that they can dedicate more time to focus on what they do best. The Bill will also simplify the legal requirements around research and bring legal clarity. This is achieved by transposing definitions of scientific, historical and statistical-purposes research into the operative text.

The Bill will improve the way that the NHS and adult social care organise data to deliver crucial health services in England. It will also improve the efficiency of data protection for law enforcement and national security partners, encouraging better use of personal data to help protect the public. The Bill will save up to 1.5 million hours of police time each year.

The Bill will also allow us to take further steps to safeguard our national security, by addressing risks from hostile agents seeking to access our data or damage our data infrastructure. It will allow the DWP to protect taxpayers’ money from falling into the hands of fraudsters, as part of the DWP’s biggest reform to fraud legislation in 20 years. We know that, over this last year, overpayments to capital fraud and error in universal credit alone were almost £900 million. It is time to modernise and strengthen the DWP’s legislative framework to ensure that it gives those fighting fraud and error the tools that they need and so that it stands up to future challenges.

Through the Bill we are revolutionising the way we install, maintain, operate and repair pipes and cables buried beneath the ground. I am sure we have all, knowingly or not, been impacted by one of the 60,000 accidental strikes on an underground pipe or cable that happen every year. The national underground asset register—NUAR—is a brand new digital map that gives planners and excavators secure and instant access to the data they need, when they need it. This means not only that the safety and lives of workers will no longer be at risk but that NUAR will underpin the Government’s priority to get the economy growing, expediting projects such as new roads, new houses and broadband rollout.

The Bill gives the people using data to improve our lives the certainty that they need. It maintains high standards for protecting people’s privacy, while seeking to maintain the EU’s adequacy decisions for the UK. The Bill is a hugely important piece of legislation and I thank noble Lords across the House for their involvement in and support for the Bill so far. I look forward to hearing their views today and throughout the rest of the Bill’s passage. I beg to move.

--- Later in debate ---
Viscount Camrose (Con)

My Lords, I sincerely thank all of today’s speakers for their powerful and learned contributions to a fascinating and productive debate. I very much welcome the engagement in this legislation that has been shown from across the House and such a clear setting out, at this early stage, of the important issues and caveats.

As I said, the Bill reflects the extensive process of consultation that the Government have undertaken, with almost 3,000 responses to the document Data: A New Direction, and the support it enjoys from both the ICO and industry groups. The debate in which we have engaged is a demonstration of noble Lords’ desire to ensure that our data protection regime evolves and works more effectively, while maintaining the highest standards of data protection for all.

I will respond to as many of the questions and points raised as I can. I hope noble Lords will forgive me if, in the interests of time and clarity, I do not name every noble Lord who spoke to every issue. A number of noble Lords expressed the wish that the Government remain open to any and all conversations. Should I inadvertently fail to address any problem satisfactorily, I affirm that I am very willing to engage with all noble Lords throughout the Bill’s passage, recognising its importance and, as the noble Lord, Lord Bassam, said, the opportunity it presents to do great good.

Many noble Lords raised concerns that the Bill does not go far enough to protect personal data rights. This is certainly not our intent. The fundamental data protection principles set out in the UK GDPR—as my noble friend Lord Kirkhope pointed out, they include lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, security and accountability—remain at the heart of the UK’s data protection regime. Certain kinds of data, such as health data, remain special categories to which extra protections rightly apply. Changes such as requiring a senior responsible individual, rather than a data protection officer, mean that organisations still need to be accountable for how they process personal data but will have more flexibility about how they manage the data protection risks within their organisations.

On other specific points raised on the data protection framework, I agree that the right of access is key to ensuring transparency in data processing. The proposals do not restrict the right of access for reasonable requests for information and keep reasonable requests free of charge. On the creation of the new recognised legitimate interests lawful grounds, evidence from our consultation indicated that some organisations worried about getting the balancing test wrong, while others said that the need to document the outcome of their assessment could slow down important processing activities.

To promote responsible data sharing in relation to a limited number of public interest tasks, the Bill acknowledges the importance of these activities, which include safeguarding, crime prevention and national security, responding to emergencies and democratic engagement, but data controllers should not be required to do a case-by-case balancing test.

On cookies, the Bill will allow the Secretary of State to remove the need for data controllers to seek consent for other purposes in future, when the appropriate technologies to do so are readily available. The aim is to offer the user a clear, meaningful choice that can be made once and respected throughout their use of the internet. However, before any such powers are used, we will consult further to make sure that people are more effectively enabled to use different technology to set their online preferences.

On democratic engagement, extending the exemption allows a limited number of individuals, such as elected representatives and referendum campaigners, to process political opinions data without consent where this is necessary for their political activities. In a healthy democracy, it is not just registered political parties that may need to process political opinions data, and these amendments reflect that reality. This amendment does not remove existing rights. If people do not want their data processed for these purposes, they can ask the controller to stop doing so at any time. Before laying any regulations under this clause, the Government would need to consult the Information Commissioner and other interested parties, as well as gaining parliamentary approval.

I turn now to concerns raised by many about the independence of the regulator, the Information Commissioner. The ICO remains an independent regulator, accountable to Parliament, not the Government, in its delivery of data protection regulation. The Bill ensures it has the powers it needs to remain the guardian of people’s personal data. It can and does produce guidance on what it deems necessary. The Government welcome this and will work closely with it ahead of and throughout the implementation of this legislation.

New powers will also help to ensure that the Information Commissioner is able to access the evidence he needs to inform investigations and has the time needed to discover and respond to representations. This will result in more informed investigations and better outcomes. The commissioner will be able to require individuals to attend interviews only if he suspects that an organisation has failed to comply with or has committed an offence under data protection legislation. This power is based on existing comparable powers for the Financial Conduct Authority and the Competition and Markets Authority. A person is not required to answer a question if it would breach legal professional privilege or reveal evidence of an offence.

As the noble Lord, Lord Clement-Jones, pointed out, EU adequacy was mentioned by almost everybody, and concerns were raised that the Bill would impact our adequacy agreement with the EU. The Government believe that our reforms are compatible with maintaining our data adequacy decisions from the EU. While the Bill removes the more prescriptive elements of the GDPR, the UK will maintain its high standards of data protection and continue to have one of the closest regimes to the EU in the world after our reform. The test for EU adequacy set out by the Court of Justice of the European Union in the cases relating to UK adequacy decisions requires essential equivalence to the level of protection under the GDPR. It does not require a third country to have exactly the same rules as the EU in order to be considered inadequate. Indeed, 14 countries have EU adequacy, including Japan, New Zealand and Canada. All of these nations pursue independent and often more divergent approaches to data protection.

Regarding our national security practices, in 2020 and 2021, the European Commission carried out a thorough assessment of the UK’s legislation and regulatory framework for personal data, including access by public authorities for national security purposes. It assessed that the UK provides an adequate level of data protection. We maintain an ongoing dialogue with the EU and have a positive, constructive relationship. We will continue to engage regularly with the EU to ensure our reforms are understood.

A great many noble Lords rightly commented on AI regulation, or the lack of it, in the Bill. Existing data protection legislation—the UK GDPR and the Data Protection Act 2018—regulates the development of AI systems and other technologies to the extent that there is personal data involved. This means that the ICO will continue to play an important role in applying the AI principles as they relate to matters of privacy and data protection. The Government’s view is that it would not be effective to regulate the use of AI in this context solely through the lens of data protection.

