(6 years, 6 months ago)
Lords Chamber
My Lords, I do not think I am going to surprise the Minister but I will go through my points on Amendment 175A. The short version is that among the double negatives, paragraph 4 enables the Home Office and others to refuse a subject’s access request in respect of data relating to “effective immigration control”. I will not muse on what “effective” might mean in this context this evening. There are exceptions to the exemption, as the Minister has said, but they do not go to the heart of the problem, which is that if the Home Office uses the exemption, someone challenging a Home Office decision will not be able to check that the Home Office has the correct information about him. For instance, an application may be refused and the correct information established only if the matter goes to appeal.
I discovered during the passage of the Bill that at the start of a case solicitors routinely put in a request to the Home Office to ensure that there is not a crucial error in the information it holds about their client. That must save time and effort—and, indeed, money and anxiety—on both sides. It seems a matter of common sense to be able to do so. I have been puzzled throughout as to why the Government consider this exemption necessary. If it is because there may be an issue of criminality, paragraph 3 provides for this, including “the prevention … of crime”, if the Home Office believes that someone might be about to commit an immigration offence.
I understand from a discussion with the Minister last week, for which I am grateful to her and her officials, that the Government do not want to characterise all applicants to the Home Office for immigration leave as criminals, but I really do not think that that is an answer. As the Minister knows, and the House will know, I would like to see this paragraph out of the Bill altogether or, at a poor second best, not brought into effect until work has been done with practitioners—lawyers and the relevant NGOs—as to its operation, but we all know about the procedural rules and those mean that I have to confine myself to the amendment made by the Government in the Commons.
(6 years, 11 months ago)
Lords Chamber
My Lords, I support Amendment 34 and will speak to Amendments 35, 93, 100, 101 and 102. I retabled these amendments because I think I did not make myself clear in Committee and some of the Ministers’ replies seemed confused. It was pacifying to be soothed in that way but I still have a problem. The noble Lord, Lord Ashton, said:
“All decisions relating to the processing of personal data engage an individual’s human rights, so it would not be appropriate to exclude automated decisions on this basis”.—[Official Report, 13/11/17; col. 1871.]
My point was that there is confusion between the gathering of evidence, the processing and decision-making. My amendments do nothing to inhibit automated data processing or seek to move us back to handwritten records. Automated data processing is unaffected by my amendments, which focus on decisions based on data, however the data is processed. Data could be gathered, processed and analysed completely automatically with no human involvement—a computer could even generate a recommended decision—but where human rights are engaged, the final decision must be made by a human being.
There was similar confusion in the replies of the noble Baroness, Lady Williams, in regard to law enforcement and intelligence service decisions. She said that,
“the unintended consequences of this could be very damaging. For example, any intelligence work by the intelligence services relating to an individual would almost certainly engage the right to respect for private life. The effect of the amendment on Part 4 would therefore prevent the intelligence services taking any further action based on automated processing, even if that further action was necessary, proportionate, authorised under the law and fully compliant with the Human Rights Act”.—[Official Report, 15/11/17; col. 2073.]
Again, there is confusion between the processing, gathering of data and making the decision where human rights are engaged.
I repeat that my amendments allow for data to be processed automatically: they do not allow for a computer to make a decision contrary to someone’s human rights. Decision-makers can be supported by automated processing but the ultimate decisions must be made by a human being. We have to have this vital safeguard for human rights. After all the automated processing has been carried out, a human has to decide whether or not it is a reasonable decision to proceed. In this way we know where the decision lay and where the responsibility lies. No one can ever say, “We messed up your human rights. We interfered with your human rights and it is the computer’s fault”.
I am grateful to Liberty for drafting the amendments I have tabled and I hope that I have explained them fully and rather better than in Committee. I look forward to the Ministers’ replies. I feel strongly about this issue. These words have to be in the Bill so that it is absolutely clear that human rights are protected.
My Lords, I support my noble friend’s amendments. The points that he made apply almost entirely to Amendments 91, 92 and 94, which relate to later parts of the Bill, including particularly the phraseology “solely” and in Amendment 94 “solely” or “partially”.
I am pleased that the noble Baroness, Lady Jones, decided to retable her amendments. What she said can be summed up as, “Human rights, so human decision”. Human beings will ensure transparency and accountability in a way that machines simply do not. The Minister smiled when the noble Baroness said that she was not sure whether she was clear on the last occasion. I rather wish that I could ask her to give us the reassurances and concessions that that smile might have indicated, but I do not know.
These issues are extremely important. I was thinking about them over the weekend and, although it sounds patronising, the Government are entirely correct to ensure that human rights are engaged in these subjects. Given how central human rights are, they cannot be thought of as an occasional peripheral, particularly not as regards law enforcement and security issues. I have come full circle to thinking that the protection of human rights should be spelled out at the start of the Bill, which would take us back to our debate on Monday about an introductory clause covering the protection of a subject where the right is not absolute because of the criteria of necessity and proportionality. I think that that should be made clear in the Bill and it would put what the noble Baroness is seeking to achieve in her amendments in the right context. I support her in this.
My Lords, we have Amendment 37 tabled in my name and that of my noble friend Lord Kennedy in this group. The focus of our amendment is to tease out from the Dispatch Box a sense of what is meant by “meaningful” in the context of the discussions we have already had about how organisations might disclose details of algorithms used in profiling and data-driven decision systems, to meet the obligation in the GDPR to provide meaningful information about what has been going on in that space. It will be difficult to do this because “meaningful” can involve many words and obligations and is, I think, a slightly slippery concept. It will probably exercise the noble and learned Lord, Lord Mackay of Clashfern, in its imprecision—but do not blame us, mate; it is the GDPR, which we are not allowed to discuss. However, I think that the Minister can help us here by providing a bit more information.
We have suggested that a way of dealing with this would be to look at how the information is used and make it a requirement that it should,
“be sufficient to enable the data subject to assess whether the profiling will be beneficial or harmful to their interests”.
That may not be sufficiently strict legal language but, if it is an important distinction, it would help to get us to the point at which the Minister might say that she will bring back improved wording in an amendment at Third Reading.
The real issue which is not discussed here is the question of whether we can access the algorithms themselves. The problem, and the reason for the solution to that problem lying in terms of the test of how it works in practice, is that it is not sufficient just to have simple information about the actual mathematics of the algorithm because that in itself would not give us enough information. What we need, for those in a particular part of the population cohort, is knowledge of the consequences of being in one category or another and how that is weighed up by those carrying out the processing. This covers all the ways in which decisions are made on credit, on our purchases and how we are advertised to. It is happening now, so the sooner we can get the information, the better. I look forward to hearing the Minister’s comments when she comes to respond.
My Lords, paragraph 4 of Schedule 2, which this amendment would delete, deals with the provisions of the GDPR—that is, protections—which do not apply to immigration control. Government Amendment 44 alters that by removing some of the protections from the list; in other words, the protections would continue to apply in relation to the rights to rectification and data portability.
So what protections will the data subject forgo? I suggest that they are almost all basic safeguards, including: that the processing of someone’s personal information must be lawful, fair and transparent; that data must be processed accurately and kept up to date; that it be held securely; that the person to whom the data relates is informed of the data being held, for how long it may be held and for what purpose it may be used; and that the person to whom the data relates may inspect it and request its erasure. I am not clear what use the right to rectification, which will be retained, would be without one being able to access the data being held so that one could identify the factual inaccuracies. The Information Commissioner’s Office says that this will mean that,
“the system lacks transparency and is fundamentally unfair”.
The list may appear innocuous because not every paragraph in the articles listed is in play, but what is left are things such as that this right,
“shall not adversely affect the rights and freedoms of others”;
the best part of each of the articles listed will no longer apply. This is not a limited or modest modification of the basic safeguards but a wholesale removal.
What is the purpose of this? The purpose is for,
“the maintenance of effective immigration control, or … the investigation or detection of activities that would undermine the maintenance of effective immigration control, to the extent that the … provisions would be likely to prejudice”,
these matters. In other words, this is very far-reaching indeed.
My Lords, these amendments bring us back to the immigration exemption in paragraph 4 of Schedule 2 which, as the noble Lord, Lord Kennedy, said, was debated at some length in Committee. As this is Report, I am not going to repeat all the arguments I made in the earlier debate, not least because noble Lords will have seen my follow-up letter of 23 November, but it is important to reiterate a few key points about the nature of this provision, not least to allay the concerns that have been expressed by noble Lords.
Let me begin by restating the core objective underpinning this provision. The noble Lord, Lord Kennedy, specifically asked for further clarity on this point. The UK’s ability to maintain an effective system of immigration control and to enforce our immigration laws should not be threatened by the impact of the GDPR. It is therefore entirely appropriate to restrict, on a case-by-case basis, certain rights of a data subject in circumstances where giving effect to those rights would undermine that objective. That is the sole purpose and effect of this provision—nothing more, nothing less.
The GDPR recognises this by enabling member states to place restrictions on the rights of data subjects where it is necessary and proportionate to do so to safeguard,
“important objectives of general public interest”.
The maintenance of effective immigration control is one such objective. This is the basis for the provision in paragraph 4 of Schedule 2.
The noble Baroness referred to article 23 of the GDPR. It does not expressly allow restrictions for the purposes of immigration control. She asked whether the immigration restriction is legal. She pointed to Liberty’s claim that the exemption is unlawful. It is not the case.
My Lords, the Minister is reading from her brief, but I do not think I made any of the statements it anticipated I would make.
I have been badly advised somewhere. Shall I just get on with what I was going to say?
I made clear in Committee that the exemption is not a blanket provision applying to a whole class of data subjects. It is important to note that Schedule 2 does not create a basis for processing personal data. The exemptions in that schedule operate as a shield allowing data controllers to resist the exercise or application of the data subjects’ rights as set out in chapter III of the GDPR. It is the assertion or application of those rights that triggers the exemptions in Schedule 2. Given this, it is simply not the case that the Home Office, or any other data controller, can invoke the immigration exemption or, for that matter, any other exemption as a default response to subject access requests by a group of persons. Instead, an individual decision must be taken as to whether to apply the exemption in circumstances where a data subject’s rights are engaged.
Moreover, before a right can be restricted, the controller must be satisfied that there would be a likelihood of prejudice to the maintenance of effective immigration control or the investigation or detection of activities that would undermine the maintenance of effective immigration control. Only if that test is satisfied will the controller be able to apply the restriction on the data subject’s rights. I should also stress that this restriction should be seen as a pause button and not something to be applied in perpetuity to the data subject. If circumstances change so that the test is no longer satisfied in a given case, then the restriction will have to be lifted.
Having said that, I recognise the concerns that were expressed in Committee about the breadth of the exemption, and government Amendments 43 and 44, as the noble Lord, Lord Kennedy, said, respond to those concerns. These amendments remove the right to rectification and the right to data portability from the list of data subjects’ rights that may be restricted. On further examination of the listed GDPR provisions in paragraph 1 of Schedule 2, we have concluded that the risk of any prejudicial impact on our ability to maintain effective immigration control that might arise from the exercise of the rights in articles 16 and 20 of the GDPR is likely to be low.
Having clarified both the purpose of this provision and the way it will operate, and having addressed the concerns about the extent of the exemption, I would ask the noble Baroness, Lady Hamwee, to withdraw her amendment and support the government amendments.
