The Earl of Lytton (CB)

- Hansard -

Copy Link

- - Excerpts

I realise that, in rising to speak on this particular part of the Bill, I depart slightly from the purpose of the noble Lord, Lord Stevenson—but I thank him for raising the issue all the same.

Of course, we are dealing with the overview of the Bill. The noble Lord, Lord McNally, almost wrote my introduction. What has worried me for some considerable time, notwithstanding the Bill’s provisions that provide for data subject to error correction, is the manifest inclusion of data in the data processing function, which is broadly drawn—namely, the inclusion of information that is knowingly false or recklessly included in that process, and which can affect the life chances of individuals. We know of significant and high-profile circumstances in which false information has been included and has either affected a significant class of people or has seriously damaged the life prospects of individuals.

Given that the collection of data is part of the processing function, it seems to me that very little is being said about responsibility for those sorts of errors—in other words, the things that one could or should have realised were incorrect or where there was a disregard for the norms of checking information before it got into data systems. We heard at Second Reading how difficult it is to excise that information from the system once it has got in there and been round the virtual world of information technology.

Could the noble Lord, Lord Stevenson, or the Minister in replying, say whether there is anything apart from the Bill—I do not see it there at the moment—that enables there to be some sort of sanction, for want of a better word, against knowingly or recklessly including data that is false and which affects the life chances and prospects of individuals because it is capable of being identified with them and can be highly damaging? That is something that we may need to look at further down the line. If I am speaking in error, I shall stand corrected.

The Earl of Erroll (CB)

- Hansard -

Copy Link

- - Excerpts

My Lords, I want to say a couple of words about privacy. A very important basic point has been raised here. I am not going to argue with lawyers about whether this is the right way in which to do it, but the right to privacy is something about which people feel very strongly—and you will also find that the Open Rights Group and other people will be very vociferous and worry about it, as should all of us here. When we go out and do things on the internet, people can form some interesting conclusions just by what we chance to browse on out of interest, if they can record that and find it out. I became very aware of this, because I have been chairing a steering group that has been producing, along with the British Standards Institution, a publicly available specification, PAS 1296, on age verification. It is designed to help business and regulators to comply with Section 3 of the Digital Economy Act, which we passed just the other day, which is about protecting children online. The point is to put age verification at the front of every website that could be a problem. We want it to be anonymous, because it is not illegal for an adult to visit sites like that; if it was recorded for certain people in certain jobs, it could destroy their careers, so it must be anonymous. So a question arises about trying to put in the specification a right to privacy.

One thing that we have to be very careful about is not to interpret laws or regulations or tread on the toes of other standards. Therefore, when this Bill and the GDPR are passed, we must make sure that people processing any of that material ensure that any data is kept completely secure, or anonymised, or is anonymous in the first place. Websites, first of all, should not know the identity of a temporary visitor when they get verified—there are ways of doing that—so that there are rights to privacy. The thing about the right to privacy is that it is a right that you, the individual, should have. The GDPR and this Bill are about how you process data; in other words, it is about what you do with the data when you have it. The legislation builds in lots of safeguards, but there is nothing that says, when you decide what data to keep or whatever it is, that people should have a right to know that it will not be revealed to the general world.

The question is where we should put it in. People used to think that Article 8 of the European Convention on Human Rights covered them, but I realised just now that it covers only your relationship with Governments. What about your relationship with other corporates, other individuals or ordinary websites? It should cover everybody. So there is an issue here that we should think about. How do we protect ourselves as individuals, and is this the right place to do it? I think that this is probably the only place where we can put something in—but I leave that to the very bright lawyers such as the noble Lord, Lord Pannick, to think about.

Lord Kennedy of Southwark (Lab)

- Hansard -

Copy Link

- - Excerpts

My Lords, as this amendment involves data provided by local authorities, I should declare my interests as a councillor of the London Borough of Southwark and as a vice-president of the Local Government Association.

Amendment 53 in my name and that of my noble friend Lord Stevenson of Balmacara would delete the first occurrence of the word “substantial” from paragraph 17(2) of Schedule 1 and Amendment 54 would delete its second occurrence from the same provision.

Healthy-functioning political parties are a vital part of our democracy. Campaigners and campaigning have moved on a long way from the days of hand writing envelopes to encompass much more sophisticated methods of contacting voters using all available mechanisms.

Political parties and their members need clarity and certainty as to what they are required to do, what they are able to do and what they are not able to do, so that they act lawfully at all times and in all respects. We cannot leave parties, campaigners and party members with law that is grey and unclear, and with rules that mean that campaigners, in good faith, make wide interpretations that are then found to be incorrect, due largely to the required clarity not having been given to them in the first place by government and Parliament.

I am also very clear that political parties are volunteer armies, with people volunteering to campaign to get members of their party elected to various positions in Parliament and in local authorities and to run various campaigns.

I have a number of questions for the Minister. I do not necessarily expect to get answers today but I hope that when he responds he will agree to meet me along with other interested Peers on the matters I am raising. I know that the noble Lord, Lord Hayward, from the Minister’s Benches would certainly like to meet him, and I am sure that the noble Lord, Lord Tyler, would also wish to be involved in those discussions. I hope that the Minister will agree to that. I also think that it would be useful if any such meeting involved officials from the three parties to discuss how we can get this right; otherwise, there will be all sorts of problems for parties, party members and campaigners, and none of us wants that.

Therefore, my questions to the Minister are as follows—as I said, I shall be happy for him to write to me. Will he provide a list of the characteristics or activities that are required for a political party to conduct operations? Does he believe that the terms in relation to political activity in paragraph 17 of Schedule 1 definitively cover the required activities of UK political parties? Will he clarify what constitutes profiling with regard to the activities of political parties? What activities or operations with reference to paragraph 17(1)(c) of Schedule 1 would be considered necessary for a political party? Does he think that the procedure detailed in paragraph 17(3)(a), whereby a data subject can give written notice to require the data controller—in this case, a political party—to cease the processing of their data, is consistent with Section 13(3) of the RPA 1983, where parties hold and process data on the basis not of consent but of being supplied that data by a local authority via the electoral register? Given the regular transfer of registers to political parties, does the Minister think it is practical or enforceable for a party to cease processing the data, which will likely be resupplied by an authority?

Let me make the point this way: take elector A, who instructs the party to stop processing their data, and the party complies. But the party then gets given data from the local authority in the next round, and elector A’s information is included. As soon as the party processes that data, it will technically have infringed the law. This is very complicated and it would be useful if the Minister’s officials could meet people interested in this area and come back to us. Whatever we end up with following this process, it must be consistent and work, and it should not bring into conflict two different Acts of Parliament. I beg to move.

Lord Ashton of Hyde

- Hansard -

Copy Link

- - Excerpts

My Lords, I begin by repeating, almost word-for-word, the noble Lord, Lord Kennedy: engaging voters is important in a healthy democracy. In order to do that, political parties, referendum campaigners and candidates will campaign using a variety of communication methods. However, they must comply with the law when doing so, and this includes the proper handling of the personal data they collect and hold.

Noble Lords will be aware that the Information Commissioner recently announced that she was conducting an assessment of the data protection risks arising from the use of data analytics, including for political purposes. She recognises that this is a complex and rapidly evolving area where organisations use a person’s internet or public profile to target communications or messaging. The level of awareness among the public about how data and analytics work and how their personal data is collected, shared and used through such tools is low. What is clear is that these tools have a significant potential impact on an individual’s privacy, and the Government welcome the commissioner’s focus on this issue. It is against this backdrop that we considered the amendments of the noble Lord.

The amendments seek to amend a processing condition relating to political parties in paragraph 17. The current clause permits political parties to process data revealing political opinions, provided that it does not cause substantial damage or substantial distress. This replicates the existing wording in the Data Protection Act 1998. I have said that political campaigning is a vital democratic activity but it can also generate heated debated. Removal of the word “substantial” could mean that data processing for political purposes which caused even mild offence or irritation becomes unlawful. I am sure noble Lords would agree that it is vital that the Bill, while recognising the importance of adequate data protection standards, does not unduly chill such an important aspect of the UK’s democracy. For that reason I ask the noble Lord to withdraw the amendments.

I thank the noble Lord for allowing me to reply later to his list of questions. I found it difficult to copy them down, let alone answer them all, but I take the point. In many instances we are all in the same boat on this, as far as political parties are concerned. I shall of course be happy to meet with him, and I take the point about who should attend. I am not sure it will be next week, when we have two days in Committee, but we will arrange it as soon as possible. I will have to get a big room because my office is too small for all the people who will be coming. I take the points the noble Lord made in his questions and will address them in the meeting.

The noble Baroness, Lady Hamwee, asked whether the Electoral Commission had been consulted. It did not respond to the Government’s call for views which was published earlier this year, and we have not solicited any views explicitly from it beyond that.

The noble Baroness also asked about the provision, acquisition and use of a marked electoral register within paragraph 17 of Schedule 1. As she explained, the marked register shows who has voted at an election but does not show how they voted. As such, it does not record political views and does not contain sensitive data—called special categories of data in the GDPR —and, as the protections for sensitive data in article 9 of the GDPR are not relevant, Schedule 1 does not apply.

Lastly, the noble Baroness asked why Members of the House of Lords are not within the definition of elected representatives. Speaking as an elected Member of the House of Lords—albeit with a fairly small electorate—I am obviously interested in this. I have discovered that none of us, I am afraid, are within the definition of elected representatives in the Bill. We recognise that noble Lords may raise issues on an individual’s behalf. Most issues will not concern sensitive data but, where they do, in most cases we would expect noble Lords to rely on the explicit consent of the person concerned. This arrangement has operated for the past 20 years under the current law, and that is the position at the moment.

I hope I have tackled the specific items relating to the amendments. I accept the points made by the noble Lord, Lord Kennedy, about the electoral issues that need to be raised in general.

Lord Hope of Craighead (CB)

- Hansard -

Copy Link

- - Excerpts

My Lords, I want to add a word in support of the points made by the noble Lord, Lord Pannick, particularly with reference to the concerns that some people have expressed about money being moved out of the very closely and properly regulated regime of English trust law to offshore organisations and jurisdictions which are less careful about how people’s money is handled.

I should declare an interest as Chief Justice of the Abu Dhabi Global Market Courts. I am not suggesting that this has anything to do with Abu Dhabi, but it has introduced me to an aspect of trust law with which I was not previously familiar, and it bears closely on the point made by the noble Lord, Lord Pannick. He referred to Jersey as one of the jurisdictions of concern. One aspect of its legislation which has come to my attention through my connection with Abu Dhabi is the Foundations (Jersey) Law 2009. This is a structure set up by statute under Jersey law which is matched with an equivalent statute in Guernsey. It creates a form of trust which is, as it were, a hybrid between a trust and a corporation with a number of aspects that are described very well in Sections 25 and 26 of the Jersey law.

One of the points about the foundation, which appears in Section 25, is that a,

“beneficiary under a foundation … has no interest in the foundation’s assets; and … is not owed by the foundation or by a person appointed under the regulations of the foundation a duty that is or is analogous to a fiduciary duty”.

So the beneficiary under that system is rather different from a beneficiary under our system, where undoubtedly they have an interest in the foundation’s assets. But also to the point is Section 26, which provides that foundations are,

“not obliged to provide information”.

That has its counterpart in the point made about the Data Protection Act in that jurisdiction. It says that except,

“as specifically required by or under this Law or by the charter or regulations of the foundation, a foundation is not required to provide any person … with any information about the foundation”.

It goes on to say in subsection (2) that the,

“information mentioned in paragraph (1) includes, in particular, information about … the administration of the foundation … the manner in which its assets are being administered … its assets; and … the way in which it is carrying out its objects”.