Article 22 of the UK GDPR is currently the primary piece of UK law setting out the requirements related to automated decision-making, and this Bill sets out the rights that data subjects have to be informed about significant decisions that are taken about them through solely automated means, to seek human review of those decisions and to have them corrected. This type of activity is, of course, increasingly AI-driven, and so it is important to align these reforms with the UK’s wider approach to AI governance that has been published in the White Paper developed by the Office for Artificial Intelligence. This includes ensuring terms such as “meaningful human involvement” remain up to date and relevant, and the Bill includes regulation-making powers to that effect. The White Paper on the regulation of AI commits to a principles-based approach that supports innovation, and we are considering how the framework will apply to the various actors in the AI development and deployment life cycle, with a particular focus on foundation models. We are analysing the views we heard during the White Paper consultation. We will publish a response imminently, and we do not want to get ahead of that process at this point.

I turn to the protection of children. Once again, I thank noble Lords across the House for their powerful comments on the importance of protecting children’s data, including in particular the noble Baroness, Lady Kidron. On the very serious issue of data preservation orders, the Government continue to make it clear—both in public, at the Dispatch Box, and in private discussions—that we are firmly on the side of the bereaved parents. We consider that we have acted in good faith, and we all want the same outcomes for these families struck by tragedy. We are focused on ensuring that no parent is put through the same ordeal as these families in the future.

I recognise the need to give families the answers they require and to ensure there is no gap in the law. Giving families the answers they need remains the Government’s motivation for the amendment in the other place; it is the reason we will ensure that the amendment is comprehensive and is viewed as such by the families. I reassure the House that the Government have heard and understand the concerns raised on this issue, and that is why the Secretary of State, along with Justice Ministers, will work with noble Lords ahead of Committee and carefully listen to their arguments on potential amendments.

I also hear the concerns of the right reverend Prelate the Bishop of St Albans, the noble Lord, Lord Vaux, and the noble Baroness, Lady Young, on surveillance, police powers and police access to data. Abolishing the Surveillance Camera Commissioner will not reduce data protection. The role overlaps with other oversight bodies, which is inefficient and confusing for police and the public. The Bill addresses the duplication, which means that the ICO will continue to regulate data processing across all sectors, including policing. The aim is to improve effective independent oversight, which is key to public confidence. Simplification through consolidation improves consistency and guidance on oversight, makes the most of the available expertise, improves organisational resilience, and ends confusing and inefficient duplication.

The Government also have a responsibility to safeguard national security. The reports into events such as the Manchester Arena and Fishmongers’ Hall terrorist incidents have clearly noted that better joined-up working between the intelligence services and law enforcement supports that responsibility. This is why the Bill creates the power for designation notices to be issued, enabling joint controllerships between the intelligence services and law enforcement. The Secretary of State must consider the processing contained in the notice to be required for the purpose of safeguarding national security to grant it. This mirrors the high threshold for interference with the right to privacy under Article 8 of the Human Rights Act, which requires that such interference be in accordance with the law and necessary in a democratic society.

Concerns were raised by, among others, the noble Baronesses, Lady Young and Lady Bennett, and the noble Lords, Lord Sikka and Lord Bassam, on the proportionality of the measure helping the Government to tackle both fraud and error. Despite taking positive steps to reduce these losses, the DWP remains reliant on powers derived from legislation that is in part over 20 years old. The DWP published the fraud plan in May 2022. It set out clearly a number of new powers that it would seek to secure when parliamentary time allowed. Tackling fraud and error in the DWP is a priority for the Government but parliamentary time is tight. In the time available, the DWP has prioritised our key third-party data-gathering measure which will help to tackle one of the largest causes of fraud and error in the welfare system. We remain committed to delivering all the legislation outlined in the DWP’s fraud plan when parliamentary time allows.

To develop and test these new proposals, the DWP has been working closely with the industry, which recognises the importance of modernising and strengthening these powers to enable us to better detect fraud and error in the benefit system. This includes collaboration on the practical design, implementation and delivery of this measure, including establishing a working group with banks and the financial industry. The DWP has also regularly engaged with UK Finance as well as individual banks, building societies and fintechs during the development of this measure, and continues to do so. It is of course important that where personal data is involved there are appropriate checks and balances. Organisations have a right to appeal against the requirement to comply with a data notice issued by the DWP.

Through our appeal process, the Government would first seek to resolve all disputes by DWP internal review. If this failed, the appeal would be referred to the First-tier Tax Tribunal, as currently is used in similar circumstances by HMRC. The third-party data-gathering powers that the DWP is taking are only broad to the extent that this ensures that they can be future-proofed. This is because the nature of fraud has changed significantly in recent years and continues to change significantly. The current powers that the DWP has are not sufficient to tackle the new kinds of fraud that we are now seeing in the welfare system. We are including all benefits to ensure that benefits such as state pension retain low rates of fraud. The DWP will of course want to focus this measure on addressing areas with a significant fraud or error challenge. The DWP has set out in its fraud plan how it plans to focus the new powers, which in the first instance will be on fraud in universal credit.

I thank noble Lords, particularly the noble Lord, Lord Vaux, for the attention paid to the department’s impact assessment, which sets out the details of this measure and all the others in the Bill. As he notes, it is substantive and thorough and was found to be such by the Regulatory Policy Committee, which gave it a green rating.

I hope that I have responded to most of the points raised by noble Lords today. I look forward to continuing to discuss these and other items raised.

Lord Sikka (Lab)

I would like some clarification. The Minister in the other place said:

“I agree, to the extent that levels of fraud in state pensions being currently nearly zero, the power is not needed in that case. However, the Government wish to retain an option should the position change in the future”.—[Official Report, Commons, 29/11/23; col. 912.]


Can the noble Viscount explain why the Government still want to focus on recipients of state pension given that there is virtually no fraud? That is about 12.6 million people, so why?

Viscount Camrose (Con)

Although proportionately fraud in the state pension is very low, it is still there. That will not be the initial focus, but the purpose is to future-proof the legislation rather than to have to keep coming back to your Lordships’ House.

Let me once again thank all noble Lords for their contributions and engagement. I look forward to further and more detailed debates on these matters and more besides in Committee. I recognise that there are strong views and it is a wide-ranging Bill, so there will be a lot of meat in our sandwich.

I congratulate the noble Lord, Lord de Clifford, on his perfectly judged maiden speech. I thoroughly enjoyed his description of his background and his valuable contributions on the Bill, and I welcome him to this House.

Finally, on a lighter note, I take this opportunity to wish all noble Lords—both those who have spoken in this debate and others—a very happy Christmas and a productive new year, during which I very much look forward to working with them on the Bill.

Bill read a second time.
Moved by
Viscount Camrose

That the bill be committed to a Grand Committee, and that it be an instruction to the Grand Committee that they consider the bill in the following order:

Clauses 1 to 5, Schedule 1, Clause 6, Schedule 2, Clauses 7 to 14, Schedule 3, Clauses 15 to 24, Schedule 4, Clause 25, Schedules 5 to 7, Clauses 26 to 46, Schedule 8, Clauses 47 to 51, Schedule 9, Clauses 52 to 117, Schedule 10, Clauses 118 to 128, Schedule 11, Clauses 129 to 137, Schedule 12, Clause 138, Schedule 13, Clauses 139 to 142, Schedule 14, Clause 143, Schedule 15, Clauses 144 to 157, Title.