My Lords, I am obviously disappointed by both those speeches. I agree with the noble Lord, Lord Kennedy, that immigration control should be effective and fair, which is precisely what I was driving at. He referred to balance; I quoted article 23(1), which requires necessity and proportionality.
I thank the Minister for her answers and for her response to Liberty. She talked about taking this “case by case”, but is that not how we deal with all our immigration control? We do not apply wholesale visa bans; we are not Trump’s poodle. Data requests are made on a case-by-case, individual basis, but you need to know what data is held in order to make the request.
The Minister referred to a “pause button”. I am afraid that does not, to me, have the air of reality or really offer any assurance in the real world.
Amendment 44 does not respond to our concerns. As I commented, you cannot exercise the right of rectification unless you know what is said about you. I feel we are hardly even talking the same language, although it gives me no pleasure to say that. I think I must seek to test the opinion of the House.
(6 years, 11 months ago)
Lords Chamber
My Lords, I am very keen to support this extremely useful amendment from the noble Lord, Lord Stevenson. If I had £5 for every mention of a recital in Committee and on Report, I would have the price of an extremely good Christmas dinner for me and quite a few of my friends. Only today, the noble Baroness, Lady Williams, prayed in aid a recital in an earlier rather useful debate on Clause 13. We really need to know what the status of these recitals is both pre and post Brexit. Is it that of an immediate aid to interpretation or an integral part of the law, or is it more like that of a Pepper v Hart statement, to be used only when the meaning is not clear in the Bill or the GDPR, or where there is ambiguity? Or do these recitals impose certain obligations, as I think has been implied on a number of occasions by Ministers?
At this time of night I cannot remember whether it was in Alice in Wonderland or Through the Looking Glass that a phrase was used along the lines of, “Words mean what I say they mean”. I rather feel that recitals are prayed in aid at every possible opportunity when it is convenient to do so without specifying exactly what their status is. We will need to establish that very clearly by the time we come to the end of the Bill.
At the risk of making myself unpopular for one more minute, all I can say to my noble friend is: Humpty Dumpty.
At an earlier stage of the Bill I asked how we would interpret a particular provision when we were no longer tethered to the European Court of Justice. The response I received was that it would be interpreted in accordance with UK law at the time. If this amendment is agreed, it will be an extremely helpful contribution to UK law applying while taking into account the impact of the recitals.
My Lords, I cannot think of a better way to end our debate than with a discussion on recitals, which we have talked about a lot during the course of this Bill. I point out to both noble Lords that it was not only me who referred to recitals; they have both done so ad nauseam.
(6 years, 11 months ago)
Lords Chamber
I may have to add later to what I have said, which I think the Minister will find totally unpalatable. I will try to move on.
The Minister also said:
“You are concerned that if consent is not a genuine option in these situations and there are no specific processing conditions in the Bill to cover this on grounds of substantial public interest. Processing in these circumstances would be unlawful. To make their consent GDPR compliant, an employer or school must provide a reasonable alternative that achieves the same ends, for example, offering ‘manual’ entry by way of a reception desk”.
Consent is rarely valid in an employment context. If an employer believes that certain premises require higher levels of security, and that biometric access controls are a necessary and proportionate solution, it cannot be optional with alternative mechanisms that are less secure, as that undermines the security reasons for needing the higher levels of security in the first place: for example, where an employer secures a specific office or where the staff are working on highly sensitive or confidential matters, or where the employer secures a specific room in an office, such as a server room, where only a small number of people can have access and the access needs to be more secure.
Biometrics are unique to each person. A pass card can easily be lost or passed to someone else. It is not feasible or practical to insist that organisations employ extra staff for each secure office or secure room to act as security guards to manually let people in.
The Minister further stated:
“You also queried whether researchers involved in improving the reliability of ID verification mechanisms would be permitted to carry on their work under the GDPR and the Bill. Article 89(1) of the GDPR provides that processing of special categories of data is permitted for scientific research purposes, providing that appropriate technical and organisational safeguards are put in place to keep the data safe. Article 89(1) is supplemented by the safeguards of clause 18 of the Bill. For the purposes of GDPR, ‘scientific research’ has a broad meaning. When taken together with the obvious possibility of consent-based research, we are confident that the Bill allows for the general type of testing you have described”.
It is good to hear that the Government interpret the research provisions as being broad enough to accommodate the research and development described. However, for organisations to use these provisions with confidence, they need to know whether the ICO and courts will take the same broad view.
There are other amendments which would broaden the understanding of the research definition, which no doubt the Minister will speak to and which the Government could support to leave no room for doubt for organisations. However, it is inaccurate to assume that all R&D will be consent based; in fact, very little of it will be. Given the need for consent to be a genuine choice to be valid, organisations can rarely rely on this as they need a minimum amount of reliable data for R&D that presents a representative sample for whatever they are doing. That is undermined by allowing individuals to opt in and out whenever they choose. In particular, for machine learning and AI, there is a danger of discrimination and bias if R&D has incomplete datasets and data that does not accurately represent the population. There have already been cases of poor facial recognition programmes in other parts of the world that do not recognise certain races because the input data did not contain sufficient samples of that particular ethnicity with which to train the model.
This is even more the case where the biometric data for research and development is for the purpose of improving systems to improve security. Those employing security and fraud prevention measures have constantly to evaluate and improve their systems to stay one step ahead of those with malicious intent. The data required for this needs to be guaranteed and not left to chance by allowing individuals to choose. The research and development to improve the system is an integral aspect of providing the system in the first place.
I hope that the Minister recognises some of those statements that he made in his letter and will be able, at least to some degree, to respond to the points that I have made. There has been some toing and froing, so I think that he is pretty well aware of the points being raised. Even if he cannot accept these amendments, I hope that he can at least indicate that biometrics is the subject of live attention within his department and that work will be ongoing to find a solution to some of the issues that I have raised. I beg to move.
My Lords, I wonder whether I might use this opportunity to ask a very short question regarding the definition of biometric data and, in doing so, support my noble friend. The definition in Clause 188 is the same as in the GDPR and includes reference to “behavioural characteristics”. It states that,
“‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allows or confirms the unique identification of that individual, such as facial images or dactyloscopic data”.
Well:
“There’s no art
To find the mind’s construction in the face”.
How do behavioural characteristics work in this context? The Minister may not want to reply to that now, but I would be grateful for an answer at some point.
My Lords, I thank the noble Lord, Lord Clement-Jones, for engaging constructively on this subject since we discussed it in Committee. I know that he is keen for data controllers to have clarity on the circumstances in which the processing of biometric data would be lawful. I recognise that the points he makes are of the moment: my department is aware of these issues and will keep an eye on them, even though we do not want to accept his amendments today.
To reiterate some of the points I made in my letter so generously quoted by the noble Lord, the GDPR regards biometric data as a “special category” of data due to its sensitivity. In order to process such data, a data controller must satisfy a processing condition in Article 9 of the GDPR. The most straightforward route to ensure that processing of such data is lawful is to seek the explicit consent of the data subject. However, the GDPR acknowledges that there might be occasions where consent is not possible. Schedule 1 to the Bill makes provision for a range of issues of substantial public interest: for example, paragraph 8, which permits processing such as the prevention or detection of an unlawful act. My letter to noble Lords following day two in Committee went into more detail on this point.
The noble Lord covered much of what I am going to say about businesses such as banks making use of biometric identification verification mechanisms. Generally speaking, such mechanisms are offered as an alternative to more conventional forms of access, such as use of passwords, and service providers should have no difficulty in seeking the data subject’s free and informed consent, but I take the point that obtaining proper, GDPR-compliant consent is more difficult when, for example, the controller is the data subject’s employer. I have considered this issue carefully following our discussion in Committee, but I remain of the view that there is not yet a compelling case to add new exemptions for controllers who wish to process sensitive biometric data without the consent of data subjects. The Bill and the GDPR make consent pre-eminent wherever possible. If that means employers who wish to install biometric systems have to ensure that they also offer a reasonable alternative to those who do not want their biometric data to be held on file, then so be it.
There is legislative precedent for this principle. Section 26 of the Protection of Freedoms Act 2012 requires state schools to seek parental consent before processing biometric data and to provide a reasonable alternative mechanism if consent is not given or is withdrawn. I might refer the noble Lord to any number of speeches given by members of his own party—the noble Baroness, Lady Hamwee, for example—on the importance of those provisions. After all, imposing a legislative requirement for consent was a 2010 Liberal Democrat manifesto commitment. The GDPR merely extends that principle to bodies other than schools. The noble Lord might respond that his amendment’s proposed subsection (1) is intended to permit processing only in a tight set of circumstances where processing of biometric data is undertaken out of necessity. To which I would ask: when is it genuinely necessary to secure premises or authenticate individuals using biometrics, rather than just cheaper or more convenient?
We also have very significant concerns with the noble Lord’s subsections (4) and (5), which seek to drive a coach and horses through fundamental provisions of the GDPR—purpose limitation and storage limitation, in particular. The GDPR does not in fact allow member states to derogate from article 5(1)(e), so subsection (5) would represent a clear breach of European law.
For completeness, I should also mention concerns raised about whether researchers involved in improving the reliability of ID verification mechanisms would be permitted to carry on their work under the GDPR and the Bill. I reassure noble Lords, as I did in Committee, that article 89(1) of the GDPR provides that processing of special categories of data is permitted for scientific research purposes, providing appropriate technical and organisational safeguards are put in place to keep the data safe. Article 89(1) is supplemented by the safeguards in Clause 18 of the Bill. Whatever your opinion of recitals and their ultimate resting place, recital 159 is clear that the term “scientific research” should be interpreted,
“in a broad manner including for example technological development and demonstration”.
This is a fast-moving area where the use of such technology is likely to increase over the next few years, so I take the point of the noble Lord, Lord Clement-Jones, that this is an area that needs to be watched. That is partly why Clause 9(6) provides a delegated power to add further processing conditions in the substantial public interest if new technologies, or applications of existing technologies, emerge. That would allow us to make any changes that are needed in the future, following further consultation with the parties that are likely to be affected by the proposals, both data controllers and, importantly, data subjects whose sensitive personal data is at stake. For those reasons, I hope the noble Lord is persuaded that there are good reasons for not proceeding with his amendment at the moment.
The noble Baroness, Lady Hamwee, asked about behavioural issues. I had hoped that I might get some inspiration, but I fear I have not, so I will get back to her and explain all about behavioural characteristics.
(6 years, 11 months ago)
Lords Chamber
My Lords, this group of amendments in my name, prompted by House officials, covers a number of issues concerning parliamentary privilege. The Bill in its present form contains some exemptions to its application to Parliament, but these are considered rather too narrow in scope. The group relates to four areas which have been raised by officials—that is, counsel and clerks of both Houses—as giving rise to concerns about how the Bill as drafted risks infringing parliamentary privilege. These concerns have been discussed extensively with the Bill team and the Leader’s office at official level, and drawn to the attention of the Senior Deputy Speaker, who is of course chairman of the Committee for Privileges and Conduct of this House. I say at once that these discussions have been most helpful and constructive. I pay tribute to the Bill team for its co-operation throughout.
