Online Gambling
Lord Ashton of Hyde Excerpts(7 years ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I am grateful to all noble Lords who have taken part in this informed and very interesting, although somewhat alarming, debate. I particularly thank the noble Lord, Lord Browne, for securing it and for sharing his thoughts with me beforehand. I am also pleased that the A-team on the Data Protection Bill, which has already been mentioned by the noble Lord, Lord Griffiths, is in place.
The issue here—in a sense, the dilemma—is that for millions of people gambling is an enjoyable leisure activity with no harmful consequences. Sixty-three per cent of adults gambled in one form or another in the last year. However, the Gambling Act makes it clear that gambling is subject to the licensing objectives set out by the Gambling Commission, including the protection of young and vulnerable people from gambling-related harm. Headline rates of problem gambling have remained relatively low over time, at below 1% of the adult population. As noble Lords have mentioned, the latest statistics found that 0.8% of the adult population—some 430,000 people—were classified as problem gamblers in 2015, but a further 2 million people were identified as being at risk of problem gambling.
I do of course realise, and the noble Lord, Lord Morrow, reminded us, that, in addition to those headline numbers, there may be severe consequences for families. I generally agree with the many statistics that have been mentioned in this debate—too many to come back on. The basic fact is that online gambling is big and growing, and 5% of those online gamblers are problem gamblers. The Government are clear that more must be done to protect people from harm, and on 31 October we published a consultation on proposals for changes to gaming machines and social responsibility measures across the gambling industry. The consultation sets out a package of measures to improve player protection for the online sector, including strengthening existing protections and outlining further measures relating to gambling advertising to minimise the risk to the most vulnerable.
Although online gambling is widely accessible and available 24 hours a day, it also has unique characteristics that provide opportunities to protect players. For example, all online gambling is account based, unlike land-based gambling where customers can often gamble anonymously. That means that online operators can know exactly who their customers are, what they are spending their money on and their patterns of gambling behaviour. We have seen some progress in this area with a number of operators adopting the use of behavioural analytics and algorithms to detect problem gambling on their websites. Recent research has found—this might address some of the identity issues raised by the noble Lord, Lord Trevethin and Oaksey—that operators are able to detect problem gambling using the data they collect from customers today.
While that is encouraging, the Government have made it clear that industry must act on the findings of the research to date and trial a range of harm-minimisation measures to strengthen player protection. We want to see the industry evaluate the action it takes and share best practice. In addition, the industry must continue to engage in GambleAware’s research and commit to implement the findings of this ongoing work. The next phase of the research aims to provide a best-practice model that can be used by online gambling companies in their responsible gambling operations, including recommended interventions which have been evaluated for their effectiveness to reduce the risk of harm.
In the light of those issues, what is the Gambling Commission doing? The Gambling Commission is monitoring this area closely and is encouraging operators to increase action to identify harmful play, design and pilot better interventions and put in place measures that work. The commission has already concluded that it will need to consult on changes to the licence conditions and codes of practice next year in order to raise standards in this area. The commission will also issue guidance to the industry setting out expectations in relation to operator interactions with customers.
I turn now to the issue of self-exclusion—an important tool for those who recognise that they have a problem with gambling and a vital means of protecting consumers from harm. All operators must offer self-exclusion to customers on their request, and more than 800,000 online self-exclusions were reported last year. However, as the average player has more than one account, that does not necessarily translate to 800,000 people. The Government understand just how important it is for recovering problem gamblers to be able to self-exclude from all licensed online gambling platforms in one step. A new multi-operator self-exclusion scheme for online gambling, called GAMSTOP, will be launched in spring next year. A range of stakeholders, including GambleAware and GamCare, have provided advice during development of the scheme. I am aware that the proposals for such a scheme were debated by noble Lords during the passage of the Gambling (Licensing and Advertising) Act 2014 and I pay tribute to the noble Lord, Lord Browne, who was a vocal champion of such a scheme back then and has remained a leading advocate for it since.
The new scheme will allow customers to self-exclude from all online licensed operators in a single step. The website will also set out other measures that are available to help people manage their gambling and will signpost specialist advice and support services. It will significantly strengthen the self-exclusion arrangements available for online gamblers and provide improved protection for those customers who have previously self-excluded from individual gambling websites, only to open an account with other operators. As the noble Lord, Lord Browne, asked, we want to see the industry promote awareness of the scheme and do more to increase its take-up along with other responsible gambling tools such as time-outs and deposit limits which are available. These are in the consultation that we have just published.
The noble Lord, Lord Griffiths, asked why this has taken so long. I share the noble Lord’s frustration, and I would have liked to have seen the scheme in operation sooner. Indeed, we called for the gambling consultation and review for implementation of the scheme to be completed at the earliest opportunity. The truth of the matter is that there have been a number of complex issues to consider which I will not bore noble Lords with, but it is absolutely vital that when GAMSTOP is launched, it actually meets its objectives and can ensure that customers who register with it are prevented from gambling online with licensed operators. It is an industry scheme, but the Gambling Commission is working closely with the industry on its development to ensure that it is robust and effective, again a point made by the noble Lord, Lord Browne. Certain technical barriers have had to be overcome, not least in relation to data protection. The system must be capable of dealing with millions of checks being made by operators every day in real time. It must provide a service to consumers that is effective and easy to use, and therefore while the delay is frustrating, it is important that it is robust and will work across all licensed operators. However—in reply to the noble Lord, Lord Griffiths—we expect it to be up and running by March 2018.
While self-exclusion is a useful tool, it is often the case that an individual who chooses to self-exclude may do so as the result of having suffered harm in relation to their gambling. The Government are clear that operators must act quickly to improve approaches to identifying problem gambling on their platforms and interacting with their customers to protect vulnerable people before serious harm occurs.
I turn now to the points raised by my noble friend Lord Chadlington. Where gambling operators have used children’s characters to front games, the Gambling Commission and the Advertising Standards Authority have written to them to make it crystal clear that they are in breach of advertising rules that prohibit gambling marketing material aimed at children. My noble friend also raised the question of independent research and transparency, as did the noble Lord, Lord Foster. We agree that this is an essential tool in building an evidence base and enhancing our understanding of gambling-related harm. GambleAware is an independent charity with an independent chair, and the majority of its board members are from outside the betting industry. We want to see the industry continue to fund GambleAware and others in this important work, as they do research, education and treatment for problem gamblers. We welcome the additional funding of £5 million to £7 million a year for the next two years that the industry is to invest to support a responsible gambling advertising campaign. This is a large sum in advertising terms which compares well with major national health campaigns.
If the current arrangements fall short, the Government will consider alternative options, including the introduction of a mandatory levy. But it is worth reminding ourselves that the current funding target to meet the needs of research, education and treatment, set by the Responsible Gambling Strategy Board, has been suggested to be around £10 million by 2018-19. This target is being actively pursued by GambleAware, but as and when funding targets change, the voluntary system must gear up to meet that need. I repeat: the consultation made it clear that the Government will consider alternative options, including a mandatory levy, if current arrangements fall short.
Let me address some of the points made by noble Lords in their speeches. As far as the two-tiered approach to self-exclusion is concerned—mentioned by, among others, the noble Lords, Lord Browne and Lord Alton, and the noble Baroness, Lady Howe—we want to see the industry build on the existing protections. Some consumers may wish to self-exclude from certain individual products and not the entire online sector, but we want to encourage self-exclusion. Websites are required to set out clearly the gambling management tools available, including self-exclusion. The important thing to remember is that self-exclusion is only part of the problem. Lots of problem gamblers do not self-exclude, so we must deal with the harms caused to others with perhaps worse problems than those who are prepared and self-aware enough to self-exclude.
The noble Lord, Lord Foster, mentioned FOBTs in the consultation, as did others. I can confirm that we are considering potentially going down to as low as £2 for the stake, and are consulting on that specific issue. We have asked the Gambling Commission for more information about how better tracking and monitoring of play on FOBTs can help with interventions to protect players and whether spin speeds on games such as roulette should be looked at.
The noble Lord, Lord Griffiths, asked about how the consultation is going and whether clarity is emerging. The consultation is ongoing and clarity may well emerge from it but we will not be certain until January next year. He also asked when we will produce our results, and he will not be surprised to hear that we will do that in due course. The noble Lord, Lord Morrow, talked about the problem of gambling in Northern Ireland. It is a bit difficult for me to address the issue here as it is a devolved matter for Northern Ireland.
The noble Baroness, Lady Benjamin, talked about children and what we have done to protect them online, and, more importantly, the issue of what we might do to protect them online and whether we will legislate. Under the Gambling Act, the Gambling Commission has broad powers to place new licensing requirements on operators and respond to the pace of change in the online gambling market. In addition, the Gambling Commission has powers to suspend or revoke a licence, impose financial penalties or take criminal action where there is a failure to prevent underage gambling. However, we are not complacent, which is why the Gambling Commission and the Responsible Gambling Strategy Board are currently examining the relationship between children and gambling to determine whether further action is necessary. We expect the gambling industry to play its part in protecting children online, in line with the Government’s internet safety strategy. We will keep the issue firmly under review, acting accordingly where necessary. As for her questions on age verification, children and free games, all licensed operators must have robust policies to prevent underage gambling. Where age verification is not satisfactorily completed within 72 hours, the operator must return any money that the customer has paid into their account and not pay out any winnings.
The noble Lords, Lord Trevethin and Oaksey and Lord Foster of Bath, asked why operators cannot exclude for life. Data protection rules regarding data retention prevent GAMSTOP from technically offering an indefinite self-exclusion option. However, procedures will be in place to notify self-excluders in these circumstances and give them the opportunity to renew their self-exclusions. The noble Lords asked what would happen if there was non-compliance of operators. It will be a licence condition that all operators sign up to GAMSTOP and the normal penalties will therefore apply, including losing their licence.
The noble Lord, Lord Wigley, mentioned the academic paper on gambling-related harm. He was right to point out that harm goes beyond that of the problem gambler—a point which I made at the beginning and was made also in our consultation. In that regard, I welcome the work that the Gambling Commission, the Responsible Gambling Strategy Board and GambleAware are doing better to understand and measure the extent of this issue, which we agree is very important.
My noble friend Lord Smith of Hindhead asked why we are allowing operators to use affiliates and tipsters to harvest data and target the vulnerable. All gambling operators must have a licence from the Gambling Commission to operate and are held responsible for the actions and behaviours of their affiliates. The commission published advice earlier this year on ensuring that direct marketing is not sent to those who have self-excluded from gambling. Operators and affiliates must comply with the requirements of the privacy and electronic communications regulations and the Data Protection Act, and the ICO may take enforcement action if there is evidence of a breach. The Advertising Standards Authority also has the power to take action if it were to receive evidence of irresponsible targeting.
The noble Baroness, Lady Howe, asked about financial transaction blocking. The Gambling Commission has had great success working with payment providers to prevent unlicensed websites accessing the British market. Payment providers work proactively to stop payments to and from unlicensed websites, which means that the true number of websites effectively blocked may be higher than the figures held by the commission, but I would certainly be happy to write to the noble Baroness with the latest figures held by the Gambling Commission.
I am coming to the end of my time. I will certainly write to other noble Lords, because there are several questions that I have not answered—I think that about 48 questions were asked during the debate. I will read what the noble Lord, Lord Alton, said and write to him on it.
This has been an informative and interesting debate. I thank again the noble Lord, Lord Browne, for bringing it and allowing us to discuss these important issues. We have seen significant changes to the market since the implementation of the Gambling Act, as well as to public perceptions of gambling and to our understanding of harm across the gambling landscape. Our objective in engaging in the gambling review is to strike the right balance between socially responsible growth and the protection of consumers and the communities in which they live. We have listened to what has been said today. I will take noble Lords’ speeches back to the department. I encourage all noble Lords who have a view on these matters to respond to the consultation, which they have until January to do.
Lord Browne of Belmont
My Lords, I am extremely grateful to everyone, including the Minister, who has taken part in today’s debate. It has been an excellent debate, with support right across the House. I do not think that anyone could have failed to be moved by all the contributions. I find myself at the conclusion with a strong sense that, to coin a phrase, something must be done.
I am grateful to the Minister for setting out what has been done, but the Government should not underestimate the level of public concern and I hope they will mediate on the political significance of the recent evidence from the Gambling Commission. Public faith in gambling has fallen dramatically in the past nine years. While I certainly did not hear complacency in the Minister’s response, I am not totally convinced that the Government are fully seized of the importance of this issue.
There is a mismatch between the significant technological possibilities for enhancing online gambling and the current proposals in the DCMS consultation. I very much hope that the Minister and the Secretary of State will take away all the excellent proposals that have been made in today’s debate and use them in the current consultation process. I hope that they will accept that while the current consultation proposals for online gambling are good as far as they go, they need to go further. I hope that when they respond to the consultation they make clear their determination not to allow multiple individual self-exclusion mechanisms to continue to exist but mandate their replacement with GAMSTOP. I hope that they will prohibit the marketing of gambling games to children and, even more importantly, prevent children’s access to such games through age verification. I hope that they will introduce a statutory level of at least 0.8% and that they will end the lending of money for gambling through credit cards. I hope that they will look at prohibiting online betting between midnight and 6 am.
I have listened very carefully to the Minister, but I do not think he responded to my specific request for a meeting with himself, GAMSTOP, the Gambling Commission and problem gamblers.
Lord Ashton of Hyde
I am very happy to take that request back to the department and put it before the Minister responsible for gambling.
Lord Browne of Belmont
I welcome that. Finally, I think there is a lot more work to be done. As we do it, we should not forget Joshua Jones, Omair Abbas, Adam Billing and, back home, Lewis Keogh, and their families. We should seek to build a public policy framework that means that their suffering will not be repeated by others.
Data Protection Bill [HL]
Lord Ashton of Hyde ExcerptsWednesday 22nd November 2017
(7 years ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Lord Ashton of Hyde
( ) has failed to comply with an information notice, an assessment notice or an enforcement notice,”
Lord Ashton of Hyde
Lord Ashton of Hyde
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I am grateful to all noble Lords who have spoken on this very important clause. I agree very much with the noble Lords, Lord Clement-Jones and Lord Stevenson, that these are important issues which we need to consider. The amendments seek to amend Clause 162, which introduces the offence of re-identifying data that has been de-identified. I will start by giving some background to this clause because, as noble Lords have mentioned, this is new to data protection legislation.
Pseudonymisation of datasets is increasingly commonplace in many organisations, both large and small. This is a very welcome development: where sensitive personal data is being processed in computerised files, it is important that people know that data controllers are taking cybersecurity seriously and that their records are kept confidential. Article 32 of the GDPR actively encourages controllers to implement technical and organisational measures to ensure an appropriate level of security, including, for example, through the pseudonymisation and encryption of personal data.
As noble Lords will be aware, the rapid advancement of technology has opened many doors for innovation in these sectors. However, as we continue to be able to do more with technology, the risk of its misuse also grows. Online data hackers and scammers are a much more prominent and substantial threat than was posed in 1998, when the original Data Protection Act was passed. It is appropriate, therefore, that the Bill addresses the contemporary challenges posed by today’s digital world. This clause responds to concerns raised by the National Data Guardian for Health and Care and other stakeholders regarding the security of data kept in online files, and is particularly timely following the well-documented cyberattacks on public and private businesses over the last few years.
It is important to note that the Bill recognises that there might be legitimate reasons for re-identifying data without the consent of the controller who encrypted it. The clause includes a certain number of defences, as my noble friend Lady Neville-Rolfe mentioned. These can be relied on in certain circumstances, such as where re-identification is necessary for the purpose of preventing or detecting crime, to comply with a legal obligation or is otherwise necessary in the public interest. I am aware that some academic circles, including Imperial College London, have raised concerns that this clause will prohibit researchers testing the robustness of data security systems. However, I can confidently reassure noble Lords that, if such research is carried out with the consent of the controller or the data subjects, no offence is committed. Even if the research is for legitimate purposes but carried out without the consent of the controller who de-identified the data in the first place, as long as researchers act quickly and responsibly to notify the controller, or the Information Commissioner, of the breach, they will be able to rely on the public interest defences in Clause 162. Finally, it is only an offence to knowingly or recklessly re-identify data, not to accidentally re-identify it. Clause 162(1) is clear on that point.
I turn to the specific amendments that have been tabled in this group. Amendment 170CA seeks to change the wording in line 3 from “de-identified” to “anonymised”. The current clause provides a definition of de-identification which draws upon the definition of “pseudonymisation” in article 4 of the GDPR. We see no obvious benefit in switching to “anonymised”. Indeed, it may be actively more confusing, given that recital 26 appears to use the term “anonymous information” to refer to information that cannot be re-identified, whereas here we are talking about data that can be—and, indeed, has been—re-identified.
Amendment 170CB seeks to provide an exemption for re-identification for the purpose of demonstrating how the personal data can be re-identified or is vulnerable to attacks. The Bill currently provides a defence for re-identification where the activity was consented to, was necessary for the purpose of preventing or detecting crime, was justified as being in the public interest, or where the person charged reasonably believes the activity was, or would have been, consented to. So long as those re-identifying datasets can prove that their actions satisfy any of these conditions, they will not be guilty of an offence. In addition, we need to be careful here not to create defences so wide that they become open to abuse.
Amendment 170CC seeks to add to the definition of what constitutes re-identification. I agree with the noble Lord that current techniques for re-identification involve linking datasets. However, we risk making the offence too prescriptive if we start defining exactly how re-identification will occur. As noble Lords, including the noble Lord, Lord Clement-Jones, mentioned, as technology evolves and offenders find new ways to re-identify personal data, we want the offence to keep pace.
Amendment 170E seeks to add an extra defence for persons who achieve approval for re-identifying de-identified personal data after the re-identification has taken place. The current clause provides a defence where a person acted in the reasonable belief that they would have had the consent of the controller or the data subject had they known about the circumstances of the re-identification. Retroactive approval for the re-identification could be relied on as evidence in support of that defence, so we believe that there is no need to provide a separate defence for retroactive consent.
Lord Clement-Jones
My Lords, I think that the noble Lord is misreading the amendment. As I read my own amendment, I thought it was substitutional.
Lord Ashton of Hyde
If we are talking about Amendment 170E, I am certainly prepared to look at that and address it.
Lord Clement-Jones
That may have been the original intention, but perhaps it was never put properly into effect.
Lord Ashton of Hyde
In which case, I will read Hansard, the noble Lord can do so and I am sure we will come to an arrangement. We can talk about that, if necessary.
Amendment 170F seeks to require the commissioner to produce a code of practice for the re-identification offence three months after Royal Assent. We can certainly explore with the commissioner what guidance is planned for this area and I would be happy to provide noble Lords with an update on that in due course. However, I would not like to tie the commissioner to providing guidance by a specific date on the face of the Bill. It is also worth mentioning here that, as we discussed on a previous day in Committee, the Secretary of State may by regulation require the commissioner to prepare additional codes of practice for the processing of personal data under Clause 124 and, given the issues that have been raised, we can certainly bear those powers in mind.
Finally, Amendments 170G and 170H would oblige the commissioner to set standards by which the controller is required to anonymise personal data and criminalise organisations which do not comply. I reassure noble Lords that much of this work is under way already and that the Information Commissioner’s Office has been working closely with government, data controllers and the National Cyber Security Centre to raise awareness about improving cybersecurity, including through the use of pseudonymisation of personal data.
It is important to point out that there is no weakening of the provisions contained in article 5 of the GDPR, which require organisations to ensure appropriate security of personal data. Failure to do so can, and will, be addressed by the Information Commissioner, including through the use of administrative penalties. Some have said that criminalising malicious re-identification would create complacency among data controllers. However, they still have every incentive to maintain security of their data. Theft is a criminal offence but I still lock my door at night. In addition, I am not convinced by the mechanism the noble Lord has chosen. In particular, criminalising failure to rely on guidance would risk uncertainty and unfairness, particularly if the guidance was wrong in law in any respect.
I accept that the issues noble Lords have raised are important but I hope that, in view of these reassurances, the amendment will be withdrawn, and that the House will accept that Clause 162 should stand part of the Bill. There are reasons for wanting to bring in this measure, and I can summarise them. These were recommendations in the review of data security, consent and opt-outs by the National Data Guardian, who called for the Government to introduce stronger sanctions to protect de-identified patient data. People are generally more willing to participate in medical research projects if they know that their data will be pseudonymised and held securely, and the Wellcome Trust, for example, is supportive of the clause. I hope that those reassurances will allow the noble Lord to withdraw his amendment and enable the clause to stand part of the Bill.
Lord Stevenson of Balmacara
I thank the noble Baroness, Lady Neville-Rolfe, and welcome her to her first full session. I am glad that we have been able to reorganise our timings so that she has been able to attend and contribute—something that we have missed until now. I also thank the noble Lords, Lord Lucas and Lord Clement-Jones, for their comments and support for this series of amendments.
There is a whiff of Gilbert and Sullivan about this. We are talking about a technology that has not yet settled down, and about protections which I do not in any way say are wrong. The technology is still developing and still uncertain, and we are told by experts that what the Bill is trying to do cannot happen anyway. The amendments offer the Government the chance to think again about the need to find a progressive path. We set out on what is often a voluntary basis, under the Government’s approach, with a code that works. People are brought in and consulted, and eventually the crime to be committed is defined—until we have that, we really do not have anything—and we try to be respectful of the fact that people would move out of the sector if they felt that their work would be attacked because it was illegal.
I am grateful to the noble Lord for listening to the debates. I hope that we can have a meeting about this to pick up some of the points and take the matter forward from there. I beg leave to withdraw the amendment.
Baroness Neville-Rolfe
My Lords, I simply wish to associate myself with the comments of the noble Lord, Lord Stevenson, and say that a meeting on this would be helpful. As I said, I hope that we can find a solution. If we cannot, I have reservations about this measure being part of the Bill.
Lord Ashton of Hyde
I make it plain to my noble friend—my predecessor in this position—that I will arrange a meeting.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lord, Lord Kennedy, for turning the Committee’s attention to the provisions in Clause 163. The clause makes it a criminal offence for a data controller, or somebody employed by the controller, to deliberately frustrate a subject access request by altering, defacing or destroying information that a person would have been entitled to receive.
This offence is not new. A similar offence was provided for in Section 77 of the Freedom of Information Act 2000. The only difference between the offence in Clause 163 and the offence in the Act is that the latter was limited to the handling of subject access requests by public authorities and their employees and agents, whereas Clause 163 extends this to apply to all controllers.
The noble Lord’s amendment would make it clear that the offence applies where a data subject requests personal data about them contained in a review about workers written by a third party. I am grateful to the noble Lord for explaining the background to the amendment; nevertheless, I submit that it is unnecessary. Article 15 of the GDPR makes it clear that the data subject has the right to obtain from the controller confirmation as to whether data about him or her is being processed, as well as access to that data. Whether a report about the data subject was compiled by a third party or processor acting on the controller’s behalf is irrelevant, as it still amounts to personal data held by the controller.
It is always unacceptable for any controller to destroy or deface personal data with the sole intention of preventing somebody accessing what they were entitled to. That is precisely why Clause 163 creates a criminal offence targeted on that particular activity.
I hope that I have addressed the noble Lord’s concerns. If I have not, of course I will be more than happy to discuss them with him later. Therefore, I hope that he will be able to withdraw the amendment.
Lord Kennedy of Southwark
I thank the noble Lord for his response. He has not really addressed the point that I was making, so I will be very happy to have a discussion outside the Chamber. This is a real problem that is happening now and I am not convinced that what we have in the Bill will be enough to deal with it. It may well be that my amendment is not in the right place, but there is an issue with people not easily accessing data that is held on them, particularly for the self-employed and others seeking work through various platforms.
Lord Ashton of Hyde
If we have misunderstood the noble Lord’s intention behind the amendment, I apologise. As I said, we will be happy to discuss it with him.
Lord Kennedy of Southwark
I do not think that the noble Lord misunderstood; it is just that there are several issues around the gig economy that we need to look at, and I shall be happy to discuss them outside the Chamber. I beg leave to withdraw the amendment.
Lord Ashton of Hyde
Lord Ashton of Hyde
(a) proceedings under section 158 (including proceedings on an application under Article 79 of the GDPR), or(b) proceedings under Article 82 of the GDPR or section 160 .”
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
My Lords, I am grateful to all noble Lords who have contributed—in particular my noble friend Lord Lucas, who was even briefer than the noble Lord, Lord Clement-Jones. He made his point very succinctly and well.
With the greatest respect to the noble Lords, Lord Stevenson and Lord Clement-Jones—and I do mean that sincerely—during the passage of the 443 amendments in Committee that we are rapidly approaching the end of, we have listened carefully to each other, but in this case I am afraid that we reject Amendments 184 and 185 as being unnecessary. We believe that they are not required because the Bill already provides sufficient recourse for data subjects by allowing them to give consent to a non-profit organisation to represent their interests.
Clause 173, in conjunction with article 80(1) of the GDPR, provides data subjects with the right to authorise a non-profit organisation which has statutory objectives in the public interest and which is active in the field of data protection to exercise the rights described in Clauses 156 to 160 of the Bill. Taken together with existing provision for collective redress, and the ability of individuals and organisations to independently complain to the Information Commissioner where they have concerns, groups of like-minded data subjects will have a variety of redress mechanisms from which to choose. It is not true that when we have large numbers of data subjects they are unable, or too ignorant of their rights, to combine. For example, it is worth noting that more than 5,000 data subjects have brought one such action which is currently proceeding through the courts.
Furthermore, we would argue that the amendment is premature. If we were to make provision for article 80(2), it would be imperative to analyse the effectiveness not only of Clause 173 and article 80(1) of the GDPR but of other similar provisions in UK law to ensure that they are operating in the interests of data subjects and not third parties. We would also need to assess, for example, how effective the existing law has been in dealing with issues such as aggregate damages, which cases brought under article 80(2) might be subject to.
More generally, the Bill seeks to empower data subjects and ensure that they receive the information they need to enforce their own rights, with assistance from non-profit organisations if they wish. The solution to a perceived lack of data subject engagement cannot be to cut them out of the enforcement process as well. Indeed, there is a real irony here. Let us consider briefly a claim against a controller who should have sought, but failed to get, proper consent for their processing. Are noble Lords really suggesting that an unrelated third party should be able to enforce a claim for not having sought consent without first seeking that same consent?
We should also remember that these not-for-profit organisations are active in the field of data subjects’ rights; indeed, the GDPR states that they have to be. While many—the noble Lord, Lord Clement-Jones, mentioned Which?—will no doubt have data subjects’ true interests at heart and will be acting in those best interests, others will have a professional interest in achieving a different outcome: raising their own profile, for example.
I know that these amendments are well intentioned and I do have some sympathy with the ambition of facilitating greater private enforcement to complement the work of the Information Commissioner. But, for the reasons I have set out, I am not convinced that they are the right solution to the problems identified by noble Lords, and I therefore urge the noble Lord to withdraw his amendment.
Lord Clement-Jones
My Lords, I am baffled by the Minister’s response. The Government have taken on board huge swathes of the GDPR; in fact, they extol the virtues of the GDPR, which is coming into effect, as are many of its articles. Yet they are baulking at a very clear statement in article 80(2), which could not be clearer. Their prevarication is extravagant.