I do not wish in any way to criticise how the foundation laws are run in Guernsey or Jersey, but it is a pattern which, if repeated in less scrupulous jurisdictions, has obvious attractions. People move into a foundation and nobody knows what part of the foundation money they own, because they are not supposed to own any part of it, and the foundation is not obliged to disclose any information at all. There is a risk that those who are keen, for whatever reason—it could even be for matrimonial reasons—to conceal their assets could move them offshore from a trust such as we have in this country, closely regulated and subject to the ordinary rules, to one of these other bodies, which we would not wish to encourage. One has only to look at the Criminal Finances Act 2017 and some of the clauses in the Sanctions and Anti-Money Laundering Bill that is before the House to see that we are taking a completely opposite line to the foundations laws, because we are insisting that we should be provided with information about what organisations of this kind hold and, indeed, who holds what assets. We have not got as far as actually requiring trusts to do that but, certainly, anyone who puts his money into a company, in an attempt to conceal his assets within the company, will be forced eventually to have that information disclosed.

I add these points to suggest that the point that the noble Lord, Lord Pannick, made has a great deal of substance, which one can trace through the foundations law. I stress again that I am not criticising how this is administered in Jersey or Guernsey—that is not really the point. The point is that those who would wish to copy their systems are subject to less close scrutiny. I also emphasise that I am not suggesting that we in this country would want to adopt a foundations law; that would really be quite contrary to how our current legislation is proceeding. So there is an important issue here about protecting ourselves—and those who set up trusts here and administer them properly according to our rules and conventions—against a loss of business, which would be detrimental not only to those who run the businesses but to the whole ethic by which we practise our trust law.

I hope that the Minister and those advising him will look carefully at the Jersey and Guernsey examples, with a view not to criticism but to sensing the risk to which the noble Lord, Lord Pannick, drew our attention.

Lord Lucas

- Hansard -

Copy Link

- - Excerpts

My Lords, I support Amendment 79. I offer as an example the national pupil database, which the Department for Education makes available. It is very widely used, principally to help improve education. In my case, I use it to provide information to parents via the Good Schools Guide; in many other cases it is used as part of understanding what is going on in schools, suggesting where the roots of problems might lie, and how to make education in this country better. That does not fall under “scientific or historical” and is a good example of why that phrase needs widening.

Baroness Jones of Moulsecoomb (GP)

- Hansard -

Copy Link

- - Excerpts

My Lords, the Minister, who is not in his place at the moment, said earlier that he could not understand what I meant by repressive measures, but paragraph 4 of the schedule is exactly what I meant and it is why this amendment would remove it.

The inclusion of an immigration control exemption in the Bill is a brazen violation of the data protection and privacy rights of migrants—both documented and undocumented—and of their families and communities in the name of immigration control. In effect, it removes all the Home Office’s data protection obligations as they relate to its activities to control immigration, as well as those of any other agency processing personal data for the same purpose or sharing data with another agency processing it for that purpose.

As the noble Baroness, Lady Hamwee, mentioned, it is not the first time that the Government have tried to limit data protection rights on immigration control grounds. In 1983, Clause 28 of the then Data Protection Bill had an identical aim, setting out broad exemptions to data subjects’ rights on grounds of crime, national security and immigration control. The Data Protection Committee, then chaired by Sir Norman Lindop, said that the clause would be,

“a palpable fraud upon the public if … allowed to become law”,

because it allowed data acquired for one purpose to be processed for another; and here is another power grab by this Government.

Clause 28 was rightly removed from the 1983 Bill, but today we see it resurrected with even more breadth and even less definition of its objectives. No attempt whatever has been made to define the new objective: nowhere in the Bill or its Explanatory Notes are the notions of effective immigration control or the activities requiring its maintenance defined. I simply do not understand the colossal cheek this Government have to put something such as this into a Bill and then present it in this House—I can understand it going through the other place but certainly not here. It is virtually impossible to come up with an exhaustive list of all the activities that might be included under this, or of individuals who might be affected. The potential list, as, again, the noble Baroness, Lady Hamwee, pointed out, could go far beyond the immigrants themselves and could apply to almost anybody, including some in your Lordships’ House—at least, I hope that some in your Lordships’ House might be involved in shelters and food banks.

I urge the Government to think again. This is probably one of the really nasty bits that the Government have an option to take out, so I hope that they will listen to us.

The Minister of State, Home Office (Baroness Williams of Trafford) (Con)

- Hansard -

Copy Link

- - Excerpts

My Lords, I thank all noble Lords who have taken part in the debate. There is clearly a lot of interest, as is evident from what has been said. I am also glad to be back opposite the noble Lord, Lord Kennedy of Southwark, as we have been on so many occasions, and I am sure we will be in the future. It is probably worth addressing some of the evident misunderstandings that have arisen around the purpose and the scope of this provision, and I hope to be able to persuade the Committee that this is a necessary and proportionate measure to protect the integrity of our immigration system.

The Government welcome the enhanced rights and protections for data subjects afforded by the GDPR and in negotiating, it was accepted by all parties that at times these rights needed to be qualified in the general public interest, whether that is to prevent and detect crime, safeguard legal professional privilege or journalists’ sources, or in this case maintain an effective system of immigration control. A number of articles of the GDPR therefore make express provision for such derogations, including article 23, which enables restrictions to be placed on certain rights of data subjects. Given the extension of data subjects’ rights under the GDPR, it is necessary that we include in the Bill an express targeted exemption in the immigration context. The exemption would apply to the processing of personal data by immigration officers and the Secretary of State for the purposes of maintaining effective immigration control or the detection and investigation of activities which would undermine the system of immigration control. It would also apply to other public authorities required or authorised to share information with the Secretary of State for either of those purposes.

It is important that it is clear to the Committee what paragraph 4 of Schedule 2 does not do. It emphatically does not set aside the whole of the GDPR for all processing of personal data for all immigration purposes. The opening words of paragraph 4 make it clear that only “the listed GDPR provisions” may be set aside. The listed GDPR provisions are those set out in paragraph 1 of Schedule 2. The provisions in question relate to various rights of data subjects as provided for in chapter 3 of the GDPR, such as the rights to information and to access to personal data, and to two of the data protection principles: those relating to fair and transparent processing and the purpose limitation. Except to that extent, all the data protection principles, including those relating to the lawfulness of processing, data minimisation, accuracy, storage limitation, and integrity and confidentiality will continue to apply. So too will all the obligations on data controllers and processors, all the safeguards around cross-border transfers and all the oversight and enforcement powers of the Information Commissioner. The latter is particularly relevant here as it is open to any data subject affected by the provisions in paragraph 4 of Schedule 2 to lodge a complaint with the Information Commissioner, which the commissioner is then obliged to investigate.

Moreover, paragraph 4 does not give the Home Office carte blanche to invoke the permitted exceptions as a matter of routine. The Bill is clear: the exceptions may be applied only to the extent that the application of the rights of data subjects or the two relevant data protection principles,

“would be likely to prejudice … the maintenance of effective immigration control, or … the investigation or detection of activities that would undermine the maintenance of effective immigration control”.

This is a significant and important qualification. The noble Lord, Lord Clement-Jones, asked why we have not listed exactly what we mean by,

“the maintenance of effective immigration control”.

The maintenance of that control does not merely encompass physical immigration controls at points of entry but, more generally, the arrangements made in connection with a person’s entry into and stay within the United Kingdom. A system of effective immigration control depends on our ability to control the entry and stay of those who wish to come to our country; to identify those who should not be admitted; and to pursue enforcement action against those who are liable to removal for failure to comply with restrictions and conditions on their stay, or otherwise in the public interest.

To use the example of the right conferred by article 15 of the GDPR, each subject access request would need to be considered on its own merits. We could not, for example, and would not want to limit the information given to visa applicants as to how their personal data will be processed as part of that application. Rather, the restrictions would bite only where there is a real likelihood of prejudice to immigration controls in disclosing the information concerned. It is equally important to dispel one other myth. Some of the briefing I have seen on this provision suggests that it creates new information-sharing gateways. This is simply not the case. As I have indicated, Schedule 2 sets out certain exceptions from the GDPR; it does not in and of itself create new powers to share data between data controllers. However, where personal data is shared between controllers for the limited immigration purposes specified in paragraph 4, it does mean that the data subject does not need to be notified if to do so would be prejudicial to the maintenance of effective immigration control.

It may assist the Committee if I explain the kind of information that it might be necessary to withhold from data subjects, and offer a couple of examples of the circumstances requested by the noble Baroness, Lady Hamwee, where to do so would be necessary to maintain the effectiveness of our immigration controls. The classes of information which the Home Office may need to withhold include a description of the data held, our data sources, the purposes for which the data was held, and details of the recipients to whom the data has been disclosed. There will be circumstances where the disclosure to data subjects of such information could afford them the opportunity to circumvent our immigration controls. Two examples will, I hope, help to illustrate where the disclosure of such information may have precisely the adverse effect.

First, in the case of a suspected overstayer, if we had to disclose in response to a subject access request what we are doing to track their whereabouts with a view to effecting administrative removal, it is clearly possible that they might then be able to evade enforcement action. A second example relates to circumstances where we seek to establish the legitimacy of a particular claim, such as an extension of leave to remain in the UK, and suspect that the claimant has provided false information to support that claim. In such a case, we may contact third parties to evidence the claim. If we are then obliged to inform the claimant that we are accessing records held by third parties, they may abscond and evade detection. Such procedures may then become common knowledge and further undermine our ability to maintain effective controls.

Immigration is, naturally, a very sensitive subject area and a topic of huge importance to the public, to the economic well-being of this country and to the social cohesion of our society. Being able to effectively control immigration is, therefore, in the words of the GDPR,

“an important objective of general public interest”.

As I have indicated, having a new data protection regime which seeks to give broader rights to data subjects is to be welcomed. But in an area as sensitive as the immigration system, we need to make appropriate use of the limited exemptions available to us so that we can continue to maintain effective control of that system in the wider public interest.

I hope that I have been able to satisfy noble Lords that this provision is necessary and proportionate. It is not the wholesale carve-out of subject access rights that some have suggested but a targeted provision wholly in line with the discretion afforded to member states by the GDPR, and it is vital to maintaining the integrity of the immigration system.

Having given this provision a good airing, I hope the noble Lord, Lord Clement-Jones, will feel happy to withdraw his amendment.

Lord Lucas

- Hansard -

Copy Link

- - Excerpts

My Lords, I felt entirely comfortable with my noble friend’s examples, but they do not fit with what the Home Office has been doing. What it has done with the national pupil database is not to ask targeted questions when it has a problem with an individual but to collect the whole lot so that it has the ability to trawl, look at, match and use the whole of the dataset. That is a much more dangerous thing because of the consequences it has for the integrity of the data and for the way in which the lawfulness of gathering it is questioned. It is that sort of practice that troubles me. I had not read this clause in the narrow way in which my noble friend described it. I will obviously go away and read it again carefully, but if she would add a letter to her noble friend’s letter enlarging on why this is a narrow provision and giving us comfort, that would be worth while for me.

The Minister of State, Home Office (Baroness Williams of Trafford) (Con)

- Hansard -

Copy Link

- - Excerpts

My Lords, I thank all noble Lords who have spoken to these amendments on the scope of the national security and defence exemptions in Parts 2 and 4 and the provisions in respect of national security certificates.