Happily, the Bill team is now, as I understand it and as I expect the Minister shortly to confirm, satisfied that amendments to the Bill in all four areas of concern are appropriate, so that those will be forthcoming before Third Reading in the new year. I recognise and accept that those amendments may not follow the precise wording suggested in the present proposals but, provided they address the substance of these various specific concerns, we shall obviously be disposed to accept them.
In these circumstances, and given that we shall obviously not divide the House at this stage, it is unnecessary to outline the detailed nature of each of these proposed amendments. It is, I hope, sufficient to indicate that they include, for example, meeting concerns lest the Information Commissioner take enforcement action against Members or the corporate officers of either House—here, the Clerk of the Parliaments—in respect of the processing of personal data in parliamentary proceedings. Such action could lead to very substantial administrative penalties amounting to millions of pounds. There are concerns, too, about the liability of both corporate officers to prosecution for certain specified offences for things done on behalf of the two Houses of Parliament. I hope that that is sufficient, and at this stage I beg to move Amendment 16 and ask that the eight other amendments be accepted.
My Lords, from these Benches I support the noble and learned Lord, who is absolutely the right person to pursue this matter. If I might simply add to what he said, it is important that we bear in mind that in the same way as legal professional privilege is the privilege of the client, these provisions would be for the benefit of the public, the running of good democracy, good scrutiny and holding the Government to account. It is not a personal benefit that is proposed here and I hope—I trust, because this is very important—that the Government can find a way through this. I look forward to hearing from them, as the noble and learned Lord said, early in the new year.
My Lords, I am grateful to the noble and learned Lord, Lord Brown, for raising these amendments and for the words of the noble Baroness, Lady Hamwee. His amendments address concerns about the interaction of the Bill with parliamentary privilege. I agree wholeheartedly with him that parliamentary privilege should continue to be safeguarded and maintained for future generations, as it has been for centuries past. As I said in Committee, the Government’s view is that the Bill contains adequate protections to ensure that this is the case. However, we recognise the concerns that, in some areas, these protections could be enhanced and clarified, and we will bring forward amendments at Third Reading to address some of the points that the noble and learned Lord has raised in his amendments.
With that in mind, I will now turn briefly to the amendments themselves, starting with Amendments 16, 17 and 185. The Government recognise the concerns raised in these amendments about the way the conditions for processing sensitive personal data apply in respect of parliamentary proceedings, and liability under Clause 193(5). I am happy to reassure noble Lords that the Government intend to bring forward amendments to address these points at Third Reading.
My Lords, I tabled this amendment to keep the issue that I raised in Committee on the agenda. I spoke about it at some length in Committee. I think it is better determined by your Lordships’ House, rather than going off to the other place. I know the Minister has kindly agreed to a meeting. We have not had a chance to have it yet, but we will later this week.
I know that the noble Lord, Lord Hayward, who sits on the Government Benches, fully supports this issue being debated. He, like me, hopes it can be sorted out here by Third Reading, rather than going to the other place. The basic problem is that provisions in the Bill potentially conflict with legislation in respect of elections and other matters already on the statute book. I went through those in Committee. I am sure we do not want to pass legislation that conflicts with existing legislation, but we risk doing that here. That cannot be right. What political parties, campaigners and politicians need—and certainly what the regulators need—is crystal clear legislation and regulation that they can apply. To pass something that is in direct conflict with the Representation of the People Act would be unwise. We need to have our meeting later this week and I hope we can bring something back at Third Reading. These are important issues that we need to get right to ensure that all legislation is working together. I beg to move.
My Lords, I am very glad that the noble Lord is keeping this on the agenda. I had a note to ask what was happening about the meeting to which lots of people were invited at the previous stage. I do not believe that we have heard anything about it. This is not a whinge but a suggestion that it is important to discuss this very widely.
I find this paragraph in Schedule 1 very difficult. One of the criteria is that the processing is necessary for the purposes of political activities. I honestly find that really hard to understand. Necessary clearly means more than desirable, but you can campaign, which is one of the activities, without processing personal data. What does this mean in practice? I have a list of questions, by no means exhaustive, one of which comes from outside, asking what is meant by political opinion. That is not voting intention. Political opinion could mean a number of things across quite a wide spectrum. We heard at the previous stage that the Electoral Commission had not been involved in this, and a number of noble Lords urged that it should be. It did not respond when asked initially, but that does not mean it should be kept out of the picture altogether. After all, it will have to respond to quite a lot of what goes on. It might not be completely its bag, but it is certainly not a long way from it.
We support pinning down the detail of this. I do not actually agree with the noble Lord’s amendment as drafted, but I thank him for finding a mechanism to raise the issue again.
I am grateful to the noble Lord, Lord Kennedy, for raising this issue, and to the noble Baroness for her comments. These issues are vital to our system of government, and we agree with that.
Amendment 27 seeks to expand the umbrella term “political activities” to include any additional activities determined to be appropriate by the Electoral Commission. Noble Lords will agree that engaging and interacting with the electorate is crucial in a democratic society, and we must therefore ensure that all activity to facilitate this is done in a lawful manner. Although paragraph 18(4) includes campaigning, fundraising, political surveys and case work as illustrative examples of political activities, it should not be taken to represent an exhaustive list.
Noble Lords will be aware that the Electoral Commission’s main areas of expertise concern the regulation of political funding and spending, and we are of the opinion that much, if not all the activities they regulate will be captured under the heading “political activity”. As I have just set out, fundraising is included as an illustrative example, which ought to provide some reassurance on this point. Moreover, the greater the number of activities denoted by the Electoral Commission, the less likely it is that any other activity would be considered by a court to be a political activity by dint of its omission. The commission, a body which as far as I am aware claims no expertise in data protection matters, would find itself in an endless spiral of denoting new activities as being permissible under the GDPR. Nevertheless, in recognition of the importance of such processing to the democratic process, the Government are continuing to consider the broader issues at stake and may well return to them in the second House. In this vein, the noble Lord made a number of good points, and I look forward to meeting him with the Minister for Digital, my right honourable friend Matt Hancock, on Thursday this week to discuss the matter in more detail than the parameters of this debate allow. We will see what the noble Lord feels about the timing of that after the meeting.
As for the noble Baroness, Lady Hamwee, we talked about having bigger meetings, and I am sure the time will come. This is just a preliminary meeting to decide on timings and to give the noble Lord, Lord Kennedy, the chance to discuss this with the Minister for Digital. I envisage that further meetings will include the noble Baroness.
I appreciate the sentiment behind the noble Lord’s amendment. In the light of our forthcoming discussions, I hope he feels able to withdraw it.
My Lords, I have put my name to this amendment. I stumbled on the omission of Members of this House during debate in Committee, when I asked what I thought was an innocent question. I was asked to appear on the BBC’s “Question Time” after the list of Peers of which I was one was announced but before I actually arrived here. It was a fairly difficult occasion, which I remembered when I was thinking about this issue at lunchtime today. When I referred, during the discussion, to Members of Parliament, Nicholas Ridley said, “You are a Member of Parliament”. We are all Members of Parliament. We happen to be Members of the House of Lords; those who are normally called MPs are Members of the House of Commons. I regard myself as being in a representative position, even though I am not elected.
I disagree with one comment of the noble and learned Lord, which was about the amount of casework that I do. I am so conscious of the problems of getting it wrong, particularly in the area of immigration, that I try not to do that work. However, it is notable how the number of requests to Peers to intervene in individual cases has grown over the last few years. I suppose that reflects the fact that MPs are taking on more and more of what a few years ago one might have called social work. There are not the same demarcation lines as perhaps there used to be.
The casework, among other things, informs our general response to policy issues and specific proposals put before us, so we cannot exclude ourselves from all this. Ten days or so ago, in response to a request to pursue a particular case, I made the point that the individual should approach her own MP. The answer came back, through an intermediary, “She’s an asylum seeker. She doesn’t have an MP. We’re looking for anyone who can help”.
In Committee, questions on this issue were asked round the House. I recall that the noble Lord, Lord Lucas, took up the point after I had asked a question. I am very grateful to the noble and learned Lord for pursuing this matter. I hope that the Minister will accept his suggestion that this should be considered further between now and Third Reading, and that it should be dealt with at this end. I hope that the Minister will this evening assure us that it will remain on the agenda and that we can return to it at the next stage of the Bill in this House.
My Lords, we do not need to think very hard about this issue in terms of providing evidence that might be helpful to Ministers given that at Oral Questions today, at which I think the Minister and the noble Baroness were present, a case was raised by a Peer on our side of the House, in a Question to the DWP Minister, which verged on picking up a particular case. It was very useful in terms of making a broader political point. Are we saying that that will not be possible in future, as it raises significant questions? Secondly, as the noble Baroness, Lady Hamwee, said, irrespective of whether we have been an MP or a Member of the other House, we receive letters and emails almost daily offering individual data and information which, if we used it, would, I think, fall into the category mentioned by the noble and learned Lord.
At the weekend, I had the privilege of seeing the RSC perform the “Imperium” plays, adapted from the books of Robert Harris. These deal with a well-known orator, Cicero. Noble Lords will not be surprised to learn that he recommends to his clients—at one stage, he gives a tutorial to fellow citizens of Rome who intend to seek high office—that it is always helpful, and always catches the attention of an audience, if you give the specifics of an individual case and rise from that to the general. So if there is a possibility of placing a constraint on the ability of Members of this House to raise cases in an effort to improve the quality of life for citizens to whom we owe a duty of care and responsibility, that must be wrong. I hope that the Minister will take this away and work with the noble and learned Lord, Lord Brown, to bring something forward at Third Reading.
I confess to being disappointed by the Minister’s response to this. I dealt with the fact that things have changed over the 15 years since the 2002 order. Of course there will continue to be circumstances in which it is possible to get, without inhibiting problems, the express consent of the person concerned. However, it will not always be possible, and to that extent it will inhibit the future ability of Members to discharge a function they have been discharging. Of course I will not divide the House at this stage; nevertheless, I urge the Government to reread the arguments and submissions that the noble Baroness and I have advanced today and see whether they cannot bring themselves to recognise that there is a substantial point here. Although there is a natural reluctance to treat us as elected Members, they should for this limited purpose do so; that is justified in the narrow circumstances in which this point arises.
Before the noble and learned Lord finishes, if the House permits me, I will raise something with the Minister. A number of individual cases are brought to us through other organisations, which may have the consent of the individuals. We would want to pursue a matter in the way the noble Lord, Lord Stevenson, just mentioned—I was not at Question Time today but I can imagine the kind of situation. It would add considerably to the difficulty of doing that if the consent obtained by the organisation was thought not to extend to a Peer taking up the matter. I do not know how we would deal with that. It would be a considerable barrier to our doing what I regard as our job.
I am grateful to the noble Baroness, who puts forward a dimension to the problem that she is much more alive to than I am. However, there it is. I urge the Minister to reread these speeches and, in the meantime, I have no option but to beg leave to withdraw the amendment.
(7 years ago)
Lords Chamber
My Lords, I support the spirit of this amendment. I think it is the right thing and that we ultimately might aspire to a code. In the meantime, I suspect that there is a lot of work to be done because the field is changing extremely fast. The stewardship body which the noble Lord referred to, a deliberative body, may be the right prelude to identifying the shape that a code should now take, so perhaps this has to be taken in a number of steps and not in one bound.