Lord Ashton of Hyde
The noble Lord will admit that the GDPR allows member states to do that; otherwise, it would have been made compulsory in the GDPR. The derogations are there to allow member states to decide whether or not to do it.
To summarise, we have chosen not to adopt article 80(2) because the Bill is based on the premise of getting consent—but these amendments are saying that, regardless of what the data subject wants or whether they have given consent, other organisations should be able to act on their behalf without their consent. That is the Government’s position and I hope that noble Lords will feel able not to press their amendments.
Lord Stevenson of Balmacara
I thank the Minister for his honesty and transparency—but not for the content. Like the noble Lord, Lord Clement-Jones, I find this very odd. Is it not true that when early consultations on the Bill were carried out, the consultation included the possibility that article 80(2) would be implemented—in other words, that the derogation would be accepted—and responses were gathered on that basis? That is what we were told by some of those who were consulted. Therefore, the Government must have had a formal change of mind, either based on their own whim or because they received substantial contributions from very important people who felt that these things should not go forward. I would be interested to follow that up with the Minister, perhaps in another meeting.
I do think this is very strange. Here is an opportunity to win friends, get people on side and offer them something that will be really helpful. We have heard about children; and there are other vulnerable people who are not experts in these areas, for whom a little extra help was promised by the Government because they felt that that would be right. The idea that, in some senses, this would empower a whole industry of people to manufacture claims to get at data holders seems completely ridiculous.
If we look at the comparable arrangements in the consumer field that I tried to draw the Minister’s attention to, we see very strict rules about the levels at which super-complaints can be made: they must be proportionate, relevant and have evidence of support from a wider group of people that allows them to go forward. We are not talking about an open-ended commitment—that would be daft—but when we look at the best way to combat bad practice that affects particular vulnerable groups and is being practised by people who should not do it, this must be in our armoury. We will certainly come back to this—but in the interim, I beg leave to withdraw the amendment.
Lord Ashton of Hyde
“Framework for Data Processing by GovernmentFramework for Data Processing by Government
(1) The Secretary of State may prepare a document, called the Framework for Data Processing by Government, which contains guidance about the processing of personal data in connection with the exercise of functions of—(a) the Crown, a Minister of the Crown or a United Kingdom government department, and(b) a person with functions of a public nature who is specified or described in regulations made by the Secretary of State.(2) The document may make provision relating to all of those functions or only to particular functions or persons.(3) The document may not make provision relating to, or to the functions of, a part of the Scottish Administration, the Welsh Government, a Northern Ireland Minister or a Northern Ireland department.(4) The Secretary of State may from time to time prepare amendments of the document or a replacement document.(5) Before preparing a document or amendments under this section, the Secretary of State must consult—(a) the Commissioner, and (b) any other person the Secretary of State considers it appropriate to consult.(6) Regulations under subsection (1)(b) are subject to the negative resolution procedure.(7) In this section, “Northern Ireland Minister” includes the First Minister and deputy First Minister in Northern Ireland.”
Lord Ashton of Hyde
My Lords, the Bill creates a comprehensive and modern framework for data protection in the UK. The importance of these data protection standards continues to grow—a point that has not been lost on noble Lords, nor the Government. That is why the Government have tabled Amendments 185A, 185B, 185C and 185D, which provide for a framework for data processing by government.
Inherent in the execution of the Government’s function is a requirement to process significant volumes of personal data, whether in issuing a passport or providing information on vulnerable persons to the social services departments of local authorities. The Government recognise the strong public interest in understanding better how they process that data. The framework is intended to set out the principles and processes that the Government must have regard to when processing personal data.
All government and public sector activities require some form of power to process personal data, which is derived from both statute and common law. In light of the requirements of the GDPR, such processing should be undertaken in a clear, precise and foreseeable way. The Government’s view is that the framework will serve further to improve the transparency and clarity of existing government data processing. The Government can, and should, lead by example on data protection. To that end, the proposed clauses provide the Secretary of State with the power to issue guidance in relation to the processing of personal data by government under existing powers. As I have already stated, government departments will be required to have regard to the guidance when processing personal data.
The Government have consulted the Information Commissioner in preparing the amendment and will, as required in Amendment 185A, consult the commissioner before preparing the framework. The Government are keen to benefit from the commissioner’s expertise in this area and to ensure that the framework does not conflict with the commissioner’s codes of practice. The guidance should provide reassurance to data subjects about the approach that government takes to processing data and the procedures it follows when doing so. It will also help to strengthen further the Government’s compliance with the GDPR’s principles. I beg to move.
Lord Kennedy of Southwark
My Lords, government Amendments 185A, 185B, 185C and 185D add four fairly substantial new clauses to the Bill on the last day of Committee. I can see the point made by the Minister when he moved the amendments, but it is disappointing that they were not included right at the start. Have the Government just thought about them as a good thing?
The Delegated Powers and Regulatory Reform Committee has not had time to look at these matters. I note that in Amendment 185A, the Government suggest that regulations be approved by Parliament under the negative procedure. I will look very carefully at anything that the committee wants to bring to the attention of the House when we look at these matters again on Report. I am sure the committee will have reported by then.
I will not oppose the amendments today, but that is not to say that I will not move some amendments on Report—particularly if the committee draws these matters to the House’s attention.
Lord Clement-Jones
My Lords, I want to echo that point. There is time for reflection on this set of amendments and I sympathise with what the noble Lord, Lord Kennedy, said.
Lord Ashton of Hyde
My Lords, I am grateful for those comments. We understand that the DPRRC will have to look at the powers under the clause. As usual, as we have done already, we take great note of what the committee says; no doubt it will opine soon. We will pay attention to that.
Lord Ashton of Hyde
“Approval of the Framework
(1) Before issuing a document prepared under section (Framework for Data Processing by Government), the Secretary of State must lay it before Parliament.(2) If, within the 40-day period, either House of Parliament resolves not to approve the document, the Secretary of State must not issue it.(3) If no such resolution is made within that period—(a) the Secretary of State must issue the document, and(b) the document comes into force at the end of the period of 21 days beginning with the day on which it is issued.(4) Nothing in subsection (2) prevents another version of the document being laid before Parliament.(5) In this section, “the 40-day period” means—(a) if the document is laid before both Houses of Parliament on the same day, the period of 40 days beginning with that day, or(b) if the document is laid before the Houses of Parliament on different days, the period of 40 days beginning with the later of those days.(6) In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses of Parliament are adjourned for more than 4 days.(7) This section applies in relation to amendments prepared under section (Framework for Data Processing by Government) as it applies in relation to a document prepared under that section.”
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
“SCHEDULE 18 MINOR AND CONSEQUENTIAL AMENDMENTSPart 1ACTS AND MEASURESParliamentary Commissioner Act 1967 (c. 13)
1_ In section 11AA(1) of the Parliamentary Commissioner Act 1967 (disclosure of information by Parliamentary Commissioner to Information Commissioner)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147, 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Local Government Act 1974 (c. 7)
2_ The Local Government Act 1974 is amended as follows.3_ In section 33A(1) (disclosure of information by Local Commissioner to Information Commissioner)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or (ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”4_ In section 34O(1) (disclosure of information by Local Commissioner to Information Commissioner)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Consumer Credit Act 1974 (c. 39)
5_ The Consumer Credit Act 1974 is amended as follows.6_ In section 157(2A) (duty to disclose name etc of agency)—(a) in paragraph (a), for “the Data Protection Act 1998” substitute “the GDPR”, and(b) in paragraph (b), after “any” insert “other”.7_ In section 159(1)(a) (correction of wrong information) for “section 7 of the Data Protection Act 1998” substitute “Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers)”.8_ In section 189(1) (definitions), at the appropriate place insert—““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (10), (11) and (14) of that Act);”.Medical Act 1983 (c. 54)
9_ The Medical Act 1983 is amended as follows.10_(1) Section 29E (evidence) is amended as follows.(2) In subsection (5), after “enactment” insert “or the GDPR”.(3) For subsection (7) substitute—“(7) In determining for the purposes of subsection (5) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”11_(1) Section 35A (General Medical Council’s power to require disclosure of information) is amended as follows.(2) In subsection (4), after “enactment” insert “or the GDPR”.(3) For subsection (5A) substitute—“(5A) In determining for the purposes of subsection (4) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”12_ In section 55 (interpretation), at the appropriate place insert—““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (10), (11) and (14) of that Act);”.13_(1) Paragraph 5A of Schedule 4 (professional performance assessments and health assessments) is amended as follows. (2) In sub-paragraph (8), after “enactment” insert “or the GDPR”.(3) For sub-paragraph (8A) substitute—“(8A) In determining for the purposes of sub-paragraph (8) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”Dentists Act 1984 (c. 24)
14_ The Dentists Act 1984 is amended as follows.15_(1) Section 33B (the General Dental Council’s power to require disclosure of information: the dental profession) is amended as follows.(2) In subsection (3), after “enactment” insert “or relevant provision of the GDPR”.(3) For subsection (4) substitute—“(4) For the purposes of subsection (3)—“relevant enactment” means any enactment other than—(a) this Act, or(b) the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2017 (exemptions to Part 4: disclosures required by law);“relevant provision of the GDPR” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2017 (GDPR provisions to be adapted or restricted: disclosures required by law).”(4) After subsection (10) insert—“(11) In this section,“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”16_(1) Section 36Y (the General Dental Council’s power to require disclosure of information: professions complementary to dentistry) is amended as follows.(2) In subsection (3), after “enactment” insert “or relevant provision of the GDPR”.(3) For subsection (4) substitute—“(4) For the purposes of subsection (3)—“relevant enactment” means any enactment other than—(a) this Act, or(b) the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2017 (exemptions to Part 4: disclosures required by law);“relevant provision of the GDPR” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2017 (GDPR provisions to be adapted or restricted: disclosures required by law).”(4) After subsection (10) insert—“(11) In this section,“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Access to Medical Reports Act 1988 (c. 28)
17_ In section 2(1) of the Access to Medical Reports Act 1988 (interpretation), for the definition of “health professional” substitute—““health professional” has the same meaning as in the Data Protection Act 2017 (see section 183 of that Act);”.Opticians Act 1989 (c. 44)
18_(1) Section 13B of the Opticians Act 1989 (the Council’s power to require disclosure of information) is amended as follows. (2) In subsection (3), after “enactment” insert “or the GDPR”.(3) For subsection (4) substitute—“(4) In determining for the purposes of subsection (3) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”(4) After subsection (9) insert—“(10) In this section, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Human Fertilisation and Embryology Act 1990 (c. 37)
19_(1) Section 33D of the Human Fertilisation and Embryology Act 1990 (disclosure for the purposes of medical or other research) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (9), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Trade Union and Labour Relations (Consolidation) Act 1992 (c. 52)
20_(1) Section 251B of the Trade Union and Labour Relations (Consolidation) Act 1992 (prohibition on disclosure of information) is amended as follows.(2) In subsection (3), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Tribunals and Inquiries Act 1992 (c. 53)
21_ In the table in Part 1 of Schedule 1 to the Tribunals and Inquiries Act 1992 (tribunals to which the Act applies), in the second column, in paragraph 14(a), for “section 6 of the Data Protection Act 1998” substitute “section 112 of the Data Protection Act 2017”.Health Service Commissioners Act 1993 (c. 46)
22_ In section 18A(1) of the Health Service Commissioners Act 1993 (power to disclose information)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Data Protection Act 1998 (c. 29)
23_ The Data Protection Act 1998 is repealed.Crime and Disorder Act 1998 (c. 37)
24_ In section 17A(4) of the Crime and Disorder Act 1998 (sharing of information), for “(within the meaning of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”. Food Standards Act 1999 (c. 28)
25_(1) Section 19 of the Food Standards Act 1999 (publication etc by the Food Standards Agency of advice and information) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (8), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Immigration and Asylum Act 1999 (c. 33)
26_(1) Section 13 of the Immigration and Asylum Act 1999 (proof of identity of persons to be removed or deported) is amended as follows.(2) For subsection (4) substitute—“(4) For the purposes of Article 49(1)(d) of the GDPR, the provision under this section of identification data is a transfer of personal data which is necessary for important reasons of public interest.”(3) After subsection (4) insert—“(4A) “The GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Financial Services and Markets Act 2000 (c. 8)
27_ The Financial Services and Markets Act 2000 is amended as follows.28_ In section 86(9) (exempt offers to the public), for “the Data Protection Act 1998 or any directly applicable EU legislation relating to data protection” substitute “—(a) the data protection legislation, or(b) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection”.29_ In section 391A(6)(b) (publication: special provisions relating to the capital requirements directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.30_ In section 391C(7)(a) (publication: special provisions relating to the UCITS directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.31_ In section 391D(9)(a) (publication: special provisions relating to the markets in financial instruments directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.32_ In section 417 (definitions), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Terrorism Act 2000 (c. 11)
33_ In section 21F(2)(d) of the Terrorism Act 2000 (other permitted disclosures between institutions etc) for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”.Freedom of Information Act 2000 (c. 36)
34_ The Freedom of Information Act 2000 is amended as follows.35_ In section 2(3) (absolute exemptions), for paragraph (f) substitute—“(f) section 40(1),(fa) section 40(2) so far as relating to cases where the first condition referred to in that subsection is satisfied,”.36_ In section 18 (the Information Commissioner) omit subsection (1). 37_(1) Section 40 (personal information) is amended as follows.(2) In subsection (2)—(a) in paragraph (a), for “do” substitute “does”, and(b) in paragraph (b), for “either the first or the second” substitute “the first, second or third”.(3) For subsection (3) substitute—“(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(3B) The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).”(4) For subsection (4) substitute—“(4A) The third condition is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14, 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017, or(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(5) For subsection (5) substitute—“(5A) The duty to confirm or deny does not arise in relation to information which is (or if it were held by the public authority would be) exempt information by virtue of subsection (1).(5B) The duty to confirm or deny does not arise in relation to other information if or to the extent that any of the following applies—(a) giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a)—(i) would (apart from this Act) contravene any of the data protection principles, or(ii) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded;(b) giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a) would (apart from this Act) contravene Article 21 of the GDPR (general processing: right to object to processing);(c) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in subsection (4A)(a);(d) on a request under section 43(1)(a) of the Data Protection Act 2017 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(6) Omit subsection (6).(7) For subsection (7) substitute—“(7) In this section—“the data protection principles” means the principles set out in— (a)Article 5(1) of the GDPR, and(b) section 32(1) of the Data Protection Act 2017;“data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);“the GDPR”, “personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2), (4), (10), (11) and (14) of that Act).(8) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”38_ Omit section 49 (reports to be laid before Parliament).39_ For section 61 (appeal proceedings) substitute—“61 Appeal proceedings(1) Tribunal Procedure Rules may make provision for regulating the exercise of rights of appeal conferred by sections 57(1) and (2) and 60(1) and (4).(2) In relation to appeals under those provisions, Tribunal Procedure Rules may make provision about—(a) securing the production of material used for the processing of personal data, and(b) the inspection, examination, operation and testing of equipment or material used in connection with the processing of personal data.(3) Subsection (4) applies where—(a) a person does something, or fails to do something, in relation to proceedings before the First-tier Tribunal on an appeal under those provisions, and(b) if those proceedings were proceedings before a court having power to commit for contempt, the act or omission would constitute contempt of court.(4) The First-tier Tribunal may certify the offence to the Upper Tribunal.(5) Where an offence is certified under subsection (4), the Upper Tribunal may—(a) inquire into the matter, and(b) deal with the person charged with the offence in any manner in which it could deal with the person if the offence had been committed in relation to the Upper Tribunal.(6) Before exercising the power under subsection (5)(b), the Upper Tribunal must—(a) hear any witness who may be produced against or on behalf of the person charged with the offence, and(b) hear any statement that may be offered in defence.(7) In this section,“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2), (4) and (14) of that Act).”40_ In section 76(1) (disclosure of information between Commissioner and ombudsmen), for “the Data Protection Act 1998” substitute “the data protection legislation”.41_ After section 76A insert—“76B Disclosure of information to Commissioner or TribunalNo enactment or rule of law prohibiting or restricting the disclosure of information precludes a person from providing the Commissioner, the First-tier Tribunal or the Upper Tribunal with information necessary for the discharge of their functions under this Act. 76C Confidentiality of information provided to Commissioner(1) A person who is or has been the Commissioner, or a member of the Commissioner’s staff or an agent of the Commissioner, must not disclose information which—(a) has been obtained by, or provided to, the Commissioner under or for the purposes of this Act,(b) relates to an identified or identifiable individual or business, and(c) is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources,unless the disclosure is made with lawful authority.(2) For the purposes of subsection (1), a disclosure is made with lawful authority only if and to the extent that—(a) the disclosure was made with the consent of the individual or of the person for the time being carrying on the business,(b) the information was provided for the purpose of its being made available to the public (in whatever manner) under a provision of this Act or the data protection legislation,(c) the disclosure was made for the purposes of, and is necessary for, the discharge of a function under this Act or the data protection legislation,(d) the disclosure was made for the purposes of, and is necessary for, the discharge of an EU obligation,(e) the disclosure was made for the purposes of criminal or civil proceedings, however arising, or(f) having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest.(3) It is an offence for a person knowingly or recklessly to disclose information in contravention of subsection (1).(4) A person guilty of an offence under this section is liable—(a) on summary conviction in England and Wales, to a fine;(b) on summary conviction in Scotland or Northern Ireland, to a fine not exceeding the statutory maximum;(c) on conviction on indictment, to a fine.(5) No proceedings for an offence under this section may be instituted—(a) in England and Wales, except by the Commissioner or by or with the consent of the Director of Public Prosecutions;(b) in Northern Ireland, except by the Commissioner or by or with the consent of the Director of Public Prosecutions for Northern Ireland.”42_ In section 77(1)(b) (offence of altering etc records with intent to prevent disclosure), omit “or section 7 of the Data Protection Act 1998,”.43_ In section 84 (interpretation), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Political Parties, Elections and Referendums Act 2000 (c. 41)
44_(1) Paragraph 28 of Schedule 19C to the Political Parties, Elections and Referendums Act 2000 (civil sanctions: disclosure of information) is amended as follows.(2) In sub-paragraph (4)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (5) insert— “(6) In this paragraph,“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Finance and Accountability (Scotland) Act 2000 (asp 1)
45_ The Public Finance and Accountability (Scotland) Act 2000 is amended as follows.46_ In section 26B(3)(a) (voluntary disclosure of data to Audit Scotland), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.47_ In section 26C(3)(a) (power to require disclosure of data), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.48_ In section 29(1) (interpretation), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Criminal Justice and Police Act 2001 (c. 16)
49_ The Criminal Justice and Police Act 2001 is amended as follows.50_ In section 57(1) (retention of seized items)—(a) omit paragraph (m), and(b) after paragraph (s) insert—“(t) paragraph 10 of Schedule 15 to the Data Protection Act 2017;”.51_ In section 65(7) (meaning of “legal privilege”)—(a) for “paragraph 1 of Schedule 9 to the Data Protection Act 1998 (c. 29)” substitute “paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2017”, and(b) for “paragraph 9” substitute “paragraph 11 (matters exempt from inspection and seizure: privileged communications)”.52_ In Schedule 1 (powers of seizure)—(a) omit paragraph 65, and(b) after paragraph 73R insert—“Data Protection Act 201773S_ The power of seizure conferred by paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2017 (powers of entry and inspection).”Anti-terrorism, Crime and Security Act 2001 (c.24)
53_ The Anti-terrorism, Crime and Security Act 2001 is amended as follows.54_(1) Section 19 (disclosure of information held by revenue departments) is amended as follows.(2) In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (9), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.55_(1) Part 1 of Schedule 4 (extension of existing disclosure powers) is amended as follows.(2) Omit paragraph 42.(3) After paragraph 52 insert—“52A_ Section 76C(1) of the Freedom of Information Act 2000.”(4) After paragraph 53F insert—“53G_ Section 127(1) of the Data Protection Act 2017.”Health and Personal Social Services Act (Northern Ireland) 2001 (c. 3 (N.I.))
56_(1) Section 7A of the Health and Personal Social Services Act (Northern Ireland) 2001 (power to obtain information etc) is amended as follows.(2) In subsection (3), after “provision” insert “or the GDPR”.(3) For subsection (5) substitute— “(5) In determining for the purposes of subsection (3) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”(4) After subsection (7) insert—“(8) In this section, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Justice (Northern Ireland) Act 2002 (c. 26)
57_(1) Section 5A of the Justice (Northern Ireland) Act 2002 (disclosure of information to the Commission) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (9) insert—“(10) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Proceeds of Crime Act 2002 (c. 29)
58_ The Proceeds of Crime Act 2002 is amended as follows.59_ In section 333C(2)(d) (other permitted disclosures between institutions etc), for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”.60_ In section 436(3)(a) (disclosure of information to certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.61_ In section 438(8)(a) (disclosure of information by certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.62_ In section 439(3)(a) (disclosure of information to Lord Advocate and to Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.63_ In section 441(7)(a) (disclosure of information by Lord Advocate and Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.64_ After section 442 insert—“442A Data protection legislationIn this Part, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Scottish Public Services Ombudsman Act 2002 (asp 11)
65_(1) In Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (disclosure of information by the Ombudsman), the entry for the Information Commissioner is amended as follows.(2) In paragraph 1, for sub-paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”.(3) For paragraph 2 substitute—“2_ The commission of an offence under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Freedom of Information (Scotland) Act 2002 (asp 13)
66_ The Freedom of Information (Scotland) Act 2002 is amended as follows. 67_ In section 2(2)(e)(ii) (absolute exemptions), omit “by virtue of subsection (2)(a)(i) or (b) of that section”.68_(1) Section 38 (personal information) is amended as follows.(2) In subsection (1), for paragraph (b) substitute—“(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));”.(3) For subsection (2) substitute—“(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(2B) The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).”(4) For subsection (3) substitute—“(3A) The third condition is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017, or(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(5) Omit subsection (4).(6) In subsection (5), for the definitions of “the data protection principles” and of “data subject” and “personal data” substitute—““the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR, and(b) section 32(1) of the Data Protection Act 2017;“data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);“the GDPR”, “personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2), (4), (10), (11) and (14) of that Act);”.(7) After that subsection insert—“(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Courts Act 2003 (c. 39)
69_ Schedule 5 to the Courts Act 2003 (collection of fines) is amended as follows.70_(1) Paragraph 9C (disclosure of information in connection with making of attachment of earnings orders or applications for benefit deductions: supplementary) is amended as follows.(2) In sub-paragraph (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (5) insert— “(6) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”71_(1) Paragraph 10A (attachment of earnings orders (Justice Act (Northern Ireland) 2016): disclosure of information) is amended as follows.(2) In sub-paragraph (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In sub-paragraph (8), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Sexual Offences Act 2003 (c. 42)
72_(1) Section 94 of the Sexual Offences Act 2003 (Part 2: supply of information to the Secretary of State etc for verification) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (8), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Criminal Justice Act 2003 (c. 44)
73_ The Criminal Justice Act 2003 is amended as follows.74_ In section 327A(9) (disclosure of information about convictions etc of child sex offenders to members of the public), for “the Data Protection Act 1998” substitute “the data protection legislation”.75_ In section 327B (disclosure of information about convictions etc of child sex offenders to members of the public: interpretation), after subsection (4) insert—“(4A) “The data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Audit (Wales) Act 2004 (c. 23)
76_(1) Section 64C of the Public Audit (Wales) Act 2004 (voluntary provision of data) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (5), at the beginning insert “In this section—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Domestic Violence, Crime and Victims Act 2004 (c. 28)
77_(1) Section 54 of the Domestic Violence, Crime and Victims Act 2004 (disclosure of information) is amended as follows.(2) In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Children Act 2004 (c. 31)
78_ The Children Act 2004 is amended as follows.79_(1) Section 12 (information databases) is amended as follows.(2) In subsection (13)(e) for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (13) insert—“(14) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”80_(1) Section 29 (information databases: Wales) is amended as follows. (2) In subsection (14)(e) for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (14) insert—“(15) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Constitutional Reform Act 2005 (c. 4)
81_(1) Section 107 of the Constitutional Reform Act 2005 (disclosure of information to the Commission) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (9) insert—“(10) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Mental Capacity Act 2005 (c. 9)
82_ In section 64 of the Mental Capacity Act 2005 (interpretation), for the definition of “health record” substitute—““health record” has the same meaning as in the Data Protection Act 2017 (see section 184 of that Act);”.Public Services Ombudsman (Wales) Act 2005 (c. 10)
83_(1) Section 34X of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information) is amended as follows.(2) In subsection (4), for paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement);”.(3) For subsection (5) substitute—“(5) The offences are those under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc);(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Commissioners for Revenue and Customs Act 2005 (c. 11)
84_(1) Section 22 of the Commissioners for Revenue and Customs Act 2005 (data protection, etc) is amended as follows.(2) The existing text becomes subsection (1).(3) In that subsection, in paragraph (a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(4) After that subsection insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Gambling Act 2005 (c. 19)
85_(1) Section 352 of the Gambling Act 2005 (data protection) is amended as follows.(2) The existing text becomes subsection (1).(3) In that subsection, for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(4) After that subsection insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Commissioner for Older People (Wales) Act 2006 (c. 30)
86_(1) Section 18 of the Commissioner for Older People (Wales) Act 2006 (power to disclose information) is amended as follows.(2) In subsection (7), for paragraph (a) substitute— “(a) sections 137 to 147, 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement);”.(3) For subsection (8) substitute—“(8) The offences are those under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc); or(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”National Health Service Act 2006 (c. 41)
87_ The National Health Service Act 2006 is amended as follows.88_(1) Section 251 (control of patient information) is amended as follows.(2) In subsection (7), for “made by or under the Data Protection Act 1998 (c 29)” substitute “of the data protection legislation”.(3) In subsection (13), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.89_ In paragraph 7B(3) of Schedule 1 (further provision about the Secretary of State and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act)”.National Health Service (Wales) Act 2006 (c. 42)
90_ The National Health Service (Wales) Act 2006 is amended as follows.91_(1) Section 201C (provision of information about medical supplies: supplementary) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (3) insert—“(4) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”92_ In paragraph 7B(3) of Schedule 1 (further provision about the Welsh Ministers and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act)”.Tribunals, Courts and Enforcement Act 2007 (c. 15)
93_ The Tribunals, Courts and Enforcement Act 2007 is amended as follows.94_ In section 11(5)(b)(right to appeal to Upper Tribunal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “section 25(3) or (5), 77(5) or (7) or 109(3) or (5) of the Data Protection Act 2017”.95_ In section 13(8)(a) (right to appeal to the Court of Appeal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “section 25(3) or (5), 77(5) or (7) or 109(3) or (5) of the Data Protection Act 2017”.Statistics and Registration Service Act 2007 (c. 18)
96_ The Statistics and Registration Service Act 2007 is amended as follows.97_(1) Section 45A (information held by other public authorities) is amended as follows.(2) In subsection (8), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”. (3) In subsection (9), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) In subsection (12)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(5) In subsection (12)(c), after the first “legislation” insert “(which is not part of the data protection legislation)”.98_(1) Section 45B(3) (access to information held by Crown bodies etc) is amended as follows.(2) In paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In paragraph (c), after the first “legislation” insert “(which is not part of the data protection legislation)”.99_(1) Section 45C(13) (power to require disclosures by other public authorities) is amended as follows.(2) In paragraph (b), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In paragraph (d), after the first “legislation” insert “(which is not part of the data protection legislation)”.100_ In section 45D(9)(b) (power to require disclosure by undertakings), for “the Data Protection Act 1998” substitute “the data protection legislation”.101(1) Section 45E (further provision about powers in sections 45B, 45C and 45D) is amended as follows.(2) In subsection (6), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (16), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”.(4) In subsection (17), for “the Data Protection Act 1998” substitute “the data protection legislation”.102(1) Section 53A (disclosure by the Statistics Board to devolved administrations) is amended as follows.(2) In subsection (9), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”.(3) In subsection (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) In subsection (12)(b), for “the Data Protection Act 1998” substitute “the data protection legislation”.103(1) Section 54 (Data Protection Act 1998 and Human Rights Act 1998) is amended as follows.(2) In the heading omit “Data Protection Act 1998 and”.(3) Omit paragraph (a) (together with the final “or”).104_ In section 67 (general interpretation: Part 1), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Serious Crime Act 2007 (c. 27)
105_ The Serious Crime Act 2007 is amended as follows.106(1) Section 5A (verification and disclosure of information) is amended as follows.(2) In subsection (6)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”107(1) Section 68 (disclosure of information to prevent fraud) is amended as follows.(2) In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”. (3) In subsection (8), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”108(1) Section 85 (disclosure of information by Revenue and Customs) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (9), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Legal Services Act 2007 (c. 29)
109(1) Section 169 of the Legal Services Act 2007 (disclosure of information to the Legal Services Board) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Adoption and Children (Scotland) Act 2007 (asp 4)
110_ In section 74 of the Adoption and Children (Scotland) Act 2007 (disclosure of medical information about parents), for subsection (5) substitute—“(5) In subsection (4)(e), “processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act).”Criminal Justice and Immigration Act 2008 (c. 4)
111_ The Criminal Justice and Immigration Act 2008 is amended as follows.112_ Omit—(a) section 77 (power to alter penalty for unlawfully obtaining etc personal data), and(b) section 78 (new defence for obtaining etc for journalism and other special purposes).113(1) Section 114 (supply of information to Secretary of State etc) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (6) insert—“(6A) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Regulatory Enforcement and Sanctions Act 2008 (c. 13)
114(1) Section 70 of the Regulatory Enforcement and Sanctions Act 2008 (disclosure of information) is amended as follows.(2) In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (5) insert—“(6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Health and Social Care Act 2008 (c. 14)
115_ In section 20A(5) of the Health and Social Care Act 2008 (functions relating to processing of information by registered persons), in the definition of “processing”, for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.Counter-Terrorism Act 2008 (c. 28)
116(1) Section 20 of the Counter-Terrorism Act 2008 (disclosure and the intelligence services: supplementary provisions) is amended as follows. (2) In subsection (2)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (4) insert—“(5) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Health etc.(Scotland) Act 2008 (asp 5)
117(1) Section 117 of the Public Health etc. (Scotland) Act 2008 (disclosure of information) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (7) insert—“(7A) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Banking Act 2009 (c. 1)
118(1) Section 83ZY of the Banking Act 2009 (special resolution regime: publication of notices etc) is amended as follows.(2) In subsection (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (11), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Borders, Citizenship and Immigration Act 2009 (c. 11)
119(1) Section 19 of the Borders, Citizenship and Immigration Act 2009 (use and disclosure of customs information: application of statutory provisions) is amended as follows.(2) In subsection (1)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (4) insert—“(5) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Marine and Coastal Access Act 2009 (c. 23)
120_ The Marine and Coastal Access Act 2009 is amended as follows.121(1) Paragraph 13 of Schedule 7 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”122(1) Paragraph 9 of Schedule 10 (further provision about fixed monetary penalties: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Broads Authority Act 2009 (c. i)
123(1) Section 38 of the Broads Authority Act 2009 (provision of information) is amended as follows.(2) In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (6), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”. Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.))
