Data Protection Bill [HL]

Baroness Hamwee Excerpts
Lord Hope of Craighead Portrait Lord Hope of Craighead (CB)
- Hansard - - - Excerpts

My Lords, I want to add a word in support of the points made by the noble Lord, Lord Pannick, particularly with reference to the concerns that some people have expressed about money being moved out of the very closely and properly regulated regime of English trust law to offshore organisations and jurisdictions which are less careful about how people’s money is handled.

I should declare an interest as Chief Justice of the Abu Dhabi Global Market Courts. I am not suggesting that this has anything to do with Abu Dhabi, but it has introduced me to an aspect of trust law with which I was not previously familiar, and it bears closely on the point made by the noble Lord, Lord Pannick. He referred to Jersey as one of the jurisdictions of concern. One aspect of its legislation which has come to my attention through my connection with Abu Dhabi is the Foundations (Jersey) Law 2009. This is a structure set up by statute under Jersey law which is matched with an equivalent statute in Guernsey. It creates a form of trust which is, as it were, a hybrid between a trust and a corporation with a number of aspects that are described very well in Sections 25 and 26 of the Jersey law.

One of the points about the foundation, which appears in Section 25, is that a,

“beneficiary under a foundation … has no interest in the foundation’s assets; and … is not owed by the foundation or by a person appointed under the regulations of the foundation a duty that is or is analogous to a fiduciary duty”.

So the beneficiary under that system is rather different from a beneficiary under our system, where undoubtedly they have an interest in the foundation’s assets. But also to the point is Section 26, which provides that foundations are,

“not obliged to provide information”.

That has its counterpart in the point made about the Data Protection Act in that jurisdiction. It says that except,

“as specifically required by or under this Law or by the charter or regulations of the foundation, a foundation is not required to provide any person … with any information about the foundation”.

It goes on to say in subsection (2) that the,

“information mentioned in paragraph (1) includes, in particular, information about … the administration of the foundation … the manner in which its assets are being administered … its assets; and … the way in which it is carrying out its objects”.

I do not wish in any way to criticise how the foundation laws are run in Guernsey or Jersey, but it is a pattern which, if repeated in less scrupulous jurisdictions, has obvious attractions. People move into a foundation and nobody knows what part of the foundation money they own, because they are not supposed to own any part of it, and the foundation is not obliged to disclose any information at all. There is a risk that those who are keen, for whatever reason—it could even be for matrimonial reasons—to conceal their assets could move them offshore from a trust such as we have in this country, closely regulated and subject to the ordinary rules, to one of these other bodies, which we would not wish to encourage. One has only to look at the Criminal Finances Act 2017 and some of the clauses in the Sanctions and Anti-Money Laundering Bill that is before the House to see that we are taking a completely opposite line to the foundations laws, because we are insisting that we should be provided with information about what organisations of this kind hold and, indeed, who holds what assets. We have not got as far as actually requiring trusts to do that but, certainly, anyone who puts his money into a company, in an attempt to conceal his assets within the company, will be forced eventually to have that information disclosed.

I add these points to suggest that the point that the noble Lord, Lord Pannick, made has a great deal of substance, which one can trace through the foundations law. I stress again that I am not criticising how this is administered in Jersey or Guernsey—that is not really the point. The point is that those who would wish to copy their systems are subject to less close scrutiny. I also emphasise that I am not suggesting that we in this country would want to adopt a foundations law; that would really be quite contrary to how our current legislation is proceeding. So there is an important issue here about protecting ourselves—and those who set up trusts here and administer them properly according to our rules and conventions—against a loss of business, which would be detrimental not only to those who run the businesses but to the whole ethic by which we practise our trust law.

I hope that the Minister and those advising him will look carefully at the Jersey and Guernsey examples, with a view not to criticism but to sensing the risk to which the noble Lord, Lord Pannick, drew our attention.

Baroness Hamwee Portrait Baroness Hamwee (LD)
- Hansard - -

My Lords, Amendments 80A and 83A are in the names of the noble Baroness, Lady Neville-Rolfe, and the noble Lord, Lord Arbuthnot, and come from the Bar Council. In their unavoidable absence, I have again been asked to speak to the amendments. The Government have amendments also to paragraph 5 of Part 1 of Schedule 2—and no doubt we will be asked to agree them shortly. These amendments deal with other aspects of that paragraph and relate to legal professional privilege. The paragraph, as amended, refers to the disclosure of data but disclosure is only one of the acts of processing. The Bar Council is concerned that we need to deal with processing more widely so as not to disrupt the activities of the court and to protect privilege, which is something we have debated on many occasions and which we all agree is not only important but a fundamental right for persons and organisations.

