Data Protection and Digital Information Bill
(Limited Text - Ministerial Extracts only)
Read Full debateTuesday 19th December 2023
(4 months, 3 weeks ago)
Lords ChamberData Protection and Digital Information Bill 2022-23 View all Data Protection and Digital Information Bill 2022-23 Debates Read Hansard Text Watch Debate Amendment Paper: Consideration of Bill Amendments as at 29 November 2023 - large print - (29 Nov 2023)
The Parliamentary Under-Secretary of State, Department for Science, Innovation and Technology (Viscount Camrose) (Con)
My Lords, in a time of rapid technological change, we need people to trust in how we can use data for greater good. By building understanding and confidence in the rules surrounding how we use data, we can unlock its real potential, not only for businesses but for people going about their everyday lives.
In 2018 Parliament passed the Data Protection Act, which was the UK’s implementation of the EU general data protection regulation. While the EU GDPR protected the privacy rights of individuals, there were unintended consequences. It resulted in high costs and a disproportionate compliance burden for small businesses. These reforms deliver on the Government’s promise to use the opportunity afforded to us by leaving the European Union to create a new and improved UK data rights regime.
The Bill has five parts that deliver on individual elements of these reforms. Part 1 updates and simplifies the UK GDPR and DPA 2018 to ease compliance burdens on businesses and introduce safeguards from new technologies. It also updates the similar regimes that apply to law enforcement agencies and intelligence services. Part 2 enables DSIT’s digital verification services policy, giving people secure options to prove their identity digitally across different sectors of the economy if they choose to do so. Part 3 establishes a framework to set up smart data schemes across the economy. Part 4 reforms the privacy and electronic communications regulations—PECR—to bring stronger protection for consumers against nuisance calls. It also contains reforms to ensure the better use of data in health and adult social care, law enforcement and security. Part 5 will modernise the Information Commissioner’s Office by making sure that it has the capabilities and the powers to tackle organisations that breach data rules, giving the ICO freedom to better allocate its resources and ensuring that it is more accountable to Parliament and to the public.
I stress that the Bill will continue to maintain the highest standards of data protection that people rightly expect. It will also help those who use our data to make our lives healthier, safer and more prosperous. That is because we have convened industry leaders and experts to codesign the Bill with us throughout its creation. This legislation will ensure that our regulation reflects the way in which real people live their lives and run their businesses.
On Report in the other place, we tabled a number of amendments to strengthen the fundamental elements of the Bill and to reflect the Government’s commitment to unleash the power of data across our economy and society. I take this opportunity to thank Members of Parliament and the numerous external stakeholders who have worked with us to ensure that the Bill functions at its absolute best. Taken together, these amendments will benefit the economy by £10.6 billion over 10 years. This is more than double the estimated impact of the Bill when introduced in the spring.
These reforms are expected to lower the compliance burden on businesses. We expect small and micro-businesses to achieve greater overall compliance cost savings than larger business. We expect these compliance cost savings for small and micro-business compliance to be approximately £90 million a year as a result of the domestic data protection policies in the Bill.
The Bill makes it clear that the amount that any organisation needs to do to comply and demonstrate compliance should be directly related to the risk its processing activities pose to individuals. That means that in the future, organisations will have to keep records of their processing activities, undertake risk assessments and designate senior responsible individuals to manage data protection risks only if their processing activities are likely to pose high risks to individuals. We are also removing the need for organisations to do detailed legitimate interest assessments and document the outcomes when their activities are clearly in the public interest—for example, when they are reporting child safeguarding concerns. This will help reduce the amount of privacy paperwork and allow businesses to invest time and resources elsewhere.
Let me make this absolutely clear: enabling more effective use of data and ensuring high data protection standards are not contradictory objectives. Businesses need to understand and to trust in our data protection rules, and that is what these measures are designed to achieve. At the same time, people across the UK need to fundamentally trust that the system works for them too. We know that lots of organisations already have good processes for how they deal with data protection complaints, and it is right that we strengthen this. By making these a requirement, the Bill helps data subjects exercise their rights and directly challenge organisations they believe are misusing their data.