124(1) Section 13 of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (functions of the Regional Agency) is amended as follows.(2) In subsection (8), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Terrorist Asset-Freezing etc. Act 2010 (c. 38)
125(1) Section 25 of the Terrorist Asset-Freezing etc. Act 2010 (application of provisions) is amended as follows.(2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (6), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Marine (Scotland) Act 2010 (asp 5)
126(1) Paragraph 12 of Schedule 2 to the Marine (Scotland) Act 2010 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Charities Act 2011 (c. 25)
127(1) Section 59 of the Charities Act 2011 (disclosure: supplementary) is amended as follows.(2) The existing text becomes subsection (1).(3) In that subsection, in paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) After that subsection insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Welsh Language (Wales) Measure 2011 (nawm 1)
128_ The Welsh Language (Wales) Measure 2011 is amended as follows.129(1) Section 22 (power to disclose information) is amended as follows.(2) In subsection (4)—(a) in the English language text, for paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement);”, and(b) in the Welsh language text, for paragraph (a) substitute—“(a) adrannau 137 i 147, 153 i 155, neu 164 i 166 o Ddeddf Diogelu Data 2017 neu Atodlen 15 i’r Ddeddf honno (darpariaethau penodol yn ymwneud â gorfodi);”.(3) For subsection (5)—(a) in the English language text substitute—“(5) The offences referred to under subsection (3)(b) are those under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of exercise of warrant etc); or (b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”, and(b) in the Welsh language text substitute—“(5) Y tramgwyddau y cyfeirir atynt yn is-adran (3)(b) yw’r rhai—(a) o dan ddarpariaeth yn Neddf Diogelu Data 2017 ac eithrio paragraff 15 o Atodlen 15 (rhwystro gweithredu gwarant etc); neu(b) o dan adran 76C neu 77 o Ddeddf Rhyddid Gwybodaeth 2000 (troseddau o ddatgelu gwybodaeth ac altro etc cofnodion gyda’r bwriad o atal datgelu).”(4) In subsection (8)—(a) in the English language text, for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso’r ddeddfwriaeth diogelu data”.(5) In subsection (9)—(a) at the appropriate place in the English language text insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”, and(b) at the appropriate place in the Welsh language text insert—“mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2017 (gweler adran 2 o’r Ddeddf honno);”.130(1) Paragraph 8 of Schedule 2 (inquiries by the Commissioner: reports) is amended as follows.(2) In sub-paragraph (7)—(a) in the English language text, for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso’r ddeddfwriaeth diogelu data”.(3) In sub-paragraph (8)—(a) in the English language text, after “paragraph” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”, and(b) in the Welsh language text, after “hwn” insert—“mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation “yn Neddf Diogelu Data 2017 (gweler adran 2 o’r Ddeddf honno);”.Safeguarding Board Act (Northern Ireland) 2011 (c. 7 (N.I))
131(1) Section 10 of the Safeguarding Board Act (Northern Ireland) 2011 (duty to co-operate) is amended as follows.(2) In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (3) insert—“(4) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Health and Social Care Act 2012 (c. 7)
132_ The Health and Social Care Act 2012 is amended as follows.133_ In section 250(7) (power to publish information standards), for the definition of “processing” substitute— ““processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.134(1) Section 251A (consistent identifiers) is amended as follows.(2) In subsection (7)(a), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”135(1) Section 251B (duty to share information) is amended as follows.(2) In subsection (5)(a), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Protection of Freedoms Act 2012 (c. 9)
136_ The Protection of Freedoms Act 2012 is amended as follows.137(1) Section 27 (exceptions and further provision about consent and notification) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (5) insert—“(6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”138_ In section 28(1) (interpretation: Chapter 2), for the definition of “processing” substitute—““processing has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.139_ In section 29(7) (code of practice for surveillance camera systems), for the definition of “processing” substitute—““processing has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.HGV Road User Levy Act 2013 (c. 7)
140(1) Section 14A of the HGV Road User Levy Act 2013 (disclosure of information by Revenue and Customs) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (5) insert—“(6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Crime and Courts Act 2013 (c. 22)
141_ The Crime and Courts Act 2013 is amended as follows.142(1) Section 42 (other interpretive provisions) is amended as follows.(2) In subsection (5)(a), for “section 13 of the Data Protection Act 1998 (damage or distress suffered as a result of a contravention of a requirement of that Act)” substitute “Article 82 of the GDPR or section 159 or 160 of the Data Protection Act 2017 (compensation for contravention of the data protection legislation)”.(3) After subsection (5) insert—“(5A) In subsection (5)(a), “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).” 143(1) Paragraph 1 of Schedule 7 (statutory restrictions on disclosure) is amended as follows.(2) The existing text becomes sub-paragraph (1).(3) In that sub-paragraph, in paragraph (a)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(4) After that sub-paragraph, insert—“(2) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Marine Act (Northern Ireland) 2013 (c. 10 (N.I.))
144(1) Paragraph 8 of Schedule 2 to the Marine Act (Northern Ireland) 2013 (further provision about fixed monetary penalties under section 35: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Local Audit and Accountability Act 2014 (c. 2)
145(1) Paragraph 3 of Schedule 9 to the Local Audit and Accountability Act 2014 (data matching: voluntary provision of data) is amended as follows.(2) In sub-paragraph (3)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (3) insert—“(3A) “The data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”(4) In sub-paragraph (4), for “comprise or include” substitute “comprises or includes”.Anti-social Behaviour, Crime and Policing Act 2014 (c. 12)
146(1) Paragraph 7 of Schedule 4 to the Anti-social Behaviour, Crime and Policing Act 2014 (anti-social behaviour case reviews: information) is amended as follows.(2) In sub-paragraph (4)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(3) After sub-paragraph (5) insert—“(6) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Immigration Act 2014 (c. 22)
147(1) Paragraph 6 of Schedule 6 to the Immigration Act 2014 (information: limitation on powers) is amended as follows.(2) The existing text becomes sub-paragraph (1).(3) In that sub-paragraph, in paragraph (a)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(4) After that sub-paragraph insert—“(2) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Care Act 2014 (c. 23)
148_ In section 67(9) of the Care Act 2014 (involvement in assessment, plans etc), for paragraph (a) substitute—“(a) a health record (within the meaning given in section 184 of the Data Protection Act 2017),”.Social Services and Well-being (Wales) Act 2014 (anaw 4)
149_ In section 18(10)(b) of the Social Services and Well-being (Wales) Act 2014 (registers of sight-impaired, hearing-impaired and other disabled people)—(a) in the English language text, for “(within the meaning of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”, and(b) in the Welsh language text, for “(o fewn ystyr “personal data” yn Neddf Diogelu Data 1998)” substitute “(o fewn ystyr “personal data” yn Rhan 5 i 7 o Ddeddf Diogelu Data 2017 (gweler adran 2(2) a (14) o’r Ddeddf honno))”.Counter-Terrorism and Security Act 2015 (c. 6)
150(1) Section 38 of the Counter-Terrorism and Security Act 2015 (support etc for people vulnerable to being drawn into terrorism: co-operation) is amended as follows.(2) In subsection (4)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (4) insert—“(4A) “The data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Small Business, Enterprise and Employment Act 2015 (c. 26)
151(1) Section 6 of the Small Business, Enterprise and Employment Act 2015 (application of listed provisions to designated credit reference agencies) is amended as follows.(2) In subsection (7)—(a) for paragraph (b) substitute—“(b) Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers);”, and(b) omit paragraph (c).(3) After subsection (7) insert—“(7A) In subsection (7) “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Modern Slavery Act 2015 (c. 30)
152(1) Section 54A of the Modern Slavery Act 2015 (Gangmasters and Labour Abuse Authority: information gateways) is amended as follows.(2) In subsection (5)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (9), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 (c. 2 (N.I.))
153_ The Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 is amended as follows.154_ In section 13(5) (duty to notify National Crime Agency about suspected victims of certain offences) for “the Data Protection Act 1998” substitute “the data protection legislation”.155_ In section 25(1) (interpretation of this Act), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.156_ In paragraph 18(5) of Schedule 3 (supply of information to relevant Northern Ireland departments, Secretary of State, etc) for “the Data Protection Act 1998” substitute “the data protection legislation”. Justice Act (Northern Ireland) 2015 (c. 9 (N.I.))
157(1) Section 72 of the Justice Act (Northern Ireland) 2015 (supply of information to relevant Northern Ireland departments or Secretary of State) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (7), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Immigration Act 2016 (c. 19)
158(1) Section 7 of the Immigration Act 2016 (information gateways: supplementary) is amended as follows.(2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (11), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Investigatory Powers Act 2016 (c. 25)
159_ The Investigatory Powers Act 2016 is amended as follows.160_ In section 1(5)(b), for sub-paragraph (ii) substitute—“(ii) in section 161 of the Data Protection Act 2017 (unlawful obtaining etc of personal data),”.161_ In section 199 (bulk personal datasets: interpretation), for subsection (2) substitute—“(2) In this Part, “personal data” means—(a) personal data within the meaning of section 2(2) of the Data Protection Act 2017 which is subject to processing described in section 80 (1) of that Act, and(b) data relating to a deceased individual where the data would fall within paragraph (a) if it related to a living individual.”162_ In section 202(4) (restriction on use of class BPD warrants), in the definition of “sensitive personal data”, for “which is of a kind mentioned in section 2(a) to (f) of the Data Protection Act 1998” substitute “the processing of which would be sensitive processing for the purposes of section 84(7) of the Data Protection Act 2017”.163_ In section 206 (additional safeguards for health records), for subsection (7) substitute—“(7) In subsection (6)—“health professional” has the same meaning as in the Data Protection Act 2017 (see section 183(1) of that Act);“health service body” has the meaning given by section 183(4) of that Act.”164(1) Section 237 (information gateway) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (2) insert—“(3) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.))
165(1) Section 49 of the Police Services Ombudsman Act (Northern Ireland) 2016 (disclosure of information) is amended as follows.(2) In subsection (4), for paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 and 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”. (3) For subsection (5) substitute—“(5) The offences are those under—(a) any provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc),(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”(4) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (c. 12 (N.I.))
166(1) Section 1 of the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (control of information of a relevant person) is amended as follows.(2) In subsection (8), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.(3) After subsection (12) insert—“(12A) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Mental Capacity Act (Northern Ireland) 2016 (c. 18 (N.I.))
167_ In section 306(1) of the Mental Capacity Act (Northern Ireland) 2016 (definitions for purposes of Act), for the definition of “health record” substitute—““health record” has the meaning given by section 184 of the Data Protection Act 2017;”.Justice Act (Northern Ireland) 2016 (c. 21 (N.I.))
168_ The Justice Act (Northern Ireland) 2016 is amended as follows.169(1) Section 17 (disclosure of information) is amended as follows.(2) In subsection (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (8), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.170_ In section 44(3)(disclosure of information)—(a) in paragraph (a), for “Part 5 of the Data Protection Act 1998” substitute “sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc); or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Policing and Crime Act 2017 (c. 3)
171(1) Section 50 of the Policing and Crime Act 2017 (Freedom of Information Act etc: Police Federation for England and Wales) is amended as follows.(2) The existing text becomes subsection (1). (3) In that subsection, in paragraph (b), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) After that subsection, insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Children and Social Work Act 2017 (c. 12)
172_ In Schedule 5 to the Children and Social Work Act 2017—(a) in Part 1 (general amendments to do with social workers etc in England) omit paragraph 6, and(b) in Part 2 (renaming of Health and Social Work Professions Order 2001) omit paragraph 47(g).Higher Education and Research Act 2017 (c. 29)
173_ The Higher Education and Research Act 2017 is amended as follows.174(1) Section 63 (cooperation and information sharing by the Office for Students) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (7), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.175(1) Section 112 (cooperation and information sharing between the Office for Students and UKRI) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (6) insert —“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Digital Economy Act 2017 (c. 30)
176_ The Digital Economy Act 2017 is amended as follows.177(1) Section 40 (further provisions about disclosures under sections 35 to 39) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (10) insert—“(11) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”178(1) Section 43 (codes of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”.179(1) Section 49 (further provision about disclosures under section 48) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (10) insert—“(11) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”180(1) Section 52 (code of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017 (other codes of practice)”. 181(1) Section 57 (further provision about disclosures under section 56) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (10) insert—“(11) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”182(1) Section 60 (code of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017 (other codes of practice)”.183(1) Section 65 (supplementary provision about disclosures under section 64) is amended as follows.(2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”184(1) Section 70 (code of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (15), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017 (other codes of practice)”.185_ Omit sections 108 to 110 (charges payable to the Information Commissioner).Landfill Disposals Tax (Wales) Act 2017 (anaw 3)
186(1) Section 60 of the Landfill Disposals Tax (Wales) Act 2017 (disclosure of information to the Welsh Revenue Authority) is amended as follows.(2) In subsection (4)(a)—(a) in the English language text, for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”, and(b) in the Welsh language text, for “torri Deddf Diogelu Data 1998 (p. 29)” substitute “torri’r ddeddfwriaeth diogelu data”.(3) After subsection (7)—(a) in the English language text insert—“(8) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”, and(b) in the Welsh language text insert—“(8) Yn yr adran hon, mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2017 (gweler adran 2 o’r Ddeddf honno).”This Act
187(1) Section 183 (meaning of “health professional” and “social work professional”) is amended as follows (to reflect the arrangements for the registration of social workers in England under Part 2 of the Children and Social Work Act 2017).(2) In subsection (1)(g)—(a) omit “and Social Work”, and(b) omit “, other than the social work profession in England”.(3) In subsection (2), for paragraph (a) substitute— “(a) a person registered as a social worker in the register maintained by Social Work England under section 39(1) of the Children and Social Work Act 2017;”.Part 2SUBORDINATE LEGISLATIONChannel Tunnel (International Arrangements) Order 1993 (S.I. 1993/1813)
188(1) Article 4 of the Channel Tunnel (International Arrangements) Order 1993 (application of enactments) is amended as follows.(2) In paragraph (2)—(a) for “section 5 of the Data Protection Act 1998 (“the 1998 Act”), data which are” substitute “section 186 of the Data Protection Act 2017 (“the 2017 Act”), data which is”,(b) for “data controller” substitute “controller”, and(c) for “and the 1998 Act” substitute “and the 2017 Act”.(3) In paragraph (3)—(a) for “section 5 of the 1998 Act, data which are” substitute “section 186 of the 2017 Act, data which is”,(b) for “data controller” substitute “controller”, and(c) for “and the 1998 Act” substitute “and the 2017 Act”.Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 (S.I. 2003/2818)
189_ The Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 is amended as follows.190_ In Article 8(2) (exercise of powers by French officers in a control zone in the United Kingdom: disapplication of law of England and Wales)—(a) for “The Data Protection Act 1998” substitute “The Data Protection Act 2017”, and(b) for “are” substitute “is”.191_ In Article 11(4) (exercise of powers by UK immigration officers and constables in a control zone in France: enactments having effect)—(a) for “The Data Protection Act 1998” substitute “The Data Protection Act 2017”,(b) for “are” substitute “is”, and(c) for “section 5” substitute “section 186 ”.Environmental Information Regulations 2004 (S.I. 2004/3391)
192_ The Environmental Information Regulations 2004 are amended as follows.193(1) Regulation 2 (interpretation) is amended as follows.(2) In paragraph (1), at the appropriate places, insert—““the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 32(1) of the Data Protection Act 2017, and(c) section 83(1) of that Act;”;““data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”;““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (10), (11) and (14) of that Act);”;““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act);”.(3) For paragraph (4) substitute—“(4A) In these Regulations, references to the Data Protection Act 2017 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—(a) the references to an FOI public authority were references to a public authority as defined in these Regulations, and (b) the references to personal data held by such an authority were to be interpreted in accordance with regulation 3(2).”194(1) Regulation 13 (personal data) is amended as follows.(2) For paragraph (1) substitute—“(1) To the extent that the information requested includes personal data of which the applicant is not the data subject, a public authority must not disclose the personal data if—(a) the first condition is satisfied, or(b) the second or third condition is satisfied and, in all the circumstances of the case, the public interest in not disclosing the information outweighs the public interest in disclosing it.”(3) For paragraph (2) substitute—“(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(2B) The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene—(a) Article 21 of the GDPR (general processing: right to object to processing), or(b) section 97 of the Data Protection Act 2017 (intelligence services processing: right to object to processing).”(4) For paragraph (3) substitute—“(3A) The third condition is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017,(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or(c) on a request under section 92(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.”(5) Omit paragraph (4).(6) For paragraph (5) substitute—“(5A) For the purposes of this regulation a public authority may respond to a request by neither confirming nor denying whether such information exists and is held by the public authority, whether or not it holds such information, to the extent that—(a) the condition in paragraph (5B)(a) is satisfied, or(b) a condition in paragraph (5B)(b) to (e) is satisfied and in all the circumstances of the case, the public interest in not confirming or denying whether the information exists outweighs the public interest in doing so.(5B) The conditions mentioned in paragraph (5A) are—(a) giving a member of the public the confirmation or denial—(i) would (apart from these Regulations) contravene any of the data protection principles, or (ii) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded;(b) giving a member of the public the confirmation or denial would (apart from these Regulations) contravene Article 21 of the GDPR or section 97 of the Data Protection Act 2017 (right to object to processing);(c) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in paragraph (3A)(a);(d) on a request under section 43(1)(a) of the Data Protection Act 2017 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section;(e) on a request under section 92(1)(a) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.”(7) After that paragraph insert—“(6) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”195_ In regulation 14 (refusal to disclose information), in paragraph (3)(b), for “regulations 13(2)(a)(ii) or 13(3)” substitute “regulation 13(1)(b) or (5A)”.196_ In regulation 18 (enforcement and appeal provisions), in paragraph (5), for “regulation 13(5)” substitute “regulation 13(5A)”.Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)
197_ The Environmental Information (Scotland) Regulations 2004 are amended as follows.198(1) Regulation 2 (interpretation) is amended as follows.(2) In paragraph (1), at the appropriate places, insert—““the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR, and(b) section 32(1) of the Data Protection Act 2017;”;““data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”;““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act);”;““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (2) and (14) of that Act);”.(3) For paragraph (3) substitute—“(3A) In these Regulations, references to the Data Protection Act 2017 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—(a) the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations, and(b) the references to personal data held by such an authority were to be interpreted in accordance with paragraph (2) of this regulation.”199(1) Regulation 11 (personal data) is amended as follows.(2) For paragraph (2) substitute— “(2) To the extent that environmental information requested includes personal data of which the applicant is not the data subject, a Scottish public authority must not make the personal data available if—(a) the first condition set out in paragraph (3A) is satisfied, or(b) the second or third condition set out in paragraph (3B) or (4A) is satisfied and, in all the circumstances of the case, the public interest in making the information available is outweighed by that in not doing so.”(3) For paragraph (3) substitute—“(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(3B) The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene Article 21 of the GDPR (general processing: right to object to processing).”(4) For paragraph (4) substitute—“(4A) The third condition is that any of the following applies to the information—(a) it is exempt from the obligation under Article 15(1) of the GDPR (general processing: right of access by the data subject) to provide access to, and information about, personal data by virtue of provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017, or(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(5) Omit paragraph (5).(6) After paragraph (6) insert—“(7) In determining, for the purposes of this regulation, whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042)
200(1) Regulation 45 of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (sensitive information) is amended as follows.(2) In paragraph (1)(d)—(a) omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and(b) for “(2) or (3)” substitute “(1A), (1B) or (1C)”.(3) After paragraph (1) insert—“(1A) The condition in this paragraph is that the disclosure of the information to a member of the public—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(1B) The condition in this paragraph is that the disclosure of the information to a member of the public would contravene— (a) Article 21 of the GDPR (general processing: right to object to processing), or(b) section 97 of the Data Protection Act 2017 (intelligence services processing: right to object to processing).(1C) The condition in this paragraph is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017,(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or(c) on a request under section 92(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.(1D) In this regulation—“the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 32(1) of the Data Protection Act 2017, and(c) section 83(1) of that Act;“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act);“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act).”(1E) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”(4) Omit paragraphs (2) to (4).INSPIRE Regulations 2009 (S.I. 2009/3157)
201(1) Regulation 9 of the INSPIRE Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.(2) In paragraph (2)—(a) omit “or” at the end of sub-paragraph (a),(b) for sub-paragraph (b) substitute—“(b) Article 21 of the GDPR (general processing: right to object to processing), or(c) section 97 of the Data Protection Act 2017 (intelligence services processing: right to object to processing).”, and(c) omit the words following sub-paragraph (b).(3) After paragraph (7) insert—“(8) In this regulation—“the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 32(1) of the Data Protection Act 2017, and(c) section 83(1) of that Act; “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act);“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act).(9) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (S.I. 2014/3141)
202_ In the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014, omit Part 4 (data protection in relation to police and judicial co- operation in criminal matters).Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (S.R.(N.I.) 2014 No. 224)
203_ In regulation 6 of the Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (applications)—(a) in paragraph (9) omit sub-paragraph (b) and the word “and” before it, and(b) in paragraph (11) omit the definition of “processing” and “sensitive personal data” and the word “and” before it.Control of Poisons and Explosives Precursors Regulations 2015 (S.I. 2015/966)
204_ In regulation 3 of the Control of Poisons and Explosives Precursors Regulations 2015 (applications in relation to licences under section 4A of the Poisons Act 1972)—(a) in paragraph (7) omit sub-paragraph (b) and the word “and” before it, and(b) omit paragraph (8).Provision inserted in subordinate legislation by this Schedule
205_ Provision inserted into subordinate legislation by this Schedule may be amended or revoked as if it had been inserted using the power under which the subordinate legislation was originally made.”
Lord Ashton of Hyde
My Lords, I have had some help from the officials, saying, “We debated this earlier”—which was not very helpful. I am not even sure that it was me who debated it, so I am afraid that I will have to look at what the noble Lord said. I do not have the facts at my fingertips. I will certainly write to him and put a copy of the letter in the Library.
Lord Ashton of Hyde
Lord Ashton of Hyde
Data Protection Bill [HL]
Lord Ashton of Hyde ExcerptsMonday 20th November 2017
(7 years, 1 month ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Baroness O’Neill of Bengarve (CB)
My Lords, I have a question about proposed new subsection (2) in Amendment 153, which says that,
“personal data must not be processed unless an entry in respect of the data controller is included in the register”.
That goes a certain distance, but since enormous amounts of personal data in the public domain are not in the control of any data controller, it is perhaps ambiguous as drafted. Surely it should read, “Personal data must not be processed by a data controller unless an entry in respect of the data controller is included in the register”. If that is the intention, the proposed new clause should say that. If it is not, we should recognise that controlling data controllers does not achieve the privacy protections we seek.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
Could I ask the noble Baroness to repeat which provision she is referring to?
Baroness O’Neill of Bengarve
Subsection (2) of Amendment 153:
“Subject to subsection (3), personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner”.