--- Later in debate ---
Baroness Hamwee Portrait Baroness Hamwee
- Hansard - -

My Lords, if the noble Lord scours the GDPR, he may find that the term “data” is used with a plural verb. I wondered whether to put down amendments to that, but I thought that that was pushing it a bit far.

Lord Lucas Portrait Lord Lucas
- Hansard - - - Excerpts

My Lords, I support Amendment 79. I offer as an example the national pupil database, which the Department for Education makes available. It is very widely used, principally to help improve education. In my case, I use it to provide information to parents via the Good Schools Guide; in many other cases it is used as part of understanding what is going on in schools, suggesting where the roots of problems might lie, and how to make education in this country better. That does not fall under “scientific or historical” and is a good example of why that phrase needs widening.

--- Later in debate ---
Baroness Hamwee Portrait Baroness Hamwee
- Hansard - -

My Lords, the Committee may realise that there are sometimes occasions when none of us quite prepare for amendments and others where more than one of us does, but, as my noble friend knows, I rarely pass over an opportunity to say how offensive the phrase “hostile environment” is. Data protection should be a force for good in dealing with the way our society is going.

My noble friend has reminded the Committee of the provisions of paragraph 4. Over the last few years the state has extended the mechanisms for immigration control very significantly to letting of property, employment, bank accounts, driving and so on. We may be told that the various departments have memoranda of understanding between themselves with the Home Office to deal with all this, but that is an inadequate way of dealing with them. I do not think I will be the only one in the Chamber to think that. Home Office errors are reported embarrassingly frequently. The exemption covers so many rights: rights held by data subjects to access rectification and erasure, and the right to know who is processing data and why, including when data is obtained from a third party.

Liberty, with its usual energy, has provided us with 13 pages of briefing on this amendment. I do not propose to read them all to the Committee. No doubt the Government have read them and are prepared to respond, but I reserve the right to do so on Report if necessary. It reminds us of the work, if we needed reminding, of Lord Avebury, who said that the equivalent, very similar provision with which he was dealing was,

“in danger of being oppressive, deeply worrying to the immigrant community living among us, and one which is in grave danger of infringing the provisions”—[Official Report, 21/7/1983; cols. 1274-75]—

of the European Convention on Human Rights. The Minister will be relieved that I have not yet succeeded in emulating my late, much-missed noble friend to the extent I would like—I never will, but I will continue to try. His words are even more pertinent now, extending beyond the immigrant community to families and employers, to give two examples.

Like my noble friend, I would be interested to know examples and justifications for how the exemption might be applied. Presumably it would facilitate sharing between public services used by an individual, government departments and the Home Office to check the individual’s entitlement. The Government have said that they want to make the immigration system as “digital, flexible and frictionless” as possible. Initially that seems admirable, until one delves into issues such as this. Liberty asks whether the provision extends to activities such as running a night shelter or a food bank, which might well benefit undocumented migrants. Providing shelter and providing food could be construed as activities which undermine “effective immigration control”—to quote the Bill. Would a school have to provide a person’s address without their knowledge and without their even having committed an immigration offence? Underlying all this, what effect could such a provision have on migrants’ willingness to engage with public services?

Other noble Lords will probably have received a briefing from the Migrants’ Rights Network. It is about a legal challenge which it is starting against the NHS’s data sharing, but it is relevant here. The director of Migrants’ Rights Network said:

“We are gravely concerned that immigration enforcement is creeping into our public services, especially the NHS. And therefore, it is important to challenge this data-sharing agreement which violates patient confidentiality, and discriminates against those who are non-British”.


The lawyer acting for Migrants’ Rights Network says in the press release what I have heard from many workers in the field: that the data-sharing arrangement,

“is leaving migrants too scared to access healthcare services they are entitled to, for fear their address and other public information may be passed onto the Home Office. This could have a particularly negative effect on children, pregnant women, people with disabilities and victims of trafficking and abuse”.

It could have a severe effect on public health as well—we will debate all this when we deal with NHS charges in the regret Motion on Thursday.

The data subject will not know that data are transferred to the Home Office for immigration control purposes. The exemption seems to apply to immigrants and those connected with them, and those suspected of having an immigration offence in contemplation, thus turning them into an inferior class of citizen. It allows, or perhaps requires, data controllers, including the Home Office and its various arms, processing information for immigration purposes to ignore the principles on which the use of data is founded under the GDPR and the Bill and protection is applied.

I think that your Lordships might gather that we are very unhappy with this provision. It needs more justification than I think is capable of being provided, although we will of course wait and see.

Baroness Jones of Moulsecoomb Portrait Baroness Jones of Moulsecoomb (GP)
- Hansard - - - Excerpts

My Lords, the Minister, who is not in his place at the moment, said earlier that he could not understand what I meant by repressive measures, but paragraph 4 of the schedule is exactly what I meant and it is why this amendment would remove it.