We already have a world-leading independent regulator, the Information Commissioner’s Office. It is only right that we continue to provide the ICO with the tools it needs to keep pace with our dramatically changing tech landscape. The ICO needs to keep our personal data safe while ensuring that it remains accountable, flexible and fit for the modern world. We are modernising the structure and objectives of the Information Commissioner’s Office. Under this legislation, protecting our personal data will remain the ICO’s primary focus, but it will also need to consider how it can empower businesses and organisations to drive growth and innovation across the UK and support public trust and confidence in the use of personal data. We must ensure that our world-leading regulator is equipped to tackle the biggest and most important threats and data breaches, protecting individuals from the highest harm. The Bill means that the ICO can take a more proportionate approach to how it gets involved in individual disputes, not having to do so too early in the process before people have had a chance to resolve things sensibly themselves, while still being the ultimate guardian of data subjects’ rights.
The Bill will create a modern ICO that can tackle the modern, more sophisticated challenges of today and support businesses across the UK to make safe, effective use of data to grow and to innovate. It will also unlock the potential of transformative technologies by making sure that organisations know when they can use responsible automated decision-making and that people know when they can request human intervention where these decisions impact their lives.
Alongside this, there are billions of pounds to be seized in the booming global data-driven trade. With the new international transfers regime, we are clarifying our regime for building data bridges to secure the close, free and safe exchange of data with trusted allies. Alongside new data bridges, the Secretary of State will be able to recognise new transfer mechanisms for businesses to protect international transfers. Businesses will still be able to transfer data across borders with the compliant mechanisms they already use, avoiding needless checks and costs.
The Bill will allow people to control more of their data. It will support smart data schemes that empower consumers and small businesses to make better use of their own data, building on the extraordinary success of open banking, where consumers and businesses access innovative services to manage their finances and spending, track their carbon footprint or access credit. Open banking is already estimated to have the potential to bring in £12 billion each year for consumers and £6 billion for small businesses, as well as boosting innovation in our world-leading fintech industry. With this Bill, we can extend the same benefits for consumers and business across the economy.
Another way the Bill ensures that people have control of their own data is by making it easier and more secure for people to prove things about themselves. Digital identities will help those who choose to use them to prove their identity electronically rather than always having to dig out stacks of physical documents such as passports, bills, statements and birth certificates. Digital verification services are already in existence and we want to put them on a secure and trusted footing, giving people more choice and confidence as they navigate everyday tasks, and saving businesses time and money.
The Bill supports the growing demand, domestic and global, for secure and trusted electronic transactions such as qualified electronic signatures. It also makes provision for the preservation of important data for coronial investigations in the event of a child taking their own life. Any death of a child is a tragedy, and the Government have the utmost sympathy for families affected by this tragic issue. I recognise, and I share, the strong feelings on this issue expressed by noble Lords on this matter and during the passage of the Online Safety Act.
The new provision requires Ofcom, following notification from a coroner, to issue data preservation notices requiring relevant tech companies to hold data that they may have relating to a deceased child’s use of online services in circumstances where the coroner suspects that the child has taken their own life. This greatly strengthens Ofcom’s and a coroner’s ability to access data from online services and provides them with the tools they need to carry out their job. It will include, for example, if a child had taken their own life after interacting with self-harm or other harmful content online, or if they suspect that a child may have been subjected to coercion, online bullying or harassment. It would also include cases where a child has done an intentional act that has caused their death but where they may not have intended to die, such as the tragic circumstances where a child dies accidentally when attempting to recreate an online challenge.
The new provisions do not cover children’s deaths caused by homicide, because the police already have extensive investigative powers in this context. These were strengthened last year by the entry into force of the UK-US data access agreement, which enables law enforcement to directly access content of communications held by US-based companies for the purpose of preventing, detecting, investigating and prosecuting serious crimes, such as murder and child sexual abuse and exploitation.