That would be an adequate formulation if all the personal data being processed was within the control of some data controller. Since much of it is not, the drafting does not quite meet the purpose.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lords for introducing these amendments. Perhaps I may begin by referring to Amendment 153. The requirement set out in the Data Protection Act 1998 for the Information Commissioner to maintain a register of data controllers, and for those controllers to register with the commissioner, was introduced to support the proper implementation of data protection law in the UK and to facilitate the commissioner’s enforcement activity. At the time when it was introduced, it was a feasible and effective measure. However, in the intervening 20 years, the use of data in our society has changed beyond all recognition. In today’s digital age, in which an ever-increasing amount of data is being processed, there has been a correspondingly vast increase in the number of data controllers and the data processing activities they undertake. There are now more than 400,000 data controllers registered with the Information Commissioner, a number which is growing rapidly. The ever-increasing amount and variety of data processing means that it is increasingly difficult and time consuming for her to maintain an accurate central register giving details on the wide range of processing activities they undertake.
The Government believe that the maintenance of such an ever-growing register of the kind required by the 1998 Act would not be a proportionate use of the Information Commissioner’s resources. Rather, as I am sure noble Lords will agree, the commissioner’s efforts are best focused on addressing breaches of individuals’ personal data, seeking redress for the distress this causes and preventing the recurrence of such breaches. The GDPR does not require that a register similar to that created by the 1998 Act be maintained, but that does not mean there is a corresponding absence of transparency. Under articles 13 and 14 of the GDPR and Clauses 42 and 91 of the Bill, controllers must provide data subjects with a wide range of information about their processing activities or proposed processing activities at the point at which they obtain their data.
Nor will there be absence of oversight by the commissioner. Indeed, data controllers will be required to keep records of their processing activities and make those records available to the Information Commissioner on request. In the event of non-compliance with such a request, the commissioner can pursue enforcement action. The only material change from the 1998 Act is that the Information Commissioner will no longer have the burden of maintaining a detailed central register that includes controllers’ processing activities.
I turn now to Amendment 153ZA which would give the Information Commissioner two new duties. The Government believe that both are unnecessary. The first new duty, to verify the proportionality of a controller’s reliance on a derogation and ensure that the controller has adequate systems in place to safeguard the rights of data subjects, is unnecessary because proportionality and adequate safeguards are core concepts of both the GDPR and the Bill. For example, processing is permissible only under a condition listed in Schedule 1 if it is necessary for a reason of substantial public interest. Any provision to require the commissioner to enforce the law is at best otiose and at worst risks skewing the commissioner’s incentives to undertake enforcement action. Of course, if the noble Lord feels that the Bill would benefit from additional safeguards or proportionality requirements, I would be happy to consider them.
The second new duty, to consult on how to support claims taken by UK residents against a data controller based in another territory who has breached their data protection rights, is in our view also unnecessary. As made clear in her international strategy, which was published in June, the Information Commissioner is very aware of the need for international co-operation on data protection issues, including enforcement. For example, she is an active member of the Article 29 Working Party and the Global Privacy Enforcement Network, and her office provides the secretariat for the Common Thread Network, which brings together Commonwealth countries’ supervisory authorities. Only last month, her office led an international sweep of major consumer websites, in which 23 other data protection regulators from around the world participated. Clause 118 of the Bill and article 50 of the GDPR require her to continue that important work, including through engaging relevant stakeholders in discussion and activities for the purpose of furthering international enforcement. Against this background, the Government do not feel that additional prescriptive requirements would add value.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lord. I am just looking through my notes to find the bit that states what determines whether a case is urgent—but, before that, I thought he might like to hear the other things that I have to say.
In addition to the essential role of enforcing data protection law in the UK, the Information Commissioner has a role to play where personal data is processed in accordance with international obligations. We are aware of three cases where the commissioner’s oversight is currently required: the Schengen Information System, the Europol Information System and the Customs Information System. The conventions that establish these systems require the supervisory authority to have free access to national sections.
Clause 117 provides that the commissioner may inspect personal data to fulfil an international obligation, as long as the commissioner notifies the controller and any processor in any case where there is sufficient time to do so. The clause is very similar to Section 54A of the 1998 Act, with one slight change: namely, we have made a general power, which the noble Lord will be pleased to see in the Bill. This is intended simply to eliminate the need to legislate for every system the UK joins or leaves, thereby future-proofing the legislation. The amendment would remove the commissioner’s ability to make such an inspection without prior written notice in cases that the commissioner considers urgent. We certainly expect that the commissioner will not normally need to do that and that it will be the exception rather than the rule. The amendment would therefore be a retrograde step since it changes the position that currently pertains in the 1998 Act.
As to what is and is not urgent—I hasten to add that this has never actually been applied by the Information Commissioner—it is for the Information Commissioner to determine. That is consistent with the existing position, as I mentioned, and it remains appropriate, so that each case can be assessed on its own merits. Of course, if the decision of the Information Commissioner were unreasonable, it would be amenable to judicial review. As I said, there is only one example that we know of when the Information Commissioner has needed to make use of the section at all, which was a routine audit that was not deemed urgent. A hypothetical example might be if the commissioner needed to urgently inspect a system if the need arose in the context of a request for extradition. I hope that the noble Lord is satisfied with my explanation and will feel able to withdraw his amendment.
Lord Stevenson of Balmacara
I thank the Minister; he adequately covered the points and I am happy to withdraw the amendment.
Lord Ashton of Hyde
My Lords, I am very grateful to the noble Lord, Lord Stevenson, for tabling this amendment, which allows us to return to our discussions on data ethics, which were unfortunately curtailed on the last occasion. The noble Lord invited me to give him a few choice words to summarise his amendments. I can think of a few choice words for some of his other amendments, but today I agree with a lot of the sentiment behind this one. It is useful to discuss this very important issue, and I am sure we will return to it. The noble Lord, Lord Puttnam, brought the 1931 Highway Code into the discussion, which was apposite, as I think the present Highway Code is about to have a rewrite due to autonomous vehicles—it is absolutely right, as he mentioned, that these codes have to be future-proofed. If there is one thing we are certain of, it is that these issues are changing almost by the day and the week.
The noble Lord, Lord Stevenson, has rightly highlighted a number of times during our consideration of the Bill that the key issue is the need for trust between individuals and data controllers. If there is no trust in what is set up under the Bill, then there will not be any buy-in from the general public. The noble Lord is absolutely right on that. That is why the Government are committed to setting up an expert advisory body on data ethics. The noble Lord mentioned the HFEA and the Committee on Climate Change, which are interesting prior examples that we are considering. I mentioned during our last discussion that the Secretary of State was personally leading on this important matter. He is committed to ensuring that just such a body is set up, and in a timely manner.
However, although I agree with and share the intentions that the noble Lord has expressed through this amendment, which other noble Lords have agreed with, I cannot agree with the mechanism through which he has chosen to express them. When we previously debated this topic, I was clear that we needed to draw the line between the function of an advisory ethics body and the Information Commissioner. The proposed ethics code in this amendment is again straddling this boundary.
Our new data protection law as found in this Bill and the GDPR will already require data controllers to do many of the things found in this amendment. Securing personal data, transparency of processing, clear consent, and lawful sharing and use are all matters set out in the new law. The commissioner will produce guidance, for that is already one of her statutory functions and, where the law is broken, the commissioner will be well equipped with enforcement powers. The law will be clear in this area, so all this amendment will do is add a layer of complexity.
The Information Commissioner’s remit is to provide expert advice on applying data protection law. She is not a moral philosopher. It is not her role to consider whether data processing is addressing inequalities in society or whether there are public benefits in data processing. Her role is to help us comply with the law to regulate its operation, which involves fairly handling complaints from data subjects about the processing of their personal data by controllers and processors, and to penalise those found to be in breach. The amendment that the noble Lord has tabled would extend the commissioner’s remit far beyond what is required of her as a UK supervisory authority for data protection and, given the breadth of the code set out in his amendment, would essentially require the commissioner to become a regulator on a much more significant scale than at present.
This amendment would stretch the commissioner’s resources and divert from her core functions. We need to examine the ethics of how data is used, not just personal data. However, the priority for the commissioner is helping us to implement the new law to ensure that the UK has in place the comprehensive data protection regime that we need and to help to prepare the UK for our exit from the EU. These are massive tasks and we must not distract the commissioner from them.
There is of course a future role for the commissioner to work in partnership with the new expert group on ethics that we are creating. We will explore that further once we set out our plans shortly. It is also worth noting that the Bill is equipped to future-proof the commissioner to take on this role: under Clause 124, the Secretary of State may by regulation require the commissioner to produce appropriate codes of practice. While the amendment has an arbitrary shopping list, much of which the commissioner is tasked with already, the Bill allows for a targeted code to be developed as and when the need arises.
The Government recognise the need for further credible and expert advice on the broader issues of the ethical use of data. As I mentioned last week, it is important that the new advisory body has a clearly defined role focused on the ethics of data use and gaps in the regulatory landscape. The body will as a matter of necessity have strong relationships with the Information Commissioner and other bodies that have a role in this space. For the moment, with that in mind, I would be grateful if the noble Lord withdrew his amendment. As I say, we absolutely understand the reasons behind it and we have taken on board the views of all noble Lords in this debate.
Lord Clement-Jones
My Lords, do the Minister or the Government yet have a clear idea of whether the power in the Bill to draw up a code will be invoked, or whether there will be some other mechanism?
Lord Ashton of Hyde
At the moment, I do not think there is any anticipation for using that power in the near future, but it is there if necessary in the light of the broader discussions on data ethics.
Lord Clement-Jones
So the Minister believes it is going to be the specially set-up data ethics body, not the powers under the Bill, that would actually do that?
Lord Ashton of Hyde
I do not want to be prescriptive on this because the data ethics body has not been set up. We know where we think it is going, but it is still to be announced and the Secretary of State is working on this. The legal powers are in the Bill, and the data ethics body is more likely to be an advisory body.
Lord Stevenson of Balmacara
I thank all noble Lords who have contributed to this debate. It has been a short but high-quality one that has done a lot to tease out some of the issues behind the amendment. I am grateful to the noble Lord, Lord Clement-Jones, for his kind words about what I was saying, but also for reminding me that there were other groups working on this. I absolutely agree that the IEEE is one of the best examples of thinking on this; it may come from a strange source, in the sense that it is a professional body involved more with the electronic side of things, but the wording of the report that I saw was very good and bore very firmly on the issues in this amendment.
So where are we? We seem to be sure that a body will be set up that will be at least advisory in terms of the issues that we are talking about, although I think the Minister was leaving us with the impression that the connection would be made outside the Bill, not within it. That is possibly a bit of a mistake; I think a case is now developing, along the lines set out by my noble friend Lord Puttnam, that we need to see both sides of this in the Bill. We do not need to see the firm regulatory action, the need to comply with the law and the penalties that can be applied by the regulator, the Information Commissioner, but we need to see a context in order to build trust and allow people to understand better what the future growth, change and trends in this area will be, because they are concerned about them. I do not think you can do that if these bodies are completely separate. I suspect we need to be surer about how the connections are to be made, and we will gain if there is in fact a proper connection between the two.
If the Information Commissioner is not to be a moral philosopher—who needs moral philosophers when there are so many around?—she will certainly need to have good advice, which can come only from expertise gathered around the issues that we have been talking about. That is not the same as making sure that she is robust about people applying the law; the difference there is the reason why we want to do that.
The other half of this equation is that it may well be fine for an advisory body to opine about where the moral climate is going and where ethics might take you in practice, but if the companies concerned are not practising what they are hearing, we will be no further forward. Surely a code will have to be devised, whether now or later, to make sure that the lessons learned, the information gathered and the blue sky thinking that is around actually bite on those who are affecting our individuals—whether they be young, vulnerable or adult—and that they are fully compliant with all the aspects of what they have signed up to. We will need to come back to this but, in the meantime, I beg leave to withdraw the amendment.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Baroness, Lady Hamwee, for tabling these amendments. I know that the Bar Council has raised similar concerns with officials in my department and I am keen that that dialogue continue.
Before I address the amendments, I would like to say something about the overarching principles in relation to the interaction between data protection and legal professional privilege.
The right of a person to seek confidential advice from a legal adviser is indeed, as my noble friend Lord Arbuthnot said, a fundamental right of any person in the UK and a crucial part of our legal system. The Government in no way dispute that, and I reassure noble Lords that this Bill does not erode the principle of legal professional privilege.
It is true that the Data Protection Act 1998 allows the Information Commissioner to use her powers to investigate alleged data breaches by law firms, and sometimes the information she requests in order to carry out a thorough investigation may contain information which is subject to legal professional privilege. The commissioner recognises the sensitivity of material protected by legal professional privilege and has established processes in place for protecting it. Any material identified by the data controller as privileged is isolated if seized during a search and it is then sent directly to independent counsel for review. Counsel then provides an opinion on whether privilege applies. If counsel decides that the data is not privileged, the data controller can still dispute the Information Commissioner’s right to access that material and has the right to appeal to a tribunal, which will carry out a full merits review.
The Government are seeking only to replicate, as far as possible, in the current Bill the existing provisions relating to legal professional privilege in the 1998 Act. It is, for example, vital that the Information Commissioner retains the power to investigate law firms. They, like other data controllers, can make mistakes. If personal data is lost, stolen or disclosed unlawfully, that can have serious consequences for data subjects. It is right that the Information Commissioner retains the ability to investigate potential breaches by lawyers. They are not above the law.
As a final point of principle before we examine the amendments in detail, it is also worth highlighting that Clause 128 introduces a new requirement for the Information Commissioner to publish guidance on how legally privileged material obtained in the course of her investigations will be safeguarded. There was no similar requirement in the 1998 Act, so in that respect the current Bill actively strengthens protections for legal professional privilege. This has been included because historically the commissioner has found that a minority of those in the legal profession refuse to allow her access to personal data on the basis that it is privileged. The profession has not always understood that it must disclose the data and that the commissioner then has processes and procedures to protect that data. This guidance will make it clearer to the legal profession that robust safeguards are in place.
I turn to the amendments in this group. As I have said, Clause 128 provides that the Information Commissioner must publish guidance on the safeguards in relation to legally privileged communications. Amendments 161A and 161B would amend subsection (1) to clarify that any guidance published by the commissioner should cover the handling of any “confidential legal materials” as well as any communications between legal adviser and client. Amendment 161D would then introduce a wide definition of “confidential legal materials”. This, in our view, is unnecessary. I have no doubt that the Information Commissioner will interpret this to include draft communications.
Bills have grown in length over the years and, if we were to cover off permutations and combinations of processing and preparatory work such as this in every clause, we would be debating this Bill until next summer. We would also, through overdefinition, create more worrying loopholes.
Amendment 161C would make further provision about the purposes of the guidance published by the Information Commissioner. It has been suggested that the aim of the guidance should be to make it clear that nobody can access legally privileged material without the consent of the client who provided the material in the expectation that it would be treated in confidence. As I have already said, it is vital that the Information Commissioner retains the ability to investigate, and this amendment would call that into question because an investigation could not happen if the client withheld consent. I hope that the reassurances I have already given about the lengths to which the Information Commissioner will go to keep any confidential information safe are sufficient on that point. We are clear that the commissioner must have the right to investigate.
I said I would return to the issue of the Information Commissioner’s enforcement powers and the interaction with legal professional privilege. When there is a suspected breach of the data protection legislation, the commissioner has a number of tools available to aid her investigation. The commissioner can use information notices and assessment notices to request information or access filing systems, use enforcement notices to order a data controller to stop processing certain data or to correct bad practices, and issue monetary penalty notices to impose fines for breaches of the data protection legislation. However, we understand from the commissioner that the powers to issue assessment notices and information notices are rarely used because controllers tend to co-operate with her request. There are, however, a number of restrictions on the use of these enforcement powers where they relate to legally privileged information. In relation to information notices these are set out in Clause 138, and in relation to assessment notices they are set out in Clause 141. The restrictions ensure that a person is not required to provide legally privileged information. The concept of legal privilege is therefore preserved, although it may be waived by the controller or processor.
Amendments 162A, 162B, 162C, 163ZA and 163ZB intend to broaden the restrictions in Clauses 138 and 141 regarding information and assessment notices so that they apply explicitly to all legally privileged communications, not just those which concern proceedings under data protection legislation. The Government carefully considered whether these restrictions should apply to a wider range of legally privileged material when we developed the Bill. The current practice is for the ICO to appoint independent counsel to assess all potentially legally privileged material, which is not therefore passed on to the ICO if found to be privileged.
Amendment 163B seeks to apply the same restrictions that apply to assessment and information notices to enforcement notices. While we understand that this amendment derives from a concern that there may be a gap in the enforcement notice provisions, as there is currently no reference in those provisions to protecting legal professional privilege I can reassure noble Lords that such provision is unnecessary because, unlike information and assessment notices, enforcement notices cannot be used to require a person to provide the commissioner with information, only to require the controller to correct bad practice.
Finally, I turn to Amendment 164B, which aims to add to the list of matters in Clause 148 that the Information Commissioner must consider when deciding whether to give a data controller a penalty notice and determining the amount of the penalty. If a legal adviser failed to comply with an information or assessment notice because the information concerned was legally privileged, it would require the Information Commissioner to take this into account as a mitigating factor when deciding whether to issue a penalty notice and setting the level of financial penalty. Clause 126 specifically provides that the duty of confidence should not preclude a legal adviser from sharing legally privileged material with the Information Commissioner. As I have previously explained, there are strict procedures in place to protect privileged material.
We have given all these amendments careful consideration, but I hope that I have convinced the Committee that the Bill already strikes the correct balance between the right to legal professional privilege and the rights and freedoms of data subjects. With that, I hope that the noble Baroness feels able to withdraw her amendment.
Baroness Hamwee
My Lords, indeed I will. The Minister mentioned continuation of dialogue. That, of course, is the right way to address these things, but I believe the Bar Council seeks to do what he says the Bill does: replicate the current arrangements.
If it is not necessary to provide specifically for confidential material, I suspect those who drafted these amendments may want to look again at the definition of “privileged communications” to see whether it is adequate. I do not believe they would have gone down this route had they been content with it.
On the amendments that would extend protections to all legally privileged material, not just data protection items—Amendment 162A and so on refer to any material—I am not clear why there is a problem with the extension under a regime such as the one the Minister described. That would catch material and deal with it in the same way as any other. I do not know whether there is a practical problem here.
On Amendment 164B the Minister directed us to Clause 126. Again, I am not sure whether he is suggesting there might be a practical problem. It seems an important amendment, not something that should be dealt with by reading between the lines of an earlier clause. However, I will leave it to those who are much more expert than I am to consider the Minister’s careful response, for which I thank him. I beg leave to withdraw the amendment.
Lord Ashton of Hyde
My Lords, I thank the noble Lord for introducing his amendments, which touch on the fees that the Information Commissioner will be able to charge under the new regime. Noble Lords will recall that we discussed similar issues during the passage earlier this year of what became the Digital Economy Act. Perhaps I may start with some of the general points made by the noble Lord and then go on to address his specific amendments. I agree absolutely that this is a bigger issue than just the amendments; it is the question of how the Information Commissioner, to whom we have given these very important duties, will be able to sustain an effective service. I can assure the noble Lord that we are aware of and understand the specific problem he outlined about staff. In fact, I was present at a meeting three or four weeks ago at which we discussed that exact subject. Part of the issue to deal with that will, I hope, be addressed in the near future, in ways that I cannot talk about tonight.
On the noble Lord’s general question as to whether it is an adequate system, we believe that the suggested system is flexible enough to deal with the requirements of the Information Commissioner. We realise that increased burdens will be placed on her; at the moment, I believe that her office has not raised its fees for 18 years. Of course, the number of data controllers has risen, so the rate applies to a greater number of people. We will lay some statutory instruments that will deal with the fees for the Information Commissioner in the near future, so I am sure that we will come back to that.
On the specific amendments the noble Lord has tabled, Clause 129 permits the Information Commissioner to charge a “reasonable fee” when providing services to data controllers and other persons who are not data subjects or data protection officers. This is intended to cover, for example, the cost to the commissioner of providing bespoke training for a data controller. Amendment 161E would place a requirement on the commissioner to publish guidance on what constitutes a “reasonable fee” within three months of Royal Assent. We agree that data controllers and others should know what charges they should expect to pay before they incur them. However, the Government’s view is that this is already provided for through Clause 131, which requires that the commissioner produce and publish guidance about any fees that she proposes to charge for services under Clause 129. As there is already a requirement for the commissioner to publish guidance in advance of setting any fees, the Government do not consider a particular deadline necessary.
Amendment 161F would remove Clause 132(2) completely. I am concerned that the amendment would create ambiguity in an area where clarity is desirable. Clause 132 makes provision for a general charging regime in the absence of a compulsory notification regime like that provided in the 1998 Act. Clause 132(2) clarifies that the regime could require a data controller to pay a charge regardless of whether the Information Commissioner had provided, or would provide, a “service” to that controller. This maintains the approach that is currently in force under the 1998 Act—namely, that most data controllers are required to pay a fee to the commissioner whether or not a service is provided to them—and is intended to meet the costs of regulatory oversight.
The consultation on the new charging regime recently closed and the Government intend, as I said, to bring forward regulations setting out the proposed fees under the new regime early in the new year. No final decision has yet been taken in relation to those fees, but, as I committed to during the passage of what became the Digital Economy Act, charges will continue to be based on the principle of full cost recovery and, in line with the current model, fee levels will be determined by the size and turnover of an organisation but will also take account of the volume of personal data being processed by the organisation. That partly addresses the point made by the noble Lord.
Amendment 161G addresses a concern raised by the Delegated Powers and Regulatory Reform Committee that the fees regime established by Clause 132 should not raise excess funds beyond what is required to cover the costs of running the Information Commissioner’s Office. I must confess to a sense of déjà vu; we debated a very similar amendment in the Digital Economy Act. The Government are considering their response to the committee’s report, but they remain concerned that there should be sufficient flexibility within the new fees regime to cover the additional functions that the commissioner will be taking on under the new regime and any other changes that may be dictated by operational experience, once the new regime has bedded in. Indeed, if anything, the merit of having some limited flexibility in this regard is even clearer now than it was in March when we debated the Digital Economy Act.
I confirm once again that charges will be on the basis of full cost recovery. We take on board the point made by the noble Lord, Lord Stevenson, that the commissioner must be able to make sufficient charges to undertake and fulfil the requirements that we are asking of her.
Finally, on Amendment 161H, I can reassure the noble Lord that the Information Commissioner already prepares an annual financial statement, in accordance with paragraph 11 of Schedule 12 to the Bill, which is laid before Parliament. In addition, there may be occasions where the Secretary of State needs up-to-date information on the commissioner’s expenses mid-year—in order, for example, to set a fees regime that neither under-recovers nor over-recovers those costs. That is why Clause 132(5) is constructed as it is.
I hope that I have addressed the noble Lord’s concerns both in general and in particular and that he will feel able not to press his amendments.
Lord Paddick
My Lords, I do not know whether I am getting confused here. The Minister referred to Clause 132(2), about the power for the Information Commissioner to require data controllers to pay a charge regardless of whether the commissioner has provided, or proposes to provide, a service to the controller. How can that be done if there is to be no requirement for data controllers to register with her?
Lord Ashton of Hyde
There is a duty for data controllers to pay a charge to the Information Commissioner in the same way as there is a duty today for data controllers to register with the Information Commissioner. The duty applies in both circumstances. In some cases, some data controllers do not register with the Information Commissioner—they are wrong not to do so, but they do not. In the same way, it is possible that some data controllers may not pay the charge that they should. In both cases, in today’s regime and that proposed, there is a duty on data controllers to perform the correct function that they are meant to perform. Controllers do not all register with the Information Commissioner today, although they should, and may not pay their charges. Under the new regime, they should, and an enforcement penalty is able to be levied if they do not.
Lord Stevenson of Balmacara
I am grateful to the Minister for his full response to the group of amendments. I shall look at it carefully in Hansard before we come back on it. Concerns were expressed in other Committee sittings about the burden placed on charities and SMEs, many of which will find the costs they are now required to pay an additional burden—we have seen some figures suggesting that there will be quite a big drag on some smaller companies. The consultation should at least have identified that concern and the Government will be aware of it. If the three-tier system is to be capable of looking at volumes—the implication of what the Minister said is that big international companies will pay more because the volume of the data they process is much greater—there will be equity in that. We will look at how that progresses, but we seem to be on the right lines.
By and large, the thrust of what I was trying to say is that there needs to be a modern response to this system in terms of what is available out there in the marketplace. If a company is paying Ofcom for the regulatory function it provides, it should not be that different if it is also paying the Information Commissioner for what services it provides, because they are two sides of the same coin. On the DPRRC amendment, I note what the noble Lord said and look forward to his further discussion with the Committee on that point. On the broader question about the ICO, there were two points that were not responded to, but perhaps we can look at that again offline.
The great advantage of the new type of regulator exemplified by Ofcom—there are many more examples—is that it is trusted, not just by government but also by industry, to set its own fees and charges in a businesslike way. Indeed, we get responses all the time about how well Ofcom does in satisfying what is required. Of course, if there is a problem about fees—and the Minister said he is on to it—one solution is to ensure that the ICO has that freedom to set the fees and charges appropriate for the work that needs to be done. I think she is probably in a better place to do that than anyone else.
Lord Ashton of Hyde
Lord Ashton of Hyde
English Churches and Cathedrals Sustainability Review
Lord Ashton of Hyde Excerpts(7 years, 1 month ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Beith (LD)
My Lords, I beg leave to ask the Question standing in my name on the Order Paper and, in doing so, declare my registered interest as president of the Historic Chapels Trust.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I understand that the chair and the panel are currently finalising the report and recommendations in consultation with key stakeholders. It is hoped that they will submit the report to the Chancellor and the Secretary of State for DCMS before the end of the year.
Lord Beith
I thank the Minister for that reply, but does he realise how much concern there has been at the ending of the Heritage Lottery Fund’s dedicated scheme for major repairs to historic places of worship? Do the Government hope that the sustainability review report to which he referred will provide some answer and will it open some doors in the Treasury? If it does, what will be the position of non-conformist and Roman Catholic historic buildings, which do not fall within the remit of that sustainability review?
Lord Ashton of Hyde
Of course, I understand the implications of the HLF’s fairly sudden decision to close the grants for the places of worship scheme. As a result, the Minister responsible has had discussions with the HLF. I am pleased to say that it has guaranteed to make available the same proportion for the next two years, so the funding will continue. As for other faiths, it is true that the review concentrates on the Church of England, but any lessons learned from that can be taken forward and applied to other faiths. The main government funding, of course, applies to other faiths.
Lord Cormack (Con)
My Lords, does my noble friend accept that some comfort will be drawn from his words, but does he also accept that the churches and cathedrals of this country, of which Lincoln is a prime example, are among the glories of the western world? Will he recognise that the generosity of the former Chancellor of the Exchequer, George Osborne, in giving £50 million towards the repair and restoration of cathedrals was most welcome but it is a tiny sum of money compared with the importance of the buildings? Can we have an assurance that the Government will repeat that largesse in the very near future?
Lord Ashton of Hyde
The Government have already committed to maintaining the funding until 2020. In fact, there is a good story to tell: over the past 40 years —so this includes Governments of both colours— £1.36 billion has been spent on historic places of worship. During the 2014-16 period, an exceptional total of £185 million per year was spent. Of course, the fund that my noble friend mentioned was just one area in which the Government have spent money. As a result of this 40 years of taxpayers’ money being spent on them, only 4% of those listed places of worship are on the at-risk register.