Motion agreed.

Data Protection and Digital Information Bill

(Limited Text - Ministerial Extracts only)


Lord Bassam of Brighton (Lab)

As I was saying, it is important for the framework on data protection that we take a precautionary approach. I hope that the Minister will this afternoon be able to provide a plain English explanation of the changes, as well as giving us an assurance that those changes to definitions do not result in watering down the current legislation.

We broadly support Amendments 1 and 5 and the clause stand part notice, in the sense that they provide additional probing of the Government’s intentions in this area. We can see that the noble Lord, Lord Clement-Jones, is trying with Amendment 1 to bring some much-needed clarity to the anonymisation issue and, with Amendment 5, to secure that data remains personal data in any event. I suspect that the Minister will tell us this afternoon that that is already the case, but a significant number of commentators have questioned this, since the definition of “personal data” is seemingly moving away from the EU GDPR standard towards a definition that is more subjective from the perspective of the controller, processor or recipient. We must be confident that the new definition does not narrow the circumstances in which the information is protected as personal data. That will be an important standard for this Committee to understand.

Amendment 288, tabled by the noble Lord, Lord Clement-Jones, seeks a review and an impact assessment of the anonymisation and identifiability of data subjects. Examining that in the light of the EU GDPR seems to us to be a useful and novel way of making a judgment over which regime better suits and serves data subjects.

We will listen with interest to the Minister’s response. We want to be more than reassured that the previous high standards and fundamental principles of data protection will not be undermined and compromised.

The Parliamentary Under-Secretary of State, Department for Science, Innovation and Technology (Viscount Camrose) (Con)

I thank all noble Lords who have spoken in this brief, interrupted but none the less interesting opening debate. I will speak to the amendments tabled by the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Jones; I note that I plan to use that form of words quite a lot in the next eight sessions on this Bill. I thank them for tabling these amendments so that we can debate what are, in the Government’s view, the significant benefits of Clause 1.

In response to the points from the noble Lord, Lord Clement-Jones, on the appetite for the reforms in the Bill, we take very seriously the criticisms of the parties that he mentioned—the civil society groups—but it is important to note that, when the Government consulted on these reforms, we received almost 3,000 responses. At that time, we proposed to clarify when data would be regarded as anonymous and proposed legislating to confirm that the test for whether anonymous data can be reidentified is relative to the means available to the controller to reidentify the data. The majority of respondents agreed that greater clarity in legislation would indeed be beneficial.

As noble Lords will know, the UK’s data protection legislation applies only to personal data, which is data relating to an identified or identifiable living individual. It does not apply to non-personal, anonymous data. This is important because, if organisations can be sure that the data they are handling is anonymous, they may be able to more confidently put it to good use in important activities such as research and product development. The current data protection legislation is already clear that a person can be identified in a number of ways by reference to details such as names, identification numbers, location data and online identifiers, or via information about a person’s physical, genetic, mental, economic or cultural characteristics. The Bill does not change the existing legislation in this respect.

With regard to genetic information, which was raised by my noble friend Lord Kamall and the noble Lord, Lord Davies, any information that includes enough genetic markers to be unique to an individual is personal data and special category genetic data, even if names and other identifiers have been removed. This means that it is subject to the additional protections set out in Article 9 of the UK GDPR. The Bill does not change this position.

However, the existing legislation is unclear about the specific factors that a data controller must consider when assessing whether any of this information relates to an identifiable living person. This uncertainty is leading to inconsistent application of anonymisation and to anonymous data being treated as personal data out of an abundance of caution. This, in turn, reduces the opportunities for anonymous data to be used effectively for projects in the public interest. It is this difficulty that Clause 1 seeks to address by providing a comprehensive statutory test on identifiability. The test will require data controllers and processors to consider the likelihood of people within or outside their organisations reidentifying individuals using reasonable means. It is drawn from recital 26 of the EU GDPR and should therefore not be completely unfamiliar to most organisations.

I turn now to the specific amendments that have been tabled in relation to this clause. Amendment 1 in the name of the noble Lord, Lord Clement-Jones, would reiterate the position currently set out in the UK GDPR and its recitals: where individuals can be identified without the use of additional information because data controllers fail to put in place appropriate organisational measures, such as technical or contractual safeguards prohibiting reidentification, they would be considered directly identifiable. Technical and organisational measures put in place by organisations are factors that should be considered alongside others under new Section 3A of the Data Protection Act when assessing whether an individual is identifiable from the data being processed. Clause 1 sets out the threshold at which data—and, therefore, personal data—is identifiable and clarifies when data is anonymous.

On the technical capabilities of a respective data controller, these are already relevant factors under current law and ICO guidance in determining whether data is personal. This means that the test of identifiability is already a relative one today in respect of the data controller, the data concerned and the purpose of the processing. However, the intention of the data controller is not a relevant factor under current law, and nor does Clause 1 make it a factor. Clause 1 merely clarifies the position under existing law and follows very closely the wording of recital 26. Let me state this clearly: nothing in Clause 1 introduces the subjective intention of the data controller as a relevant factor in determining identifiability, and the position will remain the same as under the current law and as set out in ICO guidance.

In response to the points made by the noble Lord, Lord Clement-Jones, and others on pseudonymised personal data, noble Lords may be aware that the definition of personal data in Article 4(1) of the UK GDPR, when read in conjunction with the definition of pseudonymisation in Article 4(5), makes it clear that pseudonymised data is personal data, not anonymous data, and is thus covered by the UK’s data protection regime. I hope noble Lords are reassured by that. I also hope that, for the time being, the noble Lord, Lord Clement-Jones, will agree to withdraw his amendment and not press the related Amendment 5, which seeks to make it clear that pseudonymised data is personal data.

Amendment 4 would require the Secretary of State to assess the difference in meaning and scope between the current statutory definition of personal data and the new statutory definition that the Bill will introduce two months after its passing. Similarly, Amendment 288 seeks to review the impact of Clause 1 six months after the enactment of the Bill. The Government feel that neither of these amendments is necessary as the clause is drawn from recital 26 of the EU GDPR and case law and, as I have already set out, is not seeking to substantially change the definition of personal data. Rather, it is seeking to provide clarity in legislation.

Lord Bassam of Brighton (Lab)

I follow the argument, but what we are suggesting in our amendment is some sort of impact assessment for the scheme, including how it currently operates and how the Government wish it to operate under the new legislation. Have the Government undertaken a desktop exercise or any sort of review of how the two pieces of legislation might operate? Has any assessment of that been made? If they have done so, what have they found?

Viscount Camrose (Con)

Obviously, the Bill has been in preparation for some time. I completely understand the point, which is about how we can be so confident in these claims. I suggest that I work with the Bill team to get an answer to that question and write to Members of the Committee, because it is a perfectly fair question to ask what makes us so sure.

In the future tense, I can assure noble Lords that the Department for Science, Innovation and Technology will monitor and evaluate the impact of this Bill as a whole in the years to come, in line with cross-government evaluation guidance and through continued engagement with stakeholders.