The families who have been courageously campaigning after their children were tragically murdered did not have access to this agreement because it entered into force only last October. To date, 10,000 requests for data have been made under it. However, we understand their concerns, and the Secretary of State, along with Justice Ministers, will work with noble Lords ahead of Committee and carefully listen to their arguments on potential amendments. We absolutely recognise the need to give families the answers they need and to ensure that there is no gap in the law.
Some aspects of the GDPR are very complex, causing uncertainty around how it applies and hampering private and public bodies’ ability to use data as dynamically as they could. The Bill will help scientists make the most of data by ensuring that they can be reused for other related studies. This is achieved by removing burdensome requirements for scientific researchers, so that they can dedicate more time to focus on what they do best. The Bill will also simplify the legal requirements around research and bring legal clarity. This is achieved by transposing definitions of scientific, historical and statistical-purposes research into the operative text.
The Bill will improve the way that the NHS and adult social care organise data to deliver crucial health services in England. It will also improve the efficiency of data protection for law enforcement and national security partners, encouraging better use of personal data to help protect the public. The Bill will save up to 1.5 million hours of police time each year.
The Bill will also allow us to take further steps to safeguard our national security, by addressing risks from hostile agents seeking to access our data or damage our data infrastructure. It will allow the DWP to protect taxpayers’ money from falling into the hands of fraudsters, as part of the DWP’s biggest reform to fraud legislation in 20 years. We know that, over this last year, overpayments to capital fraud and error in universal credit alone were almost £900 million. It is time to modernise and strengthen the DWP’s legislative framework to ensure that it gives those fighting fraud and error the tools that they need and so that it stands up to future challenges.
Through the Bill we are revolutionising the way we install, maintain, operate and repair pipes and cables buried beneath the ground. I am sure we have all, knowingly or not, been impacted by one of the 60,000 accidental strikes on an underground pipe or cable that happen every year. The national underground asset register—NUAR—is a brand new digital map that gives planners and excavators secure and instant access to the data they need, when they need it. This means not only that the safety and lives of workers will no longer be at risk but that NUAR will underpin the Government’s priority to get the economy growing, expediting projects such as new roads, new houses and broadband rollout.
The Bill gives the people using data to improve our lives the certainty that they need. It maintains high standards for protecting people’s privacy, while seeking to maintain the EU’s adequacy decisions for the UK. The Bill is a hugely important piece of legislation and I thank noble Lords across the House for their involvement in and support for the Bill so far. I look forward to hearing their views today and throughout the rest of the Bill’s passage. I beg to move.
Viscount Camrose (Con)
My Lords, I sincerely thank all of today’s speakers for their powerful and learned contributions to a fascinating and productive debate. I very much welcome the engagement in this legislation that has been shown from across the House and such a clear setting out, at this early stage, of the important issues and caveats.
As I said, the Bill reflects the extensive process of consultation that the Government have undertaken, with almost 3,000 responses to the document Data: A New Direction, and the support it enjoys from both the ICO and industry groups. The debate in which we have engaged is a demonstration of noble Lords’ desire to ensure that our data protection regime evolves and works more effectively, while maintaining the highest standards of data protection for all.
I will respond to as many of the questions and points raised as I can. I hope noble Lords will forgive me if, in the interests of time and clarity, I do not name every noble Lord who spoke to every issue. A number of noble Lords expressed the wish that the Government remain open to any and all conversations. Should I inadvertently fail to address any problem satisfactorily, I affirm that I am very willing to engage with all noble Lords throughout the Bill’s passage, recognising its importance and, as the noble Lord, Lord Bassam, said, the opportunity it presents to do great good.