My Lords, I too support the amendment. Picking up this last point, I am looking to see whether the draft clause contains provisions for keeping the code under review. A citizens’ charter is a very good way of describing the objective of such a code. I speak as a citizen who has very frequently, I am sure, given uninformed consent to the use of my data, and the whole issue of informed consent would be at the centre of such a code.
My Lords, I speak also to the other amendments in this group. All these amendments are suggested by the Bar Council and stand in my name and those of the noble Lord, Lord Arbuthnot of Edrom, and the noble Baroness, Lady Neville-Rolfe. All concern legal professional privilege, a subject which the Committee and the House have frequently debated. I know I do not need to stress its importance or remind noble Lords—but obviously, I am just about to—that the confidentiality and privilege are those of the client, not the lawyer.
The Bar Council comments that the powers of the commissioner to have access to the information and systems of data controllers should be limited where the data controller is a legal professional or anyone subject to the requirements of client confidentiality and legal professional privilege. It reminded us that there are exceptions in the 1998 Act which deal with this. Legal professional privilege cannot be waived by the lawyer but is subject to contractual or other legal restrictions. In the clauses in question, legal professional privilege seems to be overridden in circumstances where the commissioner considers that she needs to look at the data to perform her functions. Clause 128(1) refers to use or disclosure,
“only so far as necessary for carrying out those functions”—
that is, the commissioner’s functions. I suggest that this is inappropriate given the provisions elsewhere in the Bill which we now seek to amend.
Amendments 161A, 161B, 161C and 161D deal with confidential legal materials which it is proposed should be inserted and covered. These are defined in the last of these four amendments as “materials brought into being”, as distinct from documents which are communicated between an adviser and a client, and thus would be wider, and include materials brought into being,
“for the purpose of establishing, exercising or defending legal rights”,
which is wider than the Bill provides.
The Bill does not contain directions as to the purpose of the guidance on protection of privileged material. Amendment 161C would give a direction to the commissioner as to the purpose. Amendments 162A, 162B, 163ZA and 163ZB would again extend the protection. Clauses 138 and 141 are limited to documents that relate to data protection legislation. These amendments would widen the protection to all documents protected by legal professional privilege.
Clause 138(5) does not cover the right of self-incrimination of other persons, such as the client of a legal representative or a family member of a client, who would not be entitled to rely on privilege. Amendment 162C would widen the class of persons to others. Since the client may well be seeking advice or representation in relation to a matter which might incriminate him, the Bar Council asks us to point out that this is particularly important.
Amendment 163B reflects provisions in Clause 138, on information notices, and in Clause 141, on assessment notices, and extends the restrictions to enforcement notices. The clauses I have mentioned provide that a person is not required to give the commissioner privileged material—I beg your Lordships’ pardon; a bracket has been opened and I am seeking where it closes—in response to such a notice. As I say, this would extend that restriction to enforcement notices.
Finally, on Amendment 164B, professionals may be restricted in providing information to the commissioner in respect of their processing, because of privilege or an obligation of confidentiality, compliance with the Bar code of conduct, or rules or orders of the court. The Bar Council wishes the Committee to be aware that a barrister,
“may wish to disclose information in mitigation or explanation for a breach of the GDPR provisions, but be unable to do so because disclosure would place”,
counsel,
“in breach of professional conduct rules or other confidentiality obligations, or in breach of data protection obligations because it is not possible to obtain consent for”,
the processing.
Compliance with the profession’s rules might have the result of exposing a barrister to a higher penalty to be imposed by the commissioner as a result of that inability, which does not seem fair. The amendment would provide that circumstances of this kind may be taken into account by the commissioner when assessing the penalty by adding a paragraph to the mitigating circumstances in the list. As the Bar Council points out, none of these points would prevent the commissioner effectively carrying out her duties. Even if she were,
“prevented from seeing privileged and confidential material, this … would be a justified and necessary consequence of … proper weight being given to the citizen’s fundamental right to consult a lawyer and to maintain the confidentiality”.
However, if unamended, there could be a conflict between the legal regulators and the commissioner. I beg to move.
My Lords, I am grateful to the noble Baroness, Lady Hamwee, and to the Bar Council for the help it has given us on these amendments. I declare an interest—at least, I suppose I do—in that my wife is a judge and I used to practise as a Chancery barrister long ago.
It is an essential part of our legal system that people should have access to the justice system without communications between the client and the lawyer being disclosed—or, at any rate, that those disclosures should have only the rarest occurrence, such as, for example, if a communication is to be used to facilitate a crime. In those circumstances alone can legal professional privilege be waived. I suggest that the Bill should recognise the value of legal professional privilege but that it does not put that recognition into full effect. I hope that our amendments would achieve that.
My Lords, I am grateful to the noble Baroness, Lady Hamwee, for tabling these amendments. I know that the Bar Council has raised similar concerns with officials in my department and I am keen that that dialogue continue.
Before I address the amendments, I would like to say something about the overarching principles in relation to the interaction between data protection and legal professional privilege.
The right of a person to seek confidential advice from a legal adviser is indeed, as my noble friend Lord Arbuthnot said, a fundamental right of any person in the UK and a crucial part of our legal system. The Government in no way dispute that, and I reassure noble Lords that this Bill does not erode the principle of legal professional privilege.
It is true that the Data Protection Act 1998 allows the Information Commissioner to use her powers to investigate alleged data breaches by law firms, and sometimes the information she requests in order to carry out a thorough investigation may contain information which is subject to legal professional privilege. The commissioner recognises the sensitivity of material protected by legal professional privilege and has established processes in place for protecting it. Any material identified by the data controller as privileged is isolated if seized during a search and it is then sent directly to independent counsel for review. Counsel then provides an opinion on whether privilege applies. If counsel decides that the data is not privileged, the data controller can still dispute the Information Commissioner’s right to access that material and has the right to appeal to a tribunal, which will carry out a full merits review.
The Government are seeking only to replicate, as far as possible, in the current Bill the existing provisions relating to legal professional privilege in the 1998 Act. It is, for example, vital that the Information Commissioner retains the power to investigate law firms. They, like other data controllers, can make mistakes. If personal data is lost, stolen or disclosed unlawfully, that can have serious consequences for data subjects. It is right that the Information Commissioner retains the ability to investigate potential breaches by lawyers. They are not above the law.
As a final point of principle before we examine the amendments in detail, it is also worth highlighting that Clause 128 introduces a new requirement for the Information Commissioner to publish guidance on how legally privileged material obtained in the course of her investigations will be safeguarded. There was no similar requirement in the 1998 Act, so in that respect the current Bill actively strengthens protections for legal professional privilege. This has been included because historically the commissioner has found that a minority of those in the legal profession refuse to allow her access to personal data on the basis that it is privileged. The profession has not always understood that it must disclose the data and that the commissioner then has processes and procedures to protect that data. This guidance will make it clearer to the legal profession that robust safeguards are in place.
I turn to the amendments in this group. As I have said, Clause 128 provides that the Information Commissioner must publish guidance on the safeguards in relation to legally privileged communications. Amendments 161A and 161B would amend subsection (1) to clarify that any guidance published by the commissioner should cover the handling of any “confidential legal materials” as well as any communications between legal adviser and client. Amendment 161D would then introduce a wide definition of “confidential legal materials”. This, in our view, is unnecessary. I have no doubt that the Information Commissioner will interpret this to include draft communications.
Bills have grown in length over the years and, if we were to cover off permutations and combinations of processing and preparatory work such as this in every clause, we would be debating this Bill until next summer. We would also, through overdefinition, create more worrying loopholes.
Amendment 161C would make further provision about the purposes of the guidance published by the Information Commissioner. It has been suggested that the aim of the guidance should be to make it clear that nobody can access legally privileged material without the consent of the client who provided the material in the expectation that it would be treated in confidence. As I have already said, it is vital that the Information Commissioner retains the ability to investigate, and this amendment would call that into question because an investigation could not happen if the client withheld consent. I hope that the reassurances I have already given about the lengths to which the Information Commissioner will go to keep any confidential information safe are sufficient on that point. We are clear that the commissioner must have the right to investigate.
I said I would return to the issue of the Information Commissioner’s enforcement powers and the interaction with legal professional privilege. When there is a suspected breach of the data protection legislation, the commissioner has a number of tools available to aid her investigation. The commissioner can use information notices and assessment notices to request information or access filing systems, use enforcement notices to order a data controller to stop processing certain data or to correct bad practices, and issue monetary penalty notices to impose fines for breaches of the data protection legislation. However, we understand from the commissioner that the powers to issue assessment notices and information notices are rarely used because controllers tend to co-operate with her request. There are, however, a number of restrictions on the use of these enforcement powers where they relate to legally privileged information. In relation to information notices these are set out in Clause 138, and in relation to assessment notices they are set out in Clause 141. The restrictions ensure that a person is not required to provide legally privileged information. The concept of legal privilege is therefore preserved, although it may be waived by the controller or processor.
Amendments 162A, 162B, 162C, 163ZA and 163ZB intend to broaden the restrictions in Clauses 138 and 141 regarding information and assessment notices so that they apply explicitly to all legally privileged communications, not just those which concern proceedings under data protection legislation. The Government carefully considered whether these restrictions should apply to a wider range of legally privileged material when we developed the Bill. The current practice is for the ICO to appoint independent counsel to assess all potentially legally privileged material, which is not therefore passed on to the ICO if found to be privileged.
Amendment 163B seeks to apply the same restrictions that apply to assessment and information notices to enforcement notices. While we understand that this amendment derives from a concern that there may be a gap in the enforcement notice provisions, as there is currently no reference in those provisions to protecting legal professional privilege I can reassure noble Lords that such provision is unnecessary because, unlike information and assessment notices, enforcement notices cannot be used to require a person to provide the commissioner with information, only to require the controller to correct bad practice.
Finally, I turn to Amendment 164B, which aims to add to the list of matters in Clause 148 that the Information Commissioner must consider when deciding whether to give a data controller a penalty notice and determining the amount of the penalty. If a legal adviser failed to comply with an information or assessment notice because the information concerned was legally privileged, it would require the Information Commissioner to take this into account as a mitigating factor when deciding whether to issue a penalty notice and setting the level of financial penalty. Clause 126 specifically provides that the duty of confidence should not preclude a legal adviser from sharing legally privileged material with the Information Commissioner. As I have previously explained, there are strict procedures in place to protect privileged material.
We have given all these amendments careful consideration, but I hope that I have convinced the Committee that the Bill already strikes the correct balance between the right to legal professional privilege and the rights and freedoms of data subjects. With that, I hope that the noble Baroness feels able to withdraw her amendment.
My Lords, indeed I will. The Minister mentioned continuation of dialogue. That, of course, is the right way to address these things, but I believe the Bar Council seeks to do what he says the Bill does: replicate the current arrangements.
If it is not necessary to provide specifically for confidential material, I suspect those who drafted these amendments may want to look again at the definition of “privileged communications” to see whether it is adequate. I do not believe they would have gone down this route had they been content with it.
On the amendments that would extend protections to all legally privileged material, not just data protection items—Amendment 162A and so on refer to any material—I am not clear why there is a problem with the extension under a regime such as the one the Minister described. That would catch material and deal with it in the same way as any other. I do not know whether there is a practical problem here.