Amendments 124A, 124M and 124N relate to the exemption in Clause 24 for defence purposes. Amendments 124A and 124N seek to reinstate wording used in the Data Protection Act 1998 which used the term “combat effectiveness”. While it may have been appropriate for the 1998 Act to refer to “combat effectiveness”, the term no longer adequately captures the wide range of vital activities that the Armed Forces now undertake in support of the longer-term security of the British islands and their interests abroad and the central role of personal data, sometimes special categories of personal data, in those activities. I think that is what the noble Lord was requiring me to explain.

Such a limitation would not cover wider defence activities which defence staff are engaged in, for example, defence diplomacy, intelligence handling or sensitive administration activities. Indeed, the purpose of many of these activities is precisely to avoid traditional forms of combat. Yet without adequate provision in the Bill, each of the activities I have listed could be compromised or obstructed by a sufficiently determined data subject, putting the security, capability and effectiveness of British service personnel and the civilian staff who support them at risk.

Let me be absolutely clear at this stage: these provisions do not give carte blanche to defence controllers. Rights and obligations must be considered on a case-by-case basis. Only where a specific right or obligation is found to be incompatible with a specific processing activity being undertaken for defence purposes can that right or obligation be set aside. In every other circumstance, personal data will be processed in accordance with GDPR standards.

Amendment 124M probes the necessity of the applied GDPR’s article 9 exemption for defence purposes. Article 9 provides for a prohibition on processing of special categories of personal data. If we did not modify the application of article 9 for defence purposes, we would be hampering the ability of the Armed Forces to process certain personal data, for example, biometric data. This could have a detrimental impact on operations and other activities carried out by the Armed Forces.

I firmly believe that it is in the UK’s national interest to recognise that there may sometimes be a conflict between the individual’s right to have their personal data protected and the defence of the realm, and to make appropriate provision in the Bill to this end. I think that the noble Baroness, Lady Hamwee, asked about the publication of security certificates. National security certificates are public in nature, given that they may be subject to legal challenge. They are not secret and in the past they have been supplied if requested. A number are already published online and we will explore how we can make information about national security certificates issued under the Bill more accessible in future. She also asked about the timelessness of these certificates. They are general and prospective in nature, and arguably no purpose would be served by a requirement that they be subject to a time limitation. For example, in so far as a ministerial certificate allows the intelligence services to apply a “neither confirm nor deny” response to a subject access request, any certificate will inevitably require such a provision.

Amendments 124C, 124D, 124E, 124F, 124P and 148E seek to restrict the scope of the national security exemption provided for in Parts 2 and 4 of the Bill. I remind the Committee that Section 28 of the Data Protection Act 1998 contains a broad exemption from the provisions of that Act if the exemption is required for the purpose of safeguarding national security. Indeed, Section 28 provides for an exemption on such grounds from, among other things, all the data protection principles, all the rights of data subjects and all the enforcement provisions. Although we have adopted a more nuanced approach in the Bill, it none the less broadly replicates the provisions in the 1998 Act, which have stood the test of time. Crucially, under the Bill—as under the 1998 Act—the exception can be relied upon only when it is necessary to do so to protect national security; it is not a blanket exception.

It may assist the Committee if I provide a couple of examples, first in the context of Part 4, of why the exemption needs to be drawn as widely as it is. Clause 108 includes an exemption from Clauses 137 to 147 relating to information, assessment and enforcement notices issued by the Information Commissioner. It may be necessary for an intelligence service to apply this exemption in cases of extreme sensitivity or where the commissioner requested sensitive data but was unable to provide sufficient assurances that it would be held securely enough to protect the information.

In relation to the offence of unlawfully obtaining personal data, much intelligence work involves obtaining and then disclosing personal data without the consent of the controller. For example, if GCHQ intercepts personal data held on a foreign terrorist group’s computer, the data controller is the terrorist group. Without the national security exemption, the operation, although authorised by law, would be unlawful as the data controller has not consented. Similarly, reidentification of deidentified personal data may be a valuable source of intelligence if it can be reidentified. For example, an intelligence service may obtain from a computer a copy of a list of members of a terrorist group who are identified using code names, and from other sources the service believes that it can tie the code names to real identities.

The need for a wide-ranging exemption applies equally under Part 2 of the Bill. Again, a couple of examples will serve to illustrate this. Amendment 124C would mean that a controller processing data under the applied GDPR scheme could not be exempted from the first data protection principle as it relates to transparency. This principle goes hand in hand with the rights of data subjects. It cannot be right that a data subject should be made aware of a controller providing information to, say, the Security Service where there are national security concerns, for example because the individual is the subject of a covert investigation.

To take another example which touches on Amendment 124D, it is wholly appropriate to be able to limit the obligation on controllers under article 33 of the applied GDPR to disclose information to the Information Commissioner where the disclosure would be damaging to national security because, say, it would reveal the identity of a covert human intelligence source. As is the case under Part 4, this exemption would be applied so as to restrict the information provided to the commissioner, not to remove entirely the obligation to report appropriate details of the breach.

I hope that this has given the Committee a flavour of why the national security exemption has been framed in the way that it has. As I have indicated, the Bill’s provisions clearly derive from a similar provision in the existing Data Protection Act and are subject to the same important qualification: namely, that an exemption may be applied in a given case only where it is required for the purpose of safeguarding national security.

Lord Kennedy of Southwark

- Hansard -

Copy Link

- - Excerpts

My Lords, I thank the Minister for her response, which was very detailed. It was helpful to the House to get it on record. These are serious matters. The rights of the data subject must be protected, but equally there are issues of national security, and we must get that balance right. The House has been assured that we will get the balance right, which is an important part of our work here today. I am very pleased with the detailed response, and I have no issue with it whatever.

I shall read Hansard again tomorrow, as these are very serious matters, to fully take in all that the Minister has said. At this stage, I am happy to withdraw my amendment.

Lord Young of Cookham (Con)

- Hansard -

Copy Link

- - Excerpts

The co-pilot is in charge of this leg of the legislative journey, so there may be some turbulence.

I am very grateful to the noble Baroness for her explanation of these amendments. I particularly welcome what she said at the beginning of her remarks—namely, that these were probing amendments designed to improve the style. We are all in favour of improving style. Having read previous Hansards, I know that there has been broad cross-party support for the Bill’s provisions, particularly this part of it. I know that the Liberal Democrat Benches are particular enthusiasts for enshrining in UK law the provisions of the EU law enforcement directive.

As the noble Baroness has indicated, this group of amendments relates to the definition of various terms used in Part 3, including that of a competent authority and the meaning of “profiling”. I also welcome the contribution of the noble Lord, Lord Kennedy, in support of some of the amendments.

The scope of the law enforcement processing regime is provided for in Part 3 of the Bill. Unlike Part 4, which applies to all processing of personal data by the intelligence services, the scheme in Part 3 is purpose-driven. The Part 3 scheme applies to processing by competent authorities, as defined in Clause 28, for any of the law enforcement purposes, as defined in Clause 29. This approach is clear from a reading of Part 3 as a whole. For example, each of the data protection principles in Clauses 33 to 38 refers to processing for any of the law enforcement purposes.

The definition of a competent authority needs to be viewed in that context. Competent authorities will process personal data under the scheme in Part 3 only where such processing is for one of the law enforcement purposes. If they process data for another purpose, as the noble Baroness indicated—for example, for HR management purposes—the processing would be undertaken under either the GDPR or applied GDPR scheme, as the case may be. That would be the default regime. I am not sure there is a case for yet another regime on top of the two we already have. As paragraph 167 of the Explanatory Notes to the Bill makes clear, a government department will be a competent authority for the purposes of Part 3 only to the extent that it processes personal data for a law enforcement purpose. For example, where DWP processes data in the course of investigating criminal offences linked to benefit fraud, it will do so as a competent authority.

The approach we have taken in Schedule 7 is to list all the principal law enforcement agencies, including police forces, prosecutors and those responsible for offender management, but also to list other office holders and organisations that have law enforcement functions supplementary to their primary function. For example, the list in Schedule 7 includes some significant regulators. We should remember that the definition of “law enforcement purposes” includes the “execution of criminal penalties”, as set out in Clause 29. That being the case, it is entirely appropriate to list contractors providing offender management services. I hope this explanation deals with Amendment 129A. As I explained a moment ago, where such contractors process data for a non-law enforcement purpose—again, an example given by the noble Baroness—they will do so under the GDPR or applied GDPR scheme.

Schedule 7 is not, and is not intended to be, a wholly exhaustive list, and other organisations with incidental law enforcement functions will come within the scope of the definition of a competent authority by virtue of Clause 28(1)(b). Police and crime commissioners, to which Amendment 127A relates, may be a case in point, but if they process personal data for a law enforcement purpose, they will do so as a competent authority by virtue of Clause 28(1)(b). The government amendments in this group should be viewed against that backdrop.

Since the Bill was introduced, we have identified a number of other organisations that it would be appropriate to add to the list in Schedule 7, and Amendments 125, 126, 128 and 129 are directed to that end. Government Amendment 127 modifies the existing entry in respect of the independent office for police conduct in recognition of the fact that under the reforms we are making to the Independent Police Complaints Commission, the director-general will be the data controller of the reformed organisation.

The amendments to Clause 31 all seek to amend the definition of profiling. First, Amendment 129C seeks to include “attributes” in the definition of profiling, which currently refers to “aspects”. The existing wording reflects the terminology used in the LED, which is clear. In any event, the two words do not differ much in substance, so little is gained by the proposed addition.

In Amendment 129B and Amendments 129D to 129F the noble Baroness seeks to widen the definition of profiling so that it is not restricted to “certain” areas of profiling or to the aspects listed. However, the personal aspects itemised in the definition are not intended to act as an exhaustive list, and the inclusion of the words “certain” and “in particular” do not have this effect. The list refers to those aspects considered of most importance to profiling. Again, for these reasons, these amendments are not necessary. I think the noble Baroness conceded that we were simply replicating the existing terminology.

I hope I have been able to reassure her on these points and that she will be content to withdraw her Amendment 124Q and support the government amendments.

Lord Young of Cookham

- Hansard -

Copy Link

- - Excerpts

Some in-flight refuelling has arrived. The noble Baroness made a valid point about why we had added certain organisations to Schedule 7 but not the police and crime commissioners. We will reflect on that between now and Report.

Lord Stevenson of Balmacara

- Hansard -

Copy Link

- - Excerpts

My Lords, we have a number of amendments in this group which fit very well with what has just been said by the noble Baroness, Lady Hamwee. I hope she will take it from that that we support broadly where she is coming from and hope to extend it slightly in a couple of areas.

Amendment 130—which is a DPRRC recommendation —affects Schedule 8. This was touched on in earlier groups and I will not delay the Committee by repeating the points now. They will be covered in the Minister’s response, which we confidently expect to be that this is under consideration, that a further air travel bulletin will be emerging shortly and that we should not worry too much about it at this stage. However, I am prepared to argue for it if necessary, and if the noble Lord challenges me I will do so.

The government amendments have not yet been introduced. However, in anticipation, we welcome them. They take out one or two of the points I will be making later. Once they have been introduced and looked at we will be able to rely on them. They cover a particular gap in the Bill in terms of the need to rely on a function conferred on a person by rule of law as well as simply by an enactment.

Amendment 133ZA is a probing amendment to quite an important clause that we would like to see retained. The reason for putting down the amendment in this form is to probe further into what is going on here. The terms of Clause 39 apply only,

“in relation to the processing of personal data for a law enforcement purpose”,

and would be conferred by rule of law as well. It repeats other areas that cover,

“archiving purposes in the public interest … scientific or historical research purposes, or … statistical purposes”.