The inclusion of an immigration control exemption in the Bill is a brazen violation of the data protection and privacy rights of migrants—both documented and undocumented—and of their families and communities in the name of immigration control. In effect, it removes all the Home Office’s data protection obligations as they relate to its activities to control immigration, as well as those of any other agency processing personal data for the same purpose or sharing data with another agency processing it for that purpose.

As the noble Baroness, Lady Hamwee, mentioned, it is not the first time that the Government have tried to limit data protection rights on immigration control grounds. In 1983, Clause 28 of the then Data Protection Bill had an identical aim, setting out broad exemptions to data subjects’ rights on grounds of crime, national security and immigration control. The Data Protection Committee, then chaired by Sir Norman Lindop, said that the clause would be,

“a palpable fraud upon the public if … allowed to become law”,

because it allowed data acquired for one purpose to be processed for another; and here is another power grab by this Government.

Clause 28 was rightly removed from the 1983 Bill, but today we see it resurrected with even more breadth and even less definition of its objectives. No attempt whatever has been made to define the new objective: nowhere in the Bill or its Explanatory Notes are the notions of effective immigration control or the activities requiring its maintenance defined. I simply do not understand the colossal cheek this Government have to put something such as this into a Bill and then present it in this House—I can understand it going through the other place but certainly not here. It is virtually impossible to come up with an exhaustive list of all the activities that might be included under this, or of individuals who might be affected. The potential list, as, again, the noble Baroness, Lady Hamwee, pointed out, could go far beyond the immigrants themselves and could apply to almost anybody, including some in your Lordships’ House—at least, I hope that some in your Lordships’ House might be involved in shelters and food banks.

I urge the Government to think again. This is probably one of the really nasty bits that the Government have an option to take out, so I hope that they will listen to us.

--- Later in debate ---
Baroness Williams of Trafford Portrait The Minister of State, Home Office (Baroness Williams of Trafford) (Con)
- Hansard - - - Excerpts

My Lords, I thank all noble Lords who have taken part in the debate. There is clearly a lot of interest, as is evident from what has been said. I am also glad to be back opposite the noble Lord, Lord Kennedy of Southwark, as we have been on so many occasions, and I am sure we will be in the future. It is probably worth addressing some of the evident misunderstandings that have arisen around the purpose and the scope of this provision, and I hope to be able to persuade the Committee that this is a necessary and proportionate measure to protect the integrity of our immigration system.

The Government welcome the enhanced rights and protections for data subjects afforded by the GDPR and in negotiating, it was accepted by all parties that at times these rights needed to be qualified in the general public interest, whether that is to prevent and detect crime, safeguard legal professional privilege or journalists’ sources, or in this case maintain an effective system of immigration control. A number of articles of the GDPR therefore make express provision for such derogations, including article 23, which enables restrictions to be placed on certain rights of data subjects. Given the extension of data subjects’ rights under the GDPR, it is necessary that we include in the Bill an express targeted exemption in the immigration context. The exemption would apply to the processing of personal data by immigration officers and the Secretary of State for the purposes of maintaining effective immigration control or the detection and investigation of activities which would undermine the system of immigration control. It would also apply to other public authorities required or authorised to share information with the Secretary of State for either of those purposes.

It is important that it is clear to the Committee what paragraph 4 of Schedule 2 does not do. It emphatically does not set aside the whole of the GDPR for all processing of personal data for all immigration purposes. The opening words of paragraph 4 make it clear that only “the listed GDPR provisions” may be set aside. The listed GDPR provisions are those set out in paragraph 1 of Schedule 2. The provisions in question relate to various rights of data subjects as provided for in chapter 3 of the GDPR, such as the rights to information and to access to personal data, and to two of the data protection principles: those relating to fair and transparent processing and the purpose limitation. Except to that extent, all the data protection principles, including those relating to the lawfulness of processing, data minimisation, accuracy, storage limitation, and integrity and confidentiality will continue to apply. So too will all the obligations on data controllers and processors, all the safeguards around cross-border transfers and all the oversight and enforcement powers of the Information Commissioner. The latter is particularly relevant here as it is open to any data subject affected by the provisions in paragraph 4 of Schedule 2 to lodge a complaint with the Information Commissioner, which the commissioner is then obliged to investigate.

Moreover, paragraph 4 does not give the Home Office carte blanche to invoke the permitted exceptions as a matter of routine. The Bill is clear: the exceptions may be applied only to the extent that the application of the rights of data subjects or the two relevant data protection principles,

“would be likely to prejudice … the maintenance of effective immigration control, or … the investigation or detection of activities that would undermine the maintenance of effective immigration control”.

This is a significant and important qualification. The noble Lord, Lord Clement-Jones, asked why we have not listed exactly what we mean by,

“the maintenance of effective immigration control”.