Lord Morgan (Lab)
My Lords, is it not the case that, in France, churches and cathedrals are admirably resourced, even in the most remote areas of the countryside? That is because the state assists with the physical problems of churches. The explanation there is that the people of France, like the people of Wales, have the benefit of a disestablished church.
Lord Ashton of Hyde
As I said, the listed places of worship grant scheme applies to all faiths. The taxpayer has spent an extra £95 million in the past two years to support places of worship. As I mentioned in the previous answer, I think that we are in a pretty good place.
The Lord Bishop of Ely
My Lords, I am very grateful to the noble Lord, Lord Cormack, for his intervention, Lincoln having recently won a favourite cathedral award—Ely is not too bad either. Of course, these churches, cathedrals and chapels are part of our shared heritage, but does the Minister agree that even more important is the work undertaken by cathedrals and churches in food banks, in supporting economic regeneration and in working with homeless people and the lonely, especially in remote parts of the country? Does he agree that the Government should endorse that work and will he encourage the way in which they can support it through the use and deployment of these buildings?
Lord Ashton of Hyde
Of course I agree with the right reverend Prelate that one way that churches can remain relevant is to involve themselves with things that go on in their community. That is exactly what the review is going to look at, among other things, including the uses of listed buildings for purposes beyond worship and what barriers prevent that happening.
Lord Shutt of Greetland (LD)
My Lords, will the Minister make it clear that there must be parity of esteem, when any state resources are being used, between churches of the established Church and nonconformist churches, chapels, meeting houses or Roman Catholic churches, which are not covered by many of the schemes that cover the established Church?
Lord Ashton of Hyde
That is precisely why the Listed Places of Worship Grant Scheme covers all faiths.
Lord Tebbit (Con)
My Lords, will my noble friend correct our noble friend Lord Cormack? The former Chancellor did not give any of his money to these projects; he merely acted as a siphon for taxpayers’ money. The Chancellor of the Exchequer does not have any money.
Lord Ashton of Hyde
I cannot comment on the former Chancellor’s personal finances, but I understand the point—I think it was implicit in what my noble friend Lord Cormack said.
Data Protection Bill [HL]
Lord Ashton of Hyde ExcerptsMonday 13th November 2017
(7 years, 1 month ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV Fourth marshalled list for Committee (PDF, 151KB) - (13 Nov 2017)
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I am grateful to all noble Lords who have spoken and for the opportunity to speak to Schedule 1 in relation to an industry in which I spent many years. I accept many of the things that the noble Earl, Lord Kinnoull, described and completely understand many of his points—and, indeed, many of the points that other noble Lords have made. As the noble Lord, Lord Clement-Jones, said, I have taken the noble Earl’s examples to heart, and I absolutely accept the importance of the insurance industry. The Government have worked with the Association of British Insurers and others to ensure that the Bill strikes the right balance between safeguarding the rights of data subjects and processing data without consent when necessary for carrying on insurance business—and a balance it must be. The noble Lord, Lord Stevenson, alluded to some of those issues when he took us away from the technical detail of his amendment to a higher plane, as always.
The noble Earl, Lord Kinnoull, and the noble Lords, Lord Clement-Jones and Lord Stevenson, have proposed Amendments 45B, 46A, 47, 47A, 48A and 50A, which would amend or replace paragraphs 14 and 15 of Schedule 1, relating to insurance. These amendments would have the effect of providing a broad basis for processing sensitive types of personal data for insurance-related purposes. Amendment 45B, in particular, would replace the current processing conditions for insurance business set out in paragraphs 14 and 15 with a broad condition covering the arrangement, underwriting, performance or administration of a contract of insurance or reinsurance, but the amendment does not provide any safeguards for the data subject.
Amendment 47 would amend the processing condition relating to processing for insurance purposes in paragraph 14. This processing condition was imported from paragraph 5 of the 2000 order made under the Data Protection Act 1998. Removal of the term might lessen the safeguards for data subjects, because insurers could potentially rely on the provisions even where it was reasonable to obtain consent. I shall come to the opinions of the noble Earl, Lord Erroll, on consent in a minute.
Amendments 46A, 47A, 48A and 50A are less sweeping, but would also remove safeguards and widen the range of data that insurers could process to far beyond what the current law allows. The Bill already contains specific exemptions permitting the processing of family health data to underwrite the insured’s policy and data required for insurance policies on the life of another or group contract. We debated last week a third amendment to address the challenges of automatic renewals.
These processing conditions are made under the substantial public interest derogation. When setting out the grounds for such a derogation, the Government are limited—this partly addresses the point made by the noble Lord, Lord Stevenson—by the need to meet the “substantial public interest test” in the GDPR and the need to provide appropriate safeguards for the data subject. A personal or private economic or commercial benefit is insufficient: the benefits for individuals or society need to significantly outweigh the need of the data subject to have their data protected. On this basis, the Government consider it difficult to justify a single broad exemption. Taken together, the Government remain of the view that the package of targeted exemptions in the Bill is sufficient and achieves the same effect.
Nevertheless, noble Lords have raised some important matters and the Government believe that the processing necessary for compulsory insurance products must be allowed to proceed without the barriers that have been so helpfully described. The common thread in these concerns is how consent is sought and given. The noble Earl, Lord Kinnoull, referred to that and gave several examples. The Information Commissioner has published draft guidance on consent and the Government have been in discussions with her office on how the impact on business can be better managed. We will ensure that we resolve the issues raised.
I say to the noble Earl, Lord Erroll, that consent is important and the position taken by the GDPR is valid. We do not have a choice in this: the GDPR is directly applicable and when you are dealing with data, it is obviously extremely important to get consent, if you can. The GDPR makes that a first line of defence, although it provides others when consent is not possible. As I say, consent is important and it has to be meaningful consent, because we all know that you can have a pre-tick box and that is not what most people nowadays regard as consent. Going back to the noble Earl, Lord Kinnoull—
Lord Clement-Jones
My Lords, I am sorry to interrupt. The Minister mentioned the guidance from the Information Commissioner. From what he said, I assume he knows that the insurance industry does not believe that the guidance is sufficient; it is inadequate for its purposes. Is he saying that a discussion is taking place on how that guidance might be changed to meet the purposes of the insurance industry? If it cannot be changed, will he therefore consider amendments on Report?
Lord Ashton of Hyde
Of course, it is not for us to tell the Information Commissioner what guidance to issue. The guidance that has been issued is not in all respects completely helpful to the insurance industry.
The Earl of Kinnoull
Following up the noble Lord’s point, I would like to say a couple of things. First, I sort of understand where the Information Commissioner’s Office is coming from. I have article 7 in my hands, which contains the definition of consent from the GDPR, and article 9(2)(a). My concern is that even if the Government are very nice to an Information Commissioner and persuade them to change the guidance, it could change at any time. It is important to ensure that the Bill will work for the ordinary man in the street. As for compulsory classes, it is not about looking after the insurers but every small business in Britain and every small person who wants to get motor insurance, especially those who have problems with either criminal convictions or their health.
Lord Ashton of Hyde
I agree; I think I mentioned compulsory classes before. Going back to the guidance, we are having discussions. We have already had constructive discussions with the noble Earl, and we will have more discussions on this subject with the insurance industry, in which he has indicated that he would like to take part. I am grateful to him for coming to see me last week.
Lord Clement-Jones
My Lords, I am sorry to interrupt the Minister again but he is dealing with important concepts. Right at the beginning of his speech he said he did not think this could be covered by the substantial public interest test. Surely the continuance of insurance in all those different areas, not just for small businesses but for the consumer, and right across the board in the retail market, is of substantial public interest. I do not quite understand why it does not meet that test.
Lord Ashton of Hyde
I may have misled the noble Lord. I did not say that it does not meet the substantial test but that we had to balance the need to meet the substantial public interest test in the GDPR and the need to provide appropriate safeguards for the data subject. I am not saying that those circumstances do not exist. There is clearly substantial public interest that, as we discussed last week, compulsory classes of insurance should be able to automatically renew in certain circumstances. I am sorry if I misled the noble Lord.
We realised that there are potentially some issues surrounding consent, particularly in the British way of handling insurance where you have many intermediaries, which creates a problem. That may also take place in other countries, so the Information Commissioner will also look at how they address these issues, because there is meant to be a harmonious regime across Europe. The noble Earl has agreed to come and talk to us, and I hope that on the basis of further discussions, he will withdraw his amendment.
Lord Stevenson of Balmacara
I followed the Minister quite well until the last exchange, where I got a bit confused. Is he saying in some sense that there may be a case for two types of derogation: that that which applies to compulsory insurance—there are strong public interest reasons why it should be continued—might be done under one derogation and the rest raised as more specific items, as suggested by the noble Earl?
Lord Ashton of Hyde
We can break it down simply between compulsory and non-compulsory classes. Some classes may more easily fulfil the substantial public interest test than others. In balancing the needs, it goes too far to give a broad exemption for all insurance, so we are trying to create a balance. However, we accept that compulsory classes are important.
Lord Clement-Jones
I am sure that the noble Earl, Lord Kinnoull, will come back at greater length on this. The issue that the Minister has outlined is difficult, partly because the Information Commissioner plays and will play such an important role in the interpretation of the Bill. When the Government consider the next steps and whether to table their own amendments or accept other amendments on Report, will they bring the Information Commissioner or her representative into the room? It seems that the guidance and the interaction of the guidance with the Bill—and, eventually, with the Act—will be of extreme importance.
Lord Ashton of Hyde
I agree, which is why I mentioned the guidance that the Information Commissioner has already given. I am certainly willing to talk to her but it is not our place to order her into the room. However, we are constantly talking to her, and there is absolutely no reason why we would not do so on this important matter.
The Earl of Kinnoull
I thank all noble Lords who have taken part in this short but interesting debate. Of course, the Information Commissioner reports to Parliament, so if we held a meeting here, we probably could ask her, quite properly, to come. That might be quite helpful in this complex area. As I said, when you mess around in these areas, the person who suffers is the man in the street, not the insurance companies. The noble Lord, Lord Stevenson of Balmacara, in particular made a number of interesting points in speaking to his amendment, which need to go into the mix as regards how we sort through this difficult area.
I am very grateful to the Minister for confirming that we will continue discussions in this area. I do not think for a moment that I necessarily have all the right answers, but we have started on the journey and will continue. We will certainly be talking about the same issues again in different formats on Report and I look forward to that very much. On that basis, I beg leave to withdraw the amendment.
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
“15A(1) This condition is met if—(a) the processing is necessary for the purposes of—(i) automatically renewing a pre-GDPR insurance contract, or(ii) carrying out, or managing the expiry of, an insurance contract resulting from the automatic renewal of a pre-GDPR insurance contract,(b) the controller has taken reasonable steps to obtain the data subject’s consent to the processing of personal data necessary for those purposes in accordance with sub-paragraph (2), and(c) the controller is not aware of the data subject withholding such consent. (2) The steps described in sub-paragraph (1)(b) must have been taken—(a) in the case of a contract which automatically renews after a period of less than 10 months, on at least one automatic renewal of the contract in each period of 12 months that has ended since 25 May 2018;(b) in any other case, each time the contract has automatically renewed since 25 May 2018.(3) For the purposes of this paragraph, an insurance contract is automatically renewed if—(a) a new insurance contract between the same parties is made without the insured person taking any steps, and(b) the new contract provides cover which is the same as, or substantially similar to, the cover provided by the expired contract,and references in this paragraph to the automatic renewal of a contract include both the first automatic renewal on the expiry of that contract and subsequent automatic renewal originating with that contract.(4) For the purposes of sub-paragraph (3)(a), the new contract and the expired contract are to be treated as made with the same insurer if they are made with different insurers but arranged by the same intermediary.(5) In this paragraph—“insurance contract” means a contract of general insurance or long-term insurance;“insurer” means a person carrying on business which consists of effecting or carrying out insurance contracts;“pre-GDPR”, in relation to an insurance contract, means made before 25 May 2018.(6) Terms used in the definition of “insurance contract” in sub-paragraph (5) and also in an order made under section 22 of the Financial Services and Markets Act 2000 (regulated activities) have the same meaning in that definition as they have in that order.”
Baroness Hamwee (LD)
My Lords, the noble Lord referred to the rules as a bit grey and asked for clarity for the volunteer army. I should declare an interest as a foot soldier in that volunteer army.
The noble Lord’s request that party officials should be involved in this process is a good one—I would have thought they would have been. The Minister should be aware of my first question as I emailed him about this, over the weekend I am afraid. Has the Electoral Commission been involved in these provisions?
The noble Lord mentioned the electoral register provided by a local authority. My specific question is about the provision, acquisition and use of a marked electoral register. For those who are not foot soldiers, that document is marked up by the local authority, which administers elections, to show which electors have voted. As noble Lords will understand, this is valuable information for campaigning parties and can identify whether an individual is likely to turn out and vote and so worth concentrating a lot of effort on. I can see that this exercise could be regarded as “campaigning” under paragraph 17(4) of Schedule 1. However, it is necessary, although I do not suppose that every local party in every constituency makes use of the access it has. It is obvious to me that this information does not reveal political opinions, which is also mentioned in the provisions. I would be grateful to hear the Minister’s comments. I am happy to wait until a wider meeting takes place, but that needs to be before Report.
I want to raise a question on a paragraph that is in close geographical proximity in the Bill—I cannot see another place to raise the issue and it occurred to me only yesterday. Why are Members of the House of Lords not within the definition of “elected representatives”? We do not have the casework that MPs do, but we are often approached about individual cases and some Peers pursue those with considerable vigour. This omission—I can see a typo in the email that I sent to the Minister about this; I have typed “mission” but I meant “omission”—is obviously deliberate on the part of the Government.
Lord Ashton of Hyde
My Lords, I begin by repeating, almost word-for-word, the noble Lord, Lord Kennedy: engaging voters is important in a healthy democracy. In order to do that, political parties, referendum campaigners and candidates will campaign using a variety of communication methods. However, they must comply with the law when doing so, and this includes the proper handling of the personal data they collect and hold.
Noble Lords will be aware that the Information Commissioner recently announced that she was conducting an assessment of the data protection risks arising from the use of data analytics, including for political purposes. She recognises that this is a complex and rapidly evolving area where organisations use a person’s internet or public profile to target communications or messaging. The level of awareness among the public about how data and analytics work and how their personal data is collected, shared and used through such tools is low. What is clear is that these tools have a significant potential impact on an individual’s privacy, and the Government welcome the commissioner’s focus on this issue. It is against this backdrop that we considered the amendments of the noble Lord.
The amendments seek to amend a processing condition relating to political parties in paragraph 17. The current clause permits political parties to process data revealing political opinions, provided that it does not cause substantial damage or substantial distress. This replicates the existing wording in the Data Protection Act 1998. I have said that political campaigning is a vital democratic activity but it can also generate heated debated. Removal of the word “substantial” could mean that data processing for political purposes which caused even mild offence or irritation becomes unlawful. I am sure noble Lords would agree that it is vital that the Bill, while recognising the importance of adequate data protection standards, does not unduly chill such an important aspect of the UK’s democracy. For that reason I ask the noble Lord to withdraw the amendments.
I thank the noble Lord for allowing me to reply later to his list of questions. I found it difficult to copy them down, let alone answer them all, but I take the point. In many instances we are all in the same boat on this, as far as political parties are concerned. I shall of course be happy to meet with him, and I take the point about who should attend. I am not sure it will be next week, when we have two days in Committee, but we will arrange it as soon as possible. I will have to get a big room because my office is too small for all the people who will be coming. I take the points the noble Lord made in his questions and will address them in the meeting.
The noble Baroness, Lady Hamwee, asked whether the Electoral Commission had been consulted. It did not respond to the Government’s call for views which was published earlier this year, and we have not solicited any views explicitly from it beyond that.
The noble Baroness also asked about the provision, acquisition and use of a marked electoral register within paragraph 17 of Schedule 1. As she explained, the marked register shows who has voted at an election but does not show how they voted. As such, it does not record political views and does not contain sensitive data—called special categories of data in the GDPR —and, as the protections for sensitive data in article 9 of the GDPR are not relevant, Schedule 1 does not apply.
Lastly, the noble Baroness asked why Members of the House of Lords are not within the definition of elected representatives. Speaking as an elected Member of the House of Lords—albeit with a fairly small electorate—I am obviously interested in this. I have discovered that none of us, I am afraid, are within the definition of elected representatives in the Bill. We recognise that noble Lords may raise issues on an individual’s behalf. Most issues will not concern sensitive data but, where they do, in most cases we would expect noble Lords to rely on the explicit consent of the person concerned. This arrangement has operated for the past 20 years under the current law, and that is the position at the moment.
I hope I have tackled the specific items relating to the amendments. I accept the points made by the noble Lord, Lord Kennedy, about the electoral issues that need to be raised in general.
Lord Whitty (Lab)
I fully support my noble friend’s assertions and the Minister’s response. It is very important that registered political parties can operate effectively. I wonder whether, in the discussions he is proposing to undertake, the Minister will also address the issue of other organisations and political parties attempting to influence the political process. I do not think I need to spell it out, in view of recent news, but the use of social media by organisations that are not covered by our electoral law or by registration as a political party must not have the same provisions that registered political parties would have under the Bill or my noble friend’s amendments. I wonder if that could be addressed directly in these discussions.
Lord Lucas (Con)
My Lords, I want to pick up on the last point of the noble Lord, Lord McNally. We are getting into a situation where political parties are addressing personal messages to individual voters and saying different things to different voters. This is not apparent; there must be ways to control it. We will have to give some considerable thought to it, so I see the virtue of the amendments.
Lord Ashton of Hyde
Quickly, because I will not remember all the questions and points, I want to emphasise that they are all very good points and I will reflect on them. My main mission is to get the GDPR and law enforcement directive in place by May 2018. I absolutely accept the point made by the noble Lord, Lord McNally—that this is the tip of iceberg—but we must bear in mind that this is about data protection, both today and on Report, so I will focus on that. We have already had other avenues to raise a lot of the points the noble Lord made, but I agree that it is a huge issue. He asked when the report from the Information Commissioner will be available. I would expect it before Christmas, so it will be before the Bill becomes law.
I certainly undertake to reflect on what the noble Baroness, Lady Jay, said about the Electoral Commission. I believe that our call for views was after the election; nevertheless, I take her point. I am very sorry but I cannot remember what the point from the noble Lord, Lord Whitty, was, but I accept these things have to be taken into account. When we have our meeting—it is becoming a big meeting—it will be for people concerned specifically with the Data Protection Act, not some of the issues that lie outside that narrow area, important though they are.
I ask noble Lords not to press their amendments.
Lord Lucas
My Lords, picking up on the last point from the noble Baroness, Lady Hamwee, is this the first time the privileges of Members of this House have been reduced in relation to Members of the other House? If so, will the Government consult the Speaker of this House on whether he considers that desirable?
Lord Ashton of Hyde
My Lords, they have not been reduced. This is the position that exists today.
Lord Lucas
My Lords, privileges are being given to Members of another place—and indeed to Members of the Parliaments of Scotland and other places—that are being denied to us. Is this the first time that has been done?
Lord Ashton of Hyde
No, it is not the first time because this is the position that exists under the Data Protection Act 1998.
Lord Kennedy of Southwark
My Lords, I thank all noble Lords for speaking in this debate. As I think the noble Lord, Lord McNally, said, these amendments would delete just two words, but we have had a very important debate. We tabled the amendments to probe these issues, which are very important.
I am pleased that the noble Lord, Lord Ashton of Hyde, has agreed to meet us because we need to discuss this. It would be much better if we could get interested Peers from this House and officials from various parties together to sort this matter out, rather than leave it and let it go to the other place. We have a much better record of sitting down and sorting such issues out. I hope, if we need to amend the Bill, we do so on Report. Before we have our meeting—I accept it will be quite a big meeting—it would be useful if the noble Lord wrote to me, if he can, and to other interested Lords so we can have the Government’s position on paper before we sit down. That would help our discussions and move them on. There is a community of interest among noble Lords.
I certainly agree with the points made by the noble Lord, Lord McNally, and by my noble friends Lord Whitty and Lady Jay, but we need to focus on these issues, get them right and get proper amendments in place to protect parties and campaigners as they do their proper and lawful work. At this stage, I am happy to withdraw the amendment.
Lord Ashton of Hyde
Data Protection Bill [HL]
Lord Ashton of Hyde Excerpts(7 years, 1 month ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Griffiths of Burry Port (Lab)
My Lords, if the House will indulge me, having heard someone who described herself earlier as a foot soldier in her army of volunteers, I can now identify her as a beaver in the battalion of dam building. It seems that by broadening all that falls under the term, “legal claims”, and, of course, on the advice of the Bar Council, some common sense is being alluded to here and therefore we have no hesitation in joining our forces to those we have heard so ably expressed.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I am grateful to the noble Baroness for making her debut in the Committee stage and to the noble Lord for his comments. By way of background, because I find it quite complicated, it is worth reminding ourselves that article 9 of the GDPR provides processing conditions for special categories of data. In particular, the processing necessary for,
“the establishment, exercise or defence of legal claims”,
is permitted by article 9(2)(f). It is directly applicable and does not allow any discretion to derogate from it in any way. Article 10 of the GDPR, which relates to criminal convictions and offences data, takes a different approach. It requires member states to set out in their law conditions relating to the processing of said criminal convictions and offences data in order to enable many organisations to process it. Paragraph 26 of Schedule 1 therefore seeks to maintain the status quo by replicating in relation to criminal convictions data the processing condition for the special categories of personal data contained in article 9(2)(f).
Government Amendment 65, referred to by the noble Baroness, responds to a request we have had from stakeholders to anglicise the language currently used in that paragraph. The Government strongly agree about the importance of ensuring that data protection law does not accidentally undermine the proper conduct of legal proceedings, which is why we have made this provision. We submit that Amendments 63A and 64A are unnecessary. They are predicated on the false premise that government Amendment 65 in some way changes the scope of paragraph 26. It does not, it simply anglicises it. However, even if different wording were to be used in Amendment 63A to that used in Amendment 65, we are certain that the Commission would take a dim view of member states attempting to use article 9(2)(g), the substantial public interest processing condition, to expand article 9(2)(f) in the way that Amendment 63A proposes. In the light of that explanation, I would be grateful if in this case the noble Baroness would withdraw her amendment.
Baroness Hamwee
My Lords, I am still processing the compliment that has been paid to me. If I were standing for election, the noble Lord might find himself being quoted.
The Minister says that the amendment is unnecessary but then goes on to say that it is wrong. The main point is not the five or so lines of wording as what is required or precluded by the articles of the GDPR that he has quoted. I will not attempt to respond today because I could not do his arguments justice, but I suspect that others will try to do so. As I say, his officials have met with representatives of the Bar Council. I am sure that he will be happy for that dialogue to continue, and if necessary for it to extend to some of us who might come along and listen to what the officials are saying and give it a rubber stamp in an effort to progress the argument. There is a real concern about where this exemption should lie and how it should apply, so I will beg leave to withdraw the amendment, not because I am convinced but because there is still more discussion to be had.
Lord Ashton of Hyde
(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),(b) is necessary for the purpose of obtaining legal advice, or(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.”
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Clement-Jones (LD)
My Lords, the noble Lord, Lord Stevenson, has raised some important points, which refer back to our labour over the Digital Economy Bill. One particular point occurs to me in relation to the questions that he asked: have we made any progress towards anonymisation in age verification, as we debated at some length during the passage of that Bill? As I recall, the Government’s point was that they did not think it necessary to include anything in the Bill because anonymisation would happen. The Minister should engage with that important issue. The other point that could be made is about whether the Government believe that the amendment of the noble Lord, Lord Lucas, would help us towards that goal.
Lord Ashton of Hyde
My Lords, as we have heard, Part 3 of the Digital Economy Act 2017 requires online providers of pornographic material on a commercial basis to institute appropriate age verification controls. My noble friend’s Amendment 71ZA seeks to allow the age verification regulator to publish regulations relating to the protection of personal data processed for that purpose. The amendment aims to provide protection, choice and trust in respect of personal data processed for the purpose of compliance with Part 3 of the 2017 Act.
I think that I understand my noble friend’s aim. It is a concern I remember well from this House’s extensive deliberations on what became the Digital Economy Act, as referred to earlier. We now have before us a Bill for a new legal framework which is designed to ensure that protection, choice and trust are embedded in all data-processing practices, with stronger sanctions for malpractice. This partly answers my noble friend Lord Elton, who asked what we would produce to deal with this problem.
Personal data, particularly those concerning a data subject’s sex life or sexual orientation, as may be the case here, will be subject to rigorous new protections. For the reasons I have just mentioned, the Government do not consider it necessary to provide for separate standards relating exclusively and narrowly to age verification in the context of accessing online pornography. That is not to say that there will be a lack of guidance to firms subject to Part 3 of the 2017 Act on how best to implement their obligations. In particular, the age verification regulator is required to publish guidance about the types of arrangements for making pornographic material available that the regulator will treat as compliant.
As noble Lords will be aware, the British Board of Film Classification is the intended age verification regulator. I reassure noble Lords that in its preparations for taking on the role of age verification regulator, the BBFC has indicated that it will ensure that the guidance it issues promotes the highest data protection standards. As part of this, it has held regular discussions with the Information Commissioner’s Office and it will flag up any potential data protection concerns to that office. It will then be for the Information Commissioner to determine whether action or further investigation is needed, as is her role.
The noble Lord, Lord Clement-Jones, talked about anonymisation and the noble Lord, Lord Stevenson, asked for an update of where we actually were. I remember the discussions on anonymisation, which is an important issue. I do not have the details of exactly where we have got to on that subject—so, if it is okay, I will write to the noble Lord on that.
I can update the noble Lord, Lord Stevenson, to a certain extent. As I just said, the BBFC is in discussion with the Information Commissioner’s Office to ensure that best practice is observed. Age verification controls are already in place in other areas of internet content access; for example, licensed gambling sites are required to have them in place. They are also in place for UK-based video-on-demand services. The BBFC will be able to learn from how these operate, to ensure that effective systems are created—but the age verification regulator will not be endorsing a list of age verification technology providers. Rather, the regulator will be responsible for setting guidance and standards on robust age verification checks.
We continue to work with the BBFC in its engagement with the industry to establish the best technological solutions, which must be compliant with data protection law. We are aware that such solutions exist, focusing rightly on verification rather than identification—which I think was the point made by the noble Lord, Lord Clement-Jones. If I can provide any more detail in the follow-up letter that I send after each day of Committee, I will do so—but that is the general background.
Online age verification is a rapidly growing area and there will be much innovation and development in this field. Industry is rightly putting data privacy and security at the forefront of its design, and this will be underscored by the new requirements under the GDPR. In view of that explanation, I hope that my noble friend will be able to withdraw his amendment.
Lord Lucas
My Lords, I am very grateful for my noble friend’s reply. With his leave, I will digest it overnight and tomorrow. I look forward to the letter that he promised—but if, at the end of that, I still think that there is something worth discussing, I hope that his ever-open door will be open even to that.
Lord Ashton of Hyde
I believe that during our previous day in Committee, I offered to meet my noble friend.
Lord Stevenson of Balmacara
My Lords, I was not referring to this amendment specifically in commenting on Amendment 71ZA, but we had difficulty getting this amendment in scope, so as to be in line with our aspirations and what we wanted to discuss today.