The Government feel that the first limb of Amendment 5 is not necessary given that, as has been noted, pseudonymised data is already considered personal data under this Bill. In relation to the second limb of the amendment, if the data being processed is actually personal data, the ICO already has powers to require organisations to address non-compliance. These include requiring it to apply appropriate protections to personal data that it is processing, and are backed up by robust enforcement mechanisms.

That said, it would not be appropriate for the processing of data that was correctly assessed as anonymous at the time of processing to retrospectively be treated as processing of personal data and subject to data protection laws, simply because it became personal data at a later point in the processing due to a change in circumstances. That would make it extremely difficult for any organisation to treat any dataset as anonymous and would undermine the aim of the clause, significantly reducing the potential to use anonymous data for important research and development activities.

--- Later in debate ---
Lord Bassam of Brighton (Lab)

My Lords, we on the Labour Benches have become co-signatories to the amendments tabled by the noble Baroness, Lady Kidron, and supported by the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Harding. The noble Baroness set out very clearly and expertly the overarching purpose of retaining the level of protection currently afforded by the Data Protection Act 2018. Amendments 2 and 3 specifically stipulate that, where data controllers know, or should reasonably know, that a user is a child, they should be given the data protection codified in that Act. Amendment 9 takes it a stage further and includes children’s data in the definition of sensitive personal data, and gives it the benefit of being treated to a heightened level of protection—quite rightly, too. Finally, Amendment 290—the favourite of the noble Lord, Lord Clement-Jones—attempts to hold Ministers to the commitment made by Paul Scully in the Commons to maintain existing standards of data protection carried over from that 2018 Act.

Why is all this necessary? I suspect that the Minister will argue that it is not needed because Clause 5 already provides for the Secretary of State to consider the impact of any changes to the rights and freedoms of individuals and, in particular, of children, who require special protection.

We disagree with that argument. In the interests of brevity and the spirit of the recent Procedure Committee report, which says that we should not repeat each other’s arguments, I do not intend to speak at length, but we have a principal concern: to try to understand why the Government want to depart from the standards of protection set out in the age-appropriate design code—the international gold standard—which they so enthusiastically signed up to just five or six years ago. Given the rising levels of parental concern over harmful online content and well-known cases highlighting the harms that can flow from unregulated material, why do the Government consider it safe to water down the regulatory standards at this precise moment in time? The noble Baroness, Lady Kidron, valuably highlighted the impact of the current regulatory framework on companies’ behaviour. That is exactly what legislation is designed to do: to change how we look at things and how we work. Why change that? As she has argued very persuasively, it is and has been hugely transformative. Why throw away that benefit now?

My attention was drawn to one example of what can happen by a briefing note from the 5Rights Foundation. As it argued, children are uniquely vulnerable to harm and risk online. I thought its set of statistics was really interesting. By the age of 13, 72 million data points have already been collected about children. They are often not used in children’s best interests; for example, the data is often used to feed recommender systems and algorithms designed to keep attention at all costs and have been found to push harmful content at children.

When this happens repeatedly over time, it can have catastrophic consequences, as we know. The coroner in the Molly Russell inquest found that she had been recommended a stream of depressive content by algorithms, leading the coroner to rule that she

“died from an act of self-harm whilst suffering from depression and the negative effects of online content”.

We do not want more Molly Russell cases. Progress has already been made in this field; we should consider dispensing with it at our peril. Can the Minister explain today the thinking and logic behind the changes that the Government have brought forward? Can he estimate the impact that the new lighter-touch regime, as we see it, will have on child protection? Have the Government consulted extensively with those in the sector who are properly concerned about child protection issues, and what sort of responses have the Government received?

Finally, why have the Government decided to take a risk with the sound framework that was already in place and built on during the course of the Online Safety Act? We need to hear very clearly from the Minister how they intend to engage with groups that are concerned about these child protection issues, given the apparent loosening of the current framework. The noble Baroness, Lady Harding, said that this is hard-fought ground; we intend to continue making it so because these protections are of great value to our society.

Viscount Camrose (Con)

I am grateful to the noble Baroness, Lady Kidron, for her Amendments 2, 3, 9 and 290 and to all noble Lords who have spoken, as ever, so clearly on these points.

All these amendments seek to add protections for children to various provisions in the Bill. I absolutely recognise the intent behind them; indeed, let me take this opportunity to say that the Government take child safety deeply seriously and agree with the noble Baroness that all organisations must take great care, both when making decisions about the use of children’s data and throughout the duration of their processing activities. That said, I respectfully submit that these amendments are not necessary for three main reasons; I will talk in more general terms before I come to the specifics of the amendments.

First, the Bill maintains a high standard of data protection for everybody in the UK, including—of course—children. The Government are not removing any of the existing data protection principles in relation to lawfulness, fairness, transparency, purpose limitation, data minimisation, storage limitation, accuracy, data security or accountability; nor are they removing the provisions in the UK GDPR that require organisations to build privacy into the design and development of new processing activities.

The existing legislation acknowledges that children require specific protection for their personal data, as they may be less aware of the risks, consequences and safeguards concerned, and of their rights in relation to the processing of personal data. Organisations will need to make sure that they continue to comply with the data protection principles on children’s data and follow the ICO’s guidance on children and the UK GDPR, following the changes we make in the Bill. Organisations that provide internet services likely to be accessed by children will need to continue to comply with their transparency and fairness obligations and the ICO’s age-appropriate design code. The Government welcome the AADC, as Minister Scully said, and remain fully committed to the high standards of protection that it sets out for children.

Secondly, some of the provisions in the Bill have been designed specifically with the rights and safety of children in mind. For example, one reason that the Government introduced the new lawful ground of recognised legitimate interest in Clause 5, which we will debate later, was that some consultation respondents said that the current legislation can deter organisations, particularly in the voluntary sector, from sharing information that might help to prevent crime or protect children from harm. The same goes for the list of exemptions to the purpose limitation principle introduced by Clause 6.

There could be many instances where personal data collected for one purpose may have to be reused to protect children from crime or safeguarding risks. The Bill will provide greater clarity around this and has been welcomed by stakeholders, including in the voluntary sector.

--- Later in debate ---
Viscount Camrose (Con)

While some provisions in the Bill do not specifically mention children or children’s rights, data controllers will still need to carefully consider the impact of their processing activities on children. For example, the new obligations on risk assessments, record keeping and the designation of senior responsible individuals will apply whenever an organisation’s processing activities are likely to result in high risks to people, including children.

Thirdly, the changes we are making in the Bill must be viewed in a wider context. Taken together, the UK GDPR, the Data Protection Act 2018 and the Online Safety Act 2023 provide a comprehensive legal framework for keeping children safe online. Although the data protection legislation and the age-appropriate design code make it clear how personal data can be processed, the Online Safety Act makes clear that companies must take steps to make their platforms safe by design. It requires social media companies to protect children from illegal, harmful and age-inappropriate content, to ensure they are more transparent about the risks and dangers posed to children on their sites, and to provide parents and children with clear and accessible ways to report problems online when they do arise.

After those general remarks, I turn to the specific amendments. The noble Baroness’s Amendments 2 and 3 would amend Clause 1 of the Bill, which relates to the test for assessing whether data is personal or anonymous. Her explanatory statement suggests that these amendments are aimed at placing a duty on organisations to determine whether the data they are processing relates to children, thereby creating a system of age verification. However, requiring data controllers to carry out widespread age verification of data subjects could create its own data protection and privacy risks, as it would require them to retain additional personal information such as dates of birth.