I am not clear why these are linked to law enforcement purposes. Why would archiving be necessary for such a purpose? Perhaps the Minister can respond on that particular point. It is a narrow one, but I should like to know the answer.

Clause 33(5) deals with processing without the consent of the data subject, of which this is a part, and makes the point that it is permissible only for the purposes listed in Schedule 8. However, Clause 33(6) permits amendment to this derogation, so purposes could be added or indeed lost. There is of course a wide research exception in Schedule 8 with no specific safeguards. So it is important to understand why the framing of this is so open-ended, and I would be grateful for a response.

When we check the GDPR, the antecedent impulse for this is present in the wording of article 4(3). That goes on to say that the processing has to be subject to appropriate safeguards for the rights and freedoms of data subjects, yet we do not see these in either Clause 33 or Clause 39—or indeed at any point in between. Why is that? Is there a reason why it should not be part of the processing conditions? If so, can we have an example of why that would be necessary?

Amendment 133ZC relates to quite an important area, which is a derogation to allow personal data to be processed for different law enforcement purposes other than when it is initially processed, as long as it is a lawful purpose and is proportionate and necessary. That is quite open-ended, so it would be helpful if in his response the Minister could speculate a little about where the boundaries there exist. We have no objection to the provision in principle, but it is important to ensure that the scope is not so impossibly broad that anything can be hung on one particular issue. If that was coming forward, I am sure that it would be possible to do that. The scope seems to be too broad to be considered proportionate—which, as I said, is what the directive requires.

Amendment 133ZE builds on Amendment 133ZD to which the noble Baroness, Lady Hamwee, has already spoken. This is about what happens to data that is found to be inaccurate and the requirement that it should not be disclosed for any law enforcement purpose. This is a slightly different wording and I am looking for confirmation that the Government do not see a difference in the two possibilities. The original requirement was that data should not be “transmitted or made available” if it is inaccurate, but this would say that it should not be “disclosed”, which is an active rather than a passive expression of that—but is it different? The amendment tries to broaden the provision so that reasonable steps are taken to make sure that data is not made available for any purpose, which I think would be a more satisfactory approach.

I turn to Amendment 133ZG. I think I am right in saying that the GDPR envisages that inaccurate personal data should be corrected or deleted at the initiative of the controller, but that provision does not appear in the Bill. I wonder whether there is an explanation for that. If there is not, who will be responsible for correcting data that is found to be inaccurate or needs to be corrected or deleted?

Finally in this group, Amendment 133ZH relates to Clause 37, which requires that personal data should be kept for no longer than necessary. To comply with this principle, the data controller should establish time limits for erasure or for a periodic review. The current drafting seems to suggest that all that is required to be done by controllers is that from time to time they should review their procedures; it does not say that they have to do it. Perhaps the Minister could respond on this point. Surely what we want here is a clear requirement for both reviews and action. You can review the data, but if it is no longer required and should be deleted, there should be an appropriate follow-up. Time limits are not enough: you do it within the time limits but then you have to follow up. We do not think it currently makes sense. I look forward to the Minister’s responses.

Lord Stevenson of Balmacara

- Hansard -

Copy Link

- - Excerpts

I am very grateful for the late intelligence that came across on the point about withdrawal. The issue was not that there is not sufficient power in the Bill—there is, we accept that—but just that there seems to be an unfortunate separation between the need periodically to review the length of time for which the data is held and the fact that, when a decision has been arrived at, the data is no longer required. There seems to be no prod to remove the data that should be removed. I understand the point made earlier by the Minister that some data, although wrong, should be kept, but that was not the point I was making. However, I think we can deal with this outside the Chamber.

Lord Kennedy of Southwark

- Hansard -

Copy Link

- - Excerpts

My Lords, the five amendments in this group are all in the name of the noble Baroness, Lady Hamwee, and the noble Lord, Lord Paddick. I should say at the start that I am not convinced by Amendment 133ZL and I look forward to the response of the Government. I am not sure that it is proportionate in respect of law enforcement processing. I had concerns about it before the debate and I have heard nothing to change my mind.

Amendment 133ZM widens the scope of the provisions and I am content with that. I am interested to hear from the Government why the three words to be deleted are so important: perhaps they can convince me of the merits of having them in the Bill.

Amendment 133ZN is proportionate and I happy to support it. I do not support Amendment 133ZP and, again, I have heard nothing yet to convince me otherwise. I await a response from the Government. Amendment 133ZQ seems proportionate to me in respect of the data controller being able to record reasons to restrict provision of information to a data subject and the reasons for refusing requests.

Lord Stevenson of Balmacara

- Hansard -

Copy Link

- - Excerpts

My Lords, I support the amendments that have just been moved and spoken to by the noble Baroness, Lady Hamwee. We should perhaps have signed up to them but I do not think we had the time to do so. However, they all bear on important issues that need to be addressed and I look forward to hearing the responses from the Minister.

Our amendments in this group are also about automated processing but they attach to a slightly different arrangement. In Clause 92, on page 52, the right of access provisions are largely copied from earlier parts of the Bill and are extensive. Like the noble Baroness, Lady Hamwee, we appreciate that. The Government have moved a long way to try to reassure everyone that the intelligence services, as well as the defence services, are trying to operate in a manner that could be taken almost directly from the GDPR. While this may be gold-plating, it is a good way of making progress. Having said that, halfway down page 52 are two things that our amendments address. In Amendment 142C, we suggest that there should be a,

“right to object to automated-decision making”,

within automatic processing, because at the end of Clause 92(2) all the other rights are there but the one present in other parts of the Bill on the right to object is not. I wonder why it has been missed out. It would be interesting to hear from the Minister about that.

In Amendment 143B, we also wish to challenge why the fee has to be paid for this. The Government have tried hard to make an equality of approach right the way across but fees suddenly appear here, in a way which seems rather strange. It cannot be that the information services of Her Majesty’s Government are so starved of cash that they have to charge money to get their services completed for those who just want reasonable information, which should specifically be made available. It seems a double bind to have a situation where these rights and obligations are tantalisingly included in the Bill, but are then removed from reasonable access because of the costs that might be charged. I know that the Secretary of State would have to do it by regulations, which would be subject to further scrutiny, but perhaps this could be looked at again.

Baroness Williams of Trafford

- Hansard -

Copy Link

- - Excerpts

My Lords, these amendments return us to the issue of automated decision-making, which we debated on Monday, albeit principally in the context of Part 2.

The noble Baroness, Lady Hamwee, has indicated that the purpose of Amendment 134A is to probe why Clause 48(1)(b) is required. Clauses 47 and 48 should be read together. Clause 47 essentially operates to prohibit the controller making a significant decision based solely on automated processing, unless such a decision is required or authorised by law. Where automated decision-making is authorised or required by law, Clause 48 permits the controller to make a qualifying significant decision, subject to the specified safeguards.

A significant decision based solely on automated processing which is not required or authorised by law is an unlawful decision and therefore null and void. That being the case, we should not seek to legitimise an unlawful decision by conferring a right on a data subject to request that such a decision be reconsidered. Should such a decision be made contrary to Clause 47(1), the proper way to deal with it is through enforcement action by the Information Commissioner, not through the provisions of Clause 48.

Amendments 135 and 144 seek to prevent any decision being taken on the basis of automated decision-making where the decision would engage the rights of the data subject under the Human Rights Act. As my noble friend Lord Ashton indicated on Monday when the Committee debated Amendment 75, which was framed in similar terms, such a restriction would arguably wholly negate the provisions in respect of automated decision-making as it would be possible to argue that any decision based on automated decision-making would, at the very least, engage the data subject’s right to respect for privacy under Article 8 of the European Convention on Human Rights.

At the same time, the unintended consequences of this could be very damaging. For example, any intelligence work by the intelligence services relating to an individual would almost certainly engage the right to respect for private life. The effect of the amendment on Part 4 would therefore be to prevent the intelligence services taking any further action based on automated processing, even if that further action was necessary, proportionate, authorised under the law and fully compliant with the Human Rights Act. Where a decision will have legal or similarly significant effects for a data subject, data controllers will be required to notify data subjects to ensure that they can seek the remaking of that decision with human intervention. We believe that this affords sufficient safeguards.

Turning to Amendment 135A, I can assure the noble Baroness, Lady Hamwee, that automated processing does indeed include profiling. This is clear from the definition of profiling in Clause 31 which refers to,

“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual”.

Given that, I do not believe more is needed, but I confirm that there is no significance in omitting the word “profiling”. We did not include a reference to profiling as an example of automated decision-making on the grounds that it is just that, an example, and therefore an express reference to including profiling would add nothing.

Amendment 135B would require controllers to notify data subjects within 72 hours where a qualifying significant decision has been made based solely on automated processing. While it is appropriate elsewhere in the Bill to require controllers to report data breaches to the Information Commissioner, where feasible, within 72 hours, we consider that the existing requirement to notify data subjects of what is a lawful qualifying significant decision as soon as reasonably practicable establishes the need for prompt notification while recognising that there needs to be some flexibility to reflect the operational environment.

Amendment 136A seeks to require the Information Commissioner to appoint an independent person to oversee the operation of automated decision-making under Part 3. I am unpersuaded of the case for this amendment. The Information Commissioner is, of course, already an independent regulator with express statutory duties to, among other things, monitor and enforce the provisions in Part 3, so it is unclear to me why the commissioner should be obliged to, in effect, subcontract her functions in so far as they relate to automated decision-making. Such processing is subject to the commissioner’s oversight functions as much as any other processing, so I do not see why we need to single it out for special treatment. If the argument is that automated processing can have a more acute impact on data subjects than any other forms of processing, then it is open to the commissioner to reflect this in how she undertakes her regulatory functions and to monitor compliance with Clauses 47 and 48 more closely than other aspects of Part 3, but this should be left to the good judgment of the commissioner rather than adding a new layer of regulation.

The noble Baroness asked whether it is 21 days from receipt of notification or another time. Clause 48(2)(b) makes it clear that it is 21 days from receipt.

I have some sympathy for Amendment 137, which requires controllers subject to Part 3, on request, to provide data subjects with the reasons behind the processing of their personal data. I agree that data subjects should, in general, have the right to information about decision-making which affects them, whether or not that decision-making derives from automated processing. However, this is not straightforward. For example, as with the rights to information under Clauses 42 and 43, this cannot be an absolute right otherwise we risk compromising ongoing criminal investigations. If the noble Baroness will agree not to move Amendment 137, I undertake to consider the matter further ahead of Report.

Amendments 142C and 143B in the name of the noble Lord, Lord Stevenson, seek to confer a new duty on controllers to inform data subjects of their right to intervene in automated decision-making. I believe the Bill already effectively provides for this. Clause 95(3) already places a duty on a controller to notify a data subject that a decision about them based solely on automated processing has been made.

Amendments 145 and 146 seek to strike out the provisions in Part 4 that enable automated decision-making in relation to the consideration of contracts. The briefing issued by Liberty suggested that there was no like provision under the GDPR, but recital 71 to the GDPR expressly refers to processing,

“necessary for the entering or performance of a contract between the data subject and a controller”,

as one example of automated processing which is allowed when authorised by law. Moreover, we envisage the intelligence services making use of this provision—for example, considering whether to enter into a contract may initially require a national security assessment whereby an individual’s name is run through a computer program to determine potential threats.

Finally, Amendment 146A would place a duty on the intelligence services to inform the Information Commissioner of the outcome of their consideration of a request by a data subject to review a decision based solely on automated processing. We are not persuaded that a routine notification of this kind is necessary. The Information Commissioner has a general function in relation to the monitoring and enforcement of Part 4 and in pursuance of that function can seek necessary information from the intelligence services, including in respect of automated processing.