Amendment 71A would introduce an individual right for data subjects to be informed by data controllers when there is an actual or intended commercial exploitation of their personal data. Machine learning will allow data companies to get a lot of value out of people’s data—indeed, it already does. It will allow greater and more valuable targeting of advertisements and services on a vast scale, given the way that modern data platforms work. This skews further the balance of power between those companies and the individuals whose data is being exploited.
One could probably describe the current relationship between people and the data companies to whom they give their data as rather unsophisticated. People hand it over for a very low value, as in a bartering service or crude exchange—and, as in a barter economy, it cannot be efficient. This amendment will test whether we can get more power into the hands of the people who make the exchange to make the market function better. The companies’ position is completely the reverse: it is almost that of a monopsony, although as a technical term monopsonies are those situations in which dominant companies set a price for the market, whereas in this case there is no price. It is interesting to follow that line of thought a little further because, where there are monopsonies, the normal remedy put forward by those involved is to publish a standard price list. That improves choice to the point that people are not exploited on the price they pay; it is just a question of choice on quality or service, rather than the price. That at least protects individuals to some extent against the dominant company exploiting control.
The essence of this amendment is an attempt to try to give power back to the people whose data is being used. We are talking about very significant sums of money. I gather from a recent article in the Guardian that the top price you can get for your data—although I am not sure whether “price” is the right word here; “value” might be better—is about $14 each quarter for a company such as Facebook. If you compare that across the world, in the Asia-Pacific region it is worth only about $2. There is a variation, and the reason is the ability to exploit some form of advertising revenue from individual data, so the US, where the highest prices are going to be available, was worth about $2.8 billion in advertising revenue to Facebook last quarter while the second-biggest Facebook market, Europe, was worth only about £$1.4 billion, which is about half. You can see how the prices would follow through in terms of the data. We are talking about quite a lot of resource here in terms of how this money flows and how it works.
The process of trying to seek the money has already started. Some companies are now trying to reverse the direction of travel. They go to individuals through the web and offer them the chance to connect all their data together across the social media companies in which they already have it. The companies then value it and try to sell it on behalf of the individuals to the companies concerned. That is obviously the beginning of a market approach to this, which is where this amendment is centred.
I mentioned that I had difficulty getting what I wanted in the scope of the Bill. I think I have mentioned this before, but it seems to us that we do not yet have the right sense of what people’s data represent in relation to the companies that seek to use it. One suggestion we have had is that we might look to the creative industries—not inappropriately since this is a DCMS Bill—and think of it as some form of copyright. If it were a copyright—and it may or may not be possible to establish one’s personal data in a copyright mode—we would immediately be in a world where the data transferring from the individual to the company would be not sold but licensed, and therefore there would be a continuing sense of ownership in the process in which the data is transferred. It would also mean that there would have to be continuing reporting back to the licence holder for the use of the data, and we could go further and expect to follow the creative industries down the track which they currently go. The personal copyright would then have value to the company and there is a waterfall, as they call it, of revenue exploitation so that those who hold the copyright might expect to earn a small but not insignificant amount from it. We begin to see a commercial system, more obviously found in other areas of the marketplace, but it relates to the way in which individuals would have a value in relation to their data, and there might even be a way in which that money could be returned. If you were in that happy situation, what would you do with the money? One would hope that it would be useful to some people, but it might also be possible to accumulate it, perhaps through a collecting society, and see it invested in educational work or improving people’s security in relation to their data, for instance. There are many choices around that.
Having said all that about copyright, I am not particularly wedded to it as a concept because there are downsides to copyright, but it is an issue worth exploring. The essence of the amendment is to try to restore equality of arms between the individual and the companies to which the data is transferred. I beg to move.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lord, Lord Stevenson, for raising this important subject. I recall the questions that he posed at Second Reading about whether data subjects had sufficient support in relation to the power of companies that wanted to access, use and monetise their data, and I recognise the intention behind his amendment, which he carefully explained. I also agree wholeheartedly with him that these are questions worthy of debate, not only during the passage of this Bill, but over the coming months and years as the digital economy continues to develop. Later in Committee, we may discuss suitable forums where this could take place. These are big questions of data rights and how they are monetised, if they are, versus the growth of the digital economy for public benefit.
Lord Whitty (Lab)
My Lords, my name is attached to two of these amendments. This is a very difficult subject in that we are all getting used to algorithmic decisions; not many people call them that, but they are what in effect decide major issues in their life and entice them into areas where they did not previously choose to be. Their profile, based on a number of inter-related algorithms, suggests that they may be interested in a particular commercial product or lifestyle move. It is quite difficult for those of my generation to grasp that, and difficult also for the legislative process to grasp it. So some of these amendments go back to first principles. The noble Baroness, Lady Hamwee, said that the issue of human rights trumps everything. Of course, we all agree with that, but human rights do not work unless you have methods of enforcing them.
In other walks of life, there are precedents. You may not be able to identify exactly who took a decision that, for example, women in a workforce should be paid significantly less than men for what were broadly equivalent jobs; it had probably gone on for decades. There was no clear paper trail to establish that discrimination took place but, nevertheless, the outcome was discriminatory. With algorithms, it is clear that some of the outcomes may be discriminatory, but you would not be able to put your finger on why they were discriminatory, let alone who or what decided that that discrimination should take place. Nevertheless, if the outcome is discriminatory, you need a way of redressing it. That is why the amendments to which I have added my name effectively say that the data subject should be made aware of the use to which their data is being made and that they would have the right of appeal to the Information Commissioner and of redress, as you would in a human-based decision-making process that was obscure in its origin but clear in relation to its outcome. That may be a slightly simplistic way in which to approach the issue, but it is a logical one that needs to be reflected in the Bill, and I hope that the Government take the amendments seriously.
Lord Ashton of Hyde
My Lords, I thank the noble Lord, Lord Clement-Jones, who introduced this interesting debate; of course, I recognise his authority and his newfound expertise in artificial intelligence from being chairman of the Select Committee on Artificial Intelligence. I am sure that he is an expert anyway, but it will only increase his expertise. I thank other noble Lords for their contributions, which raise important issues about the increasing use of automated decision-making, particularly in the online world. It is a broad category, including everything from personalised music playlists to quotes for home insurance and far beyond that.
The noble Lord, Lord Stevenson, before speaking to his amendments, warned about some of the things that we need to think about. He contrasted the position on human embryology and fertility research and the HFEA, which is not exactly parallel because, of course, the genie is out of the bottle in that respect, and things were prevented from happening at least until the matter was debated. But I take what the noble Lord said and agree with the issues that he raised. I think that we will discuss in a later group some of the ideas about how we debate those broader issues.
The noble Baroness, Lady Jones, talked about how she hoped that the repressive bits would be removed from the Bill. I did not completely understand her point, as this Bill is actually about giving data subjects increased rights, both in the GDPR and the law enforcement directive. That will take direct effect, but we are also applying those GDPR rights to other areas not subject to EU jurisdiction. I shall come on to her amendment on the Human Rights Act in a minute—but we agree with her that human beings should be involved in significant decisions. That is exactly what the Bill tries to do. We realise that data subjects should have rights when they are confronted by significant decisions made about them by machines.
The Bill recognises the need to ensure that such processing is correctly regulated. That is why it includes safeguards, such as the right to be informed of automated processing as soon as reasonably practicable and the right to challenge an automated decision made by the controller. The noble Lord, Lord Clement-Jones, alluded to some of these things. We believe that Clauses 13, 47, 48, 94 and 95 provide adequate and proportionate safeguards to protect data subjects of all ages, adults as well as children. I can give some more examples, because it is important to recognise data rights. For example, Clause 47 is clear that individuals should not be subject to a decision based solely on automated processing if that decision significantly and adversely impacts on them, either legally or otherwise, unless required by law. If that decision is required by law, Clause 48 specifies the safeguards that controllers should apply to ensure the impact on the individual is minimised. Critically, that includes informing the data subject that a decision has been taken and providing them 21 days within which to ask the controller to reconsider the decision or retake the decision with human intervention.
I turn to Amendments 74, 134 and 136, proposed by the noble Lord, Lord Clement-Jones, which seek to insert into Parts 2 and 3 of the Bill a definition of the term,
“based solely on automated processing”,
to provide that human intervention must be meaningful. I do not disagree with the meaning of the phrase put forward by the noble Lord. Indeed, I think that that is precisely the meaning that that phrase already has. The test here is what type of processing the decision having legal or significant effects is based on. Mere human presence or token human involvement will not be enough. The purported human involvement has to be meaningful; it has to address the basis for the decision. If a decision was based solely on automated processing, it could not have meaningful input by a natural person. On that basis, I am confident that there is no need to amend the Bill to clarify this definition further.
In relation to Amendments 74A and 133A, the intention here seems to be to prevent any automated decision-making that impacts on a child. By and large, the provisions of the GDPR and of the Bill, Clause 8 aside, apply equally to all data subjects, regardless of age. We are not persuaded of the case for different treatment here. The important point is that the stringent safeguards in the Bill apply equally to all ages. It seems odd to suggest that the NHS could, at some future point, use automated decision-making, with appropriate safeguards, to decide on the eligibility for a particular vaccine—
Lord Clement-Jones
My Lords, I hesitate to interrupt the Minister, but it is written down in the recital that such a measure,
“should not concern a child”.
The whole of that recital is to do with automated processing, as it is called in the recital. The interpretation of that recital is going to be rather important.
Lord Ashton of Hyde
My Lords, I was coming to recital 71. In the example I gave, it seems odd to suggest that the NHS could at some future point use automated decision-making with appropriate safeguards to decide on the eligibility for a particular vaccine of an 82 year-old, but not a two year-old.
The noble Lord referred to the rather odd wording of recital 71. On this point, we agree with the Article 29 working party—the group of European regulators—that it should be read as discouraging as a matter of best practice automated decision-making with significant effects on children. However, as I have already said, there can and will be cases where it is appropriate, and the Bill rightly makes provision for those.
Lord Clement-Jones
Would the Minister like to give chapter and verse on how that distinction is made?
Lord Ashton of Hyde
I think that “chapter and verse” implies “written”—and I will certainly do that because it is important to write to all noble Lords who have participated in this debate. As we have found in many of these areas, we need to get these things right. If I am to provide clarification, I will want to check—so I will take that back.
Lord Clement-Jones
I apologise for interrupting again. This is a bit like a dialogue, in a funny sort of way. If the Minister’s notes do not refer to the Article 29 working party, and whether or not we will continue to take guidance from it, could he include that in his letter as well?
Lord Ashton of Hyde
I will. I had some inspiration from elsewhere on that very subject—but it was then withdrawn, so I will take up the offer to write on that. However, I take the noble Lord’s point.
We do not think that Amendment 75 would work. It seeks to prevent any decision being taken on the basis of automated decision-making where the decision would “engage” the rights of the data subject under the Human Rights Act. Arguably, such a provision would wholly negate the provisions in respect of automated decision-making as it would be possible to argue that any decision based on automated decision-making at the very least engaged the data subject’s right to have their private life respected under Article 8 of the European Convention on Human Rights, even if it was entirely lawful. All decisions relating to the processing of personal data engage an individual’s human rights, so it would not be appropriate to exclude automated decisions on this basis. The purpose of the Bill is to ensure that we reflect processing in the digital age—and that includes automated processing. This will often be a legitimate form of processing, but it is right that the Bill should recognise the additional sensitivities that surround it. There must be sufficient checks and balances and the Bill achieves this in Clauses 13 and 48 by ensuring appropriate notification requirements and the right to have a decision reassessed by non-automated means.
Baroness Hamwee
As the Minister may be about to move on from that, I think he is saying that the phrase, “engages an individual’s rights” is problematic. Are the Government satisfied that the provisions the Minister has just mentioned adequately protect those rights—I am searching for the right verb—and that automated decision-making is not in danger of infringing the rights that are, as he says, always engaged?
Lord Ashton of Hyde
Automated processing could do that. However, with the appropriate safeguards we have put in the Bill, we do not think that it will.
Amendment 77 seeks to define a significant decision as including a decision that has legal or similar effects for the data subject or a group sharing one of the nine protected characteristics under the Equality Act 2010 to which the data subject belongs.
We agree that all forms of discrimination, including discriminatory profiling via the use of algorithms and automated processing, are fundamentally wrong. However, we note that the Equality Act already provides a safeguard for individuals against being profiled on the basis of a particular protected characteristic they possess. Furthermore, recital 71 of the GDPR states that data controllers must ensure that they use appropriate mathematical or statistical procedures to ensure that factors which result in inaccuracies are minimised, and to prevent discriminatory effects on individuals,
“on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation”.
We therefore do not feel that further provision is needed at this stage.
Amendment 77A, in the name of the noble Lord, Lord Stevenson, seeks to require a data controller who makes a significant decision based on automated processing to provide meaningful information about the logical and legal consequences of the processing. Amendment 119, as I understand it, talks to a similar goal, with the added complication of driving a wedge between the requirements of the GDPR and applied GDPR. Articles 13 and 14 of the GDPR, replicated in the applied GDPR, already require data controllers to provide data subjects with this same information at the point the data is collected, and whenever it is processed for a new purpose. We are not convinced that there is much to be gained from requiring data controllers to repeat such an exercise, other than regulatory burden. In fact, the GDPR requires the information earlier, which allows the data subject to take action earlier.
Similarly, Amendment 77B seeks to ensure that data subjects who are the subject of automated decision-making retain the right to make a complaint to the commissioner and to access judicial remedies. Again, this provision is not required in the Bill, as data subjects retain the right to make a complaint to the commissioner or access judicial remedies for any infringement of data protection law.
Amendment 78 would confer powers on the Secretary of State to review the operational effectiveness of article 22 of the GDPR within three years, and lay a report on the review before Parliament. This amendment is not required because all new primary legislation is subject to post-legislative scrutiny within three to five years of receiving Royal Assent. Any review of the Act will necessarily also cover the GDPR. Not only that, but the Information Commissioner will keep the operation of the Act and the GDPR under review and will no doubt flag up any issues that may arise on this or other areas.
Amendment 153A would place a requirement on the Information Commissioner to investigate, keep under review and publish guidance on several matters relating to the use of automated data in the health and social care sector in respect of the terms on which enterprises gain consent to the disclosure of the personal data of vulnerable adults. I recognise and share noble Lords’ concern. These are areas where there is a particular value in monitoring the application of a new regime and where further clarity may be beneficial. I reassure noble Lords that the Information Commissioner has already contributed significantly to GDPR guidance being developed by the health sector and continues to work closely with the Government to identify appropriate areas requiring further guidance. Adding additional prescriptive requirements in the Bill is unlikely to help them shape that work in a way that maximises its impact.
As we have heard, Amendment 183 would insert a new clause before Clause 171 stating that public bodies who profile a data subject should inform the data subject of their decision. This is unnecessary as Clauses 13 and 48 state that when a data controller has taken a decision based solely on automated processing, they must inform the data subject in writing that they have done so. This includes profiling. Furthermore, Clauses 13 and 48 confer powers on the Secretary of State to make further provisions to provide suitable measures to safeguard a data subject’s rights and freedoms.
I thank noble Lords for raising these important issues, which deserve to be debated. I hope that, as a result of the explanation in response to these amendments, I have been able to persuade them that there are sufficient safeguards in relation to automated decision-making in the GDPR and Parts 2 to 4 of the Bill, and that their amendments are therefore unnecessary. On that basis, I invite noble Lords not to press their amendments.
Lord Lucas
My Lords, I rather hope that the Minister has not been able to persuade noble Lords opposite. Certainly, I have not felt myself persuaded. First, on the point about “solely”, in recruiting these days, when big companies need to reduce a couple of thousand applications to 100, the general practice is that you put everything into an automated process—you do not really know how it works—get a set of scores at the end and decide where the boundary lies according to how much time you have to interview people. Therefore, there is human intervention—of course there is. You are looking at the output and making the decision about who gets interviewed and who does not. That is a human decision, but it is based on the data coming out of the algorithm without understanding the algorithm. It is easy for an algorithm to be racist. I just googled “pictures of Europeans”. You get a page of black faces. Somewhere in the Google algorithm, a bit of compensation is going on. With a big algorithm like that, they have not checked what the result of that search would be, but it comes out that way. It has been equally possible to carry out searches, as at various times in the past, which were similarly off-beam with other groups in society.
When you compile an algorithm to work with applications, you start off, perhaps, by looking at, “Who succeeds in my company now? What are their characteristics?”. Then you go through and you say, “You are not allowed to look at whether the person is a man or a woman, or black or white”, but perhaps you are measuring other things that vary with those characteristics and which you have not noticed, or some combinations. An AI algorithm can be entirely unmappable. It is just a learning algorithm; there is no mental process that a human can track. It just learns from what is there. It says, “Give me a lot of data about your employees and how successful they are and I will find you people like that”.
At the end of the day, you need to be able to test these algorithms. The Minister may remember that I posed that challenge in a previous amendment to a previous Bill. I was told then that a report was coming out from the Royal Society that would look at how we should set about testing algorithms. I have not seen that report, but has the Minister seen it? Does he know when it is coming out or what lines of thinking the Royal Society is developing? We absolutely need something practical so that when I apply for a job and I think I have been hard done by, I have some way to do something about it. Somebody has to be able to test the algorithm. As a private individual, how do you get that done? How do you test a recruitment algorithm? Are you allowed to invent 100 fictitious characters to put through the system, or should the state take an interest in this and audit it?
We have made so much effort in my lifetime and we have got so much better at being equal—of course, we have a fair way to go—doing our best continually to make things better with regard to discrimination. It is therefore important that we do not allow ourselves to go backwards because we do not understand what is going on inside a computer. So absolutely, there has to be significant human involvement for it to be regarded as a human decision. Generally, where there is not, there has to be a way to get a human challenge—a proper human review—not just the response, “We are sure that the system worked right”. There has to be a way round which is not discriminatory, in which something is looked at to see whether it is working and whether it has gone right. We should not allow automation into bits of the system that affect the way we interact with each other in society. Therefore, it is important that we pursue this and I very much hope that noble Lords opposite will give us another chance to look at this area when we come to Report.
Lord Ashton of Hyde
I highlight that we do not disagree with that. I will study carefully what my noble friend Lord Lucas said. We agree that it is important that privacy rights continue to be protected, and we do not expect data subjects to have their lives run by computer alone. That is exactly why the Bill creates safeguards: to make sure that individuals can request not to be the subject of decisions made automatically if it might have a significant legal effect on them. They are also allowed to demand that a human being participate meaningfully in those decisions that affect them. I will look at what my noble friend said and include that in my write-round. However, as I said, we do not disagree with that. The illusion that we have got to a stage where our lives will be run unaccountably by computers is exactly what the Bill is trying to prevent.
Lord Clement-Jones
My Lords, I would not want to give that impression. None of us are gloom merchants in this respect. We want to be able to harness the new technology in a way that is appropriate and beneficial for us, and we do that by setting the right framework in data protection, ethical behaviour and so on.
I am grateful to the Minister for engaging in the way he has on the amendments. It is extremely important to probe each of those areas of Clauses 13, 47 and 48. For instance, there are lacunae. The Minister talked about the right to be informed and the right to challenge, and so on, and said that these provided adequate and proportional safeguards, but the right to explanation is not absolutely enshrined, even though it is mentioned in the GDPR. So in some areas we will probe on that.
Lord Clement-Jones
Yes, my Lords, but it is in the recital, so I think we come back again to whether the recitals form part of the Bill. That is what I believe to be the case. I may have to write to the Minister. Who knows? Anything is possible.
One of the key points—raised by the noble Lord, Lord Lucas—is the question of human intervention being meaningful. To me, “solely”, in the ordinary meaning of the word, does not mean that human intervention is there at all, and that is a real worry. The writ of the article 29 working group may run until Brexit but, frankly, after Brexit we will not be part of the article 29 working group, so what interpretation of the GDPR will we have when it is incorporated into UK domestic law? If those rights are not to be granted, the interpretation of “solely” with the absolute requirement of human involvement needs to be on the face of the Bill.
As far as recital 71 is concerned, I think that the Minister will write with his interpretation and about the impact of the article 29 working group and whether we incorporate its views. If the Government are not prepared to accept that the rulings of the European Court of Justice will be effective in UK law after Brexit, I can only assume that the article 29 working group will have no more impact. Therefore, there is a real issue there.
I take the Minister’s point about safeguards under the Equality Act. That is important and there are other aspects that we will no doubt wish to look at very carefully. I was not overly convinced by his answer to Amendment 75, spoken to by the noble Baroness, Lady Jones, and my noble friend Lady Hamwee, because he said, “Well, it’s all there anyway”. I do not think we would have had to incorporate those words unless we felt there was a gap in the way the clause operated.
I will not take the arguments any further but I am not quite as optimistic as the Minister about the impact of that part of the Bill, and we may well come back to various forms of this subject on Report. However, it would be helpful if the Minister indicated the guidance the ICO is adopting in respect of the issue raised in Amendment 153A. When he writes, perhaps he could direct us to those aspects of the guidance that will be applicable in order to help us decide whether to come back to Amendment 153A. In the meantime, I beg leave to withdraw.
Lord Ashton of Hyde
Lord Lucas
My Lords, clearly the Royal Society has been talking to other people. I hope that someone from there is listening and will be encouraged to talk to me too. I am delighted with this amendment and think it is an excellent idea, paired with Amendment 77A, which gives individuals some purchase and the ability to know what is going on. Here we have an organisation with the ability to do something about it, not by pulling any levers but by raising enough of a storm and finding out what is going on to effect change. Amendments 77A and 78A are a very good answer to the worries we have raised in this area.
It is important that we have the ability to feel comfortable and to trust—to know that what is going on is acceptable to us. We do not want to create divisions, tensions and unhappiness in society because things are going on that we do not know about or understand. As the noble Lord said, the organisations running these algorithms do not share our values—it is hard to see that they have any values at all other than the pleasures of the few who run them. We should not submit to that. We must, in all sorts of ways, stand up to that. There are many ways in which these organisations have an impact on our lives, and we must insist that they do that on our terms. We are waking up quite slowly. To have a body such as this, based on principles and ethics and with a real ability to find out what is going on, would be a great advance. It would give me a lot of comfort about what is happening in this Bill, which otherwise is just handing power to people who have a great deal of power already.
Lord Ashton of Hyde
My Lords, the noble Lord, Lord Stevenson, has raised the important issue of data ethics. I am grateful to everyone who has spoken on this issue tonight and has agreed that it is very important. I assure noble Lords that we agree with that. We had a debate the other day on this issue and I am sure we will have many more in the future. The noble Lord, Lord Puttnam, has been to see me to talk about this, and I tried to convince him then that we were taking it seriously. By the sound of it, I am not sure that I completely succeeded, but we are. We understand the points he makes, although I am possibly not as gloomy about things as he is.
We are fortunate in the UK to have the widely respected Information Commissioner to provide expert advice on data protection issues—I accept that that advice is just on data protection issues—but we recognise the need for further credible and expert advice on the broader issue of the ethical use of data. That is exactly why we committed to setting up an expert advisory data ethics body in the 2017 manifesto, which, I am glad to hear, the noble Lord, Lord Clement-Jones, read carefully.
Lord Clement-Jones
We like to hold the Government to their manifesto commitments occasionally.
Lord Ashton of Hyde
Tonight the noble Lord can because the Secretary of State is leading on this important matter. She is as committed as I am to ensuring that such a body is set up shortly. She has been consulting widely with civil society groups, industry and academia, some of which has been mentioned tonight, to refine the scope and functions of the body. It will work closely with the Information Commissioner and other regulators. As the noble Lords, Lord Clement-Jones and Lord Patel, mentioned, it will identify gaps in the regulatory landscape and provide Ministers with advice on addressing those gaps.
It is important that the new advisory body has a clearly defined role and a strong relationship to other bodies in this space, including the Information Commissioner. The Government’s proposals are for an advisory body which may have a broader remit than that suggested in the amendment. It will provide recommendations on the ethics of data use in gaps in the regulatory landscape, as I have just said. For example, one fruitful area could be the ethics of exploiting aggregated anonymised datasets for social and commercial benefit, taking into account the importance of transparency and accountability. These aggregated datasets do not fall under the legal definition of personal data and would therefore be outside the scope of both the body proposed by the noble Lord and, I suspect, this Bill.
Technically, Amendment 78 needs to be more carefully drafted to avoid the risk of non-compliance with the GDPR and avoid conflict with the Information Commissioner. Article 51 of the GDPR requires each member state to appoint one or more independent public authorities to monitor and enforce the GDPR on its territory as a supervisory authority. Clause 113 makes the Information Commissioner the UK’s sole supervisory authority for data protection. The functions of any advisory data ethics body must not cut across the Information Commissioner’s performance of its functions under the GDPR.
The amendment proposes that the advisory board should,
“monitor further technical advances in the use and management of personal data”.
But one of the Information Commissioner’s key functions is to
“keep abreast of evolving technology”.
That is a potential conflict we must avoid. The noble Lord, Lord Patel, alluded to some of the conflicts.
Nevertheless, I agree with the importance that noble Lords place on the consideration of the ethics of data use, and I repeat that the Government are determined to make progress in this area. However, as I explained, I cannot agree to Amendment 78 tonight. Therefore, in the light of my explanation, I hope the noble Lord will feel able to withdraw it.
Baroness Hamwee
Before the noble Lord, Lord Stevenson, responds—he will probably make this point better than I can—have we just heard from the Minister an outline of an amendment the Government will bring forward in order to enshrine the body they are advocating? He will understand that, whichever side of the House you are on, you are always aware that a future Government may not have the same ways of going about things as the Government he is supporting at the moment, and whose proposals are entirely laudable. Things may change.
Lord Ashton of Hyde
I cannot agree with the noble Baroness’s point. However, I accept that that is a possibility and that things will not last for ever. However, in this case we expect to have the proposals shortly and this Government will definitely be around at that time.
Lord Ashton of Hyde
The noble Baroness asked whether it would be enshrined in this Bill. As I tried to explain, it will have a far broader remit than this Bill.
Lord Stevenson of Balmacara
That is a no, then. Oh well, these things happen. You are up one minute and then down. We cannot live like this, can we? However, it is only the Committee stage and we have plenty of time. We can presumably inveigle the Minister into a meeting about this. Not with everyone concerned because that would be too much, but I would be happy to meet him about this on neutral turf if possible. I am fairly confident that we would not want to see the Government voting against a manifesto commitment, which I think I heard him say. We can be reasonably certain that progress can be made on this issue and I wish to signal here our considerable support for that. I look forward to the discussions and beg leave to withdraw the amendment.
Data Protection Bill [HL]
Lord Ashton of Hyde ExcerptsMonday 13th November 2017
(7 years, 1 month ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV Fourth marshalled list for Committee (PDF, 151KB) - (13 Nov 2017)
Lord Lucas
My Lords, I support Amendment 79. I offer as an example the national pupil database, which the Department for Education makes available. It is very widely used, principally to help improve education. In my case, I use it to provide information to parents via the Good Schools Guide; in many other cases it is used as part of understanding what is going on in schools, suggesting where the roots of problems might lie, and how to make education in this country better. That does not fall under “scientific or historical” and is a good example of why that phrase needs widening.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, as a non-lawyer, I am delighted to find myself in the same company as the noble and learned Lord, Lord Hope of Craighead, as this has also introduced me to an area of trust law which I am not familiar with. I thank noble Lords for their amendments, which concern the exemptions from data rights in the GDPR that the Bill creates. Two weeks ago we debated amendments that sought to create an absolute right to data protection. Today we will further debate why, in some circumstances, it is essential to place limitations on those rights.