On Amendment 164B the Minister directed us to Clause 126. Again, I am not sure whether he is suggesting there might be a practical problem. It seems an important amendment, not something that should be dealt with by reading between the lines of an earlier clause. However, I will leave it to those who are much more expert than I am to consider the Minister’s careful response, for which I thank him. I beg leave to withdraw the amendment.
(7 years ago)
Lords Chamber
My Lords, as this amendment involves data provided by local authorities, I should declare my interests as a councillor of the London Borough of Southwark and as a vice-president of the Local Government Association.
Amendment 53 in my name and that of my noble friend Lord Stevenson of Balmacara would delete the first occurrence of the word “substantial” from paragraph 17(2) of Schedule 1 and Amendment 54 would delete its second occurrence from the same provision.
Healthy-functioning political parties are a vital part of our democracy. Campaigners and campaigning have moved on a long way from the days of hand writing envelopes to encompass much more sophisticated methods of contacting voters using all available mechanisms.
Political parties and their members need clarity and certainty as to what they are required to do, what they are able to do and what they are not able to do, so that they act lawfully at all times and in all respects. We cannot leave parties, campaigners and party members with law that is grey and unclear, and with rules that mean that campaigners, in good faith, make wide interpretations that are then found to be incorrect, due largely to the required clarity not having been given to them in the first place by government and Parliament.
I am also very clear that political parties are volunteer armies, with people volunteering to campaign to get members of their party elected to various positions in Parliament and in local authorities and to run various campaigns.
I have a number of questions for the Minister. I do not necessarily expect to get answers today but I hope that when he responds he will agree to meet me along with other interested Peers on the matters I am raising. I know that the noble Lord, Lord Hayward, from the Minister’s Benches would certainly like to meet him, and I am sure that the noble Lord, Lord Tyler, would also wish to be involved in those discussions. I hope that the Minister will agree to that. I also think that it would be useful if any such meeting involved officials from the three parties to discuss how we can get this right; otherwise, there will be all sorts of problems for parties, party members and campaigners, and none of us wants that.
Therefore, my questions to the Minister are as follows—as I said, I shall be happy for him to write to me. Will he provide a list of the characteristics or activities that are required for a political party to conduct operations? Does he believe that the terms in relation to political activity in paragraph 17 of Schedule 1 definitively cover the required activities of UK political parties? Will he clarify what constitutes profiling with regard to the activities of political parties? What activities or operations with reference to paragraph 17(1)(c) of Schedule 1 would be considered necessary for a political party? Does he think that the procedure detailed in paragraph 17(3)(a), whereby a data subject can give written notice to require the data controller—in this case, a political party—to cease the processing of their data, is consistent with Section 13(3) of the RPA 1983, where parties hold and process data on the basis not of consent but of being supplied that data by a local authority via the electoral register? Given the regular transfer of registers to political parties, does the Minister think it is practical or enforceable for a party to cease processing the data, which will likely be resupplied by an authority?
Let me make the point this way: take elector A, who instructs the party to stop processing their data, and the party complies. But the party then gets given data from the local authority in the next round, and elector A’s information is included. As soon as the party processes that data, it will technically have infringed the law. This is very complicated and it would be useful if the Minister’s officials could meet people interested in this area and come back to us. Whatever we end up with following this process, it must be consistent and work, and it should not bring into conflict two different Acts of Parliament. I beg to move.
My Lords, the noble Lord referred to the rules as a bit grey and asked for clarity for the volunteer army. I should declare an interest as a foot soldier in that volunteer army.
The noble Lord’s request that party officials should be involved in this process is a good one—I would have thought they would have been. The Minister should be aware of my first question as I emailed him about this, over the weekend I am afraid. Has the Electoral Commission been involved in these provisions?
The noble Lord mentioned the electoral register provided by a local authority. My specific question is about the provision, acquisition and use of a marked electoral register. For those who are not foot soldiers, that document is marked up by the local authority, which administers elections, to show which electors have voted. As noble Lords will understand, this is valuable information for campaigning parties and can identify whether an individual is likely to turn out and vote and so worth concentrating a lot of effort on. I can see that this exercise could be regarded as “campaigning” under paragraph 17(4) of Schedule 1. However, it is necessary, although I do not suppose that every local party in every constituency makes use of the access it has. It is obvious to me that this information does not reveal political opinions, which is also mentioned in the provisions. I would be grateful to hear the Minister’s comments. I am happy to wait until a wider meeting takes place, but that needs to be before Report.
I want to raise a question on a paragraph that is in close geographical proximity in the Bill—I cannot see another place to raise the issue and it occurred to me only yesterday. Why are Members of the House of Lords not within the definition of “elected representatives”? We do not have the casework that MPs do, but we are often approached about individual cases and some Peers pursue those with considerable vigour. This omission—I can see a typo in the email that I sent to the Minister about this; I have typed “mission” but I meant “omission”—is obviously deliberate on the part of the Government.
My Lords, I begin by repeating, almost word-for-word, the noble Lord, Lord Kennedy: engaging voters is important in a healthy democracy. In order to do that, political parties, referendum campaigners and candidates will campaign using a variety of communication methods. However, they must comply with the law when doing so, and this includes the proper handling of the personal data they collect and hold.
Noble Lords will be aware that the Information Commissioner recently announced that she was conducting an assessment of the data protection risks arising from the use of data analytics, including for political purposes. She recognises that this is a complex and rapidly evolving area where organisations use a person’s internet or public profile to target communications or messaging. The level of awareness among the public about how data and analytics work and how their personal data is collected, shared and used through such tools is low. What is clear is that these tools have a significant potential impact on an individual’s privacy, and the Government welcome the commissioner’s focus on this issue. It is against this backdrop that we considered the amendments of the noble Lord.
The amendments seek to amend a processing condition relating to political parties in paragraph 17. The current clause permits political parties to process data revealing political opinions, provided that it does not cause substantial damage or substantial distress. This replicates the existing wording in the Data Protection Act 1998. I have said that political campaigning is a vital democratic activity but it can also generate heated debate. Removal of the word “substantial” could mean that data processing for political purposes which caused even mild offence or irritation becomes unlawful. I am sure noble Lords would agree that it is vital that the Bill, while recognising the importance of adequate data protection standards, does not unduly chill such an important aspect of the UK’s democracy. For that reason I ask the noble Lord to withdraw the amendments.
I thank the noble Lord for allowing me to reply later to his list of questions. I found it difficult to copy them down, let alone answer them all, but I take the point. In many instances we are all in the same boat on this, as far as political parties are concerned. I shall of course be happy to meet with him, and I take the point about who should attend. I am not sure it will be next week, when we have two days in Committee, but we will arrange it as soon as possible. I will have to get a big room because my office is too small for all the people who will be coming. I take the points the noble Lord made in his questions and will address them in the meeting.
The noble Baroness, Lady Hamwee, asked whether the Electoral Commission had been consulted. It did not respond to the Government’s call for views which was published earlier this year, and we have not solicited any views explicitly from it beyond that.
The noble Baroness also asked about the provision, acquisition and use of a marked electoral register within paragraph 17 of Schedule 1. As she explained, the marked register shows who has voted at an election but does not show how they voted. As such, it does not record political views and does not contain sensitive data—called special categories of data in the GDPR—and, as the protections for sensitive data in article 9 of the GDPR are not relevant, Schedule 1 does not apply.
Lastly, the noble Baroness asked why Members of the House of Lords are not within the definition of elected representatives. Speaking as an elected Member of the House of Lords—albeit with a fairly small electorate—I am obviously interested in this. I have discovered that none of us, I am afraid, are within the definition of elected representatives in the Bill. We recognise that noble Lords may raise issues on an individual’s behalf. Most issues will not concern sensitive data but, where they do, in most cases we would expect noble Lords to rely on the explicit consent of the person concerned. This arrangement has operated for the past 20 years under the current law, and that is the position at the moment.
I hope I have tackled the specific items relating to the amendments. I accept the points made by the noble Lord, Lord Kennedy, about the electoral issues that need to be raised in general.
(7 years ago)
Lords Chamber
My Lords, these amendments, in my name and those of the noble Baroness, Lady Neville-Rolfe, and the noble Lord, Lord Arbuthnot, may not be the most difficult or most significant that we will come to, but they are important and they deal with an issue brought to us by the Bar Council. I am aware that members of the Bar Council met officials and I believe that some of the matters throughout the Bill that they discussed were left with officials to consider—and, no doubt, with the Bar Council as well. I am not aware that this matter has been settled. The amendment would remove the paragraph from Part 3 of this schedule and put it in Part 2 and would extend the exemption recognising practicalities. Briefly, the issue is the term “legal claims”.
The Bar Council makes the point that this phrase does not adequately describe all the work that lawyers and all parts of the profession undertake on behalf of their clients. There is a risk, therefore, that legal professionals will not be able to process special categories of personal data when undertaking legal advice relating to prosecutions, defences to prosecutions and criminal appeals, family and child protection proceedings and so on, or—noble Lords may think that this should not come within this category—legal advice relating to tax or a proposed transaction. The Bar Council is rightly concerned, of course, to ensure that legal professionals can process such data when undertaking activity which is squarely within the scope of its normal work but beyond what might be described by the narrow term, “legal claims”. The amendment includes wording which is about to be put to the Committee in the form of government amendments which have already been debated and brings the matter of the legal activity listed in the new clause and the government amendments into Part 2 of Schedule 1. I beg to move.
My Lords, if the House will indulge me, having heard someone who described herself earlier as a foot soldier in her army of volunteers, I can now identify her as a beaver in the battalion of dam building. It seems that by broadening all that falls under the term, “legal claims”, and, of course, on the advice of the Bar Council, some common sense is being alluded to here and therefore we have no hesitation in joining our forces to those we have heard so ably expressed.
My Lords, I am grateful to the noble Baroness for making her debut in the Committee stage and to the noble Lord for his comments. By way of background, because I find it quite complicated, it is worth reminding ourselves that article 9 of the GDPR provides processing conditions for special categories of data. In particular, the processing necessary for,
“the establishment, exercise or defence of legal claims”,
is permitted by article 9(2)(f). It is directly applicable and does not allow any discretion to derogate from it in any way. Article 10 of the GDPR, which relates to criminal convictions and offences data, takes a different approach. It requires member states to set out in their law conditions relating to the processing of said criminal convictions and offences data in order to enable many organisations to process it. Paragraph 26 of Schedule 1 therefore seeks to maintain the status quo by replicating in relation to criminal convictions data the processing condition for the special categories of personal data contained in article 9(2)(f).
Government Amendment 65, referred to by the noble Baroness, responds to a request we have had from stakeholders to anglicise the language currently used in that paragraph. The Government strongly agree about the importance of ensuring that data protection law does not accidentally undermine the proper conduct of legal proceedings, which is why we have made this provision. We submit that Amendments 63A and 64A are unnecessary. They are predicated on the false premise that government Amendment 65 in some way changes the scope of paragraph 26. It does not, it simply anglicises it. However, even if different wording were to be used in Amendment 63A to that used in Amendment 65, we are certain that the Commission would take a dim view of member states attempting to use article 9(2)(g), the substantial public interest processing condition, to expand article 9(2)(f) in the way that Amendment 63A proposes. In the light of that explanation, I would be grateful if in this case the noble Baroness would withdraw her amendment.