Many noble Lords raised concerns that the Bill does not go far enough to protect personal data rights. This is certainly not our intent. The fundamental data protection principles set out in the UK GDPR—as my noble friend Lord Kirkhope pointed out, they include lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, security and accountability—remain at the heart of the UK’s data protection regime. Certain kinds of data, such as health data, remain special categories to which extra protections rightly apply. Changes such as requiring a senior responsible individual, rather than a data protection officer, mean that organisations still need to be accountable for how they process personal data but will have more flexibility about how they manage the data protection risks within their organisations.
On other specific points raised on the data protection framework, I agree that the right of access is key to ensuring transparency in data processing. The proposals do not restrict the right of access for reasonable requests for information and keep reasonable requests free of charge. On the creation of the new recognised legitimate interests lawful grounds, evidence from our consultation indicated that some organisations worried about getting the balancing test wrong, while others said that the need to document the outcome of their assessment could slow down important processing activities.
To promote responsible data sharing in relation to a limited number of public interest tasks, the Bill acknowledges the importance of these activities, which include safeguarding, crime prevention and national security, responding to emergencies and democratic engagement, but data controllers should not be required to do a case-by-case balancing test.
On cookies, the Bill will allow the Secretary of State to remove the need for data controllers to seek consent for other purposes in future, when the appropriate technologies to do so are readily available. The aim is to offer the user a clear, meaningful choice that can be made once and respected throughout their use of the internet. However, before any such powers are used, we will consult further to make sure that people are more effectively enabled to use different technology to set their online preferences.
On democratic engagement, extending the exemption allows a limited number of individuals, such as elected representatives and referendum campaigners, to process political opinions data without consent where this is necessary for their political activities. In a healthy democracy, it is not just registered political parties that may need to process political opinions data, and these amendments reflect that reality. This amendment does not remove existing rights. If people do not want their data processed for these purposes, they can ask the controller to stop doing so at any time. Before laying any regulations under this clause, the Government would need to consult the Information Commissioner and other interested parties, as well as gaining parliamentary approval.
I turn now to concerns raised by many about the independence of the regulator, the Information Commissioner. The ICO remains an independent regulator, accountable to Parliament, not the Government, in its delivery of data protection regulation. The Bill ensures it has the powers it needs to remain the guardian of people’s personal data. It can and does produce guidance on what it deems necessary. The Government welcome this and will work closely with it ahead of and throughout the implementation of this legislation.
New powers will also help to ensure that the Information Commissioner is able to access the evidence he needs to inform investigations and has the time needed to discover and respond to representations. This will result in more informed investigations and better outcomes. The commissioner will be able to require individuals to attend interviews only if he suspects that an organisation has failed to comply with or has committed an offence under data protection legislation. This power is based on existing comparable powers for the Financial Conduct Authority and the Competition and Markets Authority. A person is not required to answer a question if it would breach legal professional privilege or reveal evidence of an offence.
As the noble Lord, Lord Clement-Jones, pointed out, EU adequacy was mentioned by almost everybody, and concerns were raised that the Bill would impact our adequacy agreement with the EU. The Government believe that our reforms are compatible with maintaining our data adequacy decisions from the EU. While the Bill removes the more prescriptive elements of the GDPR, the UK will maintain its high standards of data protection and continue to have one of the closest regimes to the EU in the world after our reform. The test for EU adequacy set out by the Court of Justice of the European Union in the cases relating to UK adequacy decisions requires essential equivalence to the level of protection under the GDPR. It does not require a third country to have exactly the same rules as the EU in order to be considered inadequate. Indeed, 14 countries have EU adequacy, including Japan, New Zealand and Canada. All of these nations pursue independent and often more divergent approaches to data protection.
Regarding our national security practices, in 2020 and 2021, the European Commission carried out a thorough assessment of the UK’s legislation and regulatory framework for personal data, including access by public authorities for national security purposes. It assessed that the UK provides an adequate level of data protection. We maintain an ongoing dialogue with the EU and have a positive, constructive relationship. We will continue to engage regularly with the EU to ensure our reforms are understood.