The exemptions from data rights in the GDPR are found in Schedules 2 to 4 to the Bill. Part 6 of Schedule 2 deals with exemptions for scientific or historical research and archiving. Without these exemptions, scientific research which involves working on large datasets would be crippled by the administration of dealing with requests from individuals for their data and the need to give notice and service other data rights. This data provides the fuel for scientific breakthroughs, which the noble Lord, Lord Patel, and others have told us so much about in recent debates.
Amendment 79 seeks to remove “scientific or historical” processing from the signposting provision in Clause 14. Article 89 of the GDPR is clear that we may derogate only in relation to specifically historical or scientific research. We believe that Clause 14 needs to correctly describe the available exemption, although I reassure noble Lords that, as we have discussed previously, these terms are to be interpreted broadly, as outlined in the recitals.
Part 1 of Schedule 2 deals with exemptions relating to crime, tax and immigration. For example, where the tax authorities assess whether tax has been correctly paid or criminally evaded, that assessment must not be undermined by individuals accessing the data being processed by the authority. Amendments 79A and 79B, spoken to by the noble Lord, Lord Griffiths of Burry Port, would limit the available exemptions by removing from the list of GDPR rights that can be disapplied the right to restrict processing and the right to object to processing. In my example, persons subject to a tax investigation would be able to restrict and object to the processing by a tax authority. Clearly that is not desirable.
Amendments 80A and 83A seek to widen the exemption in paragraph 5(3) of Schedule 2 which exempts data controllers from complying with certain data rights where that data is to be disclosed for the purposes of legal proceedings. Without this provision, which mirrors the 1998 Act, individuals may be able to unfairly disrupt legal proceedings by blocking the processing of data. We are aware that the Bar Council has suggested that the exemption be widened as the amendments propose. This would enable data controllers to be wholly exempt from the relevant data rights. We believe that this is too wide and that the exemption should apply only where the data is, or will be, subject to a disclosure exercise, which is a process managed through court procedure rules. At paragraph 17 of Schedule 2, the Bill makes separate provision for exemptions to protect legal professional privilege. We think that the Bill continues to strike the right balance between the rights of data subjects and controllers processing personal data for the purposes of exercising their legal rights.
Amendment 83B seeks to remove paragraph 7 of Schedule 2 from the Bill. This paragraph sets out the conditions for restricting data subjects’ rights in respect of personal data processed for the purposes of protecting the public. Those carrying out functions to protect the public would include bodies and watchdogs concerned with protecting the public from incompetence, malpractice, dishonesty or seriously improper conduct, securing the health and safety of persons at work and protecting charities and fair competition in business. Paragraph 7, which is based on the current Section 31 of the 1998 Act, ensures that important investigations can continue without interference. Without this paragraph, persons would have to be given notice that they were being investigated and, on receipt of notice, they could require their data to be deleted, frustrating the investigation.
Paragraph 14 of Schedule 2 allows a data controller to refuse to disclose information to the data subject where doing so would involve disclosing information relating to a third party. Amendment 86A would remove the circumstances set out in sub-paragraph (3) to which a data controller must have regard when determining whether it is reasonable to disclose information relating to a third party without their consent. These considerations mirror those in the 1998 Act and we think that they remain important matters to be considered when determining reasonableness. They also allow for any duty of confidentiality to be respected.
Paragraph 15 of Schedule 2 ensures that an individual’s health, education or social work records cannot be withheld simply because they make reference to the health, education and social work professionals who contributed to them. Amendment 86B would allow a controller to refuse to disclose an individual’s health records to that individual on the grounds that they would identify the relevant health professionals who authored them. We believe that individuals should be able to access their health records in these circumstances.
Lord Ashton of Hyde
This was included in the letter I was sent today. I am afraid the noble Lord has not got it. The noble Lord, Lord Kennedy, helpfully withdrew his amendment before I was able to say anything the other night but the EU withdrawal Bill will convert the full text of direct EU instruments into UK law. This includes recitals, which will retain their status as an interpretive aid.
Lord Clement-Jones
My Lords, we will see if the EU withdrawal Bill gets passed, but that is a matter for another day.
I thank the Minister for his remarks. There are many aspects of his reply which Members around the House will wish to unpick.
Lord Stevenson of Balmacara (Lab)
Perhaps I may pursue this for a second. It is late in the evening and I am not moving fast enough in my brain, but the recitals have been discussed time and again and it is great that we are now getting a narrow understanding of where they go. I thought we were transposing the GDPR, after 20 May and after Brexit, through Schedule 6. However, Schedule 6 does not mention the recitals, so if the Minister can explain how this magic translation will happen I will be very grateful.
Lord Ashton of Hyde
We are not transposing the GDPR. It takes direct effect on 25 May.
Lord Stevenson of Balmacara
I knew I was slow. We are moving to applied GDPR; that is correct. The applied GDPR, as I read it in the book—that great wonderful dossier that I have forgotten to table; I am sure the box can supply it when we need it—does not contain the recitals.
Lord Clement-Jones
My Lords, just to heap Pelion on Ossa, I assume that until 29 March the recitals are not part of UK law.
Lord Ashton of Hyde
They will be part of UK law, because the withdrawal Bill will convert the full text into UK law. There will of course be a difference between the recitals and the articles; it will be like a statutory instrument, where the Explanatory Memorandum is part of the text of the instrument.
Lord Pannick
May I add to this fascinating debate? Does this not illustrate one of the problems of the withdrawal Bill—that in many areas, of which this is one, there will be two potentially conflicting sources of English law? There will be this Act, on data protection, and the direct implementation through the EU withdrawal Bill on the same subject. The two may conflict because this Act will not contain the recitals.
Lord Clement-Jones
My Lords, all I can say is that I do not know how the legal profession will cope in the circumstances.
Lord Ashton of Hyde
One thing we can all be certain of is that the legal profession will cope.
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
“( ) the placement (or prospective placement) of the data subject as a volunteer,”
Lord Ashton of Hyde
Lord Ashton of Hyde
Charitable Incorporated Organisations (Consequential Amendments) Order 2017
Lord Ashton of Hyde Excerpts(7 years, 1 month ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Ashton of Hyde
That the draft Order laid before the House on 7 September be approved.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, the order forms a very small part of a package of secondary legislation that will enable charities that have adopted the company structure, or a community interest company, to use a simple process to convert into a charitable incorporated organisation —CIO—should they so wish, and makes some consequential amendments. The order provides a right of appeal against a decision of the Charity Commission not to permit a community interest company to convert into a CIO. This mirrors the right of appeal that already exists in statute in Schedule 6 to the Charities Act 2011 for a charitable company.
It may help the House if I explain the overall package of which the order forms a small part. If approved by Parliament, the two negative resolution regulations that complete the package will also be made. The first sets out the detail of the conversion process for community interest companies and supplements the provision for charitable companies. The second adds CIOs and Scottish CIOs to the index of company names to prevent the registration of new companies with names that are the same as, or too similar to, existing CIOs and Scottish CIOs on the index. This will help charities to protect their corporate identity. To assist in understanding the package of secondary legislation, my honourable friend the Minister for Sport and Civil Society has deposited draft versions of the two other statutory instruments in the House Library.
The CIO, available since 2013, is the first and only legal structure designed specifically for charities. It has the benefits of legal personality and limited liability for its members and trustees, but, unlike the company structure, it is subject to a single regulatory regime under the Charity Commission rather than a dual regime under both the Charity Commission and Companies House. It has proved popular, with more than 12,000 CIOs set up so far.
Some charities that had already chosen the company structure may want to change to become CIOs, and some community interest companies may want to become CIOs. That is the purpose of this package of legislation: to enable a smooth conversion process that makes it simple for charitable companies and community interest companies to convert if they want to. These changes have been developed in close consultation with the Charity Commission, Companies House and the Scottish Government. Consultation feedback showed overwhelming support, 95%, for establishing a statutory conversion process.
That is the background. The draft order before us today merely provides a right of appeal for community interest companies. I commend it to the House and beg to move.
Lord Stevenson of Balmacara
Indeed—my final point was to be that we have something waiting in the wings which presumably is the answer and I thank the noble Lord for raising it. That is my main point and there are two minor points around it. The first concerns paragraph 8.6 of the Explanatory Memorandum, which suggests that minor amendments were made as a result of the consultation, which I felt was well handled. Only one is given, which is that this order does not include,
“the requirement for charitable companies to have filed their most recent accounts or reports with Companies House before an application is granted”.
On the other hand, it states:
“We will retain the requirement to refuse an application if a charity is in default”.
This seems to me to be the same thing. Has the Minister any light to throw on it? If a charity has not completed its formal registration, then it will be in default, so I do not know what this adds. I may be misreading it; if so, I will be grateful to be corrected on it.
Finally, those who have followed my long and extensive career in quizzing statutory instruments will know that I am fixated on dates. The date for the introduction of this does not fall within the common commencement dates. I accept that this does not affect business, so it is not necessarily caught by that, but to choose 1 January, a public holiday, for implementation seems a little perverse and I would be grateful for any comments.
Lord Ashton of Hyde
My Lords, I thank both noble Lords for their comments. I shall start with my noble friend. Of course we are aware that there will be some work involved in this for the Charity Commission, and we also acknowledge that it has limited resources. That is why we have agreed with the commission a phased approach to implementation. It has been planning for this for a number of years and has IT processes and support systems in place. I remind noble Lords that the Charity Commission received an £8 million investment in 2015 to support its transition into a modern, effective regulator and we believe that it has made very good progress. Work is under way within government to explore future funding options, including bringing the Charity Commission more into line with the model of other regulators. All options regarding the future funding model will be properly considered by the Government and will be subject to public consultation before any changes are made.
I am grateful to the noble Lord, Lord Stevenson, for his kind words about the preparation of this order, for which I take no credit, but the DCMS team, which does, will be very pleased: I think it is merited. I take his point about the issues more generally about charities. I agree with my noble friend Lord Hodgson that the report by your Lordships’ Committee on Charities, Stronger Charities for a Stronger Society, is awaiting a response. I can say that that will be coming soon, and soon means soon in this case.
Lord Ashton of Hyde
I have spent a long time at this Dispatch Box debating what “soon” means, and “very soon” and “imminent”, but in this case it is soon. My noble friend Lord Hodgson said there are opportunities in that response. I think it will be worth reading. I am sure that in due course the business managers will arrange a debate on the report.
My noble friend did not mention, but the noble Lord, Lord Stevenson, did, that he was responsible for the statutory review of the Charities Act 2006. The Law Commission’s report, which was published in September, examined a range of technical changes in charity law, many of which my noble friend posited in his statutory review. We welcome the Law Commission’s report and we will respond formally in due course. I expect, but cannot guarantee, that our response will be positive. The challenge is likely to be securing a legislative slot, which may take some time.
The noble Lord, Lord Stevenson, asked why we chose 1 January. I can only assume—if I am wrong on this, I will confirm it—that it was because it is the beginning of the new year and we decided that would be a good time. He asked one more, rather technical, question, and I do not have an answer to it. I will certainly write to him.
As I explained, the order provides a right of appeal for community interest companies. The rest of the package will be laid if the order is agreed to. I commend it to the House.
Data Protection Bill [HL]
Lord Ashton of Hyde ExcerptsMonday 6th November 2017
(7 years, 1 month ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-II(Rev)(a) Amendment for Committee, supplementary to the revised second marshalled list (PDF, 55KB) - (6 Nov 2017)
Lord Stevenson of Balmacara (Lab)
My Lords, this has been a terrific debate on an important subject. We probably all agree that of all the issues that will come up on the Bill, we care about this one the most and would like to see it settled in a way that balances, as has been said, the wish for people to enjoy the use of the internet—which brings so much in so many different ways—with an appropriate regulatory structure that means that harm is prevented where it is appropriate to do so.
I was struck by what the noble Baroness, Lady Harding, said. Obviously, she is in a difficult position, speaking against her Government on a matter about which she has so much expertise and knowledge. However, she made the case so well that it is worth paying tribute to her for that. If we find a situation in any aspect of our public life where those responsible for an issue are unwilling or unable to deal with it appropriately, the public authorities have to take that step. We are in that situation—she made that clear so well.
Other arguments have been used today that were knocked back by the noble Baroness, Lady Kidron, when she spoke, but it is important to bear this in mind. There is no question here about us affecting our adequacy issues. This is definitely left to the government agencies in the countries involved to act on, and there is no issue here with regard to what we would say to the European Union should that be required in terms of adequacy, so we should not be dissuaded by that. As the recitals attached to the GDPR say, it is still a question of needing to balance the lower age of consent with the appropriate safeguards required. Age is one of those—it is important, but not the only one; capacity has also been raised before. However, we have the issue here about age, and there is a need for guidance around that.
The Government will not address the issue in any future sense. The internet strategy, which was referred to, is a bit of a red herring here, and, as we have heard, self-regulation, on which it is largely based, does not work. Therefore, action is probably required. As I said, if the industry will not do it, the public authorities should. We want this country to be the best place in the world to be online, and we want it to be safe to do so. If it is possible to design an age-appropriate environment, we should look very hard at that. The case that has been made today is incredibly important. The Government have a good sense of that from all around the Committee, as was said, and I hope they will be able to respond positively to it.
I will speak briefly to Amendment 20A, which picks up points made by the noble Baroness, Lady Howe. One issue that affects all those who wish to work in this area is the lack of information about what is happening on the ground: who is using what and how, with regard to time, effort and use of the internet? Amendment 20A, in my name, suggests to the Government that there is need at some point for a proper review which will require the companies to divest the information they currently have but which they do not share on information society services. Only then will the evidence of which the noble Baroness, Lady Howe, spoke, which will inform us as we go forward, be available. However, it should not stand in the way of the need to act in this way in this amendment, which I fully support.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, the noble Lord, Lord Stevenson, said that he hoped I had a sense of where the Committee is coming from. I very much have a sense of that. I know that child online safety is an issue that is taken seriously by all noble Lords in the House, and it has been the subject of much debate apart from today. I am therefore grateful to the noble Baroness and to all who contributed for introducing this important subject. I assure all noble Lords that we have an open mind. However, I will pour a bit of cold water because some issues, to which we may well come back, need to be thought about. I apologise to the noble Baroness, Lady Kidron, for the fact that we have not met. I thought that we were arranging a meeting. I have certainly talked to my noble friend Lady Harding about these amendments. However, I repeat not only to her but to every noble Lord that I am very happy to talk to anyone about these matters before Report, and I have no doubt that I will be talking to the noble Baroness before too long.
At Second Reading we heard a good deal about the need to improve online safety and concerns about the role that social media companies play in young people’s lives. The Government are fully committed to this cause. Our approach has been laid out in the Internet Safety Strategy Green Paper, published earlier this month. In that strategy, the Government detailed a number of commitments to improve online safety for all users and issued a consultation on further work, including the social media code of practice, the social media levy and transparency reporting. Although the Government are currently promoting a voluntary approach to work with industry, we have clearly stated in the strategy—and I repeat it now—that legislation will be introduced if necessary, and this will be taken forward in the digital charter.
The Government’s clear intention is to educate all users on the safe use of online sites such as social media sites. Again, this is set out in the strategy. This includes efforts targeted at children, comprising working with civil society groups to support peer-to-peer programmes and revised national curriculums. We believe that education is fundamental to safe use of the internet because it enables users to build the skills and resilience needed to navigate the online world and to be capable of adapting to the continuous changes and innovations that we see in this space.
The aim of these amendments is to allow information society services to make use of the derogation in the GDPR to set the age threshold at 13 only if sites comply with guidance on the minimum standards of age-appropriate design as set out by the Information Commissioner. Although the Government are sympathetic to their goal to raise the level of safety online, we have some questions about how it would work in practice and some fundamental concerns about its possible unintended consequences.
The noble Lord, Lord Storey, said that we should not rest our case on EU law. That is an enticing argument, especially from a Liberal Democrat, but I think that there is a sense of frustration there and I would not hold him to that. However, the fact is that, as we discussed last week, we are determined to ensure that we preserve the free flow of data once the UK leaves the EU.
I have to raise the issue of compliance with the GDPR, because we have a very real concern that these amendments are not compatible with it. The GDPR was designed as a regulation to ensure harmonisation of data protection laws across the EU. The nature of the internet and the transnational flow of data that it entails mean that effective regulations need international agreement. However, these amendments would create additional burdens for data controllers. Article 8 of the GDPR says that member states may provide by law for a lower age but it does not indicate that exercising this derogation should be conditional on other requirements. These amendments go further than permitted, creating a risk for our future trading relationships.
The noble Baroness mentioned that she had advice from a prominent QC. If she would care to share that with us, I would be happy to discuss it with her, and we will put that in front of our lawyers as well. I have an open mind on this but we think that there is an issue as far as the GDPR’s compatibility is concerned.
Amendment 155 would require the Information Commissioner to produce guidance on standards and design. The Information Commissioner will already be providing guidance on minimum standards to comply with the requirement not to offer services to under-13s without parental consent. Indeed, it will be the role of the commissioner to enforce the new law on consent. Although the guidance will not include details on age-appropriate design, this is not something that should be overlooked by government. However, tackling the problem of age-appropriate design is not just a data protection issue, and we should be very cautious about using this age threshold as a tool to keep children off certain sites. This is about their data and not the more fundamental question of the age at which children should be able to use these sites.
We need to educate children and work with internet companies to keep them safe and allow them to benefit from being online. Where there is clearly harmful material, such as online pornography, we have acted to protect children through a requirement for age verification in the Digital Economy Act 2017. The Government’s Internet Safety Strategy addresses a wide range of ways to protect the public online. While online safety, particularly for children, is very important, we should not be confusing this with the age at which parental consent is no longer required for the processing of personal data by online services. The Government have a clear plan of action.
Lord Knight of Weymouth
I apologise to the Minister for interrupting. I am just interested in that confusion that he talks about. Perhaps I am incorrect, but I understand that images, for example, are data. There is a lot of concern about sexting and about platforms such as Snapchat and the sharing of data. Where is the confusion? Is it in the Government, or in the Chamber?
Lord Ashton of Hyde
I do not think I mentioned confusion. What we are talking about in the Bill is purely data protection. We are talking about the age at which children can consent to information society services handling their data. What I think the noble Baroness, and a lot of Peers in the House, are talking about is keeping children safe online, which is more than just protection of their personal data.
Baroness Kidron
I also apologise for interrupting but I have to support the noble Lord, Lord Knight. When I read out the list, I said that Instagram takes information such as your phone number, your birthday and who you are chatting with. That is data, so I come at this from a very clear position on children’s rights. I am very keen for children to be online. I agree with the noble Lord, Lord Knight, that we are beyond an age of consent, as he said on Second Reading. Consent is meaningless if you do not change the service on the other side of that consent. It is not simply about the bad things that happen. It is about abusing the entire data of a child when they are online. I hope that is helpful to put it back into scope of the Bill.
Lord Ashton of Hyde
There may be some confusion now. I am not saying that children’s data is not important or that data protection for children is not important: clearly they are. However, the internet safety strategy addresses an overall, comprehensive range of measures that is about more than just data protection. We want to have a comprehensive strategy, which I am going to come to, to talk about safety. Nobody in their right mind is saying that we should not protect children, not only on the domestic front but internationally, as the noble Baroness, Lady Jay, said. Let me continue and I am sure all will become clear. If it does not, I am sure that the noble Baroness and others will cross-question me. If I have misunderstood what the noble Lord, Lord Knight, is getting at, I will look at Hansard and get back to him. I am sure we will come to this again.
We have a clear plan of action to raise the level of safety online for all users, as set out in the internet safety strategy. We are consulting on a new code of practice for the providers of online social media platforms, as required by the Digital Economy Act. That will set best practice for platform providers in offering adequate online protection policies, including minimum standards. Approaching the problem in this way as a safety matter, rather than a data protection matter, ensures we can tackle the problem while avoiding a debate over whether we are compliant with the GDPR. The internet safety strategy also outlines the Government’s promotion of “Think safety first” for online services. This will aim to educate and encourage new start-ups and developers to ensure that safety and privacy are built into their products from the design phase. Examples of this type of approach include having robust reporting mechanisms for users. We are looking at whether extra considerations should be in place on devices that are registered as being used by a child.
It is essential that we take a careful and considered approach to affecting the design standard of online services. Making overly complex or demanding requirements may result in negative consequences. Let me explain why. Amendments 18 and 19 essentially offer website operators a stark choice. Websites will need to either invest in upgrading standards and design or withdraw their services for use by under-16s. This is dangerous for the following reasons.
First, it could cause a displacement effect where children move to less popular platforms that would potentially not comply with such requirements—the noble Baroness, Lady Jay, talked about foreign sites. It is often more difficult to monitor these services and to ensure they have the basic protections that we expect from more legitimate sites. Platforms comply either because they are responsible or because they believe that the regulator will take enforcement action against them. Platforms hosted overseas may not always comply, because to do so would reduce the volume of users and potential monetisation, and the risk of enforcement action may be low.
Secondly, it is likely that young people, particularly those who already use these sites, may lie about their age to circumvent restrictions. This could have negative consequences for the prosecution of online grooming and underage sex: teenagers would be vulnerable to the assumption that they are over 16; adults could use this as a defence for their conduct; and sites may not be as accountable for the content that children are exposed to. This is not an imaginary problem. There have been cases of acquittal at trial, where men have had sexual relations with underage girls after meeting them on sites for over-18s only, using their presence on the site as a defence for believing them to be adults.
Thirdly, circumvention may be sought through the use of mechanisms to anonymise—I am having a problem with my pronunciation too—the use of the internet. Young people may adopt anonymising tools such as VPNs to access non-UK versions of the sites. This would make it more difficult for law enforcement to investigate, should they be exploited or subject to crime.
Fourthly, there is already in place a variety of legislation to safeguard children. Any change brought in through this Bill would have potential ramifications for other statutes. Altering how children make use of online service providers would need to be carefully worked through with law enforcement agencies to ensure that it did not damage the effectiveness of safeguarding vulnerable people.
Fifthly, these amendments do not just apply to social media services. A broad range of online services would be affected by this proposal, from media players to commerce sites. The kinds of services that would be caught by this amendment include many that develop content specifically for young people, including educational materials, not to mention the wider impact on digital skills if children are forced offline.
I move on now to more practical considerations. I am concerned that the amendments as drafted, while an elegant proposal, could serve to create confusion about what sites have to do. We know that the GDPR will apply from 25 May, and I am not convinced that this will allow enough time for the commissioner to consult on the guidance, prepare it, agree it and lay it before Parliament, and for companies to be compliant with it. Online service providers will need to adhere to the new requirements from May 2018, and may have existing customers that the new provisions will apply to. They will need some time to make any necessary changes in advance. Even with the transition period available in the amendment, this would lead to considerable uncertainty and confusion from online services about the rules they will have to follow come May. This could result in the problems that I have already laid out.
Finally, the Information Commissioner has raised a technical point. These amendments would apply only where consent is the lawful basis for processing data. Children also have access to online services where the data controller relies on a contractual basis or vital interests to offer services, rather than reliance on consent. Therefore, the amendments may have less reach than seems to be envisaged and are likely to lead to confusion as to which services the requirements apply to.
In summary, in spite of our appreciation of the aims of these amendments, we have concerns. They may prove dangerous to the online safety of children and young people. Creating unnecessary and isolated requirements runs the risk of being counterproductive to other work in this space. There needs to be some serious and detailed discussion on this before any changes are made. Furthermore, the technical and legal drafting of the amendments remains in question.
There is no doubt that further work needs to be done in the online safety space to ensure the robust and sustainable protection of our children and young people online. We have demonstrated commitment to this through the work on the internet safety strategy and the Digital Economy Act. We are working on these issues as a matter of priority, but strongly believe that it is better to address them as a whole rather than pursue them through the narrow lens of data protection. We need to work collaboratively with a wide range of stakeholders to ensure that we get the right approach. The noble Baroness, Lady Kidron, for example, was among those who attended the parliamentarians’ round table on the internet safety strategy, which she mentioned, hosted by the Secretary of State last week. We are engaged on this issue and are not pursuing the work behind locked doors. These specific amendments, however, are not the right course of action to take at this time.
Lord Alton of Liverpool
My Lords, the Minister has just referred to the round table. He will recall that I mentioned in my remarks the issue of definitions and suicide sites that were raised during that round table last week. Can he tell the House any more about that?
Lord Ashton of Hyde
I was not at the round table, and I am afraid that I would require some notice to answer that question. I am certainly happy to write to the Committee about that. I had not forgotten; I just do not have an answer.
Given the arguments that I have laid out, I would like to reassure the House that this issue remains high priority. The noble Lord, Lord Knight, asked whether GOV.UK’s Verify site could be used for age verification. Verify confirms identity against records held by mobile phone companies, HM Passport Office, the DVLA and credit agencies, so it is not designed for use by children. We will continue to work with interested parties to improve internet safety, but in a coherent and systematic way. For the moment, and in anticipation of further discussions, I ask the noble Baroness to withdraw her amendment.
I now move to Amendment 20A from the noble Lords, Lord Stevenson and Lord Kennedy, on the requirement for a review of Clause 8. Again, the Government agree with the spirit of this amendment in ensuring that the legislation we are creating offers the protections that we desire. However, there are a few issues that we would like to address.
First, it is government practice to review and report in cases of new legislation like this. Bringing about a mandatory report in this case is therefore unnecessary. Furthermore, prescribing the specific content of such a report at this stage is counterproductive. This is especially true given the complex and wide-ranging nature of child online safety and the work being conducted by the Government in this space.
Secondly, on timings, as noble Lords are aware, we must comply with the GDPR from 25 May next year, by which time the Bill must be passed. I am concerned, therefore, that to require a review to be published within 12 months of the Bill passing would not leave sufficient time to produce a meaningful report. Companies need the time to bring in new mechanisms to be compliant with the regulation. For data to be created and collected, time must be given for the sites to be tested and used following the new regulations. This will allow for the comparison of robust data and that which will reflect other work around online safety, which is still being developed. For those reasons, I ask the noble Lords not to press their amendments.
Lord Stevenson of Balmacara
I do not think that the Minister answered the point made by my noble friend Lady Jay on extraterritoriality—a word that I know he will want to use. Also, before the noble Baroness, Lady Kidron, replies, the main thrust of the Minister’s points was that government action on a code and on the digital charter would take most of the issues away. He relied on that in terms of his main argument. But am I right in saying that the code that has been consulted on is voluntary and that there will be no statutory basis for the digital charter? I would be grateful if he could help us on those two points.