My Lords, I am still processing the compliment that has been paid to me. If I were standing for election, the noble Lord might find himself being quoted.
The Minister says that the amendment is unnecessary but then goes on to say that it is wrong. The main point is not the five or so lines of wording as what is required or precluded by the articles of the GDPR that he has quoted. I will not attempt to respond today because I could not do his arguments justice, but I suspect that others will try to do so. As I say, his officials have met with representatives of the Bar Council. I am sure that he will be happy for that dialogue to continue, and if necessary for it to extend to some of us who might come along and listen to what the officials are saying and give it a rubber stamp in an effort to progress the argument. There is a real concern about where this exemption should lie and how it should apply, so I will beg leave to withdraw the amendment, not because I am convinced but because there is still more discussion to be had.
My Lords, I speak to Amendment 75 in particular, but the whole issue of automated decision-making is extremely worrying.
As we have gone through this Bill, I have been desperately hoping that some of the most repressive bits are a negotiating tactic on the Government’s part, and that before Report they will say, “We’ll take out this really nasty bit if you let us leave in this not really quite so nasty bit”. I feel that this issue is one of the really nasty bits.
I thank Liberty, which has worked incredibly hard on this Bill and drawn out the really nasty bits. Under the Data Protection Act 1998, individuals have a qualified right not to be subject to purely automated decision-making and, to the extent that automated decision-making is permitted, they have a right to access information relating to such decisions made about them. The GDPR clarifies and extends these rights to the point that automated decisions that engage a person’s human rights are not permissible.
This could include being subjected to unfair discrimination. The noble Lord, Lord Clement-Jones, used the phrase, “unintended discrimination”—for example, detecting sexuality or diagnosing depression. The rapidly growing field of machine learning and algorithmic decision-making presents some new and very serious risks to our right to a private life and to freedom of expression and assembly. Such automated decision-making is deeply worrying when done by law enforcement agencies or the intelligence services because the decisions could have adverse legal effects. Such processing should inform rather than determine officers’ decisions.
We must have the vital safeguard for human rights of the requirement of human involvement. After the automated decision-making result has come out, there has to be a human who says whether or not it is reasonable.
My Lords, I too want to say a word about Amendment 75. The Human Rights Act trumps everything. To put it another way, the fundamental rights it deals with are incorporated into UK law, and they trump everything.
Like the noble Baroness, I believe that it is quite right that those who are responsible—humans—stop and think whether fundamental human rights are engaged. The right not to be subject to unfair discrimination has been referred to. Both the Bill and the GDPR recognised that as an issue in the provisions on profiling, but we need this overarching provision. Like other noble Lords, I find it so unsettling to be faced with what are clearly algorithmic decisions.
When I was on holiday I went to a restaurant in France called L’Algorithme, which was very worrying but I was allowed to choose my own meal. If this work continues in the industry, perhaps I will not be allowed to do so next year. I wondered about the practicalities of this, and whether through this amendment we are seeking something difficult to implement—but I do not think so. Law enforcement agencies under a later part of the Bill may not make significant decisions adversely affecting a data subject. Judgments of this sort must be practicable. That was a concern in my mind, and I thought that I would articulate my dismissal of that concern.
My Lords, my name is attached to two of these amendments. This is a very difficult subject in that we are all getting used to algorithmic decisions; not many people call them that, but they are what in effect decide major issues in their life and entice them into areas where they did not previously choose to be. Their profile, based on a number of inter-related algorithms, suggests that they may be interested in a particular commercial product or lifestyle move. It is quite difficult for those of my generation to grasp that, and difficult also for the legislative process to grasp it. So some of these amendments go back to first principles. The noble Baroness, Lady Hamwee, said that the issue of human rights trumps everything. Of course, we all agree with that, but human rights do not work unless you have methods of enforcing them.
In other walks of life, there are precedents. You may not be able to identify exactly who took a decision that, for example, women in a workforce should be paid significantly less than men for what were broadly equivalent jobs; it had probably gone on for decades. There was no clear paper trail to establish that discrimination took place but, nevertheless, the outcome was discriminatory. With algorithms, it is clear that some of the outcomes may be discriminatory, but you would not be able to put your finger on why they were discriminatory, let alone who or what decided that that discrimination should take place. Nevertheless, if the outcome is discriminatory, you need a way of redressing it. That is why the amendments to which I have added my name effectively say that the data subject should be made aware of the use to which their data is being made and that they would have the right of appeal to the Information Commissioner and of redress, as you would in a human-based decision-making process that was obscure in its origin but clear in relation to its outcome. That may be a slightly simplistic way in which to approach the issue, but it is a logical one that needs to be reflected in the Bill, and I hope that the Government take the amendments seriously.
I will. I had some inspiration from elsewhere on that very subject—but it was then withdrawn, so I will take up the offer to write on that. However, I take the noble Lord’s point.
We do not think that Amendment 75 would work. It seeks to prevent any decision being taken on the basis of automated decision-making where the decision would “engage” the rights of the data subject under the Human Rights Act. Arguably, such a provision would wholly negate the provisions in respect of automated decision-making as it would be possible to argue that any decision based on automated decision-making at the very least engaged the data subject’s right to have their private life respected under Article 8 of the European Convention on Human Rights, even if it was entirely lawful. All decisions relating to the processing of personal data engage an individual’s human rights, so it would not be appropriate to exclude automated decisions on this basis. The purpose of the Bill is to ensure that we reflect processing in the digital age—and that includes automated processing. This will often be a legitimate form of processing, but it is right that the Bill should recognise the additional sensitivities that surround it. There must be sufficient checks and balances and the Bill achieves this in Clauses 13 and 48 by ensuring appropriate notification requirements and the right to have a decision reassessed by non-automated means.
As the Minister may be about to move on from that, I think he is saying that the phrase, “engages an individual’s rights” is problematic. Are the Government satisfied that the provisions the Minister has just mentioned adequately protect those rights—I am searching for the right verb—and that automated decision-making is not in danger of infringing the rights that are, as he says, always engaged?
Automated processing could do that. However, with the appropriate safeguards we have put in the Bill, we do not think that it will.
Amendment 77 seeks to define a significant decision as including a decision that has legal or similar effects for the data subject or a group sharing one of the nine protected characteristics under the Equality Act 2010 to which the data subject belongs.
We agree that all forms of discrimination, including discriminatory profiling via the use of algorithms and automated processing, are fundamentally wrong. However, we note that the Equality Act already provides a safeguard for individuals against being profiled on the basis of a particular protected characteristic they possess. Furthermore, recital 71 of the GDPR states that data controllers must ensure that they use appropriate mathematical or statistical procedures to ensure that factors which result in inaccuracies are minimised, and to prevent discriminatory effects on individuals,
“on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation”.
We therefore do not feel that further provision is needed at this stage.
Amendment 77A, in the name of the noble Lord, Lord Stevenson, seeks to require a data controller who makes a significant decision based on automated processing to provide meaningful information about the logical and legal consequences of the processing. Amendment 119, as I understand it, talks to a similar goal, with the added complication of driving a wedge between the requirements of the GDPR and applied GDPR. Articles 13 and 14 of the GDPR, replicated in the applied GDPR, already require data controllers to provide data subjects with this same information at the point the data is collected, and whenever it is processed for a new purpose. We are not convinced that there is much to be gained from requiring data controllers to repeat such an exercise, other than regulatory burden. In fact, the GDPR requires the information earlier, which allows the data subject to take action earlier.
Similarly, Amendment 77B seeks to ensure that data subjects who are the subject of automated decision-making retain the right to make a complaint to the commissioner and to access judicial remedies. Again, this provision is not required in the Bill, as data subjects retain the right to make a complaint to the commissioner or access judicial remedies for any infringement of data protection law.
Amendment 78 would confer powers on the Secretary of State to review the operational effectiveness of article 22 of the GDPR within three years, and lay a report on the review before Parliament. This amendment is not required because all new primary legislation is subject to post-legislative scrutiny within three to five years of receiving Royal Assent. Any review of the Act will necessarily also cover the GDPR. Not only that, but the Information Commissioner will keep the operation of the Act and the GDPR under review and will no doubt flag up any issues that may arise on this or other areas.
Amendment 153A would place a requirement on the Information Commissioner to investigate, keep under review and publish guidance on several matters relating to the use of automated data in the health and social care sector in respect of the terms on which enterprises gain consent to the disclosure of the personal data of vulnerable adults. I recognise and share noble Lords’ concern. These are areas where there is a particular value in monitoring the application of a new regime and where further clarity may be beneficial. I reassure noble Lords that the Information Commissioner has already contributed significantly to GDPR guidance being developed by the health sector and continues to work closely with the Government to identify appropriate areas requiring further guidance. Adding additional prescriptive requirements in the Bill is unlikely to help them shape that work in a way that maximises its impact.
As we have heard, Amendment 183 would insert a new clause before Clause 171 stating that public bodies who profile a data subject should inform the data subject of their decision. This is unnecessary as Clauses 13 and 48 state that when a data controller has taken a decision based solely on automated processing, they must inform the data subject in writing that they have done so. This includes profiling. Furthermore, Clauses 13 and 48 confer powers on the Secretary of State to make further provisions to provide suitable measures to safeguard a data subject’s rights and freedoms.
I thank noble Lords for raising these important issues, which deserve to be debated. I hope that, as a result of the explanation in response to these amendments, I have been able to persuade them that there are sufficient safeguards in relation to automated decision-making in the GDPR and Parts 2 to 4 of the Bill, and that their amendments are therefore unnecessary. On that basis, I invite noble Lords not to press their amendments.
Tonight the noble Lord can because the Secretary of State is leading on this important matter. She is as committed as I am to ensuring that such a body is set up shortly. She has been consulting widely with civil society groups, industry and academia, some of which has been mentioned tonight, to refine the scope and functions of the body. It will work closely with the Information Commissioner and other regulators. As the noble Lords, Lord Clement-Jones and Lord Patel, mentioned, it will identify gaps in the regulatory landscape and provide Ministers with advice on addressing those gaps.
It is important that the new advisory body has a clearly defined role and a strong relationship to other bodies in this space, including the Information Commissioner. The Government’s proposals are for an advisory body which may have a broader remit than that suggested in the amendment. It will provide recommendations on the ethics of data use in gaps in the regulatory landscape, as I have just said. For example, one fruitful area could be the ethics of exploiting aggregated anonymised datasets for social and commercial benefit, taking into account the importance of transparency and accountability. These aggregated datasets do not fall under the legal definition of personal data and would therefore be outside the scope of both the body proposed by the noble Lord and, I suspect, this Bill.
Technically, Amendment 78 needs to be more carefully drafted to avoid the risk of non-compliance with the GDPR and avoid conflict with the Information Commissioner. Article 51 of the GDPR requires each member state to appoint one or more independent public authorities to monitor and enforce the GDPR on its territory as a supervisory authority. Clause 113 makes the Information Commissioner the UK’s sole supervisory authority for data protection. The functions of any advisory data ethics body must not cut across the Information Commissioner’s performance of its functions under the GDPR.
The amendment proposes that the advisory board should,
“monitor further technical advances in the use and management of personal data”.
But one of the Information Commissioner’s key functions is to
“keep abreast of evolving technology”.