The test we have set out for reidentification is intended to apply to adults and children alike. If any person is likely to be identified from the data using reasonable means, the data protection legislation will apply. Introducing one test for adults and one for children is unlikely to be workable in practice and fundamentally undermines the clarity that this clause seeks to bring to organisations. Whether a person is identifiable will depend on a number of objective factors, such as the resources and technology available to organisations, regardless of whether they are an adult or a child. Creating wholly separate tests for adults and children, as set out in the amendment, would add unnecessary complexity to the clause and potentially lead to confusion.

Lord Bassam of Brighton (Lab)

As I understand it, the basis on which we currently operate is that children get a heightened level of protection. Is the Minister saying that that is now unnecessary and is captured by the way in which the legislation has been reframed?

Viscount Camrose (Con)

I am saying, specifically on Clause 1, that separating the identifiability of children and the identifiability of adults would be detrimental to both but particularly, in this instance, to children.

Amendment 9 would ensure that children’s data is included in the definition of special category data and is subject to the heightened protections afforded to this category of data by Article 9 of the UK GDPR. This could have unintended consequences, because the legal position would be that processing of children’s data would be banned unless specifically permitted. This could create the need for considerable additional legislation to exempt routine and important processing from the ban; for example, banning a Girl Guides group from keeping a list of members unless specifically exempted would be disproportionate. However, more sensitive data such as records relating to children’s health or safeguarding concerns would already be subject to heightened protections in the UK GDPR, as soon as the latter type of data is processed.

I am grateful to the noble Baroness, Lady Kidron, for raising these issues and for the chance to set out why the Government feel that children’s protection is at least maintained, if not enhanced. I hope my answers have, for the time being, persuaded her of the Government’s view that the Bill does not reduce standards of protection for children’s data. On that basis, I ask her also not to move her Amendment 290 on the grounds that a further overarching statement on this is unnecessary and may cause confusion when interpreting the legislation. For all the reasons stated above, I hope that she will now reconsider whether her amendments in this group are necessary and agree not to press them.

Lord Bassam of Brighton (Lab)

Can I press the Minister more on Amendment 290 from the noble Baroness, Lady Kidron? All it does is seek to maintain the existing standards of data protection for children, as carried over from the 2018 Act. If that is all it does, what is the problem with that proposed new clause? In its current formulation, does it not put the intention of the legislation in a place of certainty? I do not quite get why it would be damaging.

Viscount Camrose (Con)

I believe it restates what the Government feel is clearly implied or stated throughout the Bill: that children’s safety is paramount. Therefore, putting it there is either duplicative or confusing; it reduces the clarity of the Bill. In no way is this to say that children are not protected—far from it. The Government feel it would diminish the clarity and overall cohesiveness of the Bill to include it.

Lord Clement-Jones (LD)

My Lords, not to put too fine a point on it, the Minister is saying that nothing in the Bill diminishes children’s rights, whether in Clause 1, Clause 6 or the legitimate interest in Clause 5. He is saying that absolutely nothing in the Bill diminishes children’s rights in any way. Is that his position?

Baroness Harding of Winscombe (Con)

Can I add to that question? Is my noble friend the Minister also saying that there is no risk of companies misinterpreting the Bill’s intentions and assuming that this might be some form of diminution of the protections for children?

Viscount Camrose (Con)

In answer to both questions, what I am saying is that, first, any risk of misinterpreting the Bill with respect to children’s safety is diminished, rather than increased, by the Bill. Overall, it is the Government’s belief and intention that the Bill in no way diminishes the safety or privacy of children online. Needless to say, if over the course of our deliberations the Committee identifies areas of the Bill where that is not the case, we will absolutely be open to listening on that, but let me state this clearly: the intent is to at least maintain, if not enhance, the safety and privacy of children and their data.

Lord Bassam of Brighton (Lab)

My Lords, that creates another question, does it not? If that is the case, why amend the original wording from the 2018 Act?

Viscount Camrose (Con)

Sorry, the 2018 Act? Or is the noble Lord referring to the amendments?

Lord Bassam of Brighton (Lab)

Why change the wording that provides the protection that is there currently?

Viscount Camrose (Con)

I assume the noble Lord is referring to Amendment 290.

Viscount Camrose (Con)

Okay. The Government feel that, in terms of the efficient and effective drafting of the Bill, that paragraph diminishes the clarity by being duplicative rather than adding to it by making a declaration. For the same reason, we have chosen not to make a series of declarations about other intentions of the Bill overall in the belief that the Bill’s intent and outcome are protected without such a statement.

Baroness Kidron (CB)

My Lords, before our break, the noble Baroness, Lady Harding, said that this is hard-fought ground; I hope the Minister understands from the number of questions he has just received during his response that it will continue to be hard-fought ground.

I really regret having to say this at such an early stage on the Bill, but I think that some of what the Minister said was quite disingenuous. We will get to it in other parts of the Bill, but the thing that we have all agreed to disagree on at this point is the statement that the Bill maintains data privacy for everyone in the UK. That is a point of contention between noble Lords and the Minister. I absolutely accept and understand that we will come to a collective view on it in Committee. However, the Minister appeared to suggest—I ask him to correct me if I have got this wrong—that the changes on legitimate interest and purpose limitation are child safety measures because some people are saying that they are deterred from sharing data for child protection reasons. I have to tell him that they are not couched or formed like that; they are general-purpose shifts. There is absolutely no question but that the Government could have made specific changes for child protection, put them in the Bill and made them absolutely clear. I find that very worrying.

I also find it worrying, I am afraid—this is perhaps where we are heading and the thing that many organisations are worried about—that bundling the AADC in with the Online Safety Act and saying, “I’ve got it over here so you don’t need it over there” is not the same as maintaining the protections for children from a high level of data. It is not the same set of things. I specifically said that this was not an age-verification measure and would not require it; whatever response there was on that was therefore unnecessary because I made that quite clear in my remarks. The Committee can understand that, in order to set a high bar of data protection, you must either identify a child or give it to everyone. Those are your choices. You do not have to verify.

I will withdraw the amendment, but I must say that the Government may not have it both ways. The Bill cannot be different or necessary and at the same time do nothing. The piece that I want to leave with the Committee is that it is the underlying provisions that allow the ICO to take action on the age-appropriate design code. It does not matter what is in the code; if the underlying provisions change, so does the code. During Committee, I expect that there will be a report on the changes that have happened all around the world as a result of the code, and we will be able to measure whether the new Bill would be able to create those same changes. With that, I beg leave to withdraw my amendment.

--- Later in debate ---
Baroness Jones of Whitchurch (Lab)

My Lords, I am grateful to all noble Lords who have spoken on this group. Amendment 6 to Clause 2, tabled by the noble Lord, Lord Clement-Jones, rightly tests the boundaries on the use of personal data for scientific research and, as he says, begins to ask, “What is the real purpose of this clause? Is it the clarification of existing good practice or is it something new? Do we fully understand what that new proposition is?”

As he said, there is particular public concern about the use of personal health data where it seems that some private companies are stretching the interpretation of “the public good”, for which authorisation for the use of this data was initially freely given, to something much wider. Although the clause seeks to provide some reassurance on this, we question whether it goes far enough and whether there are sufficient protections against the misuse of personal health data in the way the clause is worded.