I hope again that my detailed explanation in response to these amendments has satisfied noble Lords, and as I have indicated, I am ready to consider Amendment 137 further ahead of Report. I hope that on that note, the noble Baroness will withdraw the amendment.

Lord Young of Cookham

- Hansard -

Copy Link

- - Excerpts

My Lords, these are narrow but important amendments relating to the liability of joint controllers. I agree with the noble Baroness that there should be clarity as to where liability rests when a controller contravenes the provisions of the Bill. The concept of joint data controllers is not new; indeed, it is recognised in the Data Protection Act 1998. In a similar vein, Clause 56 makes provision for joint controllers under Part 3—the shared responsibility for the police national computer by chief officers is a case in point. Upholding the rights of data subjects is dependent on the clear understanding of responsibilities. Clause 56 requires joint controllers to determine transparently their respective responsibilities so that data subjects know who to look to in order to access their rights or to seek redress. There should be no ambiguity as to who is responsible for compliance with the provisions of Part 3.

The issue of liability is dealt with elsewhere in the Bill. For example, Clause 160 provides that an individual has the right to compensation from a controller if they suffer damage because of a contravention of this legislation. Subsection (4) makes specific provision for joint controllers: it provides that liability for damages flows from the legal responsibility for compliance as determined by an arrangement made under Clause 56. These types of arrangement already exist, and this is as it should be. What matters to the data subject is that the legal position in relation to joint controllers is clear, and Clause 160, read with Clause 56, provides such clarity. I also refer the noble Baroness to Clauses 145, 149 and 158, which make like provision in respect of enforcement notices, penalty notices and compliance orders.

The government amendments in this group, which are technical, address much the same point. As I have indicated, the Bill adopts the principle that a court order in relation to controllers operating under a joint controller arrangement may be made only against the controller responsible for compliance with the relevant provision of data protection legislation. That has to be right, whereas under the noble Baroness’s amendment, they would all be liable, whether or not they were responsible for compliance with the relevant provision. Amendments 143, 147 and 148 are needed to ensure that the principle is carried through when joint controllers are operating under Clause 102 and that the liability of such controllers is clear. Providing such clarity is in everyone’s interests, including data subjects.

I hope I have been able to satisfy the noble Baroness that the position on the liability of joint controllers is clear and that she will be content to withdraw her amendment and support the government amendments.

Lord Stevenson of Balmacara

- Hansard -

Copy Link

- - Excerpts

My Lords, we have one amendment in this group, and I will speak to it. It affects what appears to be a lacuna—if that is not too technical a term for Hansard—in relation to the storage and retention of data collected by local police forces under the automatic number plate recognition system. Each local police force has an ANPR system. There are thousands of cameras, which we are all too aware of. Anyone who drives past one and has a picture of their number plate taken has a momentary shudder in case they are doing something wrong. When you add them all together, it is one of the biggest surveillance systems in the world—probably the world’s biggest non-military system—and it is growing every day. At the moment, there are probably about 1 billion shots of people cars in circulation. It is of course personal data, as it tracks people’s journeys, or can be read to do so.

There are two problems. First, the ANPR system has grown and grown but does not have proper governance or structure. Attention needs to be paid to that. This is not the Bill for that, but the noble Baroness might wish to take that point back with her. Secondly, an FOI request revealed in 2015 that the police had no systematic retention or disposal policy; they simply just kept the data because it might come in useful at some time. I do not think that works under the Data Protection Act 1998 and does not seem appropriate, given the way the Bill is framed.

In case there is any doubt whether those systems fall within the scope of the Act or whether there should be a change of policy, we have tabled the amendment to probe what is going on. There has been a recent change—I hope that the noble Baroness will update us about it—and several billion deletions, but there is still a question about the appropriate retention system. Our amendment is an attempt to move forward on that issue.

The problem is that the ANPR is not covered anywhere in statute. Despite the fact that it is very large, it is simply run. The Home Office does not see it as an espionage system—that is fair enough—so it is not covered in the Investigatory Powers Act. There is a case, however, for using the Bill to get this issue back into scope. The proposal here is simple. These particular words need not be used, but I hope the noble Baroness will accept that something should be done. We propose that the approach should be in accordance with the arrangements currently adopted in surveillance systems elsewhere.

Baroness Williams of Trafford

- Hansard -

Copy Link

- - Excerpts

My Lords, this quite extensive group of amendments relates to the obligations on controllers and processors and the transfer of personal data to third countries. As the noble Baroness, Lady Hamwee, explained, Amendment 137B seeks to probe the necessity for the words “where applicable” in Clause 59(2)(g), which places a duty on a controller to record details of the use of profiling in the course of processing. This wording is transposed directly from Article 24 of the LED—and. to be clear, we are not excluding types of profiling from being recorded. Rather, the clause provides that all profiling is recorded where profiling has taken place. The wording acknowledges that some processing may not involve profiling.

Amendment 137C seeks to add a definition of the word “nature” as used in Clause 62(4). References to the,

“nature, scope, context, and purposes of the processing”,

are found throughout the LED and we have faithfully transposed this. We accept that the nature of the processing does include the aspects set out in the noble Baroness’s amendment, but we do not believe it necessary to set that out on the face of the Bill, and there is a danger that doing so in these terms could unwittingly narrow the scope of this provision. I might add that the Information Commissioner’s Office already publishes guidance on conducting privacy impact assessments and will be issuing further guidance on issues related to the Bill in due course.

Amendment 137D to Clause 63 would confer on the Information Commissioner a power to make regulations specifying further circumstances in which a controller must consult the commissioner before undertaking processing activities. Currently the requirement is for controllers to consult the commissioner when a data protection impact assessment indicates that processing would pose a high risk to the rights and freedoms of data subjects. Clause 63 reflects the provisions in Article 28 of the LED and sets an appropriate threshold for mandatory consultation with the Information Commissioner. This is not to preclude consultation in other cases, but I am unpersuaded that we should go down the rather unusual road of conferring regulation-making powers on the commissioner. Instead, we should leave this to the co-operative relationship we expect to see between the commissioner and controllers and, if appropriate, to any guidance issued by the commissioner.

Amendment 137E seeks to specify the content of the written advice which the Information Commissioner must provide to a controller in the event that she considers that a proposed processing operation would contravene the provisions of Part 3. I do not disagree with the point that the amendment is seeking to make—indeed, it echoes some of what is said at paragraph 209 of the Explanatory Notes—but we believe that we can sensibly leave it to the good judgment of the commissioner to determine on a case-by-case basis what needs to be covered in her advice.

Amendment 137F would expressly require controllers to account for the cost of implementation when putting in place appropriate organisational and technical measures to keep data safe. I entirely agree with the spirit of this amendment; there needs to be a proportionate approach to data protection. However, I refer the noble Baroness to Clause 53(3), which already includes a provision to this effect. On Amendment 137G, we believe the use of the present tense is correct in Clause 66(3)(a) in that the implementation of the measures is ongoing and not set in the past.

Amendment 137H would require a controller to inform the commissioner when they have restricted the information available to data subjects in the event of a data breach. Clause 66(7) is one of four instances in Part 3 where a controller may restrict the rights of data subjects. I do not believe that there is a case for singling out this provision as one where a duty to report the exercise of the restriction should apply. If the commissioner wants information about the exercise of the power in Clause 66(7), she can ask for it.

Amendment 137J seeks to add to the role of data protection officers by requiring them to update the controller on relevant developments in the data protection standards of third countries. I do not deny that awareness of such standards by police forces and others is important for the purposes of the operation of the safeguards in Chapter 5 of Part 3. However, Clause 69 properly reflects the terms of the LED. It does not preclude data protection officers exercising other functions such as the one described in Amendment 137J.

Amendments 137K, 137L and 137M relate to Clause 71, which sets out the general principles for transfers of personal data to a third country or international organisation. The whole purpose of Chapter 5 of Part 3 is to provide safeguards where personal data is transferred across borders. Given that, I am not sure what Amendment 137K would add. Amendment 137L would narrow the circumstances in which onward transfers of personal data may take place with express authorisation from the originator of the data. In contrast, Amendment 137M, in seeking to remove Clause 71(5)(b), would expand those circumstances —which I am not sure is the noble Baroness’s intention. Subsection (5) is a direct transposition of article 35(2) of the LED, so we should remain faithful to its provisions. What constitutes the essential interests of a member state must be for the controller to determine in the circumstances of a particular case—but, here as elsewhere, they are open to challenge, including enforcement action by the commissioner if they were to abuse such provisions.

Amendment 137N would require a controller to pay due regard to any ICO guidance before coming to a decision under Clause 74(2), which relates to the transfer of data on the basis of special circumstances. The Bill already caters for this. Clause 119 places a duty on the commissioner to prepare a data-sharing code of practice and, under the general principles of public law, controllers will be required to consider the code—or for that matter any other guidance issued by the commissioner.

Finally, Amendment 137EA in the name of the noble Lord, Lord Kennedy, and articulated by the noble Lord, Lord Stevenson, seeks to set in statute the retention period for personal data derived from ANPR cameras. ANPR is an important tool used by the police and others for the prevention and detection of crime. I understand that the National Police Chiefs’ Council has recently changed its policy on the retention of ANPR records, reducing the retention period from two years to 12 months. The new policy requires all data not related to a specific case to be deleted after 12 months. This will be reflected in revised national ANPR standards. We know that the Information Commissioner had concerns about the retention of ANPR records and we welcome the decision by the NPCC in this regard.

Given this, I have no difficulty with the spirit of the noble Lord’s amendment, but the detail is too prescriptive and we are not persuaded that we should be writing into the Bill the retention period for one category of personal data processed by competent authorities. The amendment is unduly prescriptive as it takes no account of the fact that there will be operational circumstances where the data needs to be retained for longer than 12 months—in particular, where it is necessary to do so for investigative or evidential purposes.

More generally, I remind the noble Lord that the fifth data protection principle—the requirement that personal data be kept no longer than is necessary—will regulate the retention policies of controllers for all classes of personal data. In addition, Clause 37(2) requires controllers to undertake a periodic review of the need for the continued retention of data. Given these provisions, I am not persuaded that we should single out ANPR-related data for special treatment on the face of the Bill.

I apologise again for the extensive explanation of the amendments, and I hope that noble Lords will be happy not to press them.

Lord Young of Cookham

- Hansard -

Copy Link

- - Excerpts

My Lords, I am grateful to the noble Baroness, Lady Hamwee, for explaining these amendments, which relate to intelligence services processing.

Amendment 137R would provide that sensitive processing for a condition under Schedule 10 was lawful when the condition was not also a condition in Schedule 9. Clause 84 provides that processing is lawful only as long as one of the conditions in Schedule 9 is met, and for sensitive processing one of the conditions in Schedule 10 must also be met. We consider that the two-stage consideration process when processing sensitive personal data is important, as it requires the controller to ensure that conditions in both schedules can be satisfied.

We accept that there is a degree of overlap between some of the conditions provided for in the schedules, but that is necessary. For example, consent is a condition for processing in both schedules, but that reflects the fact that consent may often be the most appropriate grounds for processing personal data, such as when people consent to their sensitive personal data being processed for medical purposes. That position is not new: Schedules 9 and 10 reflect the equivalent Schedules 2 and 3 to the Data Protection Act, both of which provide that consent is a condition for processing. The amendment adds nothing, but has the potential to reduce clarity and is likely to confuse by departing from a well-established, two-stage consideration process.