A great many noble Lords rightly commented on AI regulation, or the lack of it, in the Bill. Existing data protection legislation—the UK GDPR and the Data Protection Act 2018—regulate the development of AI systems and other technologies to the extent that there is personal data involved. This means that the ICO will continue to play an important role in applying the AI principles as they relate to matters of privacy and data protection. The Government’s view is that it would not be effective to regulate the use of AI in this context solely through the lens of data protection.
Article 22 of the UK GDPR is currently the primary piece of UK law setting out the requirements related to automated decision-making, and this Bill sets out the rights that data subjects have to be informed about significant decisions that are taken about them through solely automated means, to seek human review of those decisions and to have them corrected. This type of activity is, of course, increasingly AI-driven, and so it is important to align these reforms with the UK’s wider approach to AI governance that has been published in the White Paper developed by the Office for Artificial Intelligence. This includes ensuring terms such as “meaningful human involvement” remain up to date and relevant, and the Bill includes regulation-making powers to that effect. The White Paper on the regulation of AI commits to a principles-based approach that supports innovation, and we are considering how the framework will apply to the various actors in the AI development and deployment life cycle, with a particular focus on foundation models. We are analysing the views we heard during the White Paper consultation. We will publish a response imminently, and we do not want to get ahead of that process at this point.
I turn to the protection of children. Once again, I thank noble Lords across the House for their powerful comments on the importance of protecting children’s data, including in particular the noble Baroness, Lady Kidron. On the very serious issue of data preservation orders, the Government continue to make it clear—both in public, at the Dispatch Box, and in private discussions—that we are firmly on the side of the bereaved parents. We consider that we have acted in good faith, and we all want the same outcomes for these families struck by tragedy. We are focused on ensuring that no parent is put through the same ordeal as these families in the future.
I recognise the need to give families the answers they require and to ensure there is no gap in the law. Giving families the answers they need remains the Government’s motivation for the amendment in the other place; it is the reason we will ensure that the amendment is comprehensive and is viewed as such by the families. I reassure the House that the Government have heard and understand the concerns raised on this issue, and that is why the Secretary of State, along with Justice Ministers, will work with noble Lords ahead of Committee and carefully listen to their arguments on potential amendments.
I also hear the concerns of the right reverend Prelate the Bishop of St Albans, the noble Lord, Lord Vaux, and the noble Baroness, Lady Young, on surveillance, police powers and police access to data. Abolishing the Surveillance Camera Commissioner will not reduce data protection. The role overlaps with other oversight bodies, which is inefficient and confusing for police and the public. The Bill addresses the duplication, which means that the ICO will continue to regulate data processing across all sectors, including policing. The aim is to improve effective independent oversight, which is key to public confidence. Simplification through consolidation improves consistency and guidance on oversight, makes the most of the available expertise, improves organisational resilience, and ends confusing and inefficient duplication.
The Government also have a responsibility to safeguard national security. The reports into events such as the Manchester Arena and Fishmongers’ Hall terrorist incidents have clearly noted that better joined-up working between the intelligence services and law enforcement supports that responsibility. This is why the Bill creates the power for designation notices to be issued, enabling joint controllerships between the intelligence services and law enforcement. The Secretary of State must consider the processing contained in the notice to be required for the purpose of safeguarding national security to grant it. This mirrors the high threshold for interference with the right to privacy under Article 8 of the Human Rights Act, which requires that such interference be in accordance with the law and necessary in a democratic society.
Concerns were raised by, among others, the noble Baronesses, Lady Young and Lady Bennett, and the noble Lords, Lord Sikka and Lord Bassam, on the proportionality of the measure helping the Government to tackle both fraud and error. Despite taking positive steps to reduce these losses, the DWP remains reliant on powers derived from legislation that is in part over 20 years old. The DWP published the fraud plan in May 2022. It set out clearly a number of new powers that it would seek to secure when parliamentary time allowed. Tackling fraud and error in the DWP is a priority for the Government but parliamentary time is tight. In the time available, the DWP has prioritised our key third-party data-gathering measure which will help to tackle one of the largest causes of fraud and error in the welfare system. We remain committed to delivering all the legislation outlined in the DWP’s fraud plan when parliamentary time allows.