Lord Ashton of Hyde
I am happy to confirm those two points. On extraterritoriality, I agree with the noble Baroness that it is difficult to control. Commercial sites are easier—an example of which is gambling. We can control the payments, so if they are commercial and cannot pay people, they may well lose their attractiveness. Of course, the only way to solve this is through international agreement, and the Government are working on that. Part of my point is that, if you drive children away to sites located abroad, there is a risk in that. The big, well-known sites are by and large responsible. They may not do what we want, but they will work with the Government. That is the thrust of our argument. We are working with the well-known companies and, by and large, they act responsibly, even if they do not do exactly what we want. As I say, however, we are working on that. The noble Baroness is right to say that, if we drive children on to less responsible sites based in jurisdictions with less sensible and acceptable regimes, that is a problem.
Lord Knight of Weymouth
Could the Minister help me with any information he might have about when the GDPR was drawn up? It must have been envisaged when Article 8 was put together that some member states would go with something different—be it 13, 16, or whatever. The issue of foreign powers must have been thought about, as well as verifying age, parental consent, or the verification of parental identity to verify age. Article 8 just talks about having to have parental sign-off. These issues of verification and going off to foreign powers must have been thought about when the article was being put together in Europe. Does he have any advice on what they thought would be done about this problem?
Lord Ashton of Hyde
I cannot give the noble Lord chapter and verse on what the European bureaucrats were thinking when they produced the article, but age verification is not really the issue on this one, because it is extremely difficult to verify ages below 18 anyway. Although one can get a driving licence at 17, it is at the age of 18 when you can have a credit card. As I say, the issue here is not age verification—rather, it is about how, when we make things too onerous, that has the potential to drive people away on to other sites which take their responsibilities less seriously. That was the point I was trying to make.
Baroness Jay of Paddington
My Lords, the Minister was kind enough to respond to the point I sought to make about the extraterritorial nature of all this, which of course goes way beyond individual sites to corporate ownership, the issue that I am most concerned about. I am glad that the Government are having conversations with, or at least dealing with, what he describes as the most responsible players in this market. None the less, we are dealing with a global environment in which most countries, not just a few rogue countries, have a very different environment and understanding of the culture and nature of the regulation of broadcasting than we do in this country. We have had a very particular and sophisticated way of dealing with terrestrial broadcasting for several generations. The real problem lies in addressing how we can translate some of those values and regulatory formats into the global internet age.
Lord Ashton of Hyde
I take that point completely. So that I get it right, it would be best if I write to the noble Baroness about what we are doing. I am afraid that I cannot recall whether it is the G8, the G20 or whatever. Ownership is obviously a key point as well, so I will write to the noble Baroness on those points.
Lord Stevenson of Balmacara
My Lords, I am very sorry for interrupting the noble Lord, Lord McNally, as what he had to say was very apposite and appropriate. I thought at one stage that he was going to say that he had been around for the passing of the first reform Act as well as everything else he was talking about, but I must have misheard him.
This has been a good debate, which has tended to range rather widely, mainly because it is so important we get this right. I confidently expect the Minister to respond by saying that this is a very good idea but he lacks the power to be able to give any response one way or another because it lies in the hands of one of his noble friends. That of course is the problem here, that we have another linked issue. Whitehall is useless at trying to take a broader issue that arises in one area and apply it in another. Education seems to be one of the worst departments in that respect. I mean that, as it has come up time and again: good ideas about how we need to radicalise our curriculum never get implemented because there seems to be an innate inability in the department to go along with it. It may well be that the changes to the structure of education in recent years have something to do with that. It is good to see in the second line of this amendment that this would apply to “all children” irrespective of the type of school or type of organisational structure that school is in, so that it applies to everyone. We support that.
However, two worries remain that still need to be looked at very hard, and the noble Lord who just spoke was on the point here. Do we have the skills in the schools to teach to the level of understanding that we are talking about? I suspect that we do not. If so, what are we going to do about that? Thirdly, I suspect that our kids are way ahead of us on this. They have already moved across into a knowledge and understanding of this technology that we cannot possibly match. Teaching them to go back to basics, as has been the case in previous restructuring of the curriculum, is not the right way. We need a radical rethink of the overall curriculum, something which is urgent and pressing. It is raised, interestingly enough, in a number of publications that are now appearing around the industrial strategy. If we do not get this right, we will never have a strategy for our industries that will resolve all the issues we have with improving productivity. I hope the Minister will take this away.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lord, Lord Storey, whose long experience in education I acknowledge, and to all noble Lords who have contributed. I could not agree more about the importance of children and young people fully understanding how their data is collected, stored and used. That is why the Government have already taken steps to ensure that key aspects of data protection are taught in maintained schools. In 2014 we established a new and more rigorous national computing curriculum covering ages five to 16. It is compulsory in maintained schools in England and sets an ambitious benchmark that autonomous academies and free schools can use and improve on.
The new computing curriculum was developed by industry experts and includes safety, which helps to give children the tools that they need to make sensible choices online. I say to the noble Lord, Lord Puttnam, and my noble friend Lord Lucas that they were a bit pessimistic about what we are doing; we are certainly not doing nothing, as my noble friend implied. Children are taught how to use technology safely, respectfully and responsibly; how to recognise unacceptable behaviour; and how to report concerns about content and contact. Importantly, the curriculum also includes keeping personal information private and protecting their online identity and privacy, both of which are important parts of data protection. All schools can choose to teach children about data collection, storage and usage as part of these topics.
I also say to the noble Lord, Lord Puttnam, that the digital economy is actually not doing too badly; it is growing at twice the rate of the rest of the economy. The Government are spending to improve skills at all levels, including at PhD level, to prevent social exclusion. So we get the issues that he is talking about, and in my answer to the debate of the noble Baroness, Lady Lane-Fox, I outlined some of the things that we are doing.
Lord Puttnam
I accept entirely that the economic drivers for the digital economy are being handled quite well. I am suggesting that the societal end of that debate is not keeping pace with the commercial and that, if we allow too great a disconnect to occur between societal impacts and commercial success, we will reap a very unfortunate harvest. The Minister was good enough to see me last week, together with an official from the Department for Education. I am not pretending for a moment that nothing is being done, but I am suggesting that there is nothing like enough urgency in trying to correct the societal aspects of this issue.
Lord Ashton of Hyde
I take that point. I also understand the difference that the noble Baroness, Lady Lane-Fox, highlighted between digital skills and digital understanding, and we need to address that. One of the issues that the data ethics body is going to look at is how society deals with these technical problems, albeit that they are changing incredibly fast.
I have talked about younger pupils. Older pupils are also taught citizenship as part of the national curriculum. That equips pupils to take their place in society as active and responsible citizens, including providing them with the knowledge and skills that they need to think critically and to research and interrogate evidence. These vital skills help our children understand how their data can be used and why data protection is important.
Amendment 20 would require the Secretary of State for Education to make changes to the current maintained schools national curriculum, and would create new requirements for independent schools and academies. In our view, now is not the time to make further changes to these subjects. We need to allow schools to fully embed the new curriculum in order to provide a period of stability for schools so that they can focus on ensuring that pupils are taught this new curriculum well, including the new aspects on data protection.
Having said that, we are not complacent. We realise that companies’ use of data in the online world is increasingly complex and that we need to support children to understand that. The changes introduced in the Children and Social Work Act 2017 represent a step change in education on online safety. For the first time it will be compulsory for all primary-aged children at school in England to be taught relationships education, and all secondary-school children will be taught relationships and sex education. In addition, we will carefully consider whether also to make personal, social, health and economic education compulsory in all schools.
The noble Lord, Lord Knight, took my lines to a certain extent. I was going to confirm that the Department for Education confirmed today that it has begun its engagement with stakeholders. This is a point that has come up before: that will help it reach evidence-based decisions on the content. I can tell the noble Lord that the head teacher who is running it will advise the Department for Education on what will be included in relationships and sex education and PSHE, whether it should be compulsory and, if so, what content may be included. It will be live to online issues and include what children need to know to be safe online, beyond what is already in the computing curriculum.
The Government will ensure that these new compulsory subjects in England address the challenges experienced by young people online and are seeking views to work out exactly what this should cover and how best to do so. The Department for Education will support schools to ensure that content is pitched at the right level for each school year and builds knowledge as children grow up. Engagement and consultation will help us to get the detail right.
My department, DCMS, and the Department for Education are working together on the online safety aspects of these subjects. We will work with partners, including social media and technology companies, subject experts, law enforcement—
Baroness O'Neill of Bengarve (CB)
I thank the Minister for giving way. Is he suggesting that the aim should be to adapt children to the realities of the online world and the internet service providers, rather than to adapt the providers to the needs of children?
Lord Ashton of Hyde
I am not an expert on education, but I do not think that “adapting” children is a recognised educational aspiration. We are trying to make children aware of the issues involved in the online world. We all accept that they are technically skilful, but they may not have the maturity to make the right decisions at certain times in their lives. As I said, we are trying to pitch it so that, as children develop, they are introduced to different things along the way. I hope that that answers the noble Baroness.
We are working with social media and technology companies, subject experts, law enforcement, English schools and teaching bodies to ensure these subjects are up to date with how children and young people access content online and the risks they face. We will also consider how best to support schools in the delivery of these new subjects. It is important to note that education on data processing does not exist in a vacuum but is viewed as a part of a wider programme of digital learning being promoted to improve user awareness of online safety and build digital capability. As such, we think that legislation focusing solely on data processing would risk detracting from the broader issues being tackled.
I am grateful to noble Lords for their amendment: it has prompted an interesting debate and raised issues which have gone beyond data protection, on which of course we are concentrating in the Bill. I hope that I have reassured the noble Lord that the Government take the issue of educating young people seriously, particularly in data protection matters. Not only do they already feature in the curriculum but we are considering how we might strengthen this teaching as a key part of our wider online safety work. With that reassurance, I hope that the noble Lord will feel able to withdraw the amendment.
Lord Storey
I am very grateful for the Minister’s helpful reply and to noble Lords who have contributed to this debate. I do not particularly like the phrase “digital literacy”: I much prefer “digital understanding”. I always understood that the fourth “r” was religion, so perhaps, with a small “r”, this is a religion for some of these large tech companies.
I can accept everything the Minister said, with the exception of two points. He said that these things are happening in the maintained sector. However, over 70% of our secondary schools are no longer in the maintained sector and they can choose whether or not to follow the programmes that he has suggested. Free schools are also increasing in number and, again, they do not have to take any part in this activity if they do not want to.
I agree with the Minister that this is not a discrete package where you tick the box when you have done it. It has to be part of a wider programme which goes through all aspects of learning. I also agree with the noble Lord, Lord Stevenson, who raised the question of whether we have the skills in our schools. It is not just digital issues: we do not have teachers for A-level maths or physics but we do not stop doing maths or physics. This might ensure that we actually started training teachers to work in this area.
I am grateful for the Minister’s helpful reply and look forward to considering this again on Report. I beg leave to withdraw the amendment.
Data Protection Bill [HL]
Lord Ashton of Hyde Excerpts(7 years, 1 month ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Lester of Herne Hill (LD)
My Lords, I want to raise an issue which I would be grateful if it were thought about, although I would not dream of asking the Minister to give an informed reply today. I am puzzled especially by Amendment 37, spoken to by the noble Lord, Lord Griffiths, because I spent a good deal of my time developing the Equality Act 2010 and we were very concerned when doing so about issues of personal privacy and enforceability.
Obviously, one size does not fit all when it comes to equal opportunity and treatment. It is fairly easy to operate a policy measuring ethnicity, for example, without any problem about privacy; it is pretty easy to do so in respect of gender, although gender does not at the moment figure in the list for some reason, but it becomes terribly difficult when one is dealing with sexuality, religion or philosophical belief, which are for some reason in the list at the moment. I would be grateful if the Minister could reflect with people from the Government Equalities Office on whether this is an example of overlegislation, which it would be much better to prune down.
I am all in favour of affirmative action to promote equality between the sexes or people of different ethnicity, but when it comes to religion, philosophical belief and the other matters that are either there at the moment or would be there under Amendment 37, I get very worried. For example, I once represented the Church of Scientology—successfully—in establishing that scientology is a religion. I would not like these provisions to be the source of conflict and division between one kind of religion and another, or one kind of no religion and humanists, and so on. I think it is an example of overlegislation and underlegislation, and needs to be sorted.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I am grateful to all noble Lords who have participated. I am especially grateful for the clear way in which the noble Lord, Lord Griffiths, outlined the case for all his amendments. He could have chosen an easier Bill to start on, I must say, but he did it very well. I am grateful for the opportunity to set out the purpose of various conditions included in Schedule 1, this time specifically with reference to Part 2.
As we have already discussed, for “special categories of data” to be processed lawfully, controllers must demonstrate that their processing meets one of the processing conditions set out in article 9 of the GDPR. We have already touched on several of these. Here we turn to processing which is,
“necessary for reasons of substantial public interest”.
Clause 9 requires that controllers wishing to rely on this processing condition must meet one of the conditions set out in Part 2 of Schedule 1.
Paragraph 7 of Schedule 1 allows processing of certain specified special categories of personal data for the purpose of promoting equality of opportunity. Amendment 37 seeks to expand this condition to permit the processing of additional categories of personal data. This is unnecessary because the categories of data referred to in the amendment are either not considered by the GDPR framework to be special categories of data in the first place or covered by the categories already listed in paragraph 7 of Schedule 1; for example, “Personal data revealing age” need not be listed because it is not subject to additional protection to begin with.
The Government accept that the existing special categories of data are broad and in some circumstances will overlap with the categories of data suggested in the amendment; for example,
“Personal data revealing a disability”,
will fall within the special category of “Data concerning health”. But in these cases, paragraph 7 already permits the processing of such data for equality-monitoring purposes. I will read carefully the remarks of the noble Lord, Lord Lester. I suspect his point is to do with what is and what is not a special category of data, but I will read Hansard and write to him, and copy other noble Lords. I thank him for not requiring a considered answer tonight.
Amendments 38 and 39 address the condition in paragraph 8 which permits the processing of data where this is,
“necessary for the purposes of the prevention or detection of an unlawful act”.
Amendment 38 would make it clear that the condition was available only if the unlawful act in question was “serious”. I can understand the rationale behind the amendment but the Government consider that it might nevertheless be in the substantial public interest for an organisation to process data for the prevention or detection of an unlawful act that was not obviously “serious”. An offence such as driving without a licence or insurance may not be the most serious in terms of the maximum penalty available, but it could still be in the substantial public interest for it to be reported by the data controller. Paragraph 8 ensures that data controllers are empowered to make that call and be accountable for their decision.
Amendment 39 would make the condition available only,
“under circumstances in which it is reasonably clear that a data subject is unlikely to give consent”.
While similar provision is made in other conditions where required, the Government consider that it would not be appropriate in this case, given that the purpose is to process data in circumstances where seeking consent risks prejudicing the prevention or detection of an unlawful act.
Amendment 40 would remove the word “dishonesty” from paragraph 9(2)(a) so that an organisation could rely on this provision only if it were processing sensitive categories of personal data to protect the public from malpractice, other seriously improper conduct or the other listed behaviours. The Government consider that there might be situations where an organisation would also need to process data to protect the public from dishonesty that does not necessarily amount to malpractice or improper conduct. It is therefore right that the paragraph covers the full gamut. This processing condition is not new; a similarly worded provision already exists under the current Data Protection Act.
The noble Lord, Lord Griffiths, suggested that there was a need for a further definition of “dishonesty”. I am afraid we do not agree. The word has a plain English meaning, defined in the dictionary. Furthermore, to define it here would cause confusion as it is used throughout UK legislation.
Amendment 41 would extend the scope of the same processing condition so that it could also be used to protect bodies and associations, rather than just the general public, from dishonesty, malpractice and improper conduct. It is one thing to allow the processing of an individual’s personal data for the purposes of protecting the general public—that is, other individuals; there is a neat symmetry there—but quite another to suggest that it could be processed to protect organisations from reputational harm. On that basis, I cannot agree to include it.
Amendments 43 and 44 address the processing condition in paragraph 12 which allows organisations such as banks to make disclosures “in good faith” under the Terrorism Act 2000 and the Proceeds of Crime Act 2002 about third parties who are suspected of terrorist-financing offences or money laundering. This processing condition is intended to protect organisations that disclose data on the basis of a genuine suspicion, even if it turns out later not to have been well founded. Noble Lords will recall that this condition was debated and agreed to as part of the Criminal Finances Bill earlier this year. The condition is tied to the improvement of a specific statutory regime—known as the suspicious activity reports regime—and is designed to give legal clarity to encourage the sharing of information to prevent serious crime and terrorism. I know there are some in the financial sector who have suggested that these provisions should go further to permit screening by private companies for the purposes of checking against non-UK laws on terrorist financing and money laundering. As noble Lords may be aware, the relevant provisions in the Criminal Finances Act were commenced only at the end of last month. We are not convinced that there is a need to amend them at such an early stage.
Amendment 45 would amend the processing condition relating to,
“confidential counselling, advice or support”,
in paragraph 13. It would add “guidance” to the list of processing activities which are permitted under this provision. This paragraph is not new; the relevant wording is drawn directly from existing legislation. But I am happy to put on the record the Government’s view that guidance is already covered by this provision and thus there is no need to amend it.
Amendments 45A and 64 in the name of my noble friend Lady Neville-Jones seek to clarify the legal status of processing by patient support groups. The Government strongly support the varied and important work of patient support groups and I am grateful for my noble friend’s time in meeting me recently. It is important to reiterate that groups such as Unique will have access to a number of provisions already in the Bill, even in cases where consent cannot be obtained, or reobtained, from the data subject.
We discussed the provisions for scientific research last week. In addition, paragraph 13 of Schedule 1 makes provision for confidential counselling, advice and support. Taken together, the provisions I have mentioned—for consent, scientific research, and confidential counselling, advice and support—seem to cover a great deal of the vital work undertaken by patient support groups. But the Government retain an open mind on this and I will read my noble friend’s contribution in Hansard carefully.
Lord Ashton of Hyde
I agree. I have the same. You have to put in your numerical password every so often just to check that you have still got the same finger. Technically, you might not have.
The amendments also seek to permit the processing of such data when biometric identification devices are installed by employers to allow employees to gain access to work premises or when the controller is using the data for internal purposes to improve ID verification mechanisms. I am grateful to the noble Lord for raising this important issue because the use of biometric verification devices is likely only to increase in the coming years. At the moment, our initial view is that, given the current range of processing conditions provided in Schedule 1 to the Bill, no further provision is needed to facilitate the activities to which the noble Lord referred. However, this is a technical issue and so I am happy to write to the noble Lord to set out our reasoning on that point. Of course, this may not be the case in relation to the application of future technology, and we have already discussed the need for delegated powers in the Bill to ensure that the law can keep pace. I think we will discuss that again in a later group.
On this basis, I hope I have tackled the noble Lord’s concerns, and I would be grateful if he will withdraw the amendment.
Lord Clement-Jones
My Lords, as usual the noble Lord, Lord Maxton, has put his finger on the problem. If we have iris recognition, he will keep his eye on the matter.
I thank the Minister for his explanation of the multifarious amendments and welcome the maiden speech from the Front Bench by the noble Lord, Lord Griffiths. I do not think I can better my noble friend Lord McNally’s description of his ascent to greatness in this matter. I suspect that in essence it means that the noble Lord, Lord Griffiths, like me, picks up all the worst technical amendments which are the most difficult to explain in a short speech.
I thought the Minister rather short-changed some of the amendments, but I will rely on Hansard at a later date, and I am sure the Opposition Front Bench will do the same when we come to it. The particular area where he was disappointing was on what you might call the Thomson Reuters perspective, and I am sure that we will want to examine very carefully what the Minister had to say because it could be of considerable significance if there is no suitable exemption to allow that kind of fraud prevention to take place. Although he said he had an open mind, I was rather surprised by his approach to Amendments 45A and 64 which were tabled by the noble Baroness, Lady Neville-Jones. One will have to unpick carefully what he said.
The bulk of what I want to respond to is what the Minister said about biometrics. I took quite a lot of comfort from what he said because he did not start quoting chapter and verse at me, which I think means that nobody has quite yet worked out where this biometric data fits and where there might be suitable exemptions. There is a general feeling that somewhere in the Bill or the schedules we will find something that will cover it. I think that may be an overoptimistic view, but I look forward to receiving the Minister’s letter. In the meantime, I beg leave to withdraw the amendment.
Lord Ashton of Hyde
My Lords, I am grateful to noble Lords who have spoken and for the opportunity to set out the purposes of various conditions included in Part 1 of Schedule 1.
It is worth recalling that, in order for special categories of data to be processed lawfully, controllers must demonstrate that their processing meets one of a defined list of processing conditions set out in article 9 of the GDPR. Many controllers will meet this requirement by seeking the explicit consent of the data subject but the reality is there will be circumstances where it would not be appropriate, or indeed possible, for a controller to seek consent. In these cases, alternative conditions include processing which is necessary for the purposes of employment and social security; for the provision of health or social care; for public health; and for archiving and research. But for UK controllers to take advantage of these particular processing conditions, the UK must make suitable provision in UK law. That is what the conditions set out in Part 1 of Schedule 1 seek to do.
Paragraph 1 of that schedule, referenced in Amendment 25, refers to the processing of sensitive personal data where necessary for exercising obligations under employment law, social security law or the law relating to social protection. This is a specific category under article 9(2)(b) of the GDPR, and paragraph 1 gives it legislative effect.
It is true that the 1998 Act did not refer to social security and social protection law, but the GDPR gives them specific emphasis in recognition of the reality that processing of special categories of data may be necessary for the purposes of calculating social security benefits or arranging interventions by social services when people are in need of support. In practice, it may not be possible to obtain consent to every measure or decision which is taken about a person when arranging benefit payments or care provisions. Amendment 25 would remove paragraph 1(1)(a) from Schedule 1, making this clause ineffective and closing off a potentially valuable processing condition to social services and other care providers.
The noble Earl, Lord Kinnoull, and the noble Lord, Lord Clement-Jones, suggested in Amendment 25A that “under” employment law should be replaced with “in connection with” employment law. I appreciate the sentiment behind the amendment, which is to ensure that the provision does not operate too restrictively. However, the Government are satisfied the term is sufficiently broad to cover processing that would have been permitted for these purposes under the Data Protection Act, while operating within the limits of the derogation provided for by the GDPR. The new condition, which permits processing that is,
“necessary for the purposes of performing or exercising obligations or rights of the controller or the data subject under employment law”,
would have the same meaning as the Data Protection Act wording, which referred to, processing necessary for the purposes of,
“exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment”.
I therefore hope the noble Lords will accept my reassurances in that regard.
The Earl of Kinnoull
I raise a simple point—that pretty big businesses look after the employment law insurance issues, and they are so incredibly important that they are often compulsory types of insurance because we feel that every business should have them. These huge businesses will have massive change in the way this operates because there is this change. We have just heard that it is not a change, but I hope that the Minister will accept that the insurance businesses—I had a sensitive briefing from the ABI—are worried about that. Accordingly, will he at least be prepared to have a meeting to go through that, otherwise there will be a lot of expense, fuss and bother and maybe some unintended damage to the process of an important type of insurance?
Lord Ashton of Hyde
I said that we believe that the term is sufficiently broad to cover processing that would have been permitted hitherto, which the noble Earl refers to. However, of course, if we have got it wrong and if the insurance industry has a point it wants to bring up, it would be sensible, and I would be delighted, to meet him and the industry to discuss that. As I said before, we have an open mind, so I will certainly do that.
On the provisions in paragraphs 2 and 3 of Schedule 1 on health and social care, and public health, respectively, which are the focus of Amendments 27 to 29, it is fair to say that the drafting here has moved on slightly from the approach taken in Schedule 3 to the 1998 Act. However, article 9(2)(h) of the GDPR refers specifically to processing which is necessary for,
“the assessment of the working capacity of an employee”,
and,
“the management of health … care systems”.
Article 9(2)(i) refers specifically to processing which is,
“necessary for reasons of public interest in the area of public health”.
The purpose of paragraphs 2 and 3 of Schedule 1 is to give these GDPR provisions legislative effect. To remove these terms from the clause by virtue of Amendments 27 to 29 would mean that healthcare providers might have no lawful basis to process special categories of data for such purposes after 25 May. I am sure that noble Lords would agree that that would be unwelcome.
The noble Lord, Lord Kennedy, asked some questions on paragraph 2 and asked for an example of data processed under paragraph 2(b). An example would be occupational health. The wording of paragraph 2(2)(f) of Schedule 1 is imported from article 9(2)(h), and I refer the noble Lord—I am sure that he has remembered it—to the exposition given in recital 53.
Paragraph 4—the focus of Amendments 32 to 34—provides for the processing of special categories of data for purposes relating to archiving and research. The outcome of these amendments would be to name specific areas of research and types of records. The terms “scientific research” and “archiving” cover a wide range of activities. Recital 157 to the GDPR specifically refers to “social science” in the context of scientific research, and recital 159 makes it clear that,
“scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research”.
The Government are not aware of anything in the GDPR or the Bill which casts doubt on the application of these terms to social science research or digital archiving.
Finally, on the important issue of confidentiality, Amendments 31 and 70 are unnecessary, because all health professionals are subject to the common-law duty of confidentiality. The duty is generally understood to mean that, if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent. However, beyond relying on the common-law duty of confidentiality, health professionals and social work professionals are bound by the requirements in their employee contract to uphold rules on confidentiality, whether that information is held on paper, computer, visually or audio recorded, or even held in the memory of the professional. Health professionals and social work professionals as defined in Clause 183 are all regulated professionals.
I can therefore reassure the noble Lord, Lord Kakkar—I am also grateful to the noble Lord, Lord Lester, for his support with regard to the Human Rights Act—that the Government strongly agree on the importance of the common-law duty of medical confidentiality but also recognise that it is not absolute. For example, there already are, and will continue to be, instances where disclosure of personal data by a medical professional is necessary for important public interest purposes, such as certain crime prevention purposes or pursuant to a court order. I therefore cannot agree to Amendment 108A, although, as we have already said, the Government are committed to looking at the issue of delegated powers in the round. I will certainly include that in that discussion. Therefore, with that reassurance, I ask the noble Lord to withdraw his amendment.
Lord Lucas
My Lords, might I beg a meeting of the Minister to discuss the matter of suicidal students at university and how that will be handled under the new legislation as it is developed? This need not necessarily fit within the timescale of the Bill, but I would very much like to be able to understand policy on it and to involve universities in moving from the current unsatisfactory position.
Lord Ashton of Hyde
It is always a pleasure to meet my noble friend, and I am happy to do that.
Lord Kennedy of Southwark
My Lords, I thank all noble Lords who have spoken in the debate this evening. We have touched on a number of important topics, which I hope the noble Lord, Lord Ashton of Hyde, will reflect on as we move through the Bill and look at these issues again. I make it clear that my amendments were all probing amendments to get from the Government their position on things. I was particularly pleased that the noble Earl, Lord Kinnoull, raised the issue about the insurance industry and that the Minister will meet him and representatives of the industry.
I noticed when the Minister replied to the debate that on more than one occasion he made references to recitals. He, I and the House know that the recitals will not form part of British law, so to keep relying on them is, I contend, a little weak on the Government’s part. They will have to find something a bit stronger and more solid as we move on, because, as I said, these will not form part of British law. That is an important point for the Minister to think of when he responds to amendments. For him to keep relying on them highlights the position the Government are in, which is not very good at the moment. Having said that, I beg leave to withdraw the amendment.