This raises the question of whether it is only public health research that needs to be in the public interest, which is the way the clause is worded at the moment, because it could equally apply to research using personal data from other public services, such as measuring educational outcomes or accessing social housing. There is a range of uses for personal data. In an earlier debate, we heard about the plethora of data already held on people, much of which individuals do not understand or know about and which could be used for research or to make judgments about them. So we need to be sensitive about the way this might be used. It would be helpful to hear from the Minister why public health research has been singled out for special attention when, arguably, it should be a wider right across the board.

Noble Lords have asked questions about the wider concerns around Clause 2, which could enable private companies to use personal data to develop new products for commercial benefit without needing to inform the data subjects. As noble Lords have said, this is not what people would normally expect to be described as “scientific research”. The noble Baroness, Lady Kidron, was quite right that it has the potential to be unethical, so we need some standards and some clear understanding of what we mean by “scientific research”.

That is particularly important for Amendments 7 and 132 to 134 in the name of the noble Lord, Lord Clement-Jones, which underline the need for data subjects to be empowered and given the opportunity to object to their data being used for a new purpose. Arguably, without these extra guarantees—particularly because there is a lack of trust about how a lot of this information is being used—data subjects will be increasingly reluctant to hand over personal data on a voluntary basis in the first place. It may well be that this is an area where the Information Commissioner needs to provide additional advice and guidance to ensure that we can reap the benefits of good-quality scientific research that is in the public interest and in which the citizens involved can have absolute trust. Noble Lords around the Room have stressed that point.

Finally, we have added our names to the amendments tabled by the noble Baroness, Lady Kidron, on the use of children’s data for scientific research. As she rightly points out, the 2018 Act gave children a higher standard of protection on the uses for which their data is collected and processed. It is vital that this Bill, for all its intents to simplify and water down preceding rights, does not accidentally put at risk the higher protection agreed for children. In the earlier debate, the Minister said that he believed it will not do so. I am not sure that “believe” is a strong enough word here; we need guarantees that go beyond that. I think that this is an issue we will come back to again and again in terms of what is in the Bill and what guarantees exist for that protection.

In particular, there is a concern that relaxing the legal basis on which personal data can be processed for scientific research, including privately funded research carried out by commercial entities, could open the door for children’s data to be exploited for commercial purposes. We will consider the use of children’s data collected in schools in our debate on a separate group but we clearly need to ensure that the handling of pupils’ data by the Department for Education and the use of educational apps by private companies do not lead to a generation of exploited children who are vulnerable to direct marketing and manipulative messaging. The noble Baroness’s amendments are really important in this regard.

I also think that the noble Baroness’s Amendment 145 is a useful initiative to establish a code of practice on children’s data and scientific research. It would give us an opportunity to balance the best advantages of children’s research, which is clearly in the public and personal interest, with the maintenance of the highest level of protection from exploitation.

I hope that the Minister can see the sense in these amendments. In particular, I hope that he will take forward the noble Baroness’s proposals and agree to work with us on the code of practice principles and to put something like that in the Bill. I look forward to his response.

Viscount Camrose (Con)

I thank the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Jones, for this series of amendments.

I will first address Amendment 6, which seeks to amend Clause 2. As the noble Lord said, the definitions created by Clause 2, including “scientific research purposes”, are based on the current wording in recital 159 to the UK GDPR. We are changing not the scope of these definitions but their legal status. This amendment would require individual researchers to assess whether their research should be considered to be in the public interest, which could create uncertainty in the sector and discourage research. This would be more restrictive than the current position and would undermine the Government’s objectives to facilitate scientific research and empower researchers.

We have maintained a flexible scope as to what is covered by “scientific research” while ensuring that the definition is still sufficiently narrow in that it can cover only what would reasonably be seen as scientific research. This is because the legislation needs to be able to adapt to the emergence of new areas of innovative research. Therefore, the Government feel that it is more appropriate for the regulator to add more nuance and context to the definition. This includes the types of processing that are considered—

Lord Clement-Jones (LD)

I am sorry to interrupt but it may give the Box a chance to give the Minister a note on this. Is the Minister saying that recital 159 includes the word “commercial”?

Viscount Camrose (Con)

I am afraid I do not have an eidetic memory of recital 159, but I would be happy to—

Lord Clement-Jones (LD)

That is precisely why I ask this question in the middle of the Minister’s speech to give the Box a chance to respond, I hope.

Viscount Camrose (Con)

Researchers must also comply with the required safeguards to protect individuals’ privacy. All organisations conducting scientific research, including those with commercial interests, must also meet all the safeguards for research laid out in the UK GDPR and comply with the legislation’s core principles, such as fairness and transparency. Clause 26 sets out several safeguards that research organisations must comply with when processing personal data for research purposes. The ICO will update its non-statutory guidance to reflect many of the changes introduced by this Bill.

Scientific research currently holds a privileged place in the data protection framework because, by its nature, it is already viewed as generally being in the public interest. As has been observed, the Bill already applies a public interest test to processing for the purpose of public health studies in order to provide greater assurance for research that is particularly sensitive. Again, this reflects recital 159.

In response to the noble Baroness, Lady Jones, on why public health research is being singled out, as she stated, this part of the legislation just adds an additional safeguard to studies into public health ensuring that they must be in the public interest. This does not limit the scope for other research unrelated to public health. Studies in the area of public health will usually be in the public interest. For the rare, exceptional times that a study is not, this requirement provides an additional safeguard to help prevent misuse of the various exemptions and privileges for researchers in the UK GDPR. “Public interest” is not defined in the legislation, so the controller needs to make a case-by-case assessment based on its purposes.

On the point made by the noble Lord, Lord Clement-Jones, about recitals and ICO guidance, although we of course respect and welcome ICO guidance, it does not have legislative effect and does not provide the certainty that legislation does. That is why we have done so via this Bill.

Amendment 7 to Clause 3 would undermine the broader consent concept for scientific research. Clause 3 places the existing concept of “broad consent” currently found in recital 33 to the UK GDPR on a statutory footing with the intention of improving awareness and confidence for researchers. This clause applies only to scientific research processing that is reliant on consent. It already contains various safeguards. For example, broad consent can be used only where it is not possible to identify at the outset the full purposes for which personal data might be processed. Additionally, to give individuals greater agency, where possible individuals will have the option to consent to only part of the processing and can withdraw their consent at any time.

Clause 3 clarifies an existing concept of broad consent which outlines how the conditions for consent will be met in certain circumstances when processing for scientific research purposes. This will enable consent to be obtained for an area of scientific research when researchers cannot at the outset identify fully the purposes for which they are collecting the data. For example, the initial aim may be the study of cancer, but it later becomes the study of a particular cancer type.

Furthermore, as part of the reforms around the reuse of personal data, we have further clarified that when personal data is originally collected on the basis of consent, a controller would need to get fresh consent to reuse that data for a new purpose unless a public interest exemption applied and it is unreasonable to expect the controller to obtain that consent. A controller cannot generally reuse personal data originally collected on the basis of consent for research purposes.