That is a potential conflict we must avoid. The noble Lord, Lord Patel, alluded to some of the conflicts.
Nevertheless, I agree with the importance that noble Lords place on the consideration of the ethics of data use, and I repeat that the Government are determined to make progress in this area. However, as I explained, I cannot agree to Amendment 78 tonight. Therefore, in the light of my explanation, I hope the noble Lord will feel able to withdraw it.
Before the noble Lord, Lord Stevenson, responds—he will probably make this point better than I can—have we just heard from the Minister an outline of an amendment the Government will bring forward in order to enshrine the body they are advocating? He will understand that, whichever side of the House you are on, you are always aware that a future Government may not have the same ways of going about things as the Government he is supporting at the moment, and whose proposals are entirely laudable. Things may change.
I cannot agree with the noble Baroness’s point. However, I accept that that is a possibility and that things will not last for ever. However, in this case we expect to have the proposals shortly and this Government will definitely be around at that time.
(7 years ago)
Lords Chamber
My Lords, I want to add a word in support of the points made by the noble Lord, Lord Pannick, particularly with reference to the concerns that some people have expressed about money being moved out of the very closely and properly regulated regime of English trust law to offshore organisations and jurisdictions which are less careful about how people’s money is handled.
I should declare an interest as Chief Justice of the Abu Dhabi Global Market Courts. I am not suggesting that this has anything to do with Abu Dhabi, but it has introduced me to an aspect of trust law with which I was not previously familiar, and it bears closely on the point made by the noble Lord, Lord Pannick. He referred to Jersey as one of the jurisdictions of concern. One aspect of its legislation which has come to my attention through my connection with Abu Dhabi is the Foundations (Jersey) Law 2009. This is a structure set up by statute under Jersey law which is matched with an equivalent statute in Guernsey. It creates a form of trust which is, as it were, a hybrid between a trust and a corporation with a number of aspects that are described very well in Sections 25 and 26 of the Jersey law.
One of the points about the foundation, which appears in Section 25, is that a,
“beneficiary under a foundation … has no interest in the foundation’s assets; and … is not owed by the foundation or by a person appointed under the regulations of the foundation a duty that is or is analogous to a fiduciary duty”.
So the beneficiary under that system is rather different from a beneficiary under our system, where undoubtedly they have an interest in the foundation’s assets. But also to the point is Section 26, which provides that foundations are,
“not obliged to provide information”.
That has its counterpart in the point made about the Data Protection Act in that jurisdiction. It says that except,
“as specifically required by or under this Law or by the charter or regulations of the foundation, a foundation is not required to provide any person … with any information about the foundation”.
It goes on to say in subsection (2) that the,
“information mentioned in paragraph (1) includes, in particular, information about … the administration of the foundation … the manner in which its assets are being administered … its assets; and … the way in which it is carrying out its objects”.
I do not wish in any way to criticise how the foundation laws are run in Guernsey or Jersey, but it is a pattern which, if repeated in less scrupulous jurisdictions, has obvious attractions. People move into a foundation and nobody knows what part of the foundation money they own, because they are not supposed to own any part of it, and the foundation is not obliged to disclose any information at all. There is a risk that those who are keen, for whatever reason—it could even be for matrimonial reasons—to conceal their assets could move them offshore from a trust such as we have in this country, closely regulated and subject to the ordinary rules, to one of these other bodies, which we would not wish to encourage. One has only to look at the Criminal Finances Act 2017 and some of the clauses in the Sanctions and Anti-Money Laundering Bill that is before the House to see that we are taking a completely opposite line to the foundations laws, because we are insisting that we should be provided with information about what organisations of this kind hold and, indeed, who holds what assets. We have not got as far as actually requiring trusts to do that but, certainly, anyone who puts his money into a company, in an attempt to conceal his assets within the company, will be forced eventually to have that information disclosed.
I add these points to suggest that the point that the noble Lord, Lord Pannick, made has a great deal of substance, which one can trace through the foundations law. I stress again that I am not criticising how this is administered in Jersey or Guernsey—that is not really the point. The point is that those who would wish to copy their systems are subject to less close scrutiny. I also emphasise that I am not suggesting that we in this country would want to adopt a foundations law; that would really be quite contrary to how our current legislation is proceeding. So there is an important issue here about protecting ourselves—and those who set up trusts here and administer them properly according to our rules and conventions—against a loss of business, which would be detrimental not only to those who run the businesses but to the whole ethic by which we practise our trust law.
I hope that the Minister and those advising him will look carefully at the Jersey and Guernsey examples, with a view not to criticism but to sensing the risk to which the noble Lord, Lord Pannick, drew our attention.
My Lords, Amendments 80A and 83A are in the names of the noble Baroness, Lady Neville-Rolfe, and the noble Lord, Lord Arbuthnot, and come from the Bar Council. In their unavoidable absence, I have again been asked to speak to the amendments. The Government have amendments also to paragraph 5 of Part 1 of Schedule 2—and no doubt we will be asked to agree them shortly. These amendments deal with other aspects of that paragraph and relate to legal professional privilege. The paragraph, as amended, refers to the disclosure of data but disclosure is only one of the acts of processing. The Bar Council is concerned that we need to deal with processing more widely so as not to disrupt the activities of the court and to protect privilege, which is something we have debated on many occasions and which we all agree is not only important but a fundamental right for persons and organisations.
My Lords, if the noble Lord scours the GDPR, he may find that the term “data” is used with a plural verb. I wondered whether to put down amendments to that, but I thought that that was pushing it a bit far.
My Lords, I support Amendment 79. I offer as an example the national pupil database, which the Department for Education makes available. It is very widely used, principally to help improve education. In my case, I use it to provide information to parents via the Good Schools Guide; in many other cases it is used as part of understanding what is going on in schools, suggesting where the roots of problems might lie, and how to make education in this country better. That does not fall under “scientific or historical” and is a good example of why that phrase needs widening.
My Lords, the Committee may realise that there are sometimes occasions when none of us quite prepare for amendments and others where more than one of us does, but, as my noble friend knows, I rarely pass over an opportunity to say how offensive the phrase “hostile environment” is. Data protection should be a force for good in dealing with the way our society is going.
My noble friend has reminded the Committee of the provisions of paragraph 4. Over the last few years the state has extended the mechanisms for immigration control very significantly to letting of property, employment, bank accounts, driving and so on. We may be told that the various departments have memoranda of understanding between themselves with the Home Office to deal with all this, but that is an inadequate way of dealing with them. I do not think I will be the only one in the Chamber to think that. Home Office errors are reported embarrassingly frequently. The exemption covers so many rights: rights held by data subjects to access rectification and erasure, and the right to know who is processing data and why, including when data is obtained from a third party.
Liberty, with its usual energy, has provided us with 13 pages of briefing on this amendment. I do not propose to read them all to the Committee. No doubt the Government have read them and are prepared to respond, but I reserve the right to do so on Report if necessary. It reminds us of the work, if we needed reminding, of Lord Avebury, who said that the equivalent, very similar provision with which he was dealing was,
“in danger of being oppressive, deeply worrying to the immigrant community living among us, and one which is in grave danger of infringing the provisions”—[Official Report, 21/7/1983; cols. 1274-75]—
of the European Convention on Human Rights. The Minister will be relieved that I have not yet succeeded in emulating my late, much-missed noble friend to the extent I would like—I never will, but I will continue to try. His words are even more pertinent now, extending beyond the immigrant community to families and employers, to give two examples.
Like my noble friend, I would be interested to know examples and justifications for how the exemption might be applied. Presumably it would facilitate sharing between public services used by an individual, government departments and the Home Office to check the individual’s entitlement. The Government have said that they want to make the immigration system as “digital, flexible and frictionless” as possible. Initially that seems admirable, until one delves into issues such as this. Liberty asks whether the provision extends to activities such as running a night shelter or a food bank, which might well benefit undocumented migrants. Providing shelter and providing food could be construed as activities which undermine “effective immigration control”—to quote the Bill. Would a school have to provide a person’s address without their knowledge and without their even having committed an immigration offence? Underlying all this, what effect could such a provision have on migrants’ willingness to engage with public services?
Other noble Lords will probably have received a briefing from the Migrants’ Rights Network. It is about a legal challenge which it is starting against the NHS’s data sharing, but it is relevant here. The director of Migrants’ Rights Network said:
“We are gravely concerned that immigration enforcement is creeping into our public services, especially the NHS. And therefore, it is important to challenge this data-sharing agreement which violates patient confidentiality, and discriminates against those who are non-British”.
The lawyer acting for Migrants’ Rights Network says in the press release what I have heard from many workers in the field: that the data-sharing arrangement,
“is leaving migrants too scared to access healthcare services they are entitled to, for fear their address and other public information may be passed onto the Home Office. This could have a particularly negative effect on children, pregnant women, people with disabilities and victims of trafficking and abuse”.
It could have a severe effect on public health as well—we will debate all this when we deal with NHS charges in the regret Motion on Thursday.
The data subject will not know that data are transferred to the Home Office for immigration control purposes. The exemption seems to apply to immigrants and those connected with them, and those suspected of having an immigration offence in contemplation, thus turning them into an inferior class of citizen. It allows, or perhaps requires, data controllers, including the Home Office and its various arms, processing information for immigration purposes to ignore the principles on which the use of data is founded under the GDPR and the Bill and protection is applied.
I think that your Lordships might gather that we are very unhappy with this provision. It needs more justification than I think is capable of being provided, although we will of course wait and see.
My Lords, the Minister, who is not in his place at the moment, said earlier that he could not understand what I meant by repressive measures, but paragraph 4 of the schedule is exactly what I meant and it is why this amendment would remove it.
The inclusion of an immigration control exemption in the Bill is a brazen violation of the data protection and privacy rights of migrants—both documented and undocumented—and of their families and communities in the name of immigration control. In effect, it removes all the Home Office’s data protection obligations as they relate to its activities to control immigration, as well as those of any other agency processing personal data for the same purpose or sharing data with another agency processing it for that purpose.
As the noble Baroness, Lady Hamwee, mentioned, it is not the first time that the Government have tried to limit data protection rights on immigration control grounds. In 1983, Clause 28 of the then Data Protection Bill had an identical aim, setting out broad exemptions to data subjects’ rights on grounds of crime, national security and immigration control. The Data Protection Committee, then chaired by Sir Norman Lindop, said that the clause would be,
“a palpable fraud upon the public if … allowed to become law”,
because it allowed data acquired for one purpose to be processed for another; and here is another power grab by this Government.
Clause 28 was rightly removed from the 1983 Bill, but today we see it resurrected with even more breadth and even less definition of its objectives. No attempt whatever has been made to define the new objective: nowhere in the Bill or its Explanatory Notes are the notions of effective immigration control or the activities requiring its maintenance defined. I simply do not understand the colossal cheek this Government have to put something such as this into a Bill and then present it in this House—I can understand it going through the other place but certainly not here. It is virtually impossible to come up with an exhaustive list of all the activities that might be included under this, or of individuals who might be affected. The potential list, as, again, the noble Baroness, Lady Hamwee, pointed out, could go far beyond the immigrants themselves and could apply to almost anybody, including some in your Lordships’ House—at least, I hope that some in your Lordships’ House might be involved in shelters and food banks.