Amendment 138A, which the noble Baroness said was probing, would restrict the power of the Secretary of State to amend the conditions for sensitive processing set out in Schedule 10 to adding conditions rather than also varying or omitting. The issue was debated in the context of other parts of the Bill last Monday, and I repeat the commitment given by my noble friend to take account of the noble Baroness’s amendment as part of our consideration of the report from the Delegated Powers Committee.

Amendment 139A would remove as a condition for lawful processing under Schedule 9 processing that is necessary for the purposes of legitimate interests pursued by the data controller. In the case of the intelligence services, their legitimate interests are dictated by their statutory functions, including safeguarding national security and preventing and detecting serious crime. I should also add that this is a condition currently provided for in Schedule 2 to the Data Protection Act 1998, so it may not surprise noble Lords that we could not support an amendment that would preclude the intelligence services from processing personal data in pursuance of their vital functions.

Amendment 139B would preclude the processing of personal data by the intelligence agencies in pursuit of their legitimate interests—that is, their statutory functions—whenever the processing prejudices the rights and freedoms or legitimate interests of the data subjects, rather than the current drafting, which prevents such processing in circumstances where it would be unwarranted in any particular case because of prejudice to those rights or interests. This more restrictive approach would mean that the intelligence services would be unable to process personal data in pursuit of their legitimate interests—for example, safeguarding national security—since it could be argued that such processing is likely to engage such rights, in particular the right to respect private life. It would prevent data processing that was otherwise lawful, necessary and proportionate and carried out in full compliance with the Human Rights Act. The ECHR provides that some rights, including the right to private life, are qualified rights, recognising the fact that while a right may be engaged, lawful interference with that right should be permissible in certain circumstances. As a result, this amendment would appear to go further than that required by the ECHR as, whenever a right was engaged, interference would not be possible, even if such interference were lawful, proportionate and necessary. Again, the condition in the Bill replicates the existing condition in Schedule 2 to the Data Protection Act 1998. Given this, I am not aware of any powerful reasons for changing the existing established approach.

Amendment 139C would require the Information Commissioner to be informed when processing is necessary to protect the vital interests of the data subject in circumstances, for instance, where consent cannot be given by or on behalf of the data subject or the controller cannot reasonably be expected to obtain the consent of the data subject. Such processing is a condition for sensitive processing under Schedule 10 and it mirrors precisely the equivalent provisions in Schedule 3 to the Data Protection Act 1998. The amendment does not add to a data subject’s rights nor does it strengthen protections. The processing of personal data in these circumstances already attracts the protections and safeguards provided for in the Bill, including the general oversight of the Information Commissioner. It is therefore in our view unnecessary and, I might add, I am not aware that the Information Commissioner has asked for such a provision.

Amendment 139D—which the noble Baroness was gracious enough to concede that she had not thought through—would limit the processing of personal data in connection with legal proceedings related to an offence or alleged offence. This amendment would have an extremely damaging effect, preventing processing in connection with all other legal proceedings, such as court or tribunal proceedings under this Bill, complaints to the Investigatory Powers Tribunal about unlawful conduct by the intelligence services and assistance with other civil proceedings and inquiries. I am sure that this was not the noble Baroness’s intention. Furthermore, the wording at paragraph 5 of Schedule 10 reflects that currently provided for at paragraph 6 of Schedule 3 to the Data Protection Act, so the Bill goes no further than existing legislation in this respect.

Amendment 140A would remove from Schedule 10 processing personal data necessary for medical purposes as a condition for sensitive processing. However, this is relevant for the intelligence services for straightforward processing of medical data by medical professionals processing the services’ data. An example would be an intelligence service’s occupational health services carrying out fitness for work assessments and providing medical advice. In such circumstances the intelligence service would likely rely on this condition as a lawful basis for the processing. This is to the benefit of both the services as employers and to their employees.

Finally, Amendment 140B relates to Clause 85, which provides for the second data protection principle: the requirement that the purposes of processing be specified, explicit and not excessive. Subsection (4) of the clause provides that processing is to be regarded as compatible with the purpose for which it is collected if the processing is for purposes such as archiving and scientific or historical research. This amendment has the effect of rendering processing compatible only if it was for those specific purposes. I am sure that was not the noble Baroness’s intention given that the amendment would prevent the intelligence services processing personal data in pursuance of their vital statutory functions.

I hope that noble Lords will agree that in relation to these amendments the Bill, with possibly one exception, adopts the right approach. In relation to the possible exception, namely the delegated power in Clause 84, I have reiterated the commitment that we will take account of Amendment 138A when we respond to the report from the Delegated Powers Committee. I therefore ask the noble Baroness to withdraw her amendment.

Lord Stevenson of Balmacara

- Hansard -

Copy Link

- - Excerpts

My Lords, I can be very brief. We had intended to withdraw Amendment 142A in this group but, unfortunately, we could not do so in time so I will not speak to it. To complete the icing on the cake, I have already spoken, rather stupidly, to Amendment 142D, and therefore I do not need to repeat myself. I simply await the noble Baroness’s response on it.

Baroness Williams of Trafford

- Hansard -

Copy Link

- - Excerpts

My Lords, I thank the noble Baroness, Lady Hamwee, and the noble Lord, Lord Stevenson, who negated the need for me to speak to Amendment 142A, so I shall not do so.

I turn straight to Amendment 142B. This requires the controller to provide a data subject with specified information about the processing of their personal data unless the controller has previously provided the data subject with that information. This contrasts with the existing approach in Clause 91(3), which provides that the controller is not required to give the data subject information that the data subject already has. Although similar, the shift in emphasis of this amendment could undermine Clause 91(2) by requiring the data controller to provide information directly to the data subject rather than to generally provide it. The effect of this could be to place an undue burden on the controller by preventing them providing such information generally, such as by means of their website.

Clause 92 provides for an individual to obtain confirmation from a controller of whether the controller is processing personal data concerning them and, if so, to be provided with that data and information relating to it. It sets out how an individual would request such information and places certain restrictions and obligations on meeting such requests.

Amendment 142C would add to the information that must be provided to a data subject. I do not believe this amendment is necessary. Clause 91 already provides that the general information that must be provided by a controller is information about how to exercise rights under Chapter 3 of Part 4 and I am sure that the Information Commissioner will put out further information about data subjects’ rights under each of the schemes covered by the Bill.

The purpose of Amendment 142D is to remove the ability of the intelligence services to charge a fee for providing information in response to a request by a data subject in any circumstances. The noble Lord, Lord Stevenson, or the noble Lord, Lord Kennedy—I am not quite sure who it was; I think it was the noble Lord, Lord Stevenson—has contrasted the position in Part 4 with that in Parts 2 and 3 of the Bill, whereby a controller may charge a fee only where the subject access request is manifestly unfounded or excessive. The fact remains, however, that the modernised Convention 108, on which Part 4 is based, continues to allow for the charging of a reasonable fee for subject access requests and we are retaining the power to specify a maximum fee, which currently stands at £10.

It is entirely right that the intelligence services should be required to respond to subject access requests, but we believe it is appropriate to retain the ability to charge because we do not want the intelligence services to be exposed to vexatious or frivolous requests that could impose a significant burden upon Part 4 controllers. As I have said, the modernised Convention 108 allows for the charging of a fee and there is a power in Clause 92 not just to place a cap on the amount of the fee but to provide that, in specified cases, no fee may be charged. I think this is the right approach and we should therefore retain Clause 92(3) and (4).

Amendment 143A would require every subject access request under Clause 92 to be fulfilled within one month and would remove the Secretary of State’s ability to extend the applicable time period to up to three months for any cases. The Delegated Powers and Regulatory Reform Committee has considered this Bill and made no comment on this regulation-making power. In our delegated powers memorandum we explained the need for this provision, and the equivalent power in Part 3 of the Bill, as follows:

“Meeting the default one month time limit for responding to subject access requests or to requests to rectify or erase personal data may, in some cases, prove to be challenging, particularly where the data controller holds a significant volume of data in relation to the data subject. A power to extend the applicable time period to up to three months will afford the flexibility to take into account the operational experience of police forces, the CPS, prisons and others in responding to requests from data subjects under the new regime”.


I hope the noble Baroness would agree that this is a prudent regulation-making power which affords us limited flexibility to take into account the operational experience of the intelligence services in operating under the new scheme.

Baroness Williams of Trafford

- Hansard -

Copy Link

- - Excerpts

Yes, that is the point I made.

One of the rights afforded by Part 4 is that a data subject can require a controller not to process their personal data if that processing is an unwarranted interference with their interests or rights. If such a request is received, the controller may require further information in order to comply with the request. This includes information so as to be satisfied of the identity of the requesting individual or information so that they can locate the data in question.

Amendment 146B would require the requesting individual to provide information to help the controller locate the data in question only if the individual themselves knows where the data is located. I think we can agree that it is very unlikely that a data subject would know the exact location of data processed by a controller. As such, this change could make it more difficult for a controller to locate the data in question, as the data subject could refuse to provide any information to aid in the locating of their data. This could make it impossible for the controller to comply with the request and would in turn deprive the data subject of having their request fulfilled.

Chapter 4 of Part 4 deals with the obligations of the controller and processor. Controllers must consider the impact of any proposed processing on the rights of data subjects and implement appropriate measures to ensure those rights. In particular, Clause 101(2)(b) requires that risks to the rights and freedoms of data subjects be minimised. Amendment 148A would require that those risks be also dealt with in accordance with the Bill. If I understand the purpose of this amendment correctly and the noble Baroness’s intention is that the broader requirements of Part 4 should apply to any new type of processing, I can concur with the sentiments behind this amendment. However, it is not necessary to state this requirement in Clause 101; all processing by the intelligence services must be in accordance with the relevant provisions of the Bill.

Finally, Clause 106 requires that the controller notify the Information Commissioner if the controller becomes aware of a serious personal breach of data for which it is responsible. A data breach is deemed serious if it seriously interferes with the rights and freedoms of a data subject. Amendment 148B seeks to alter the level at which a data breach must be notified to the commissioner by lowering the threshold from a serious interference with the rights and freedoms of a data subject to a significant interference. The threshold is set purposely at serious so that the focus and resources of the controller and commissioner are spent on breaches above a reasonable threshold. We also draw the noble Baroness’s attention to the draft modernised Convention 108, which uses the phrase “seriously interfere”.

I am mindful that some noble Lords in this Chamber will be utterly perplexed by the subject matter to which we have been referring, so I hope that, with those words, the noble Lord will be sufficiently reassured and will withdraw his amendment.

Baroness O’Neill of Bengarve

- Hansard -

Copy Link

- - Excerpts

My Lords, I support the spirit of this amendment. I think it is the right thing and that we ultimately might aspire to a code. In the meantime, I suspect that there is a lot of work to be done because the field is changing extremely fast. The stewardship body which the noble Lord referred to, a deliberative body, may be the right prelude to identifying the shape that a code should now take, so perhaps this has to be taken in a number of steps and not in one bound.

Lord Arbuthnot of Edrom (Con)

- Hansard -

Copy Link

- - Excerpts

My Lords, I am grateful to the noble Baroness, Lady Hamwee, and to the Bar Council for the help it has given us on these amendments. I declare an interest—at least, I suppose I do—in that my wife is a judge and I used to practice as a Chancery barrister long ago.

It is an essential part of our legal system that people should have access to the justice system without communications between the client and the lawyer being disclosed—or, at any rate, that those disclosures should have only the rarest occurrence, such as, for example, if a communication is to be used to facilitate a crime. In those circumstances alone can legal professional privilege be waived. I suggest that the Bill should recognise the value of legal professional privilege but that it does not put that recognition into full effect. I hope that our amendments would achieve that.