Turning to Amendments 132 and 133 to Clause 26, the general rule described in Article 13(3) of the UK GDPR is that controllers must inform data subjects about a change of purposes, which provides an opportunity to withdraw consent or object to the proposed processing where relevant. There are existing exceptions to the right to object, such as Article 21(6) of the UK GDPR, where processing is necessary for research in the public interest, and in Schedule 2 to the Data Protection Act 2018, when applying the right would prevent or seriously impair the research. Removing these exemptions could undermine life-saving research and compromise long-term studies so that they are not able to continue.

Regarding Amendment 134, new Article 84B of the UK GDPR already sets out the requirement that personal data should be anonymised for research, archiving and statistical—RAS—purposes unless doing so would mean the research could not be carried through. Anonymisation is not always possible as personal data can be at the heart of valuable research, archiving and statistical activities, for example, in genetic research for the monitoring of new treatments of diseases. That is why new Article 84C of the UK GDPR also sets out protective measures for personal data that is used for RAS purposes, such as ensuring respect for the principle of data minimisation through pseudonymisation.

The stand part notice in this group seeks to remove Clause 6 and, consequentially, Schedule 2. In the Government’s consultation on data reform, Data: A New Direction, we heard that the current provisions in the UK GDPR on personal data reuse are difficult for controllers and individuals to navigate. This has led to uncertainty about when controllers can reuse personal data, causing delays for researchers and obstructing innovation. Clause 6 and Schedule 2 address the existing uncertainty around reusing personal data by setting out clearly the conditions in which the reuse of personal data for a new purpose is permitted. Clause 6 and Schedule 2 must therefore remain to give controllers legal certainty and individuals greater transparency.

Amendment 22 seeks to remove the power to add to or vary the conditions set out in Schedule 2. These conditions currently constitute a list of specific public interest purposes, such as safeguarding vulnerable individuals, for which an organisation is permitted to reuse data without needing consent or to identify a specific law elsewhere in legislation. Since this list is strictly limited and exhaustive, a power is needed to ensure that it is kept up to date with future developments in how personal data is used for important public interest purposes.

Baroness Kidron (CB)

I am interested that the safeguarding requirement is already in the Bill, so, in terms of children, which I believe the Minister is going to come to, the onward processing is not a question of safeguarding. Is that correct? As the Minister has just indicated, that is already a provision.

--- Later in debate ---
Viscount Camrose (Con)

Just before we broke, I was on the verge of attempting to answer the question from the noble Baroness, Lady Kidron; I hope my coming words will do that, but she can intervene again if she needs to.

I turn to the amendments that concern the use of children’s data in research and reuse. Amendment 8 would also amend Clause 3; the noble Baroness suggests that the measure should not apply to children’s data, but this would potentially prevent children, or their parents or guardians, from agreeing to participate in broad areas of pioneering research that could have a positive impact on children, such as on the causes of childhood diseases.

On the point about safeguarding, the provisions on recognised legitimate interests and further processing are required for safeguarding children for compliance with, respectively, the lawfulness and purpose limitation principles. The purpose limitation provision in this clause is meant for situations where the original processing purpose was not safeguarding and the controller then realises that there is a need to further process it for safeguarding.

Research organisations are already required to comply with the data protection principles, including on fairness and transparency, so that research participants can make informed decisions about how their data is used; and, where consent is the lawful basis for processing, children, or their parents or guardians, are free to choose not to provide their consent, or, if they do consent, they can withdraw it at any time. In addition, the further safeguards that are set out in Clause 26, which I mentioned earlier, will protect all personal data, whether it relates to children or adults.

Amendment 21 would require data controllers to have specific regard to the fact that children’s data requires a higher standard of protection for children when deciding whether reuse of their data is compatible with the original purpose for which it was collected. This is unnecessary because the situations in which personal data could be reused are limited to public interest purposes designed largely to protect the public and children, in so far as they are relevant to them. Controllers must also consider the possible consequences for data subjects and the relationship between the controller and the data subject. This includes taking into account that the data subject is a child, in addition to the need to generally consider the interests of children.

Amendment 23 seeks to limit use of the purpose limitation exemptions in Schedule 2 in relation to children’s data. This amendment is unnecessary because these provisions permit further processing only in a narrow range of circumstances and can be expanded only to serve important purposes of public interest. Furthermore, it may inadvertently be harmful to children. Current objectives include safeguarding children or vulnerable people, preventing crime or responding to emergencies. In seeking to limit the use of these provisions, there is a risk that the noble Baroness’s amendments might make data controllers more hesitant to reuse or disclose data for public interest purposes and undermine provisions in place to protect children. These amendments could also obstruct important research that could have a demonstrable positive impact on children, such as research into children’s diseases.

Amendment 145 would require the ICO to publish a statutory code on the use of children’s data in scientific research and technology development. Although the Government recognise the value that ICO codes can play in promoting good practice and improving compliance, we do not consider that it would be appropriate to add these provisions to the Bill without further detailed consultation with the ICO and the organisations likely to be affected by the new codes. Clause 33 of the Bill already includes a measure that would allow the Secretary of State to request the ICO to publish a code on any matter that it sees fit, so this is an issue that we could return to in the future if the evidence supports it.

Baroness Kidron (CB)

I will read Hansard very carefully, because I am not sure that I absolutely followed the Minister, but we will undoubtedly come back to this. I will ask two questions. Earlier, before we had a break, in response to some of the early amendments in the name of the noble Lord, Lord Clement-Jones, the Minister suggested that several things were being taken out of the recital to give them solidity in the Bill; so I am using this opportunity to suggest that recital 38, which is the special consideration of children’s data, might usefully be treated in a similar way and that we could then have a schedule that is the age-appropriate design code in the Bill. Perhaps I can leave that with the Minister, and perhaps he can undertake to have some further consultation with the ICO on Amendment 145 specifically.

Viscount Camrose (Con)

With respect to recital 38, that sounds like a really interesting idea. Yes, let us both have a look and see what the consultation involves and what the timing might look like. I confess to the Committee that I do not know what recital 38 says, off the top of my head. For the reasons I have set out, I am not able to accept these amendments. I hope that noble Lords will therefore not press them.

Returning to the questions by the noble Lord, Lord Clement-Jones, on the contents of recital 159, the current UK GDPR and EU GDPR are silent on the specific definition of scientific research. It does not preclude commercial organisations performing scientific research; indeed, the ICO’s own guidance on research and its interpretation of recital 159 already mention commercial activities. Scientific research can be done by commercial organisations—for example, much of the research done into vaccines, and the research into AI referenced by the noble Baroness, Lady Harding. The recital itself does not mention it but, as the ICO’s guidance is clear on this already, the Government feel that it is appropriate to put this on a statutory footing.

Lord Clement-Jones (LD)

My Lords, that was intriguing. I thank the Minister for his response. It sounds as though, again, guidance would have been absolutely fine, but what is there not to like about the ICO bringing clarity? It was quite interesting that the Minister used the phrase “uncertainty in the sector” on numerous occasions and that is becoming a bit of a mantra as the Bill goes on. We cannot create uncertainty in the sector, so the poor old ICO has been labouring in the vineyard for the last few years to no purpose at all. Clearly there has been uncertainty in the sector of a major description, and all its guidance and all the work that it has put in over the years have been wholly fruitless, really. It is only this Government that have grabbed the agenda with this splendid 300-page data protection Bill that will clarify this for business. I do not know how much they will have to pay to get new compliance officers or whatever it happens to be, but the one thing that the Bill will absolutely not create is greater clarity.