I urge the Government to think again. This is probably one of the really nasty bits that the Government have an option to take out, so I hope that they will listen to us.
My Lords, I thank all noble Lords who have taken part in the debate. There is clearly a lot of interest, as is evident from what has been said. I am also glad to be back opposite the noble Lord, Lord Kennedy of Southwark, as we have been on so many occasions, and I am sure we will be in the future. It is probably worth addressing some of the evident misunderstandings that have arisen around the purpose and the scope of this provision, and I hope to be able to persuade the Committee that this is a necessary and proportionate measure to protect the integrity of our immigration system.
The Government welcome the enhanced rights and protections for data subjects afforded by the GDPR and in negotiating, it was accepted by all parties that at times these rights needed to be qualified in the general public interest, whether that is to prevent and detect crime, safeguard legal professional privilege or journalists’ sources, or in this case maintain an effective system of immigration control. A number of articles of the GDPR therefore make express provision for such derogations, including article 23, which enables restrictions to be placed on certain rights of data subjects. Given the extension of data subjects’ rights under the GDPR, it is necessary that we include in the Bill an express targeted exemption in the immigration context. The exemption would apply to the processing of personal data by immigration officers and the Secretary of State for the purposes of maintaining effective immigration control or the detection and investigation of activities which would undermine the system of immigration control. It would also apply to other public authorities required or authorised to share information with the Secretary of State for either of those purposes.
It is important that it is clear to the Committee what paragraph 4 of Schedule 2 does not do. It emphatically does not set aside the whole of the GDPR for all processing of personal data for all immigration purposes. The opening words of paragraph 4 make it clear that only “the listed GDPR provisions” may be set aside. The listed GDPR provisions are those set out in paragraph 1 of Schedule 2. The provisions in question relate to various rights of data subjects as provided for in chapter 3 of the GDPR, such as the rights to information and to access to personal data, and to two of the data protection principles: those relating to fair and transparent processing and the purpose limitation. Except to that extent, all the data protection principles, including those relating to the lawfulness of processing, data minimisation, accuracy, storage limitation, and integrity and confidentiality will continue to apply. So too will all the obligations on data controllers and processors, all the safeguards around cross-border transfers and all the oversight and enforcement powers of the Information Commissioner. The latter is particularly relevant here as it is open to any data subject affected by the provisions in paragraph 4 of Schedule 2 to lodge a complaint with the Information Commissioner, which the commissioner is then obliged to investigate.
Moreover, paragraph 4 does not give the Home Office carte blanche to invoke the permitted exceptions as a matter of routine. The Bill is clear: the exceptions may be applied only to the extent that the application of the rights of data subjects or the two relevant data protection principles,
“would be likely to prejudice … the maintenance of effective immigration control, or … the investigation or detection of activities that would undermine the maintenance of effective immigration control”.
This is a significant and important qualification. The noble Lord, Lord Clement-Jones, asked why we have not listed exactly what we mean by,
“the maintenance of effective immigration control”.
The maintenance of that control does not merely encompass physical immigration controls at points of entry but, more generally, the arrangements made in connection with a person’s entry into and stay within the United Kingdom. A system of effective immigration control depends on our ability to control the entry and stay of those who wish to come to our country; to identify those who should not be admitted; and to pursue enforcement action against those who are liable to removal for failure to comply with restrictions and conditions on their stay, or otherwise in the public interest.
To use the example of the right conferred by article 15 of the GDPR, each subject access request would need to be considered on its own merits. We could not, for example, and would not want to limit the information given to visa applicants as to how their personal data will be processed as part of that application. Rather, the restrictions would bite only where there is a real likelihood of prejudice to immigration controls in disclosing the information concerned. It is equally important to dispel one other myth. Some of the briefing I have seen on this provision suggests that it creates new information-sharing gateways. This is simply not the case. As I have indicated, Schedule 2 sets out certain exceptions from the GDPR; it does not in and of itself create new powers to share data between data controllers. However, where personal data is shared between controllers for the limited immigration purposes specified in paragraph 4, it does mean that the data subject does not need to be notified if to do so would be prejudicial to the maintenance of effective immigration control.
It may assist the Committee if I explain the kind of information that it might be necessary to withhold from data subjects, and offer a couple of examples of the circumstances requested by the noble Baroness, Lady Hamwee, where to do so would be necessary to maintain the effectiveness of our immigration controls. The classes of information which the Home Office may need to withhold include a description of the data held, our data sources, the purposes for which the data was held, and details of the recipients to whom the data has been disclosed. There will be circumstances where the disclosure to data subjects of such information could afford them the opportunity to circumvent our immigration controls. Two examples will, I hope, help to illustrate where the disclosure of such information may have precisely the adverse effect.
First, in the case of a suspected overstayer, if we had to disclose in response to a subject access request what we are doing to track their whereabouts with a view to effecting administrative removal, it is clearly possible that they might then be able to evade enforcement action. A second example relates to circumstances where we seek to establish the legitimacy of a particular claim, such as an extension of leave to remain in the UK, and suspect that the claimant has provided false information to support that claim. In such a case, we may contact third parties to evidence the claim. If we are then obliged to inform the claimant that we are accessing records held by third parties, they may abscond and evade detection. Such procedures may then become common knowledge and further undermine our ability to maintain effective controls.
Immigration is, naturally, a very sensitive subject area and a topic of huge importance to the public, to the economic well-being of this country and to the social cohesion of our society. Being able to effectively control immigration is, therefore, in the words of the GDPR,
“an important objective of general public interest”.
As I have indicated, having a new data protection regime which seeks to give broader rights to data subjects is to be welcomed. But in an area as sensitive as the immigration system, we need to make appropriate use of the limited exemptions available to us so that we can continue to maintain effective control of that system in the wider public interest.
I hope that I have been able to satisfy noble Lords that this provision is necessary and proportionate. It is not the wholesale carve-out of subject access rights that some have suggested but a targeted provision wholly in line with the discretion afforded to member states by the GDPR, and it is vital to maintaining the integrity of the immigration system.
Having given this provision a good airing, I hope the noble Lord, Lord Clement-Jones, will feel happy to withdraw his amendment.
My Lords, there is a lot that demands careful reading and careful thought. I have three questions which I can raise now. First, in the examples which the Minister gave it struck us on these Benches that she was talking about things which are, in fact, criminal offences being dealt with under Part 3, which is the law enforcement part of the Bill.
Secondly, how is all this applied in practice? How does the controller know about the purposes? I am finding it quite difficult to envisage how this might work in real life. Thirdly, the Minister referred to the lawfulness of processing. I wonder whether this is not circular because paragraph 4, in disapplying listed provisions—by the way, I think those listed provisions include many which are very important indeed—makes it lawful, so I have a bit of a problem around that. Of course, I and others will carefully read what the Minister said, but I am sure we will want to return to this at the next stage.
My Lords, I felt entirely comfortable with my noble friend’s examples, but they do not fit with what the Home Office has been doing. What it has done with the national pupil database is not to ask targeted questions when it has a problem with an individual but to collect the whole lot so that it has the ability to trawl, look at, match and use the whole of the dataset. That is a much more dangerous thing because of the consequences it has for the integrity of the data and for the way in which the lawfulness of gathering it is questioned. It is that sort of practice that troubles me. I had not read this clause in the narrow way in which my noble friend described it. I will obviously go away and read it again carefully, but if she would add a letter to her noble friend’s letter enlarging on why this is a narrow provision and giving us comfort, that would be worth while for me.
(7 years ago)
Lords Chamber
I realise that, in rising to speak on this particular part of the Bill, I depart slightly from the purpose of the noble Lord, Lord Stevenson—but I thank him for raising the issue all the same.
Of course, we are dealing with the overview of the Bill. The noble Lord, Lord McNally, almost wrote my introduction. What has worried me for some considerable time, notwithstanding the Bill’s provisions that provide for data subject to error correction, is the manifest inclusion of data in the data processing function, which is broadly drawn—namely, the inclusion of information that is knowingly false or recklessly included in that process, and which can affect the life chances of individuals. We know of significant and high-profile circumstances in which false information has been included and has either affected a significant class of people or has seriously damaged the life prospects of individuals.
Given that the collection of data is part of the processing function, it seems to me that very little is being said about responsibility for those sorts of errors—in other words, the things that one could or should have realised were incorrect or where there was a disregard for the norms of checking information before it got into data systems. We heard at Second Reading how difficult it is to excise that information from the system once it has got in there and been round the virtual world of information technology.
Could the noble Lord, Lord Stevenson, or the Minister in replying, say whether there is anything apart from the Bill—I do not see it there at the moment—that enables there to be some sort of sanction, for want of a better word, against knowingly or recklessly including data that is false and which affects the life chances and prospects of individuals because it is capable of being identified with them and can be highly damaging? That is something that we may need to look at further down the line. If I am speaking in error, I shall stand corrected.
My Lords, I say to my noble friend Lord McNally that it is even worse having people say to you, “You’re a lawyer, you must understand this”, when too often you do not.
I have a question for the Minister. Am I right in thinking that the Charter of Fundamental Rights will apply to all member states after Brexit? Is it not the objective that we are on all fours with them as other users of data and, therefore, if there is no provision such as the ones that we have been debating contained in the Bill, how will that affect the adequacy arrangements?
My Lords, I want to say a couple of words about privacy. A very important basic point has been raised here. I am not going to argue with lawyers about whether this is the right way in which to do it, but the right to privacy is something about which people feel very strongly—and you will also find that the Open Rights Group and other people will be very vociferous and worry about it, as should all of us here. When we go out and do things on the internet, people can form some interesting conclusions just by what we chance to browse on out of interest, if they can record that and find it out. I became very aware of this, because I have been chairing a steering group that has been producing, along with the British Standards Institution, a publicly available specification, PAS 1296, on age verification. It is designed to help business and regulators to comply with Section 3 of the Digital Economy Act, which we passed just the other day, which is about protecting children online. The point is to put age verification at the front of every website that could be a problem. We want it to be anonymous, because it is not illegal for an adult to visit sites like that; if it was recorded for certain people in certain jobs, it could destroy their careers, so it must be anonymous. So a question arises about trying to put in the specification a right to privacy.
One thing that we have to be very careful about is not to interpret laws or regulations or tread on the toes of other standards. Therefore, when this Bill and the GDPR are passed, we must make sure that people processing any of that material ensure that any data is kept completely secure, or anonymised, or is anonymous in the first place. Websites, first of all, should not know the identity of a temporary visitor when they get verified—there are ways of doing that—so that there are rights to privacy. The thing about the right to privacy is that it is a right that you, the individual, should have. The GDPR and this Bill are about how you process data; in other words, it is about what you do with the data when you have it. The legislation builds in lots of safeguards, but there is nothing that says, when you decide what data to keep or whatever it is, that people should have a right to know that it will not be revealed to the general world.
The question is where we should put it in. People used to think that Article 8 of the European Convention on Human Rights covered them, but I realised just now that it covers only your relationship with Governments. What about your relationship with other corporates, other individuals or ordinary websites? It should cover everybody. So there is an issue here that we should think about. How do we protect ourselves as individuals, and is this the right place to do it? I think that this is probably the only place where we can put something in—but I leave that to the very bright lawyers such as the noble Lord, Lord Pannick, to think about.