Lord Ashton of Hyde

- Hansard -

Copy Link

- - Excerpts

My Lords, I am grateful to the noble Baroness, Lady Hamwee, for tabling these amendments. I know that the Bar Council has raised similar concerns with officials in my department and I am keen that that dialogue continue.

Before I address the amendments, I would like to say something about the overarching principles in relation to the interaction between data protection and legal professional privilege.

The right of a person to seek confidential advice from a legal adviser is indeed, as my noble friend Lord Arbuthnot said, a fundamental right of any person in the UK and a crucial part of our legal system. The Government in no way dispute that, and I reassure noble Lords that this Bill does not erode the principle of legal professional privilege.

It is true that the Data Protection Act 1998 allows the Information Commissioner to use her powers to investigate alleged data breaches by law firms, and sometimes the information she requests in order to carry out a thorough investigation may contain information which is subject to legal professional privilege. The commissioner recognises the sensitivity of material protected by legal professional privilege and has established processes in place for protecting it. Any material identified by the data controller as privileged is isolated if seized during a search and it is then sent directly to independent counsel for review. Counsel then provides an opinion on whether privilege applies. If counsel decides that the data is not privileged, the data controller can still dispute the Information Commissioner’s right to access that material and has the right to appeal to a tribunal, which will carry out a full merits review.

The Government are seeking only to replicate, as far as possible, in the current Bill the existing provisions relating to legal professional privilege in the 1998 Act. It is, for example, vital that the Information Commissioner retains the power to investigate law firms. They, like other data controllers, can make mistakes. If personal data is lost, stolen or disclosed unlawfully, that can have serious consequences for data subjects. It is right that the Information Commissioner retains the ability to investigate potential breaches by lawyers. They are not above the law.

As a final point of principle before we examine the amendments in detail, it is also worth highlighting that Clause 128 introduces a new requirement for the Information Commissioner to publish guidance on how legally privileged material obtained in the course of her investigations will be safeguarded. There was no similar requirement in the 1998 Act, so in that respect the current Bill actively strengthens protections for legal professional privilege. This has been included because historically the commissioner has found that a minority of those in the legal profession refuse to allow her access to personal data on the basis that it is privileged. The profession has not always understood that it must disclose the data and that the commissioner then has processes and procedures to protect that data. This guidance will make it clearer to the legal profession that robust safeguards are in place.

I turn to the amendments in this group. As I have said, Clause 128 provides that the Information Commissioner must publish guidance on the safeguards in relation to legally privileged communications. Amendments 161A and 161B would amend subsection (1) to clarify that any guidance published by the commissioner should cover the handling of any “confidential legal materials” as well as any communications between legal adviser and client. Amendment 161D would then introduce a wide definition of “confidential legal materials”. This, in our view, is unnecessary. I have no doubt that the Information Commissioner will interpret this to include draft communications.

Bills have grown in length over the years and, if we were to cover off permutations and combinations of processing and preparatory work such as this in every clause, we would be debating this Bill until next summer. We would also, through overdefinition, create more worrying loopholes.

Amendment 161C would make further provision about the purposes of the guidance published by the Information Commissioner. It has been suggested that the aim of the guidance should be to make it clear that nobody can access legally privileged material without the consent of the client who provided the material in the expectation that it would be treated in confidence. As I have already said, it is vital that the Information Commissioner retains the ability to investigate, and this amendment would call that into question because an investigation could not happen if the client withheld consent. I hope that the reassurances I have already given about the lengths to which the Information Commissioner will go to keep any confidential information safe are sufficient on that point. We are clear that the commissioner must have the right to investigate.

I said I would return to the issue of the Information Commissioner’s enforcement powers and the interaction with legal professional privilege. When there is a suspected breach of the data protection legislation, the commissioner has a number of tools available to aid her investigation. The commissioner can use information notices and assessment notices to request information or access filing systems, use enforcement notices to order a data controller to stop processing certain data or to correct bad practices, and issue monetary penalty notices to impose fines for breaches of the data protection legislation. However, we understand from the commissioner that the powers to issue assessment notices and information notices are rarely used because controllers tend to co-operate with her request. There are, however, a number of restrictions on the use of these enforcement powers where they relate to legally privileged information. In relation to information notices these are set out in Clause 138, and in relation to assessment notices they are set out in Clause 141. The restrictions ensure that a person is not required to provide legally privileged information. The concept of legal privilege is therefore preserved, although it may be waived by the controller or processor.

Amendments 162A, 162B, 162C, 163ZA and 163ZB intend to broaden the restrictions in Clauses 138 and 141 regarding information and assessment notices so that they apply explicitly to all legally privileged communications, not just those which concern proceedings under data protection legislation. The Government carefully considered whether these restrictions should apply to a wider range of legally privileged material when we developed the Bill. The current practice is for the ICO to appoint independent counsel to assess all potentially legally privileged material, which is not therefore passed on to the ICO if found to be privileged.

Amendment 163B seeks to apply the same restrictions that apply to assessment and information notices to enforcement notices. While we understand that this amendment derives from a concern that there may be a gap in the enforcement notice provisions, as there is currently no reference in those provisions to protecting legal professional privilege I can reassure noble Lords that such provision is unnecessary because, unlike information and assessment notices, enforcement notices cannot be used to require a person to provide the commissioner with information, only to require the controller to correct bad practice.

Finally, I turn to Amendment 164B, which aims to add to the list of matters in Clause 148 that the Information Commissioner must consider when deciding whether to give a data controller a penalty notice and determining the amount of the penalty. If a legal adviser failed to comply with an information or assessment notice because the information concerned was legally privileged, it would require the Information Commissioner to take this into account as a mitigating factor when deciding whether to issue a penalty notice and setting the level of financial penalty. Clause 126 specifically provides that the duty of confidence should not preclude a legal adviser from sharing legally privileged material with the Information Commissioner. As I have previously explained, there are strict procedures in place to protect privileged material.

We have given all these amendments careful consideration, but I hope that I have convinced the Committee that the Bill already strikes the correct balance between the right to legal professional privilege and the rights and freedoms of data subjects. With that, I hope that the noble Baroness feels able to withdraw her amendment.

Lord Brown of Eaton-under-Heywood (CB)

- Hansard -

Copy Link

- - Excerpts

My Lords, this group of amendments in my name, prompted by House officials, covers a number of issues concerning parliamentary privilege. The Bill in its present form contains some exemptions to its application to Parliament, but these are considered rather too narrow in scope. The group relates to four areas which have been raised by officials—that is, counsel and clerks of both Houses—as giving rise to concerns about how the Bill as drafted risks infringing parliamentary privilege. These concerns have been discussed extensively with the Bill team and the Leader’s office at official level, and drawn to the attention of the Senior Deputy Speaker, who is of course chairman of the Committee for Privileges and Conduct of this House. I say at once that these discussions have been most helpful and constructive. I pay tribute to the Bill team for its co-operation throughout.

Happily, the Bill team is now, as I understand it and as I expect the Minister shortly to confirm, satisfied that amendments to the Bill in all four areas of concern are appropriate, so that those will be forthcoming before Third Reading in the new year. I recognise and accept that those amendments may not follow the precise wording suggested in the present proposals but, provided they address the substance of these various specific concerns, we shall obviously be disposed to accept them.

In these circumstances, and given that we shall obviously not divide the House at this stage, it is unnecessary to outline the detailed nature of each of these proposed amendments. It is, I hope, sufficient to indicate that they include, for example, meeting concerns lest the Information Commissioner take enforcement action against Members or the corporate officers of either House—here, the Clerk of the Parliaments—in respect of the processing of personal data in parliamentary proceedings. Such action could lead to very substantial administrative penalties amounting to millions of pounds. There are concerns, too, about the liability of both corporate officers to prosecution for certain specified offences for things done on behalf of the two Houses of Parliament. I hope that that is sufficient, and at this stage I beg to move Amendment 16 and ask that the eight other amendments be accepted.

Baroness Chisholm of Owlpen

- Hansard -

Copy Link

- - Excerpts

My Lords, I am grateful to the noble and learned Lord, Lord Brown, for raising these amendments and for the words of the noble Baroness, Lady Hamwee. His amendments address concerns about the interaction of the Bill with parliamentary privilege. I agree wholeheartedly with him that parliamentary privilege should continue to be safeguarded and maintained for future generations, as it has been for centuries past. As I said in Committee, the Government’s view is that the Bill contains adequate protections to ensure that this is the case. However, we recognise the concerns that, in some areas, these protections could be enhanced and clarified, and we will bring forward amendments at Third Reading to address some of the points that the noble and learned Lord has raised in his amendments.

With that in mind, I will now turn briefly to the amendments themselves, starting with Amendments 16, 17 and 185. The Government recognise the concerns raised in these amendments about the way the conditions for processing sensitive personal data apply in respect of parliamentary proceedings, and liability under Clause 193(5). I am happy to reassure noble Lords that the Government intend to bring forward amendments to address these points at Third Reading.

Lord Kennedy of Southwark

- Hansard -

Copy Link

- - Excerpts

My Lords, I tabled this amendment to keep the issue that I raised in Committee on the agenda. I spoke about it at some length in Committee. I think it is better determined by your Lordships’ House, rather than going off to the other place. I know the Minister has kindly agreed to a meeting. We have not had a chance to have it yet, but we will later this week.

I know that the noble Lord, Lord Hayward, who sits on the Government Benches, fully supports this issue being debated. He, like me, hopes it can be sorted out here by Third Reading, rather than going to the other place. The basic problem is that provisions in the Bill potentially conflict with legislation in respect of elections and other matters already on the statute book. I went through those in Committee. I am sure we do not want to pass legislation that conflicts with existing legislation, but we risk doing that here. That cannot be right. What political parties, campaigners and politicians need—and certainly what the regulators need—is crystal clear legislation and regulation that they can apply. To pass something that is in direct conflict with the Representation of the People Act would be unwise. We need to have our meeting later this week and I hope we can bring something back at Third Reading. These are important issues that we need to get right to ensure that all legislation is working together. I beg to move.

Lord Ashton of Hyde

- Hansard -

Copy Link

- - Excerpts

I am grateful to the noble Lord, Lord Kennedy, for raising this issue, and to the noble Baroness for her comments. These issues are vital to our system of government, and we agree with that.

Amendment 27 seeks to expand the umbrella term “political activities” to include any additional activities determined to be appropriate by the Electoral Commission. Noble Lords will agree that engaging and interacting with the electorate is crucial in a democratic society, and we must therefore ensure that all activity to facilitate this is done in a lawful manner. Although paragraph 18(4) includes campaigning, fundraising, political surveys and case work as illustrative examples of political activities, it should not be taken to represent an exhaustive list.

Noble Lords will be aware that the Electoral Commission’s main areas of expertise concern the regulation of political funding and spending, and we are of the opinion that much, if not all the activities they regulate will be captured under the heading “political activity”. As I have just set out, fundraising is included as an illustrative example, which ought to provide some reassurance on this point. Moreover, the greater the number of activities denoted by the Electoral Commission, the less likely it is that any other activity would be considered by a court to be a political activity by dint of its omission. The commission, a body which as far as I am aware claims no expertise in data protection matters, would find itself in an endless spiral of denoting new activities as being permissible under the GDPR. Nevertheless, in recognition of the importance of such processing to the democratic process, the Government are continuing to consider the broader issues at stake and may well return to them in the second House. In this vein, the noble Lord made a number of good points, and I look forward to meeting him with the Minister for Digital, my right honourable friend Matt Hancock, on Thursday this week to discuss the matter in more detail than the parameters of this debate allow. We will see what the noble Lord feels about the timing of that after the meeting.

