Data Protection Bill [HL] Debate
Full Debate: Read Full DebateBaroness Neville-Rolfe
Main Page: Baroness Neville-Rolfe (Conservative - Life peer)Department Debates - View all Baroness Neville-Rolfe's debates with the Department for Digital, Culture, Media & Sport
(6 years, 10 months ago)
Lords ChamberMy Lords, we have had something of a break, so perhaps I should remind the House what lies behind my Amendments 106, 125 and 127. It is the wish to reduce, as far as possible, the burden that the GDPR and the Bill will place especially on small entities—notably, small businesses, small charities and parish councils. I might add that it behoves us to stand back from time to time and recognise the burdens we all too often impose on people and businesses. This is very often for good reasons, but it can seem overwhelming for those at the receiving end, and it is important to minimise the burden where we can legitimately do so.
I also place on record my thanks to the Minister for a helpful meeting about my concerns. Against this background, Amendment 106 would place a duty on the Information Commissioner to support such small entities in meeting their obligations under the GDPR and the Bill. It gives examples of how this should be done, including compliance advice and zero or discounted fees. This is important both practically and as a manifestation of how the state expects the commissioner to approach her duties. We should always remember that data protection will sound forbidding to some small organisations.
Furthermore, parish councils are fearful that they could face new costs of up to £20 million in total on one reasonable interpretation of the present text. They have been advised that an existing officer of a council could not act as a DPO because they are not independent. My noble friend Lord Marlesford mentioned this issue at Questions in December but, happily, I believe the Government take a different view, and it would be helpful to hear that on the record from my noble friend.
On the same lines, Amendment 125 would require the Secretary of State to consider fixing charges levied on small entities by the commissioner at a discounted or zero level. We need to find a way to avoid the imposition of significant costs for small entities into the future as cost recovery escalates in the administration of data protection.
Amendment 127 goes a little further. It would require the commissioner to have regard to economic factors in conducting her business. This is a fundamental point. The commissioner’s remit contains elements which are similar to those of a judge and focuses predominantly on individual rights and protections. But the analogy is imperfect. Judges must go where justice takes them. The commissioner’s role is different in important respects, and economic factors ought to hold a high place in her consideration. This is important for UK competitiveness and for continued growth and innovation, which is also of benefit to business, citizens and data science—and, indeed, UK plc.
The amendment seeks to ensure that the commissioner concentrates on this economic angle by reference to the commissioner’s annual report. The noble Lord, Lord Stevenson, may remember that we introduced a special reporting requirement into intellectual property legislation which helped to ensure the right culture in that increasingly important area.
I should add that I am grateful to my noble friend Lord Arbuthnot and to the noble Lord, Lord Stevenson, for their involvement, and I am hopeful that the Minister will be able to meet the concerns I have outlined in my three amendments in a sympathetic and practical way.
My Lords, I rise briefly to support the noble Baroness, Lady Neville-Rolfe, in her amendment. She made a very good case. Current fee proposals really are very flawed. Clause 132, “Charges payable to the Commissioner by controllers”, states:
“The Secretary of State may by regulations require controllers to pay charges of an amount specified in the regulations to the Commissioner”.
That, compared to the existing regime of registration, seems far more arbitrary and far less certain in the way it will provide the resources that the Minister, in a very welcome fashion, pledged to the noble Lord, Lord Puttnam. It is far from clear on what basis those fees will be payable. Registration is a much sounder basis on which to levy fees by the Information Commissioner, as it was from the 1998 Act onwards.
I wish to be very brief; this has already been brought up. The Minister prayed in aid the fact that there are already some 400,000 data controllers and it was already getting out of hand. If the department—indeed, if the ICO—is going to be in contact with all those it believes to hold data as data controllers, it will have to have some kind of records. If that is not registration, I do not know what is. The department has not really thought through what the future will be, or how the Information Commissioner will secure the resources she needs. I hope that there is still time for the Minister to rethink the approach to the levying of future tariffs.
Exactly, so my point, which I was coming to but which the noble Lord has very carefully made for me, is that, in doing this, the Information Commissioner will obviously keep a list of the names and addresses of those people who have paid the charge. The noble Lord may even want to call that a register. The difference is, unlike the previous register, it will not have all the details included in the previous one. That was fine in 1998, and had some benefit, but the Information Commissioner finds it extremely time-consuming to maintain this. In addition, as regards the information required in the existing register, under the GDPR that now has to be notified to the data subjects anyway. Therefore, if the noble Lord wants to think of this list of people who have paid the charge as a register, he may feel happier.
I have talked about the penalty sanction. When the noble Lord interrupted me, I was just about to say—I will repeat it—that the commissioner will maintain a database of those who have paid the new charge, and will use the charge income to fund her operation. So what has changed? The main change is that the same benefits of the old scheme are achieved with less burden on business and less unnecessary administration for the commissioner. The current scheme is cumbersome, demanding lots of information from the data processors and controllers, and for the commissioner, and it demands regular updates. It had a place in 1998 and was introduced then to support the proper implementation of data protection law in the UK. However, in the past two decades, the use of data in our society has changed dramatically. In our digital age, in which an ever-increasing amount of data is being processed, data controllers find this process unwieldy. It takes longer and longer to complete the forms and updates are needed more and more often, and the commissioner herself tells us that she has limited use for this information.
My hope is that Amendment 107A is born out of a feeling shared by many, which is to a certain extent one of confusion. I hope that with this explanation the situation is now clearer. When we lay the charges regulations shortly, it will, I hope, become clearer still. The amendment would simply create unnecessary red tape and may even be incompatible with the GDPR as it would institute a register which is not required by the GDPR. I am sure that cannot be the noble Lord’s intention. For all those reasons, I hope he will withdraw the amendment.
I thank the Minister for going into the issues in such detail, and for the support that is now being offered by the ICO through the transition. We have heard about the helpline, the websites, and new guidance—not only for parish councils, which I regard as a major breakthrough, but for small business and schools. That is all very good news. There will be a charge but it will be modulated, as I understand it, in a way to be decided and brought before the House in an order. I think the Minister understands the wish of this House not to load lots of costs on smaller businesses as a result of this important legislation, which we all know is necessary for a post-Brexit world.
My only concern related to the Minister’s comments on what we might put into the report, because he rightly said that the Information Commissioner had to be independent, which I totally agree with. Equally, I thought that without undermining her independence, it was possible to ask her to report on economic matters and, for example, on how business learns about data protection and how that is going. I do not know whether he is able to confirm that today, but he made a point about independence and it was not clear whether it would be possible to put something into the reporting system.
We are keen that the Information Commissioner be independent and is seen to be independent, and I know that the commissioner herself is aware of that. I cannot commit to anything today, but I will certainly take back my noble friend’s question and see what can be done while maintaining the Information Commissioner’s independence.
On that basis, I am happy to beg leave to withdraw my amendment.