The maintenance of that control does not merely encompass physical immigration controls at points of entry but, more generally, the arrangements made in connection with a person’s entry into and stay within the United Kingdom. A system of effective immigration control depends on our ability to control the entry and stay of those who wish to come to our country; to identify those who should not be admitted; and to pursue enforcement action against those who are liable to removal for failure to comply with restrictions and conditions on their stay, or otherwise in the public interest.

To use the example of the right conferred by article 15 of the GDPR, each subject access request would need to be considered on its own merits. We could not, for example, and would not want to limit the information given to visa applicants as to how their personal data will be processed as part of that application. Rather, the restrictions would bite only where there is a real likelihood of prejudice to immigration controls in disclosing the information concerned. It is equally important to dispel one other myth. Some of the briefing I have seen on this provision suggests that it creates new information-sharing gateways. This is simply not the case. As I have indicated, Schedule 2 sets out certain exceptions from the GDPR; it does not in and of itself create new powers to share data between data controllers. However, where personal data is shared between controllers for the limited immigration purposes specified in paragraph 4, it does mean that the data subject does not need to be notified if to do so would be prejudicial to the maintenance of effective immigration control.

It may assist the Committee if I explain the kind of information that it might be necessary to withhold from data subjects, and offer a couple of examples of the circumstances requested by the noble Baroness, Lady Hamwee, where to do so would be necessary to maintain the effectiveness of our immigration controls. The classes of information which the Home Office may need to withhold include a description of the data held, our data sources, the purposes for which the data was held, and details of the recipients to whom the data has been disclosed. There will be circumstances where the disclosure to data subjects of such information could afford them the opportunity to circumvent our immigration controls. Two examples will, I hope, help to illustrate where the disclosure of such information may have precisely the adverse effect.

First, in the case of a suspected overstayer, if we had to disclose in response to a subject access request what we are doing to track their whereabouts with a view to effecting administrative removal, it is clearly possible that they might then be able to evade enforcement action. A second example relates to circumstances where we seek to establish the legitimacy of a particular claim, such as an extension of leave to remain in the UK, and suspect that the claimant has provided false information to support that claim. In such a case, we may contact third parties to evidence the claim. If we are then obliged to inform the claimant that we are accessing records held by third parties, they may abscond and evade detection. Such procedures may then become common knowledge and further undermine our ability to maintain effective controls.

Immigration is, naturally, a very sensitive subject area and a topic of huge importance to the public, to the economic well-being of this country and to the social cohesion of our society. Being able to effectively control immigration is, therefore, in the words of the GDPR,

“an important objective of general public interest”.

As I have indicated, having a new data protection regime which seeks to give broader rights to data subjects is to be welcomed. But in an area as sensitive as the immigration system, we need to make appropriate use of the limited exemptions available to us so that we can continue to maintain effective control of that system in the wider public interest.

I hope that I have been able to satisfy noble Lords that this provision is necessary and proportionate. It is not the wholesale carve-out of subject access rights that some have suggested but a targeted provision wholly in line with the discretion afforded to member states by the GDPR, and it is vital to maintaining the integrity of the immigration system.

Having given this provision a good airing, I hope the noble Lord, Lord Clement-Jones, will feel happy to withdraw his amendment.

Baroness Hamwee Portrait Baroness Hamwee
- Hansard - -

My Lords, there is a lot that demands careful reading and careful thought. I have three questions which I can raise now. First, in the examples which the Minister gave it struck us on these Benches that she was talking about things which are, in fact, criminal offences being dealt with under Part 3, which is the law enforcement part of the Bill.

Secondly, how is all this applied in practice? How does the controller know about the purposes? I am finding it quite difficult to envisage how this might work in real life. Thirdly, the Minister referred to the lawfulness of processing. I wonder whether this is not circular because paragraph 4, in disapplying listed provisions—by the way, I think those listed provisions include many which are very important indeed—makes it lawful, so I have a bit of a problem around that. Of course, I and others will carefully read what the Minister said, but I am sure we will want to return to this at the next stage.

Lord Lucas Portrait Lord Lucas
- Hansard - - - Excerpts

My Lords, I felt entirely comfortable with my noble friend’s examples, but they do not fit with what the Home Office has been doing. What it has done with the national pupil database is not to ask targeted questions when it has a problem with an individual but to collect the whole lot so that it has the ability to trawl, look at, match and use the whole of the dataset. That is a much more dangerous thing because of the consequences it has for the integrity of the data and for the way in which the lawfulness of gathering it is questioned. It is that sort of practice that troubles me. I had not read this clause in the narrow way in which my noble friend described it. I will obviously go away and read it again carefully, but if she would add a letter to her noble friend’s letter enlarging on why this is a narrow provision and giving us comfort, that would be worth while for me.