As for the noble Baroness, Lady Hamwee, we talked about having bigger meetings, and I am sure the time will come. This is just a preliminary meeting to decide on timings and to give the noble Lord, Lord Kennedy, the chance to discuss this with the Minister for Digital. I envisage that further meetings will include the noble Baroness.

I appreciate the sentiment behind the noble Lord’s amendment. In the light of our forthcoming discussions, I hope he feels able to withdraw it.

Lord Stevenson of Balmacara

- Hansard -

Copy Link

- - Excerpts

My Lords, we do not need to think very hard about this issue in terms of providing evidence that might be helpful to Ministers given that at Oral Questions today, at which I think the Minister and the noble Baroness were present, a case was raised by a Peer on our side of the House, in a Question to the DWP Minister, which verged on picking up a particular case. It was very useful in terms of making a broader political point. Are we saying that that will not be possible in future, as it raises significant questions? Secondly, as the noble Baroness, Lady Hamwee, said, irrespective of whether we have been an MP or a Member of the other House, we receive letters and emails almost daily offering individual data and information which, if we used it, would, I think, fall into the category mentioned by the noble and learned Lord.

At the weekend, I had the privilege of seeing the RSC perform the “Imperium” plays, adapted from the books of Robert Harris. These deal with a well-known orator, Cicero. Noble Lords will not be surprised to learn that he recommends to his clients—at one stage, he gives a tutorial to fellow citizens of Rome who intend to seek high office—that it is always helpful, and always catches the attention of an audience, if you give the specifics of an individual case and rise from that to the general. So if there is a possibility of placing a constraint on the ability of Members of this House to raise cases in an effort to improve the quality of life for citizens to whom we owe a duty of care and responsibility, that must be wrong. I hope that the Minister will take this away and work with the noble and learned Lord, Lord Brown, to bring something forward at Third Reading.

Lord Brown of Eaton-under-Heywood

- Hansard -

Copy Link

- - Excerpts

I confess to being disappointed by the Minister’s response to this. I dealt with the fact that things have changed over the 15 years since the 2002 order. Of course there will continue to be circumstances in which it is possible to get, without inhibiting problems, the express consent of the person concerned. However, it will not always be possible, and to that extent it will inhibit the future ability of Members to discharge a function they have been discharging. Of course I will not divide the House at this stage; nevertheless, I urge the Government to reread the arguments and submissions that the noble Baroness and I have advanced today and see whether they cannot bring themselves to recognise that there is a substantial point here. Although there is a natural reluctance to treat us as elected Members, they should for this limited purpose do so; that is justified in the narrow circumstances in which this point arises.

Lord Brown of Eaton-under-Heywood

- Hansard -

Copy Link

- - Excerpts

I am grateful to the noble Baroness, who puts forward a dimension to the problem that she is much more alive to than I am. However, there it is. I urge the Minister to reread these speeches and, in the meantime, I have no option but to beg leave to withdraw the amendment.

Baroness Jones of Moulsecoomb (GP)

- Hansard -

Copy Link

- - Excerpts

My Lords, I support Amendment 34 and will speak to Amendments 35, 93, 100, 101 and 102. I retabled these amendments because I think I did not make myself clear in Committee and some of the Ministers’ replies seemed confused. It was pacifying to be soothed in that way but I still have a problem. The noble Lord, Lord Ashton, said:

“All decisions relating to the processing of personal data engage an individual’s human rights, so it would not be appropriate to exclude automated decisions on this basis”.—[Official Report, 13/11/17; col. 1871.]


My point was that there is confusion between the gathering of evidence, the processing and decision-making. My amendments do nothing to inhibit automated data processing or seek to move us back to handwritten records. Automated data processing is unaffected by my amendments, which focus on decisions based on data, however the data is processed. Data could be gathered, processed and analysed completely automatically with no human involvement—a computer could even generate a recommended decision—but where human rights are engaged, the final decision must be made by a human being.

There was similar confusion in the replies of the noble Baroness, Lady Williams, in regard to law enforcement and intelligence service decisions. She said that,

“the unintended consequences of this could be very damaging. For example, any intelligence work by the intelligence services relating to an individual would almost certainly engage the right to respect for private life. The effect of the amendment on Part 4 would therefore prevent the intelligence services taking any further action based on automated processing, even if that further action was necessary, proportionate, authorised under the law and fully compliant with the Human Rights Act”.—[Official Report, 15/11/17; col. 2073.]

Again, there is confusion between the processing, gathering of data and making the decision where human rights are engaged.

I repeat that my amendments allow for data to be processed automatically: they do not allow for a computer to make a decision contrary to someone’s human rights. Decision-makers can be supported by automated processing but the ultimate decisions must be made by a human being. We have to have this vital safeguard for human rights. After all the automated processing has been carried out, a human has to decide whether or not it is a reasonable decision to proceed. In this way we know where the decision lay and where the responsibility lies. No one can ever say, “We messed up your human rights. We interfered with your human rights and it is the computer’s fault”.

I am grateful to Liberty for drafting the amendments I have tabled and I hope that I have explained them fully and rather better than in Committee. I look forward to the Ministers’ replies. I feel strongly about this issue. These words have to be in the Bill so that it is absolutely clear that human rights are protected.

Lord Stevenson of Balmacara

- Hansard -

Copy Link

- - Excerpts

My Lords, we have Amendment 37 tabled in my name and that of my noble friend Lord Kennedy in this group. The focus of our amendment is to tease out from the Dispatch Box a sense of what is meant by “meaningful” in the context of the discussions we have already had about how organisations might disclose details of algorithms used in profiling and data-driven decision systems, to meet the obligation in the GDPR to provide meaningful information about what has been going on in that space. It will be difficult to do this because “meaningful” can involve many words and obligations and is, I think, a slightly slippery concept. It will probably exercise the noble and learned Lord, Lord Mackay of Clashfern, in its imprecision—but do not blame us, mate; it is the GDPR, which we are not allowed to discuss. However, I think that the Minister can help us here by providing a bit more information.

We have suggested that a way of dealing with this would be to look at how the information is used and make it a requirement that it should,

“be sufficient to enable the data subject to assess whether the profiling will be beneficial or harmful to their interests”.

That may not be sufficiently strict legal language but, if it is an important distinction, it would help to get us to the point at which the Minister might say that she will bring back improved wording in an amendment at Third Reading.

The real issue which is not discussed here is the question of whether we can access the algorithms themselves. The problem, and the reason for the solution to that problem lying in terms of the test of how it works in practice, is that it is not sufficient just to have simple information about the actual mathematics of the algorithm because that in itself would not give us enough information. What we need, for those in a particular part of the population cohort, is knowledge of the consequences of being in one category or another and how that is weighed up by those carrying out the processing. This covers all the ways in which decisions are made on credit, on our purchases and how we are advertised to. It is happening now, so the sooner we can get the information, the better. I look forward to hearing the Minister’s comments when she comes to respond.

Baroness Williams of Trafford

- Hansard -

Copy Link

- - Excerpts

My Lords, these amendments bring us back to the immigration exemption in paragraph 4 of Schedule 2 which, as the noble Lord, Lord Kennedy, said, was debated at some length in Committee. As this is Report, I am not going to repeat all the arguments I made in the earlier debate, not least because noble Lords will have seen my follow-up letter of 23 November, but it is important to reiterate a few key points about the nature of this provision, not least to allay the concerns that have been expressed by noble Lords.

Let me begin by restating the core objective underpinning this provision. The noble Lord, Lord Kennedy, specifically asked for further clarity on this point. The UK’s ability to maintain an effective system of immigration control and to enforce our immigration laws should not be threatened by the impact of the GDPR. It is therefore entirely appropriate to restrict, on a case-by-case basis, certain rights of a data subject in circumstances where giving effect to those rights would undermine that objective. That is the sole purpose and effect of this provision—nothing more, nothing less.

The GDPR recognises this by enabling member states to place restrictions on the rights of data subjects where it is necessary and proportionate to do so to safeguard,

“important objectives of general public interest”.

The maintenance of effective immigration control is one such objective. This is the basis for the provision in paragraph 4 of Schedule 2.

The noble Baroness referred to article 23 of the GDPR. It does not expressly allow restrictions for the purposes of immigration control. She asked whether the immigration restriction is legal. She pointed to Liberty’s claim that the exemption is unlawful. It is not the case.

Baroness Williams of Trafford

- Hansard -

Copy Link

- - Excerpts

I have been badly advised somewhere. Shall I just get on with what I was going to say?

I made clear in Committee that the exemption is not a blanket provision applying to a whole class of data subjects. It is important to note that Schedule 2 does not create a basis for processing personal data. The exemptions in that schedule operate as a shield allowing data controllers to resist the exercise or application of the data subjects’ rights as set out in chapter III of the GDPR. It is the assertion or application of those rights that triggers the exemptions in Schedule 2. Given this, it is simply not the case that the Home Office, or any other data controller, can invoke the immigration exemption or, for that matter, any other exemption as a default response to subject access requests by a group of persons. Instead, an individual decision must be taken as to whether to apply the exemption in circumstances where a data subject’s rights are engaged.

Moreover, before a right can be restricted, the controller must be satisfied that there would be a likelihood of prejudice to the maintenance of effective immigration control or the investigation or detection of activities that would undermine the maintenance of effective immigration control. Only if that test is satisfied will the controller be able to apply the restriction on the data subject’s rights. I should also stress that this restriction should be seen as a pause button and not something to be applied in perpetuity to the data subject. If circumstances change so that the test is no longer satisfied in a given case, then the restriction will have to be lifted.

Having said that, I recognise the concerns that were expressed in Committee about the breadth of the exemption, and government Amendments 43 and 44, as the noble Lord, Lord Kennedy, said, respond to those concerns. These amendments remove the right to rectification and the right to data portability from the list of data subjects’ rights that may be restricted. On further examination of the listed GDPR provisions in paragraph 1 of Schedule 2, we have concluded that the risk of any prejudicial impact on our ability to maintain effective immigration control that might arise from the exercise of the rights in articles 16 and 20 of the GDPR is likely to be low.

Having clarified both the purpose of this provision and the way it will operate, and having addressed the concerns about the extent of the exemption, I would ask the noble Baroness, Lady Hamwee, to withdraw her amendment and support the government amendments.

Lord Clement-Jones (LD)

- Hansard -

Copy Link

- - Excerpts

My Lords, I am very keen to support this extremely useful amendment from the noble Lord, Lord Stevenson. If I had £5 for every mention of a recital in Committee and on Report, I would have the price of an extremely good Christmas dinner for me and quite a few of my friends. Only today, the noble Baroness, Lady Williams, prayed in aid a recital in an earlier rather useful debate on Clause 13. We really need to know what the status of these recitals is both pre and post Brexit. Is it that of an immediate aid to interpretation or an integral part of the law, or is it more like that of a Pepper v Hart statement, to be used only when the meaning is not clear in the Bill or the GDPR, or where there is ambiguity? Or do these recitals impose certain obligations, as I think has been implied on a number of occasions by Ministers?

At this time of night I cannot remember whether it was in Alice in Wonderland or Through the Looking Glass that a phrase was used along the lines of, “Words mean what I say they mean”. I rather feel that recitals are prayed in aid at every possible opportunity when it is convenient to do so without specifying exactly what their status is. We will need to establish that very clearly by the time we come to the end of the Bill.

Lord Ashton of Hyde

- Hansard -

Copy Link

- - Excerpts

My Lords, I cannot think of a better way to end our debate than with a discussion on recitals, which we have talked about a lot during the course of this Bill. I point out to both noble Lords that it was not only me who referred to recitals; they have both done so ad nauseam.