I am a huge fan of making sure that we understand what the recitals have to say, and it is very interesting that the Minister is saying that the recital is silent but the ICO’s guidance is pretty clear on this. I am hugely attracted by the idea of including recital 38 in the Bill. It is another lightbulb moment from the noble Baroness, Lady Kidron, who has these moments, rather like with the age-appropriate design code, which was a huge one.

We are back to the concern, whether in the ICO guidance, the Bill or wherever, that scientific research needs to be in the public interest to qualify and not have all the consents that are normally required for the use of personal data. The Minister said, “Well, of course we think that scientific research is in the public interest; that is its very definition”. So why does only public health research need that public interest test and not the other aspects? Is it because, for instance, the opt-out was a bit of a disaster and 3 million people opted out of allowing their health data to be shared or accessed by GPs? Yes, it probably is.

Do the Government want a similar kind of disaster to happen, in which people get really excited about Meta or other commercial organisations getting hold of their data, a public outcry ensues and they therefore have to introduce a public interest test on that? What is sauce for the goose is sauce for the gander. I do not think that personal data should be treated in a particularly different way in terms of its public interest, just because it is in healthcare. I very much hope that the Minister will consider that.

--- Later in debate ---
Baroness Jones of Whitchurch (Lab)

My Lords, I am also pleased to support these amendments in the name of the noble Baroness, Lady Kidron, to which I have added my name. I am hugely enthusiastic about them, too, and think that this has been a lightbulb moment from the noble Baroness. I very much thank her for doing all of this background work because she has identified the current weakness in the data protection landscape: it is currently predicated on an arrangement between an individual and the organisation that holds their data.

That is an inherently unbalanced power construct. As the noble Baroness said, as tech companies become larger and more powerful, it is not surprising that many individuals feel overwhelmed by the task of questioning or challenging those that are processing their personal information. It assumes a degree of knowledge about their rights and a degree of digital literacy, which we know many people do not possess.

In the very good debate that we had on digital exclusion a few weeks ago, it was highlighted that around 2.4 million people are unable to complete a single basic task to get online, such as opening an internet browser, and that more than 5 million employed adults cannot complete essential digital work tasks. These individuals cannot be expected to access their digital data on their own; they need the safety of a larger group to do so. We need to protect the interests of an entire group that would otherwise be locked out of the system.

The noble Baroness referred to the example of Uber drivers who were helped by their trade union to access their data, sharing patterns of exploitation and subsequently strengthening their employment package, but this does not have to be about just union membership; it could be about the interests of a group of public sector service users who want to make sure that they are not being discriminated against, a community group that wants its bid for a local grant to be treated fairly, and so on. We can all imagine examples of where this would work in a group’s interest. As the noble Baroness said, these proposals would allow any group of people to assign their rights—rights that are more powerful together than apart.

There could be other benefits; if data controllers are concerned about the number of individual requests that they are receiving for data information—and a lot of this Bill is supposed to address that extra work—group requests, on behalf of a data community, could provide economies of scale and make the whole system more efficient.

Like the noble Baroness, I can see great advantages from this proposal; it could lay the foundation for other forms of data innovation and help to build trust with many citizens who currently see digitalisation as something to fear—this could allay those fears. Like the noble Lord, Lord Clement-Jones, I hope the Minister can provide some reassurance that the Government welcome this proposal, take it seriously and will be prepared to work with the noble Baroness and others to make it a reality, because there is the essence of a very good initiative here.

Viscount Camrose (Con)

I thank the noble Baroness, Lady Kidron, for raising this interesting and compelling set of ideas. I turn first to Amendments 10 and 35 relating to data communities. The Government recognise that individuals need to have the appropriate tools and mechanisms to easily exercise their rights under the data protection legislation. It is worth pointing out that current legislation does not prevent data subjects authorising third parties to exercise certain rights. Article 80 of the UK GDPR also explicitly gives data subjects the right to appoint not-for-profit bodies to exercise certain rights, including their right to bring a complaint to the ICO, to appeal against a decision of the ICO or to bring legal proceedings against a controller or processor and the right to receive compensation.

The concept of data communities exercising certain data subject rights is closely linked with the wider concept of data intermediaries. The Government recognise the existing and potential benefits of data intermediaries and are committed to supporting them. However, given that data intermediaries are new, we need to be careful not to distort the sector at such an early stage of development. As in many areas of the economy, officials are in regular contact with businesses, and the data intermediary sector is no different. One such engagement is the DBT’s Smart Data Council, which includes a number of intermediary businesses that advise the Government on the direction of smart data policy. The Government would welcome further and continued engagement with intermediary businesses to inform how data policy is developed.

Lord Clement-Jones (LD)

I am sorry, but the Minister used a pretty pejorative word: “distort” the sector. What does he have in mind?

Viscount Camrose (Con)

I did not mean to be pejorative; I merely point out that before embarking on quite a far-reaching policy—as noble Lords have pointed out—we would not want to jump the gun prior to consultation and researching the area properly. I certainly do not wish to paint a negative portrait.

Lord Clement-Jones (LD)

Is this one of those “in due course” moments?

Viscount Camrose (Con)

It is a moment at which I cannot set a firm date for a firm set of actions, but on the other hand I am not attempting to punt it into the long grass either. The Government do not want to introduce a prescriptive framework without assessing potential risks, strengthening the evidence base and assessing the appropriate regulatory response. For these reasons, I hope that for the time being the noble Baroness will not press these amendments.

The noble Baroness has also proposed Amendments 147 and 148 relating to the role of the Information Commissioner’s Office. Given my response just now to the wider proposals, these amendments are no longer necessary and would complicate the statute book. We note that Clause 35 already includes a measure that will allow the Secretary of State to request the Information Commissioner’s Office to publish a code on any matter that she or he sees fit, so this is an issue we could return to in future if such a code were deemed necessary.

Lord Clement-Jones (LD)

My Lords, I am sorry to keep interrupting the Minister. Can he give us a bit of a picture of what he has in mind? He said that he did not want to distort things at the moment, that there were intermediaries out there and so on. That is all very well, but is he assuming that a market will be developed or is developing? What overview of this does he have? In a sense, we have a very clear proposition here, which the Government should respond to. I am assuming that this is not a question just of letting a thousand flowers bloom. What is the government policy towards this? If you look at the Hall-Pesenti review and read pretty much every government response—including to our AI Select Committee, where we talked about data trusts and picked up the Hall-Pesenti review recommendations—you see that the Government have been pretty much positive over time when they have talked about data trusts. The trouble is that they have not done anything.

Viscount Camrose (Con)

Overall, as I say and as many have said in this brief debate, this is a potentially far-reaching and powerful idea with an enormous number of benefits. But the fact that it is far-reaching implies that we need to look at it further. I am afraid that I am not briefed on long-standing—

Lord Clement-Jones (LD)

May I suggest that the Minister writes? On the one hand, he is saying that we will be distorting something—that something is happening out there—but, on the other hand, he is saying that he is not briefed on what is out there or what the intentions are. A letter unpacking all that would be enormously helpful.

Viscount Camrose (Con)

I am very happy to write on this. I will just say that I am not briefed on previous government policy towards it, dating back many years before my time in the role.