To develop and test these new proposals, the DWP has been working closely with the industry, which recognises the importance of modernising and strengthening these powers to enable us to better detect fraud and error in the benefit system. This includes collaboration on the practical design, implementation and delivery of this measure, including establishing a working group with banks and the financial industry. The DWP has also regularly engaged with UK finance as well as individual banks, building societies and fintechs during the development of this measure, and continues to do so. It is of course important that where personal data is involved there are appropriate checks and balances. Organisations have a right to appeal against the requirement to comply with a data notice issued by the DWP.
Through our appeal process, the Government would first seek to resolve all disputes by DWP internal review. If this failed, the appeal would be referred to the First-tier Tax Tribunal, as currently is used in similar circumstances by HMRC. The third-party data-gathering powers that the DWP is taking are only broad to the extent that this ensures that they can be future-proofed. This is because the nature of fraud has changed significantly in recent years and continues to change significantly. The current powers that the DWP has are not sufficient to tackle the new kinds of fraud that we are now seeing in the welfare system. We are including all benefits to ensure that benefits such as state pension retain low rates of fraud. The DWP will of course want to focus this measure on addressing areas with a significant fraud or error challenge. The DWP has set out in its fraud plan how it plans to focus the new powers, which in the first instance will be on fraud in universal credit.
I thank noble Lords, particularly the noble Lord, Lord Vaux, for the attention paid to the department’s impact assessment, which sets out the details of this measure and all the others in the Bill. As he notes, it is substantive and thorough and was found to be such by the Regulatory Policy Committee, which gave it a green rating.
I hope that I have responded to most of the points raised by noble Lords today. I look forward to continuing to discuss these and other items raised.
Lord Sikka (Lab)
I would like some clarification. The Minister in the other place said:
“I agree, to the extent that levels of fraud in state pensions being currently nearly zero, the power is not needed in that case. However, the Government wish to retain an option should the position change in the future”.—[Official Report, Commons, 29/11/23; col. 912.]
Can the noble Viscount explain why the Government still want to focus on recipients of state pension given that there is virtually no fraud? That is about 12.6 million people, so why?
Viscount Camrose (Con)
Although proportionately fraud in the state pension is very low, it is still there. That will not be the initial focus, but the purpose is to future-proof the legislation rather than to have to keep coming back to your Lordships’ House.
Let me once again thank all noble Lords for their contributions and engagement. I look forward to further and more detailed debates on these matters and more besides in Committee. I recognise that there are strong views and it is a wide-ranging Bill, so there will be a lot of meat in our sandwich.
I congratulate the noble Lord, Lord de Clifford, on his perfectly judged maiden speech. I thoroughly enjoyed his description of his background and his valuable contributions on the Bill, and I welcome him to this House.
Finally, on a lighter note, I take this opportunity to wish all noble Lords—both those who have spoken in this debate and others—a very happy Christmas and a productive new year, during which I very much look forward to working with them on the Bill.
Viscount Camrose
That the bill be committed to a Grand Committee, and that it be an instruction to the Grand Committee that they consider the bill in the following order:
Clauses 1 to 5, Schedule 1, Clause 6, Schedule 2, Clauses 7 to 14, Schedule 3, Clauses 15 to 24, Schedule 4, Clause 25, Schedules 5 to 7, Clauses 26 to 46, Schedule 8, Clauses 47 to 51, Schedule 9, Clauses 52 to 117, Schedule 10, Clauses 118 to 128, Schedule 11, Clauses 129 to 137, Schedule 12, Clause 138, Schedule 13, Clauses 139 to 142, Schedule 14, Clause 143, Schedule 15, Clauses 144 to 157, Title.